Tinder is the Embarrassing Data Breach Waiting to Happen
Data breaches and digital security issues have made buzz-worthy news stories for years now. Once they’re announced publicly, new information always seems to rise to the surface, prolonging their newsworthiness for years.
Yahoo has released new information on their 2013 data breach, announcing all 3 billion of the accounts were compromised. More recently, a forensic investigation into the Equifax breach showed an additional 2.5 million people were affected than previously announced and some insider trading may have occurred.
While the recent Equifax breach is serious in that it exposes the Social Security Numbers of millions of individuals, there are government programs in place to help deal with identity theft. What happens when the data is more sensitive and intimate than a random string of nine numbers?
What would happen if the Tinder profiles of 50 million people were exposed and brought into the public eye? What kinds of information do they have on us, and how would we react to its release? Looking at the instances above, it likely would become a focal point of the news cycle.
Day after day — for years.
Tinder is the Embarrassing Data Breach Waiting to Happen
Judith Duportail, a journalist for The Guardian, requested here user data from Tinder under the EU data protection laws. What she received was astonishing. The headline by itself seems like clickbait fear mongering — until you actually read the article. She carefully explores 800 pages of chats, locations, Facebook likes, and even deleted information from her social media profiles.
Sifting through the piles of paper and seeing how much information she had unknowingly voluntarily disclosed filled her with overwhelming guilt. As Luke Stark, a digital technology sociologist at Dartmouth University put it, “Apps such as Tinder are taking advantage of a simple emotional phenomenon; we can’t feel data. This is why seeing everything printed strikes you.”
Duportail is far from the only person to have fallen victim to this phenomenon. A July 2017 study showed users of online dating sites had high rates of personal identification leakage.
What Personal Information Could Be Exposed?
Tinder can be connected to Facebook, Spotify, and Instagram — importing what you have disclosed through those services. There is the information that you enter for your profile and bio. There’s also all of your chats and messages with matches which may range from “hey” to inappropriate, late-night ramblings.
All of the above-mentioned data is easily understandable, and troubling, at the surface level. Beyond that though, there is what’s called “secondary implicit disclosed information,” a fancy name for your behavior within the app. This data is Tinder’s value as a company; extrapolating trends from large amounts of data and finding ways to monetize it. However, if that data were to be made public, provocateurs could create tools making it easy to sift through and allow a voyeuristic view of the intimate details of everyone around us.
Even anonymized data may not be as anonymous as the name implies. Another European journalist and data scientist duo were able to put real-life identities to people in a pool of anonymized data they bought. It took a lot of manual work for them, but with the right motivation, a lot of the process could be automated.
While looking into this piece, I found another group of researchers had just released finding showing serious vulnerabilities in every major mobile dating app. The vulnerabilities include: the ability to pinpoint someone’s location, using disclosed bio information to locate someone on social media, use of unencrypted data passing between the app and server, the ability to send messages, and access to authorization tokens for Facebook. These vulnerabilities will hopefully soon be fixed, but they are relatively amateur in their workings. So it is likely there could be other, more serious vulnerabilities yet to be discovered.
How Did We Get Here?
Through the undertakings of the leaders of our societies in advancing our societies well being, we have accomplished some incredible technical feats. We have created systems and applications that have become dependencies in our everyday lives. The rapid development of these technologies by billionaires with money to burn have allowed these great things to develop. But our dependency on these disruptive technologies — such as the internet and the cell phone — have accustomed us to free content, well engineered UIs, and things that “just work.” This comes at a cost that the average user does not fully comprehend.
A World of APIs
Application program interfaces (APIs) make it easy to move blocks of data back and forth between separate platforms without full integrations. When programs or applications market their functionality to “just work,” it is often through the use of APIs.
For example, when a new dating application wants to enable a seamless sign-up process (*cough* Tinder, Bumble, etc. *cough*) they may let you “Continue with Facebook” instead of creating an account from scratch. They may let you login with Spotify and show off all the obscure indies bands you like. Maybe, you can login with Instagram to show off your totally-not-hipster ‘aesthetic.’
The Security, Functionality, and Usability Triad
When it comes to interactive application design, engineers must balance security, functionality, and usability. It is a triangle (SFU Triad)of trade-offs where to get closer to one, you move away from the others. To gain the ease of use (usability) of single sign in, you lose some security and function control.
The next time you hear about a new app your friends say you just *have* to try, evaluate your risk. If you connect your accounts and one of them is compromised, they’re all compromised. If some mysterious hacking group finds an exploitable means of accessing account data, the leaking of a large amount of this data is not out of the question.
Before you say “these tools are safe, we’ve been using them for years without issue,” look at the recent flaws found in WPA2 and RSA key encryption.
Take ‘Delete’ Out of Your Internet Vocabulary
As we are constantly reminded, yet refuse to acknowledge, what we post on the internet stay there forever — even if we try to delete it. Even when you ‘delete’ your Tinder profile within the app, the data may still live on some server in some building in some unknown location. Accessible by anyone the company allows access. Or anyone who tries hard enough.
“If you close your account, we will retain certain data for analytical purposes and recordkeeping integrity”
Your data is out there now. You can try to delete your account, and Tinder may say it is deleted, but you can never truly be sure. Even if it is removed from their server, until it is written over multiple times, it could theoretically be recovered. The best thing we can do moving forward is understanding how we got here, and how we can better protect our non-critical-yet-intimate personal information.
“You should not expect, that your personal information, chats, or other communications will always remain secure.”
For Better or Worse
While researching this post, I discovered that Tinder released a tool that allows you to download a copy of the data that Tinder has collected on you. There is no real explanation of what the tool gives you, or if it is the same type of data that Duportail received, but it is at least a start. I downloaded mine, and while none of it is surprising, I do not think it is inclusive of the behavioral data they collect.
Are we so caught up in flashy buzzwords and the next social network, that we are willing to put our most intimate information up for bid? Or could the next trend in digital be taking back privacy? On one hand we have forums to trade racy pictures for fake internet points — on the other hand there are decentralized cryptocurrencies developed to keep our money away from the government and bankers.
Originally published at Dan DeSimone.