The popular gay hookup app Grindr said late on Monday that it would stop sharing information about its users' HIV status with third-party analytics companies.
The announcement came after BuzzFeed News revealed that Grindr had been securely providing two companies — Apptimize and Localytics, commonly used services to help optimize apps — with some of the information that Grindr users include in their profiles, including HIV status and "last tested date."
The company decided to stop sharing the information with Localytics "based on the reaction — a misunderstanding of technology — to allay people's fears," chief security officer Bryce Case told BuzzFeed News. It will happen when the app's next update is released, he said.
Still, Case defended Grindr's decision to share the data, arguing that Apptimize and Localytics are simply tools to help apps like Grindr function better, and that the information was not shared to make money or for other nefarious purposes.
Case stressed that the HIV data had only been shared with Apptimize as part of Grindr's standard rollout procedure for new features on the app. In this case, it was part of a new opt-in feature that would allow users to be reminded to get tested for HIV. The company stopped sharing the information with the third party when the feature was rolled out last week, Case said.
The second company, Localytics, is "a software program that we use to analyze our own behavior," Case said. "It's being conflated with Cambridge Analytica. This is just something we use for internal tooling," he said. "I will not admit fault in the regard that the data was used."
As to whether the company would retroactively delete the data that was being shared with Localytics, Case said, "I don't have an answer for you at this time. It is something we can look into."
But some security experts say that this argument about whether the data was being sold to a third party for nefarious purposes or not misses the point: that HIV data is highly sensitive, and that sharing it with any outside companies is a move away from the security of its users.
"There was no reason for them to be storing that data with these analytics companies in the first place," Cooper Quintin, senior staff technologist and security researcher at the Electronic Frontier Foundation, told BuzzFeed News. "Grindr should be taking extra steps to secure this sort of very personal data."
The company came under fire after a Norwegian nonprofit called SINTEF first revealed that the HIV information is sent together with users’ GPS data, phone ID, and email. (SINTEF was commissioned to produce the report by Swedish public broadcaster SVT, which first publicized the findings.) BuzzFeed News later replicated its results and verified the information with outside cybersecurity experts.
The company first released a statement early Monday afternoon defending its decision to share the information with the third parties, stating that "the inclusion of HIV status information within our platform is always regarded carefully with our users’ privacy in mind," and that the company, like any other mobile app company, "must operate with industry standard practices."
Hours later, Case said that it would stop sharing the information with third parties. The news was first reported by Axios.