A Chinese gaming company is reportedly looking to offload the gay dating site Grindr due to US government concerns over its ownership, according to Reuters.
Sources familiar with the matter told the news service that Beijing Kunlun Tech Co Ltd., which picked up Grindr in 2016, is looking to sell it after a US national security panel raised concerns about its Chinese ownership.
Two sources told Reuters that the Committee on Foreign Investment in the United States (CFIUS) informed Kunlun that its ownership of Grindr, which is based in California, constitutes a national security risk.
Protecting users’ data
Reuters didn’t manage to glean CFIUS’s specific concerns or whether any attempts were made to mitigate them.
What we do know is that questions about the safety of Grindr users’ data in the hands of a Chinese company bubbled up in August 2018. That was when Kunlun announced it was planning an initial public offering for this, the world’s largest gay social networking app.
The IPO gave rise to questions such as whether Grindr users’ data would be transferred to China, and whether Chinese authorities would get their hands on it.
Grindr’s privacy policy notes that user data may be shared with a parent company. If a new owner comes on board, that owner gets the personal data:
We may share your Personal Data with our parent company, any subsidiaries, joint ventures, or other companies under common control. If another company acquires our company, business, or our assets, that company will possess the Personal Data collected by us and will assume the rights and obligations regarding your Personal Data as described in this Privacy Policy.
And an article in The Conversation explains that personal user data may be transferred to China:
Coupled with the Chinese trend towards data localisation requirements, which dictate that data should be processed within China itself, this provision means it may be possible for Grindr users’ personal data to be transferred to China.
Even without the very real prospect of user data shifting to China and out of US legal jurisdiction, Grindr has had a troubled history of protecting user privacy.
As of September, anybody could still use third-party apps that exploited Grindr’s API to obtain exact locations of millions of cruising men, in spite of what Grindr claimed in April 2018.
This would be far from the first time that US national security officials have stepped in when they’ve perceived threats from foreign technology companies. In May 2018, for example, the Pentagon ordered military exchanges to pull Chinese smartphones due to security concerns.
The cloud never forgets
Personal data collected by Grindr includes a user’s location, messages and sexual orientation, as well as, on an opt-in basis, their HIV status or last-tested date, according to its privacy policy.
Given how sensitive the information entrusted to mobile dating apps such as Grindr is, it might be a good idea to abstain from sharing too much… or maybe from sharing anything intimate at all. After all, whatever the cloud gets, the cloud keeps, as pointed out by Naked Security’s own Paul Ducklin:
This very public disagreement over cloud data is a good reminder of the maxim, ‘If in doubt, don’t give it out.’ By all means, use Grindr – or any other dating site or social network – if you like, but make sure you take the time to ask yourself first whether data about very personal matters like sexuality is something you really want to entrust to the elephantine memory of the cloud.
The fact that these dating apps can get sold suggests that we should also think ahead when voluntarily giving away data, Paul says:
How much control are you likely to have if there’s a change of ownership of the company holding your data, especially when ownership moves between two very different jurisdictions and legal systems?
The potential for dating apps to be snapped up by other countries – some of which may prosecute or harass people on the basis of HIV status or sexuality – is one thing. It’s also wise to bear in mind that dating apps have a history of spilling highly personal data. Besides Grindr’s own history, recent cases of leaky dating sites have included…
Jack’d: In February, the gay/bi-/curious dating/hook-up app Jack’d was publicly sharing, without permission, photos that users thought they were sharing privately. As in, anyone with a web browser who knew where to look could access any Jack’d user’s photos, be they private or public – all without authentication or even the need to sign in to the app.
Nor were there any limits in place: anyone could have downloaded the entire image database for whatever mischief they wanted to get into, be it blackmail or outing somebody in a country where homosexuality is illegal and/or gays are harassed.
DonaldDaters: The dating app for Donald Trump supporters is another recent case in point: it was exposing users’ data from the very day it launched in October 2018.