App Security Flaws Could Create Added Risks for LGBTQI Communities

This article was initially published on the Open internet global blog.

The struggle of the LGBTQI community against invisibility, and for the recognition of their human rights is a long-standing one, and it has found a new face in the online world. Human rights defenders, LGBTQI organizations and activists conduct activities, disseminate information, and promote opinions through social networks and other various channels enabled by the internet.

However, the very nature of the internet means that many times, as happens in the streets, there are situations of violence – from both the internet and society – which can negatively impact the online freedom of the LGBTQI community, as well as other vulnerable and marginalized groups. Policies and practices that restrict these voices – whether intentional or not – threaten to undermine the democratic nature of the internet.

One issue of rising concern among the LGBTQI community is linked to the way in which community members interact with social networking platforms specifically designed for them, such as Grindr. While ostensibly a platform for enabling freedom of expression and association among members of a vulnerable community, users of Grindr and other similar platforms may ultimately find themselves at greater physical risk if the platform’s owners fail to adequately address the diverse legal, political, and cultural environments of their users, or put in place critical data privacy and protection standards.

Security concerns

Launched in 2009 in the U.S., Grindr is a dating app that claims it has “over three million daily active users in every country in the world.” On average, Grindr users spend 54 minutes a day engaging with the app, with a global daily circulation of 228 million messages and 20 million photographs. As a result, large amounts of personal information from and about a very specific and often vulnerable community flow through the app’s infrastructure.

A central part of Grindr’s operating model is connecting people who are located in a nearby grid. It is up to each user to enable or disable the function that makes visible the exact number of meters they are away from other users, but the mere fact of being visible in a certain area is unavoidably associated with proximity.

In 2016, 60% of the company was acquired by the Chinese consortium, Beijing Kunlun Tech Company. At the beginning of 2018, the same consortium acquired the remaining percentage to become Grindr’s sole owner. This acquisition could have serious implications for user security.

First, Grindr is a service targeted at members of historically marginalized and vulnerable groups in most countries of the world. Even with the recent progress made in the empowerment of the LGBTQI community, the reality is that there is still a long way to go in many of the 192 countries in which Grindr operates. Consequently, the total acquisition of Grindr by a Chinese consortium raises justifiable concerns within the LGBTQI community about whether a corporate entity without a known history of engagement with marginalized groups would be particularly careful or empathetic with those considerations.

Additionally, even though Grindr claims that users shouldn’t be worried about their personal data and privacy, there are unanswered questions related to data transfers to the new company headquarters in China, and the fact that laws in China are very permissive in terms of allowing the government to access online activities in the name of security. Lastly, linkages could be made to the controversial social credit score system in China and the potential for cross-referencing data with other aspects of a citizen’s online activity, like Grindr usage. Such dystopian scenarios must be considered as part of a broader analysis of initiatives driven by both the public and private sectors.

Privacy by mistake?

The fight for privacy is a long-standing one. In global south countries, where internet penetration levels have typically lagged behind, there is often a corresponding lack of understanding of the nuances, vulnerabilities and exposures that new technologies can bring into people’s lives. For LGBTQI communities in particular, failure to recognize the link between online behavior and data privacy can lead to negative consequences [1]. In Grindr’s specific case, since 2014 there have been a number of problems and complaints raised by specialists related to the risks of using the platform.

One of the most recent cases with global repercussions involved a security failure related to the geolocation of users who had chosen to disconnect this functionality from their profiles. Through a website created by Trever Faden, Grindr users could access information about other profiles that had blocked them and, in turn, Faden could access a lot of additional user data, such as unread messages, emails, deleted photos and the geolocation even of users who had disabled this function. Faden himself noted, “one could, without too much difficulty or even huge amount of technological skill, easily pinpoint a user’s exact location.”

Additionally, last February Grindr became the target of anger from its users and found itself under media scrutiny after an independent investigation by the Norwegian organization, SINTEF, showed that the company was sharing user information with third parties, including information about the HIV status of users who had provided such information in their profile.

Such security breaches reflect concerns about the way Grindr was both initially designed and is currently managed. The ease with which users’ personal data became public demonstrates that concepts such as privacy by design do not appear to have been taken into account from the beginning. The repeated nature of the incidents leads to questions about the diversity of developers and project managers working on products and platforms that cater to vulnerable or at-risk communities – are they fully aware of the potential risks and consequences that their users might face? Furthermore, as long as the content of the internet continues to be driven by western, wealthy countries, huge gaps in user needs will continue to exist, especially to the detriment of those who live outside those criteria, such as representatives of vulnerable communities in the global south. In the case of Grindr, what steps have been taken to ensure that the fights, rights, and fears of the LGBTQI community have been taken into account?

