grindr
Auto Added by WPeMatico
Auto Added by WPeMatico
TikTok may be the fastest-growing social network in the history of the internet, but it is also quickly becoming the fastest-growing security threat and thorn in the side of U.S. China hawks.
The latest, according to a notice published by the U.S. Navy this past week and reported on by Reuters and the South China Morning Post, is that TikTok will no longer be allowed to be installed on service members’ devices, or they may face expulsion from the military service’s intranet.
It’s just the latest example of the challenges facing the extremely popular app. Recently, Congress led by Missouri senator Josh Hawley demanded a national security review of TikTok and its Sequoia-backed parent company ByteDance, along with other tech companies that may share data with foreign governments like China. Concerns over the leaking of confidential communications recently led the U.S. government to demand the unwinding of the acquisition of gay social network app Grindr from its Chinese owner Beijing Kunlun.
The intensity of criticism on both sides of the Pacific has made it increasingly challenging to manage tech companies across the divide. As I recently discussed here on TechCrunch, Shutterstock has actively made it harder and harder to find photos deemed controversial by the Chinese government on its stock photography platform, a play to avoid losing a critical source of revenue.
We saw similar challenges with Google and its Project Dragonfly China-focused search engine as well as with the NBA.
What’s interesting here though is that companies on both sides are struggling with policy on both sides. Chinese companies like ByteDance are increasingly being targeted and stricken out of the U.S. market, while American companies have long struggled to get a foothold in the Middle Kingdom. That might be a more equal playing field than it has been in the past, but it is certainly a less free market than it could be.
While the trade fight between China and the U.S. continues, the damage will continue to fall on companies that fail to draw within the lines set by policymakers in both countries. Whether any tech company can bridge that divide in the future unfortunately remains to be seen.
Powered by WPeMatico
On January 12, 2016, Grindr announced it had sold a 60% controlling stake in the company to Beijing Kunlun Tech, a Chinese gaming firm, valuing the company at $155 million. Champagne bottles were surely popped at the small-ish firm.
Though not at a unicorn-level valuation, the 9-figure exit was still respectable and signaled a bright future for the gay hookup app. Indeed, two years later, Kunlun bought the rest of the firm at more than double the valuation and was planning a public offering for Grindr.
On March 27, 2019, it all fell apart. Kunlun was putting Grindr up for sale instead.
What went wrong? It wasn’t that Grindr’s business ground to a halt. By all accounts, its business seems to actually be growing. The problem was that Kunlun owning Grindr was viewed as a threat to national security. Consequently, CFIUS, or the Committee for Foreign Investment in the United States, stepped in to block the transaction.
So what changed? CFIUS was expanded by FIRRMA, or the Foreign Risk Review Modernization Act, in late 2018, which gave it massive new power and scale. Unlike before, FIRRMA gave CFIUS a technology focus. So now CFIUS isn’t just an American problem—it’s an American tech problem. And in the coming years, it will transform venture capital, Chinese involvement in US tech, and maybe even startups as we know it.
Here’s a closer look at how it all fits together.
Image via Getty Images / Busà Photography
CFIUS is the most important agency you’ve never heard of, and until recently it wasn’t even more than a committee. In essence, CFIUS has the ability to stop foreign entities, called “covered entities,” from acquiring companies when it could adversely affect national security—a “covered transaction.”
Once a filing is made, CFIUS investigates the transaction and both parties, which can take over a month in its first pass. From there, the company and CFIUS enter a negotiation to see if they can resolve any issues.
Powered by WPeMatico
Hot on the heels of last week’s security issues, dating app Grindr is under fire again for inappropriate sharing of HIV status with third parties (not advertisers, as I had written here before) and inadequate security on other personal data transmission. It’s not a good look for a company that says privacy is paramount.
Norwegian research outfit SINTEF analyzed the app’s traffic and found that HIV status, which users can choose to include in their profile, is included in packets sent to Apptimize and Localytics. Users are not informed that this data is being sent.
These aren’t advertising companies but rather services for testing and improving mobile apps — Grindr isn’t selling them this data or anything. The company’s CTO told BuzzFeed News that “the limited information shared with these platforms is done under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.” And to the best of my knowledge regulations like HIPAA don’t prevent the company from transmitting medical data provided voluntarily by users to third parties as specified in the privacy policy.
That said, it’s a rather serious breach of trust that something as private as HIV status is being shared in this way, even if it isn’t being done with any kind of ill intention. The laxity with which this extremely important and private information is handled undermines the message of care and consent that Grindr is careful to cultivate.
Update: Grindr’s head of security told Axios that the company will stop sending HIV status data to third parties.
Perhaps more serious from a systematic standpoint, however, is the unencrypted transmission of a great deal of sensitive data.
The SINTEF researchers found that precise GPS position, gender, age, “tribe” (e.g. bear, daddy), intention (e.g. friends, relationship), ethnicity, relationship status, language and device characteristics are sent over HTTP to a variety of advertising companies. A Grindr representative confirmed that location, age, and tribe are “sometimes” sent unencrypted. I’ve asked for clarification on this.
Not only is this extremely poor security practice, but Grindr appears to have been caught in a lie. The company told me last week when news of another security issue arose that “all information transmitted between a user’s device and our servers is encrypted and communicated in a way that does not reveal your specific location to unknown third parties.”
