News broke on Monday that gay social networking app Grindr was sharing reams of data – including users’ HIV status – with third parties. With 3.6 million daily users – a fraction of Facebook’s 1.4 billion – this might not seem like too big a deal. But – largely because of the sensitivity of the data involved – this is a shocking breach of trust which has, rightly, caused outcry in and beyond the gay and HIV/AIDS activism communities.
Grindr is an app which uses locational data to help users, mainly gay and bisexual men, find other users in the area. Users are able (but not obliged) to state their HIV status on their profile; as a young gay man living with HIV, I recently put on my profile that I’m positive and undetectable. Despite being very open about my status, and not posing a risk to anyone, it was still a difficult decision to say to hundreds of strangers: “I’ve got HIV”.
But that was a consenting choice. Yes, it is public – anyone can download Grindr – but I also consider the app to be a safe space where, broadly, I know what type of person will see my status. I did not consent to Grindr sharing that data with others, and was a gross breach of the trust I’ve placed in the app.
For two years or so, users have been able to choose to declare on their HIV status on their Grindr profile: HIV-positive; positive and undetectable (meaning unable to pass the virus on); negative; or negative and on PrEP (meaning almost unable to contract HIV). This feature has been broadly praised as a way of reducing stigma for people living with HIV, and as a spark for useful conversations.
It now turns out this information has been shared with two analytics companies, Apptimize and Localytics, to help Grindr optimise features within the app and the roll out of new functionalities.. Even worse, it was shared alongside other personal data, making users uniquely identifiable. While it appears Grindr has acted within the law, this is a particularly bleak addition to the list of recent data controversies – and not just for those whose data has been shared.
Firstly, sharing any data without users’ consent is a breach of trust, as we’ve seen in recent weeks. But unlike in the case of Facebook, this isn’t data from a personality quiz – this is extremely sensitive information. My HIV status is not the same as the data I gave Facebook when I take a quiz to tell me which Drag Race queen I’d be in another life.
Secondly, Grindr’s practices may well deter other people living with HIV from being open about their status. To be clear, no one should ever feel obligated to disclose their status on Grindr or any other app; but some people would like to, and feel unable to. Knowing that data is being shared will do nothing to calm their existing fears.
Thirdly, if people don’t feel comfortable sharing their status because of this, there will be fewer opportunities for honest conversation about what it means to live with HIV in 2018. I’m always shocked by how many people, even in the gay community, don’t know basic facts – that HIV is not the same as AIDS, that HIV is not a death sentence, that I can’t pass HIV on even through unprotected sex.
As an openly HIV-positive person on Grindr, I find myself regularly educating people, raising awareness, normalising HIV, even encouraging people to get tested, and hopefully reducing stigma. If, as I fear, these revelations – and Grindr’s response -lead to fewer openly-positive people, we will slow down efforts to raise awareness, tackle stigma, and ultimately bring down HIV rates.
Fourthly, sharing this information could have real negative consequences for LGBT+ people. Even with the strictest requirements for confidentiality and data security, no data is 100 per cent safe in the face of ever-more sophisticated cyber attacks and good old human carelessness. We just need to look at recent data breaches like Equifax or Aadhaar to know this. Storing this data not just on Grindr’s servers, but also on their partners’ servers, means there’s more risk of data falling into the wrong hands, potentially putting people, especially those in countries or communities where LGBT+ people and people living with HIV are stigmatised or oppressed, and at risk. Indeed this regard, it’s not just the data about HIV which is a cause for concern, but also data which could help authorities locate LGBT+ people, such as phone IDs and locations.
Almost as disheartening as Grindr’s actions is the inadequacy of its response so far. The company has long been a supporter of the LGBTQ+ community and PLWHIV, but rather than showing any contrition or trying to make amends, Grindr has vehemently defended its actions in a fiery Tumblr post.
In a way not dissimilar to Facebook just last week, Grindr’s essential arguments are that it hasn’t done anything wrong because no laws were broken and its actions were industry standard. This fails to recognise that the relationship between Grindr and its users is as much based on trust as on a legal agreement, and that someone’s HIV status isn’t the same as other types of personal data.
Furthermore, the repeated references to “misinformation” and “a misunderstanding of technology” are just plain condescending. I’m also puzzled as to why, if they’ve done nothing wrong, Grindr has nonetheless decided to stop sharing information with one of the two companies.
Most worryingly, Grindr’s statement attempts to place the onus on users by conflating different issues – giving data to third parties, the functionality to share one’s HIV status on Grindr, and the choice to use that functionality – and by somewhat ominously reminding users: “you should carefully consider what information to include in your profile”.
If Grindr’s executive team has any sense, they will realise their actions were at best careless and at worst immoral. They will apologise for breaching users’ trust, find out how this happened and investigate whether any harm may have been caused to PLWHIV. They will be clear with users about any other data sharing, historic or current, and proactively work to rebuild users’ trust. Most urgently, they need to be clear how they are working to protect users in high-risk contexts, namely countries with homophobic laws and poor human rights records.
In a world of Cambridge Analytica, new stricter data laws and a growing understanding that technology isn’t all rosy, the old excuses about data protection are no longer sufficient.
Grindr might not have as many users as Facebook and it might not be charged with swaying an election, but it does need to acknowledge the seriousness of these revelations, and make sure this can’t happen again.
Matt Stokes is a 25-year old HIV advocate living in London. He tweets @stokes_matt.