This week, a Catholic Substack publication said it observed the movements of a priest through his use of the gay dating app Grindr. The publication then outed him without his consent, in a stark reminder that supposedly anonymized app location data can be used to identify and harass people.
This is a disturbing story that's only made worse by the fact that Grindr has been warned multiple times over the years that its security and privacy practices were not adequate.
"Grindr has been, will be, and forever continues to be warned about this. They obviously don't care," Matt Mitchell, a privacy and cybersecurity researcher, told Motherboard in an online chat. "The company should have done more from day one. I mean they launched with no business plan, just a cool idea. Seems from then to now, user cybersecurity, safety and privacy comes last."
In 2019, a security researcher at Pen Test Partners, a cybersecurity firm in the UK, showed that he was able to "precisely locate and track the users of four major dating apps," including Grindr.
"By supplying spoofed locations (latitude and longitude) it is possible to retrieve the distances to these profiles from multiple points, and then triangulate or trilaterate the data to return the precise location of that person," Alex Lomas, the Pen Test Partners researchers, wrote at the time.
Lomas said he was not surprised about what happened to the priest who was outed this week.
"I think we showed there were a lot of ways to deanonymize people from location data, so if you can obtain a device’s position over time it’s absolutely possible this could happen," he told Motherboard in an online chat.
Grindr did not immediately respond to a request for comment.
Do you know about any other privacy or security issues with Grindr or another dating app? We'd love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr or Wire at lorenzofb, or email firstname.lastname@example.org.
Lomas' was just the latest research highlighting Grindr's privacy issues. The previous year, LGBTQ+ blog Queer Europe warned of similar issues. And researchers had already found vulnerabilities in Grindr in 2016, when Japanese security researchers showed they could locate anyone on Grindr in just a few minutes. Their technique worked even if a Grindr user had turned off a feature that showed their distance to prospective partners.
At the time, the researchers were able to locate users by creating two fake accounts under their control, with spoofed geolocation. Then they adjusted those fake locations in a way that allowed them to essentially triangulate the position of any user.
"You draw six circles, and the intersection of those six circles will be the location of the targeted person," one of the researchers told Wired at the time.
The years go by, and people keep finding serious issues with Grindr. This week, those theoretical vulnerabilities have impacted a real person, forcing him to resign.
"No one should be doxxed and outed for adult consenting relationships, but Grindr never treated their own users with the respect they deserve," Zach Edwards, a researcher who has closely followed the supply chain of various sources of data, previously told Motherboard in an online chat for an article specifically on the priest example. "And the Grindr app has shared user data to dozens of ad tech and analytics vendors for years."