At the time I asked them about accusations that the app sent some data unencrypted; I never heard back. Fortunately for users, though unfortunately for Grindr, my question was answered by an independent body, and the above statement is evidently false.
It would be one thing to merely share this data with advertisers and other third parties — although it isn’t something many users would choose, presumably they at least consent to it as part of signing up.
But to send this information in the clear presents a material danger to the many gay people around the world who cannot openly identify as such. The details sent unencrypted are potentially enough to identify someone in, say, a coffee shop — and anyone in that coffee shop with a bit of technical knowledge could be monitoring for exactly those details. Identifying incriminating traffic in logs also could be done at the behest of one of the many governments that have outlawed homosexuality.
I’ve reached out to Grindr for comment and expect a statement soon; I’ll update this post as soon as I receive it.
Update: Here is Grindr’s full statement on the sharing of HIV data; notably it does not address the unencrypted transmission of other data.
As a company that serves the LGBTQ community, we understand the sensitivities around HIV status disclosure. Our goal is and always has been to support the health and safety of our users worldwide.
Recently, Grindr’s industry standard use of third party partners including Apptimize and Localytics, two highly-regarded software vendors, to test and validate the way we roll out our platform has drawn concern over the way we share user data.
In an effort to clear any misinformation we feel it necessary to state:
Grindr has never, nor will we ever sell personally identifiable user information – especially information regarding HIV status or last test date – to third parties or advertisers.
As an industry standard practice, Grindr does work with highly-regarded vendors to test and optimize how we roll out our platform. These vendors are under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.
When working with these platforms, we restrict information shared except as necessary or appropriate. Sometimes this data may include location data or data from HIV status fields as these are features within Grindr, however, this information is always transmitted securely with encryption, and there are data retention policies in place to further protect our users’ privacy from disclosure.
It’s important to remember that Grindr is a public forum. We give users the option to post information about themselves including HIV status and last test date, and we make it clear in our privacy policy that if you chose to include this information in your profile, the information will also become public. As a result, you should carefully consider what information to include in your profile.
As an industry leader and champion for the LGBTQ community, Grindr, recognizes that a person’s HIV status can be highly stigmatized but after consulting several international health organizations and our Grindr For Equality team, Grindr determined with community feedback it would be beneficial for the health and well-being of our community to give users the option to publish, at their discretion, the user’s HIV Status and their Last Tested Date. It is up to each user to determine what, if anything, to share about themselves in their profile.
The inclusion of HIV status information within our platform is always regarded carefully with our users’ privacy in mind, but like any other mobile app company, we too must operate with industry standard practices to help make sure Grindr continues to improve for our community. We assure everyone that we are always examining our processes around privacy, security and data sharing with third parties, and always looking for additional measures that go above and beyond industry best practices to help maintain our users’ right to privacy.
Powered by WPeMatico
Users of Grindr, the popular dating app for gay men, may have been broadcasting their location despite having disabled that particular feature. Two security flaws allowed for discovery of location data against a user’s will, though they take a bit of doing.
The first of the flaws, which were discovered by Trever Faden and reported first by NBC News, allowed users to see a variety of data not available normally: who had blocked them, deleted photos, locations of people who had chosen not to share that data and more.
The catch is that if you wanted to find out about this, you had to hand over your username and password to Faden’s purpose-built website, C*ckblocked (asterisk original), which would then scour your Grindr account for this hidden metadata.
Of course it’s a bad idea to surrender your credentials to any third party whatsoever, but regardless of that, this particular third party was able to find data that a user should not have access to in the first place.
The second flaw involved location data being sent unencrypted, meaning a traffic snooper might be able to detect it. (In its comment, Grindr says it encrypts and obfuscates location data, but has not specifically denied the existence of this issue.)
It may not sound too serious to have someone watching a Wi-Fi network know a person’s location — they’re there on the network, obviously, which narrows it down considerably. But users of a gay dating app are members of a minority often targeted by bigots and governments, and having their phone essentially send out a public signal saying “I’m here and I’m gay” without their knowledge is a serious problem.
I’ve asked Grindr for comment and confirmation; the company told NBC News that it had changed how data was handled in order to prevent the C*ckblocked exploit (the site has since been shut down), but did not address the second issue.
Update: Grindr has offered a statement on these issues, which I quote in part below (emphasis theirs):
Anytime a user discloses their login credentials to an unknown third-party, they run the risk of exposing their own profile information, location information, and related metadata. We cannot emphasize this enough: we strongly recommend against our users sharing their personal login information with these websites as they risk exposing information that they have opted out of sharing.
Grindr is a location-based app. Location is a critical element of our social network platform. This allows our users to feel connected to our community in a world that would seek to isolate us. That said, all information transmitted between a user’s device and our servers is encrypted and communicated in a way that does not reveal your specific location to unknown third parties.
Furthermore, the statement points out, “In territories where homosexuality is criminalized, or it is otherwise unsafe to be LGBTQ identified, we deliberately obfuscate the location-based features of our application to protect our users.”
I’ve asked for any further information on the possibility that location data was, as reported, sent unencrypted. I’ll update if I hear back.
Powered by WPeMatico
The first sentence has been handed down in a case centered on the use of Grindr as a platform from which to perpetrate hate crimes. Nigel Garrett was given 15 years yesterday after pleading guilty to a list of crimes including assault, carjacking, and use of firearms, the Tyler Morning Telegraph reported. Read More
Powered by WPeMatico