A popular gay hookup app has been sharing the HIV status of its members with two analytics companies — and civil liberties experts say it’s a breach of trust and privacy.
BuzzFeed News reported Monday that the app Grindr provided the sensitive medical information to Apptimize and Localytics — which help optimize apps and sharpen marketing strategies.
Grindr provided the HIV status along with the user’s GPS data, email and phone ID, the news site reported. Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, first identified the sharing of a user’s health.
“The HIV status is linked to all the other information. That’s the main issue,” Pultier told BuzzFeed News.
The fling-facilitating app started in 2009 and has more than 3.6 million daily active users around the globe. The app promotes healthy hookups, allowing users to connect with other members for a rendezvous.
Users have the option of including their HIV status and their “last tested date.” It also has an app tool that can remind users to get tested every three to six months.
Niam Yaraghi, an assistant professor at the University of Connecticut’s School of Business and a nonresident fellow at the Brookings Institution who has examined the sharing of patients’ health care information, said Grindr likely didn’t break the law.
He said federal Health Insurance Portability and Accountability Act — or HIPAA — bars medical providers and their business associates from disclosing patients’ health records. However, that law doesn’t apply to private businesses who aren’t in the medical world, he said.
Still he said there were ramifications for Grindr.
“The breach of trust of the user is the most important thing here,” Yaraghi said.
He said Grindr needed to come clean about what data it shared and with whom.
“If they don’t do that, and this happens again, the federal government is going to get involved,” Yaraghi said.
James Krellenstein, a member of AIDS advocacy group ACT UP New York, told BuzzFeed that it appeared Grindr didn’t explicitly notify members of the data sharing.
“That is an extremely, extremely egregious breach of basic standards that we wouldn’t expect from a company that likes to brand itself as a supporter of the queer community,” Krellenstein said.
Grindr Chief Technology Officer Scott Chen said in a statement that Apptimize and Localytics did not share the information with other parties. He also said that Grindr has never sold the personally identifiable information, including HIV status.
“As a company that serves the LGBTQ community, we understand the sensitivities around HIV status disclosure,” Chen said. “Our goal is and always has been to support the health and safety of our users worldwide.”
The statement said that its privacy policy makes clear that if users chose to include their HIV status, then the information will also become public.
Manhattan attorney Adam P. Slater said it would be challenging to prove that users had been damaged on a class-wide basis.
“There really is no harm to each individual victim because the public doesn’t have the information,” Slater, of the firm Slater Slater Schulman, said. He noted that Grindr was sharing the data with the companies to optimize its own application, rather than for the companies’ own financial gain.
“That’s a pretty big distinction,” Slater said.
Yaraghi said he had been excited that Grindr had created a trust in the gay community and set up a service that reminds users to get tested for HIV. He predicted the breach would be a setback.
“People are going to think twice before sharing that information again with these websites,” he said.
The news of Grindr sharing sensitive data comes on the heels of Congress’ plans to grill Facebook founder and Chief Executive Mark Zuckerberg about a data breach involving 50 million of the social-media site’s users.
Zuckerberg agreed to answer questions on how Cambridge Analytica — a British consulting firm hired by President Trump’s campaign to craft its digital media strategy during the 2016 election — harvested that data.
With Stephen Rex Brown
