Gay People on the Radar? — Signal intelligence from dating apps

How Grindr and Jack’d might out you?

Jason CHAO
Jason Chao’s Depository
Feb 1, 2018

Introduction

The popularity of dating applications (apps) in the gay communities has transformed how gay sexual relationships are initiated. While previous studies associate the “privatisation” of sexual encounters with the emergence of dating apps targeting gay people, the unsatisfactory security design of these apps shows that such “privatisation” should be reassessed in light of signal analysis. This paper tries to showcase that a sociological study of gay dating apps should take the black box beneath user interactions and signs into account as a matter of rigour. An inspection of unencrypted network traffic of Grindr and Jack’d, two well-known gay dating apps, reveals how gay people may de-privatise themselves in their quest for sexual adventures.

Literature review

Previous studies on gay dating platforms were mostly focused on Grindr. They should also apply to Jack’d due to their functional similarity. Studies on Grindr have aligned its adoption with the development of the “hook-up” practice built on 20th-century gay culture. Public toilets, bars and saunas were venues in which gay people would hang out to meet with strangers who would engage in a same-sex sexual relationship. The colonisation of public places for “hook-ups” was temporally fluid as the presence of gay people in general-purpose places such as parks and beaches could just be observed at certain moments of the day. Grindr enabled gay people to achieve the same purpose in the safety of their homes. This phenomenon was described as the “’privatization’ of gay sexual encounters with strangers”. (Licoppe, Riviere and Morel, 2016)

Nevertheless, Licoppe, Riviere and Morel also questioned “safety” in the sense that users had to use pseudonyms to identify themselves in their interactions with strangers when using the app. In comparison, gay people enjoyed almost complete anonymity when interacting with strangers in public places. Licoppe, Riviere and Morel suggested a process of “deanonymization” of sexual encounters as a result of using hook-up apps.

Grindr “induced” a “shift in the notions of ‘nearby’, ‘close’, or ‘intimate’” in the “very nature of contemporary intimacy”. “Four movements” of intimacy were identified: interface-to-face and face-to-interface, in which users create an intimate environment using their smartphones; interface-to-interface, in which users connect with each other around the world; and interface-to-space, in which users create an imaginary map of the presence of gay people located around them. Furthermore, users interacted based on a scripted checklist in lieu of a casual conversation. The idea of intimacy was reduced from a variety of topics to merely sexual encounters. (Stempfhuber and Liegl, 2016)

Ciszek (2017) called on advocates for sexual and gender minorities to take social media platforms into account because of the blurring boundary between the offline and online worlds for LGBTQ young people, especially in the formation of identities. The gay dating app may function as a sanctuary for “sexual refugees” to “distance themselves from […] homophobic culture”. (Dhoest and Szulc, 2016)

Digital devices are enabling new ways to arrange sex and intimacy against a background in which monogamy and marriage are the mainstream view. This marks a departure from previous research focused on the “objectification of gay sex and gay person” encouraged by digital devices. (Race, 2015)

Cramer and Fuller (2008) discussed the asymmetric power in the difference between machine and human operations. “The asymmetric powers conjoined by means of human-machine interfaces, also find themselves arranged in other relations which themselves articulate, filter, and organize the activities modelled and modulated by the interface.”

General users interpret and interact with the signs on screens. However, beneath the screens, software code and microcontrollers are performing highly complex signal processing (Nake, 1994). Between a user’s mobile phone and the platform’s service, data packets pass through a complex infrastructure comprised of multiple components. The decisions made by algorithms to handle the packets are called “micro-decisions”. There exists a power relationship between the users and the micro-decisions obscured by the user interfaces. (Sprenger 2015)

Zhao, Zui and Li (2017) used geolocation data provided by Jack’d to map the presence of gay people in Beijing over time. Jack’d wrote about its collection of behaviour data and sharing of such data “with others” for research purposes in Article 4 of its Privacy Policy.

Hoang, Asano and Yoshikawa (2016) identified several privacy issues with Grindr and Jack’d: 1) it was possible to use trilateration to calculate the precise location of a Grindr user; 2) Grindr served user pictures without encryption; and 3) Jack’d and Grindr sent users’ device information to a third-party advertiser without encryption.

With the exception of Hoang, Asano and Yoshikawa’s paper on the vulnerabilities of Grindr and Jack’d, previous research largely overlooked how signal processes, which users do not perceive from their interactions with the application, affect the secrecy of sexual encounters.

In light of the ideas of asymmetry between user interfaces, signs, signals and micro-decisions, the privatisation of the app users’ sexual encounters is called into question.

Methodology

In my view, a study of these applications is by no means “complete” without an understanding of the mechanisms in signal processing beneath the interfaces which the users interact with. By digging into the signals of Grindr and Jack’d, I challenge the idea of privatisation of the sexual lives of gay people in the adoption of dating apps.

HTTPS, officially known as “HTTP Over TLS”, provides end-to-end encryption for the application data “to prevent man-in-the-middle attacks”. (Rescorla, 2000; Dierks and Rescorla, 2008). In 2013, former US NSA contractor Edward Snowden blew the whistle on the scale of the US government’s programmes for aggregating signal intelligence. Following Snowden’s revelation, major Internet service providers switched from unencrypted HTTP to HTTPS by default (Cardozo et al., 2014). Therefore, for purposes of this paper, only unencrypted HTTP traffic between the apps and their servers is recorded and studied.

Using the hypervisor VirtualBox, an instance of x86-based Android 7.1 was installed as a virtual machine (VM). An instance of Ubuntu 16.04 Linux Server was also installed as a VM to serve as the network gateway. A virtual network interface was created inside VirtualBox to connect the Android VM and the gateway VM. An Internet-enabled interface was attached to the gateway VM. On the gateway VM, “iptables” rules were set to forward traffic from the virtual network interface shared with the Android VM to the Internet-enabled interface. Using the network tool “tcpdump”, all packets to and from the Android VM were written to a pcap file on the gateway VM. The network packet analyser Wireshark was used to open the pcap files and study the HTTP requests.

For the purposes of this analysis, fictional personas were created as the users of Grindr and Jack’d. By enabling the Developer Mode on Android and using a location simulator, the device location was manually set to Vauxhall, London.

Data “Leakage” from Grindr and Jack’d

Device information and user location were sent to advertiser MoPub without encryption in URL query strings using GET requests. Not only did I recreate the issue of exposing device parameters demonstrated in Hoang, Asano and Yoshikawa’s study, but I also found gender, age and marital status in the unencrypted data.

Figure 1. Inspection of HTTP traffic of Grindr

The data, with reserved characters decoded, from Grindr that concerned me are as follows.
bundle=com.grindrapp.android (App identifier)
q=m_gender:m,m_age:28 (User gender and age)
ll=51.4886…,-0.1207… (User location in latitude and longitude; with values truncated)

Figure 2. Inspection of HTTP traffic of Jack’d

The data, with reserved characters decoded, from Jack’d that concerned me are as follows.
bundle=mobi.jackd.android (App identifier)
q=m_age:21,m_gender:m,m_marital:single (User age, gender and marital status)
ll=51.4886…,-0.1207… (User location in latitude and longitude; with values truncated)

It must be emphasised that the values above may be retained by a very basic web history logger available for consumer-grade routers (Busch, 2017). This is in contrast to values passed through request headers or POST requests, which may only be recorded by advanced loggers such as surveillance equipment or a network sniffer like the one used in this study.
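The difference between a URL logger and a full packet capture can be checked against a capture from one's own test device. The following is an added example, not code from the original study: it decodes the reserved characters in the `bundle`, `q` and `ll` parameters quoted above and reports what each kind of observer retains when the same data travels in a GET query string versus a POST body. The host `ads.example.test`, the path `/ad` and both raw requests are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

def extract_fields(query):
    """Percent-decode a query string and pull out the fields named on the page."""
    qs = parse_qs(query)                      # turns %3A into ':' and %2C into ','
    found = {}
    if "bundle" in qs:
        found["app"] = qs["bundle"][0]
    for pair in qs.get("q", [""])[0].split(","):
        key, sep, value = pair.partition(":")
        if sep and key.startswith("m_"):
            found[key[2:]] = value            # m_age:21 -> age = "21"
    if "ll" in qs:
        lat, _, lon = qs["ll"][0].partition(",")
        found["location"] = (lat, lon)
    return found

def exposure(raw_request):
    """Report what one plaintext HTTP request reveals to two kinds of observer.

    "url_log": a URL-history logger, which keeps only the request target.
    "sniffer": a full packet capture, which also sees a form-encoded body.
    """
    head, _, body = raw_request.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n")[0].split(" ", 2)
    url_log = extract_fields(urlsplit(target).query)
    sniffer = dict(url_log)
    if method == "POST":
        sniffer.update(extract_fields(body))
    return {"url_log": url_log, "sniffer": sniffer}

# Constructed sample: parameter names and values are those quoted on the page
# (coordinates truncated as on the page); host and path are placeholders.
PARAMS = ("bundle=mobi.jackd.android"
          "&q=m_age%3A21%2Cm_gender%3Am%2Cm_marital%3Asingle"
          "&ll=51.4886%2C-0.1207")
GET_REQUEST = f"GET /ad?{PARAMS} HTTP/1.1\r\nHost: ads.example.test\r\n\r\n"
POST_REQUEST = ("POST /ad HTTP/1.1\r\nHost: ads.example.test\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + PARAMS)

if __name__ == "__main__":
    for name, raw in (("GET", GET_REQUEST), ("POST", POST_REQUEST)):
        result = exposure(raw)
        print(name, "URL logger keeps:", result["url_log"])
        print(name, "packet capture sees:", result["sniffer"])
```

Moving the parameters into a POST body only hides them from URL-level logging; over unencrypted HTTP a packet capture still reads them, so the fix on the app side is HTTPS for the ad requests.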

Regarding the advertiser MoPub, the first paragraph on the advertiser’s website is self-explanatory enough for us to understand the motive of Jack’d in using this platform. It reads “MoPub, a Twitter company, provides monetization solutions for mobile app publishers and developers […]”. (MoPub, 2017)

Observations

In this study, only packets sent in plaintext (via HTTP without encryption) are studied. The reason is that unencrypted HTTP traffic is readable by any intermediate network equipment between the users’ device and the servers with minimal effort, to the extent that most consumer-grade routers have a feature to log the clients’ attempts to open specific URLs.

The intercepted traffic confirmed the issue of leaking device information with Jack’d first identified by Hoang, Asano and Yoshikawa in 2016. The user locations were exposed in URLs.

Signal intelligence (SIGINT) is not a privilege of the state apparatus, since any component in the middle has access to the signals (Vacca, 2006). In fact, any intermediate party to the transfer of data between a client and a server can read content transported via unencrypted HTTP. Man-in-the-middle interception of traffic goes unnoticed by both the servers and the clients. One may easily underestimate the effect of micro-decisions. These decisions with an intrusive intention may be influenced by the mere curiosity of parents or by a surveillance plan orchestrated by the controllers of a network infrastructure, as explained in the following two hypothetical scenarios.

Hypothetical scenario 1: A teenager who connects his phone to home networks unknowingly exposes his use of a gay dating app (and his sexual orientation) to his parents or guardians who have administrative access to the router.

Hypothetical scenario 2: A company implements web access monitoring to detect corporate espionage. Network administrators detect the presence of gay hook-up apps and infer the sexual orientation of its users.

A development of hypothetical user situations in the home and the workplace is important because real users may use the apps in these contexts. Business entities may covertly identify their members who possess a socially stigmatised identity. It may expose them to vulnerabilities in places where discrimination on the ground of sexual orientation is rampant. The asymmetric power on the side of signals can join forces with power relations in the offline hierarchy of human organisations. Such “outing” shatters the illusion of the “privatisation of sexual encounters”.

The risk of “self-outing” is a matter of concern for users not living in Western countries. In places where legal protection against discrimination on sexual orientation grounds is absent or weak, it makes gay people vulnerable to discreet unfair treatment.

A privatisation of sexual encounters through the use of these apps is by no means certain. The user interfaces obscure the fact that the users’ activities may be visible to an intermediary. The exposure of data containing user location and age may invite or aid de-anonymization attempts.

Conclusion

A signal analysis of the data traffic of gay social apps Grindr and Jack’d has suggested that the privatisation of sexual encounters is a misconception. Unwrapping the black box comprised of software logic and network infrastructure dramatically changes how these apps should be seen sociologically. The presumed secrecy of the sexual lives of gay people is significant, especially in regions where non-mainstream demographics are vulnerable to unfair treatment.

Acknowledgements

Jason CHAO would like to thank Dr Michael Dieter and Dr Nathaniel Tkacz for their instruction and advice.

References

Dhoest, Alexander, and Lukasz Szulc. “Navigating Online Selves: Social, Cultural, and Material Contexts of Social Media Use by Diasporic Gay Men.” Social Media + Society 2, no. 4 (2016).

Busch, Jack. “Spy on Your Kids Using Your Wireless Router [Free Parental Controls].” groovyPost, 2017.

Cardozo, Nate, Cindy Cohn, Parker Higgins, Kurt Opsahl, and Rainey Reitman. “Who Has Your Back? Protecting Your Data from Government Requests.” Report. Electronic Frontier Foundation, 2014.

Ciszek, Erica L. “Advocacy Communication and Social Identity: An Exploration of Social Media Outreach.” Journal Of Homosexuality 64, no. 14 (2017): 1993–2010.

Dierks, Tim, and Eric Rescorla. “RFC 5246: The Transport Layer Security (TLS) Protocol.” The Internet Engineering Task Force (2008).

Fuller, Matthew. Software Studies: A Lexicon. MIT Press, 2008.

Hoang, Nguyen Phong, Yasuhito Asano, and Masatoshi Yoshikawa. “Your Neighbors Are My Spies: Location and Other Privacy Concerns in Dating Apps.” (04/20/2016).

Licoppe, Christian, Carole Anne Riviere, and Julien Morel. “Grindr Casual Hook-Ups as Interactional Achievements.” New Media & Society 18, no. 11 (December 2016): 2540.

MoPub. “Mopub — Powerful App Monetization.” https://www.mopub.com/.

Nake, Frieder. “Universität Bremen, Germany.” Languages of Design 2 (1994): 193–205.

Race, Kane. “Speculative Pragmatism and Intimate Arrangements: Online Hook-up Devices in Gay Life.” Culture, Health & Sexuality 17, no. 4 (2015): 496–511.

Rescorla, Eric. “RFC 2818: HTTP over TLS.” Internet Engineering Task Force, http://www.ietf.org (2000).

Sprenger, Florian. The Politics of Micro-Decisions: Edward Snowden, Net Neutrality, and the Architectures of the Internet. meson press, 2015.

Stempfhuber, Martin, and Michael Liegl. “Intimacy Mobilized: Hook-up Practices in the Location-Based Social Network Grindr.” Mobilisierte Intimität: Hook-up-Praktiken im standortbezogenen sozialen Netzwerk Grindr. 41, no. 1 (March 2016): 51.

Vacca, John R. “The Information Warfare Wireless Network Security Arsenal and Tactics of Private Enterprises.” Guide to Wireless Network Security (2006): 519–56.

Zhao, Bo, Daniel Z. Sui, and Zhaohui Li. “Visualizing the Gay Community in Beijing with Location-Based Social Media.” Environment & Planning A 49, no. 5 (2017): 977–79.
