De-anonymizing Tinder
If you’re on Tinder, someone can use Google’s reverse image search to find your Facebook profile, even though Tinder tries to protect you. Here’s how to prevent this.
After the news that Fetlife, an online community for kinksters, had some of its data leaked, here’s a post about Tinder, how users can be de-anonymized and located, and what to do about it. Longer post below, but tl; dr takeaways:
- Put the photos you want to have on your Tinder in a Facebook album visible only to you.
- Only use these hidden photos with your Tinder, since the service forces you to use photos imported from Facebook.
My particular brand of privacy activism seems to be morphing into looking at popular apps and services and how they use and misuse your personal information. In December, I wrote about how you can a stray setting could reveal your home location on Instagram. Today, I want to talk dating apps.
I think the reason Tinder’s so popular on college campuses — it doesn’t feel like you’re using a dating app when you’re swiping left and right on people. Students tend to use it regularly even if they’re a) dating people and b) not remotely interested in meeting someone in real life.
The concept is pretty simple — each profile has up to 6 photos, your first name, your age and relative location (x miles away), and a 500-character section where you can write about yourself. You select your own gender and what gender you’re interested in (men, women, or both) Everything except location (which is taken from GPS) and your “interested in” settings are taken from Facebook, which you have to link to use the app. You can select which photos the app displays, and in what order, but crucially they have to come from Facebook. You can’t upload them.
Once your profile’s set up, you start selecting yes or no on other people’s profiles. If you and another person select yes, Tinder opens a conversation window and you take it from there.
Tinder goes to lengths to protect your privacy: they only show your first name at all times, and only people you’ve matched with can contact you. But that doesn’t really matter.
By taking a screenshot of someone’s profile and cropping the image, you can email the image to yourself and then use a images.google.com to do a reverse image search. With this, you can see the URLs where the image appears. When I did this for one or two Tinder profiles, and each time the list of URLs included a link to facebook.com/$profile. Depending on how locked down the person’s Facebook is, you can get a lot more info from that cross-reference. At the very least, you get a surname, which can be used to springboard further.
I ran this test on a whim, and was somewhat surprised it worked. But more surprising was how different the reactions were when I told some friends. I told some friends who do security research, and they were totally unsurprised that doing this was possible. One mentioned that it’s also possible with Lyft Line. When I mentioned this in my journalism class, to people whose main focus isn’t technology, they were freaked out.
I showed it to one friend whose comment to me afterwards was “I wouldn’t want to have you as an enemy,” which I think is a really interesting comment. Given that I work with groups on LGBTQ rights and the preventing sexual violence on campus, my particular strain of security and privacy research has become how techology can support or be detrimental to marginalized communities.
I don’t fault Tinder here — there’s really nothing they can do about this. Like the Instagram post from December, I’m writing this because people should be aware that this is possible. In terms of mitigating the risk, a good plan might be to keep the photos you use for Tinder private, in an album that’s visible only to you. Overall, though, this fits into the classification of “Potentially harmful but not by design. Proceed with caution.”
Tommy Collison is a writer interested in privacy and the future of journalism in a post-Snowden world. His columns focus on technology, security, and student life. Originally from rural Ireland, he grew up among cows, computers, and not much else. When not writing, he teaches journalists, activists, and others how to use privacy software. He’s @tommycollison on Twitter.