Digital identity can be a death sentence

The idea that there is a disassociation between the offline and online worlds is out of date; our digital identity and our online habits are indisputably associated with our notion of personality and identity. In some cases, our online behavior shows much more than most people can perceive about us, and what we actually choose to show to the rest.

There are contexts where that identity can generate a series of problems that vary in severity and consequence, and that nevertheless have the cross-cutting effect of discrimination, marginalization, and maybe even death. In regions as varied as the Middle East, Africa and Latin America, where homosexuality continues to be taboo or even illegal, apps such as Grindr have fundamentally changed the ways in which the LGBTQI community interacts and meets. It is of the utmost importance that platforms such as Grindr – and the private sector at large – take a leading role in protecting their users’ online behavior with the highest security standards they can offer. They should be held accountable for this.

It is with this in mind that many people celebrated the alliance between Grindr and Article 19 to protect LGBTQI communities in Egypt, Iran and Lebanon, members of which are suffering from police harassment, torture and also the loss of their freedom. The collaboration with Article 19 led to the implementation of a series of changes in the application to protect users in the Middle East, the Gulf and North Africa, areas known to be problematic for the LGBTQI community. Specifically, security enhancements include the ability to change the appearance of the application, as well as for a user to set a password in order to open the application.

Security for the ones that can pay for it

Although we live in a reality where the marketplace determines the development of online products and services – as well as who has access to them – there should be safeguards in place when it comes to people’s safety. Latin America – despite important recent legal victories for the rights of the LGBTQI community, like marriage equality in Brazil, Argentina and Uruguay – is currently experiencing a regression associated with the rise to power of evangelical and Catholic fundamentalist groups. The victory of right-wing candidate Jair Bolsonaro in Brazil’s presidential elections is a further example of this movement, and must serve as a driving force for digital rights defenders to maintain the internet as a source of empowerment for vulnerable communities, and avoid its potential weaponization as a tool for the suppression of human rights.

The rise of these political forces threatens to reverse advancements in equal rights made by the LGBTQI community, putting its members further at risk of persecution, and jeopardizing the democratic participation of all citizens. Against such a backdrop, a dating application for the gay community with an estimated 2015 revenue of $38 million USD has the capacity – as well as the obligation – to be at the forefront of protecting the community it serves.

The fact that Grindr has addressed concerns about users’ safety by enabling security features like the ones mentioned above must be widely celebrated and applauded. However, the ability to access and use these features differs depending on the location of the user. In Latin America, for example, these security features are only available to those who subscribe to a more enhanced version of the platform – a situation which puts economically disadvantaged users at a higher risk. Given that these security features were created in close alliance with human rights organizations, inequalities in accessing them bring about an ethical contradiction: why should services created to protect vulnerable communities in one region be monetized in others?

Paths towards an open and democratic internet for everyone

Applications such as Grindr have allowed for a reconfiguration of the way in which the LGBTQI community interacts and meets, providing new forms of “safe spaces” in which the community feels free to express itself as it really wants. This must be widely celebrated and further strengthened. Still, the dangers outlined above – prevalent not only in Grindr, but in other apps targeting the LGBTQI community as well – need to be more widely understood and addressed to ensure a better digital environment. Both platforms and governments bear a responsibility to ensure an online environment where users are able to express themselves without fear, assemble with those they wish, and know that their data and privacy are ensured by design.

Furthermore, regimes that use online behavioral habits – such as those in Grindr, or similar platforms – to punish or censor must be widely condemned by the international community, and technology companies must prioritize the safety of their users over profit. The same condemnation must happen with companies that commit abuses in the name of profit. Users as well bear a responsibility to understand their rights both on- and offline in order to protect what they already have and defend against actions taken to restrict these rights.

According to the Democratic Principles for an Open Internet, “all members of a society have an equal right to learn about, access, and use the internet.” The ongoing and willful jeopardization of user safety compromises the potential of an internet that enables participation of all users – and serves as a reminder that the vital advocacy carried out by civil society organizations, internet freedom activists and individual users still has a long way to go if the internet is to be truly open and safe to all.

Notes:

  1. There are other examples in regard to the importance of data protection in the digital world and the potential existing risks. The Cambridge Analytica scandals or the hacking of credit reporting company Equifax provide concrete examples of those risks, demonstrating direct consequences on people’s lives.