In late March 2019, the US found that Chinese ownership of the popular gay dating app Grindr is a threat to national security after the Committee on Foreign Investment in the United States (CFIUS) had been scrutinizing the deal between Kunlun (Chinese gaming company) and Grindr.NBC News were told that CFIUS had begun investigating after unease about the security of sensitive data held by the company in 2016 after Kunlun had paid $98.6 million (USD) for a 60% controlling stake in Grindr. Ownership of Grindr includes select personal information of its users, including their HIV status and geo-location. As of early April Kunlun was in talks with US authorities about whether it should sell the app.

There have been calls in the UK for the British government to also investigate. Queer News teamed up with CanQueer to find out if Canada also considers Grindr to be a threat to national security. In short, the Canadian Department of National Defence (DND) told CanQueer “There is no policy preventing CAF members accessing these sites while off-duty, and the applications themselves are not considered to be a DND/CAF Security Risk.”

The US has become increasingly concerned with data security in recent years. For example, the CFIUS ruled in 2018 against a merger between MoneyGram and the Chinese firm Ant Financial, reportedly over data privacy concerns. The use of mobile applications by serving military personnel in the US also triggered embarrassment for the US in January 2018 when the popular running and cycling app Strava published its popular visualisation maps showing the aggregate travel maps of its users. This visualisation revealed the location and staffing of top secret overseas US basis. CanQueer was informed by the DND that they do not share concern on this issue as Canada does not have secret basis.

In speaking with CanQueer, the DND clarified their policy on the use of mobile apps by serving members of the Canadian Armed Forces (CAF).  They noted that

“given Operations Security (OPSEC) is paramount to the CAF, there are directives from Canadian Joint Operations Command that provide direction, guidance and information to deployed (on missions, basically) commanders, commanding officers and their military and civilian staffs on the effective and safe use of social media and associated devices. These directives include, for instance, a requirement that automatic geolocation be disabled on personal devices and that metadata pertaining to specific location and time be stripped from online posts.  We are confident our existing measures and pre-deployment briefings will continue to provide our personnel with the tools they need to keep themselves and their operation safe.”

Grindr operates by sorting other users by distance, which relies on the use of a smart phone’s geolocator, and this geolocation has been the leading data privacy issue that has plagued the company. Before Kunlun bought the company in 2016 Grindr had privacy issues revealed as early as 2013 in the Application Security Audit conducted by the University of Amsterdam. The US cyber security company Synack had began looking into Grindr after the 2013 revelation that Tinder was sending the latitude and longitude information directly to the user’s iOS client. This made it possible to query the Tinder API, gather that information, and reveal their location. Tinder made changes to fix that issue. When Syntak turned their attention to Grindr they found that the data passing between the Grindr app and their servers included location data noted in kilometres, which translated into centimetre-level location accuracy which was transmitted regardless of whether or not a user had chosen to disclose location (it would not be shown in the app). They noted that although Grindr wasn’t revealing the exact location, it was possible to triangulate an exact location with an accuracy of less than 1 foot if queries were made from mulitple locations.

It is worth noting that in 2014, the French national news agency France 24 reported that LGBT activists in Egypt has been warning that Egyptian authorities has been using GPS location apps such as Grindr to locate gays and lesbians in Egypt.

Four months after Kunlun bought into Grindr, Wired reported that the same issue was still apparent and it still remained possible to find the exact location of Grindr users. Wired additionally reported on research by Nguyen Phong Hoang from Kyoto University, who was able to determine exact locations on the app by using trilateration – a method of determining the relative positions of three or more points by treating these points as vertices of a triangle or triangles of which the angles and sides can be measured. Huang summarized his research to Wired; “You draw six circles, and the intersection of those six circles will be the location of the targeted person”.  At the time of this second security breach, Grindr reported in its marketing materials that there were over 280,000 users in Canada.

In 2018 Grindr faced a new series of revelations about its data privacy. The first issue arose with the release of a website called ‘C*ckblocked’ (actual name). This website invited users to login with their Grindr account information and the website revealed who had blocked them. The team at CanQueer reported on it and tested the website at the time. The website’s creator Trever Faden used a similar security loophole for Grindr that had been used in other research which had allowed Cambridge Analytica to gather detailed information of 50 million Facebook users. Faden notified Grindr of this issue at the time. Faden told NBC News that without much skill one could find the exact location of users, and independent cyber security experts confirmed this was the case. Within weeks Grindr closed the loophole that allowed C*ckblocked to function, and the website is still up though no longer functions as described.

However, within the month Grindr faced backlash for providing third party applications with access to their users’ data. Buzzfeed News reported in early April that Grindr was giving data access to Apptimize and Localytics (services for app optimization and testing) which included HIV information in conjunction with location data and email addresses. This leak was first identified by the Norwegian nonprofit SINTEF. Within a week Grindr announced it would stop sharing HIV information with other companies.

Hoping to move out of the shadow of its data breaches in 2018, Grindr again faced media scrutiny after a blog on Queer Europe revealed that by again using trilateration the app ‘Fuckr’ was able to locate users. The writer SP noted;

“With the use of trilateration, I was able to locate users with a deviation of five to ten meters. But it was also possible to locate users even more accurately, by comparing the outcomes of several trilateration sessions. By doing so, and within a few seconds, I was able to locate cruising men with an accuracy of two to five meters, which is very precise, and accurate enough to determine in which house and room users are located. The reason why these locations can be determined so precisely, is that Grindr uses a geohash4 of 12 characters to locate users, which equals to a ‘square on an atlas‘ of 37×18 centimeters.” [emphasis added]

Fuckr had been using an unauthorized API found on GitHub. GitHub immediately removed the data, which rendered the app unusable. Queer News tested a download of Fuckr and was not able to connect to any information.

The Canadian Department of Defence told CanQueer “Security briefings are provided to all DND/CAF personnel, to help them navigate the potential risks of personnel internet and social media use, understand their security responsibilities and how to ensure they are protected by adequate security measures“. The Operational Security directives issued, which include the disabling of automatic geolocation, follows the advice provided by cyber security experts about the Grindr leaks.

The Canadian government, unlike the US does, not consider Grindr to be a national security risk, stating that they are “[…] confident our existing measures and pre-deployment briefings will continue to provide our personnel with the tools they need to keep themselves and their operation safe”.