Popular dating apps introduce tighter data security measures in response to KU Leuven research
Dating apps have become an essential tool for people who are looking for a date or partner. When users create a profile, they enter a lot of personal data which they share with people who are still strangers at that point. Apps often give an indication of your location or the distance between you and your potential match. Some information you share intentionally. But other data you share without wanting to. This data can often easily be uncovered by someone with bad intentions and some knowledge of IT. Researchers from KU Leuven’s DistriNet research unit examined the fifteen most popular location-based dating apps (LBD). They discovered various safety risks, including leaks of sensitive data and exact user locations. They presented their findings to the app developers and most of them have made efforts towards better user data protection.
Location-based dating apps (LBD) allow users to get to know more people in their area. Users can scroll or swipe through profiles, and, based on the personal data people share, decide whether they want to get to know the person behind the profile. Users share a lot of personal and sensitive information with the app to allow the algorithm to predict good matches. But how safe is your personal data on the app? And are you always aware of what you share with others?
The personal and sensitive data we were able to uncover using simple methods are seen as very valuable by people with bad intentions.
Victor Le Pochat, computer scientist at KU Leuven
The KU Leuven research team selected the fifteen most downloaded LBD apps in the Google Play Store and examined them. This includes apps like Tinder, Badoo, Grindr, Bumble... The researchers analysed the data that users share based on three categories: personal data (name, age, nationality, phone number, place of residence...), sensitive data (political view, religion, alcohol use, sexual orientation...), and app usage data (time of last use, received likes, which type of relationship you are looking for...).
Some of this data is visible in the apps (sometimes even mandatory), some should always remain invisible, and for other information, you decide whether to share it or not. Users are assumed to know they are sharing this data. But the apps are linked to the internet, and in this internet traffic, a lot more data is shared than most users realise.
All apps leak data
’We have intensively studied the internet traffic of the apps,’ says researcher Karel Dhondt. ’First, we uncovered the data from other users that the apps receive from the servers, something that was not all that hard to do for someone with a bit of computer knowledge. In the second stage, we actively adapted that data traffic to see whether it would reveal more information. We had a well-considered approach: we only used the built-in functionalities of the apps, so we did not hack the servers, and we only used profiles that we created ourselves, so we would not uncover data from real users.’
The results of the study were clear: all’apps leaked personal and sensitive user data.
- The internet traffic of all’apps leaked usage data and sensitive data like gender and sexual orientation.
- By making changes to the data traffic, the researchers could even see users’ age and gender preferences.
- Six out of fifteen of the most popular LBD apps also leaked detailed location data that allowed the researchers to find a user’s almost exact location.
- There is a great difference in the number of fields you can fill in in the different apps. The apps included in the study had between 9 and 23 information fields to fill in, up to half of these being sensitive data fields. A higher number of fields led to a higher risk of leaks.
- The most popular app, Tinder, asks for a relatively small amount of personal data and protects the user location data well. This shows that an app doesn’t have to ask for a lot of data in order to be popular.
’There are real risks,’ says researcher Victor Le Pochat. ’The personal and sensitive data we were able to uncover using simple methods are seen as very valuable by people with bad intentions. These might be people from your neighbourhood or complete strangers. Uncovering personal data can make users vulnerable to online manipulation through phishing or identity theft. If you combine this with sensitive data like sexual orientation and someone’s location, this can result in risks of physical danger, like stalking or assault or even state persecution, which already occurred in Egypt for LGBTQ users.’
The researchers found that the privacy policy that users have to accept do not inform users about these risks enough and place final responsibility on the users. The researchers call for the apps to hide all profile data as a standard setting, so users have to make a conscious choice about what they want others to see. They have shared the results of their research with the app makers and most of them quickly made the necessary adaptations to stop these leaks, including the leak of exact user locations.
Time for a date with your data
Even if most apps have now made the necessary adaptations, this research shows again that you should be very cautious with your personal and sensitive data. The researchers share three tips:
- Be conscious about what you share. What you can see on other users’ profiles is what they can also see on yours. Do not share unnecessary information that can be sensitive, like your employer or political view.
- Do not put too much faith in the dating apps’ settings for hiding data for others. Everything you share with a dating app is saved to their servers and can, knowingly or unknowingly, be shared with others, now or in the future.
- Use your smartphone’s built-in settings to protect your location data. Consider sharing only an estimated location, and adjust the settings of your phone so that you have to give permission to share your location every time you open a dating app.