Grindr: A chronicle of negligence and irresponsibility.

Question

What is Grindr?

"Grindr is a geosocial networking application geared towards gay, bisexual, and bi-curious men. The app makes use of the device's geolocation, which allows users to locate other men within close proximity. This is accomplished through a user interface that displays a grid of representative pictures of men, arranged from nearest to farthest away. (...) The largest and most popular gay mobile app community in the world currently available in 192 countries."
(en.wikipedia.org)

Information

First information to Grindr

Grindr has been informed independently by different people about issues in their system that allow anyone to find out the exact position of their users.
Grindr has been informed several more times; sometimes they responded, most of the time they did not.
They have been aware of these issues since at least March and took no action.
how trilateration works

Feb/14
Message

Last information to Grindr

After Grindr had been repeatedly informed during the past six months, they received the last information before the whole story went public in early August. Locating users is still possible, no reaction.

early Aug/14
Information

Going public

I released technical documentation and a video demonstration of the location flaw, sent it to several news sites, and started a Twitter account.

16/Aug/14
Message

Sent out warnings

From the very beginning it has been clear that people in countries with anti-gay laws might be in danger. So I sent a warning to 100.000 users in those countries.
(Grindr fails at protecting privacy, and so do they at spam protection.)
First warning from Grindr

19/Aug/14
News

"Alleged Grindr Security Flaw Exposes Exact Location Data, Endangers Users"

NDTV published the first article.

20/Aug/14
News
Grindr

"We don’t view this as a security flaw"

The first official statement from Grindr arrived: It's not a bug, it's a feature!
So I created "GrindrMap" and made this "feature" available to anybody.
It allowed anyone to locate Grindr users and show them on a map.
Of course, I blurred all pictures and blacklisted more than 70 countries with anti-gay laws. Users from these countries have never been displayed on the public map.

23/Aug/14
News

"Grindr security glitch exposes gay users in Uganda, Russian Kremlin"

When americablog.com reported, we got in contact and I created a custom, uncensored map for them to point out the problem:
Map of Users in Kremlin
gay users in Uganda, Russian Kremlin

26/Aug/14
Map

500.000 localizations..

..of 150.000 unique Grindr users have been performed within the first 48h when the map went public. Each of them received a notification about what's going on and how to prevent being located again (turn "show distance" off).
how to disable distance-information

26/Aug/14
News

"Grindr smartphone app outs exact location of gays across Iran"

Map of Grindr Users in Iran
Grindr smartphone app outs exact location of gays across Iran (americablog.com)

27/Aug/14
Map

1.000.000 times..

..350.000 unique Grindr users have been localized by now.
second warning from Grindr

28/Aug/14
Twitter

29/Aug/2014
Grindr

Grindr sent out a message to all users:

Grindr warning
"More" links to a blogpost on their site.
(Too bad it's English only.)

29/Aug/2014
News

"Security Flaw In Gay Dating App Grindr Reveals Precise Location Of 90% Of Users"

Business Insider reports: Security Flaw In Gay Dating App Grindr Reveals Precise Location Of 90% Of Users

29/Aug/14
Information

More than two million times..

..600.000 unique Grindr users have been localized in total.
That's more than 10% of all active Grindr users.
world map of grindr users

31/Aug/14
News

"Egyptian Cops Using Grindr To Hunt Gays"

CairoScene.com reported Egyptian government spies are using dating apps, including Grindr, to catch gays.
Within four hours I was able to get that news article translated to Egyptian Arabic by some awesome Twitter users and sent it to all Egyptian Grindr users online that day.
It was time to act, so I contacted Apple and Google to step in; they promised to care, but did not take any visible action.

31/Aug/14
News

"you should consider your location to be a form of PII (personally identifiable information)"

nakedsecurity.sophos.com: Grindr app has privacy issues - who's surprised?

01/Sept/14
News

"Grindr gay smartphone app turns off distance option in face of privacy concerns"

americablog.com: "It would seem that Grindr may have finally started to get the message. Time will tell."
(Spoiler: It didn't take much time.)

01/Sept/14
News
Grindr
News

"If there was ever a better example of a "privatized, depoliticized gay culture," then I don't know what it is."

washingtonpost.com: "Grindr's locator "glitch" was a major fail. It revealed the company's lack of empathy for its gay users."

02/Sept/14
Question

What's next?

This whole story is about responsibility. If you run a business and work with sensitive data like geocoordinates of gay people around the world, including guys in countries like Iran where they get hanged for being gay, you have to care about their privacy. If someone reports these issues to you several times, you have to immediately shut down these location services and find a solution without risking anybody's life.

What Grindr did was absolutely irresponsible and I have no idea why their CEO Joel Simkhai took no action.
If Grindr was a European company, I would have probably taken legal steps to get their servers shut down within days.
This is no usual business where you just lose some ad revenue when something goes wrong.
Grindr exposed many people to a high risk and has been aware of it for months.
btw: It is still possible to find out the location of most of the Grindr users.

I'm sure there are more gay dating apps which face similar problems. I invested "some" hours of work making this issue public on Grindr.

Please be proactive: contact these app developers on your own and share the results.

Feel free to contact me via Twitter (@GrindrMap).

Information

gay dating apps compared

I created an overview of the top 20 gay dating apps on Android. This issue has been public for a month and none of the other developers has taken action so far. It is possible to map all of their users too.

17/Sept/14
Information

other developers fail too

Some weeks have elapsed and nearly every gay dating app still allows locating their users. Similar to GrindrMap, I'm going to publish maps for other apps too. Users in countries with anti-gay laws still face high risks; the app developers need to act.

5/Oct/14