Playing matchmaker comes with security implications users are not always aware of.
The spike in dating app downloads in the lead-up to Saint Valentine’s Day is a yearly occurrence. Now, a recent report released by the Bipartisan Policy Center, a think tank based in Washington DC, included these apps among the “top cyber risks to watch out for in 2023”.
Whenever Cupid’s holiday shoots its arrow into our lives, even the most diehard singles may want to resort to dating apps to look for their significant other. If living footloose and fancy-free no longer looks like an appealing option and you start venturing through the online dating jungle, it is advisable to take things slow, data security experts warn.
After the pandemic, romance fraud has been on the rise, with 55,000 people falling victim to dating scams in 2021 and $547 million lost, according to a report from the Federal Trade Commission. These figures underscore the need for more cybersecurity best practices.
Privacy and online dating: a match not made in heaven
Dating apps thrive on personal data and harvest them on a regular basis without sufficient awareness among users. Every swipe, match or personal message is monitored in order to optimize the user experience.
Both Tinder and Bumble have adopted a photo verification tool, which maps a person’s face through artificial intelligence, to counter episodes of catfishing and therefore verify users are who they claim they are. This is supposed to be a safety feature, but it entails even more collection of biometric data.
Article 9 of the General Data Protection Regulation (GDPR), which came into force in 2018, protects the processing of a special category of personal data, notably biometric data, and other sensitive information such as sexual orientation, political and religious beliefs.
But, if it is the individual concerned that discloses that information, “that doesn’t put any extra pressure on the company to treat that data differently than any other data,” says Gerard Ritsema van Eck, assistant professor and post-doc researcher in IT-law at the University of Groningen.
So, how do we protect our data?
The simple answer is “don’t use the apps,” says van Eck. Online dating cannot work without sharing personal information. The first step is acknowledging it and approaching these platforms less naively.
“Whenever you’re using an app, there’s an inherent risk because you have to be willing to be open about yourself to find people to match with,” says van Eck.
These companies’ privacy policies are deliberately murky about where and for how long they store user data. Tinder publicly declares it stores them for “as long as we need it for legitimate business purposes”. Despite stating that third-party sharing occurs only on limited grounds, it is not clear to what extent those data are shared with other entities belonging to parent company Match Group.
They certainly have the legal obligation to delete data when the account is shut down and the service discontinued. “Sometimes, it turns out they deleted only part of these data and maybe there is a backup copy in the database that still exists,” reveals van Eck.
Besides, the premium services and subscription-based model these apps rely on mean they also process and retain payment details like credit card numbers. “That kind of information they need to hold on to for a longer period of time for tax reasons,” points out van Eck.
Act of faith
Data leaks are always around the corner.
“When it comes to hacks, data leaks, and those kinds of stuff, you’re really at the mercy of the company storing your data. Tinder has to do the hard work of keeping it safe,” says van Eck, who’s also a member of the Data Protection Law Scholars Network.
However, even dating companies equipped with good security teams aren’t spared the possibility of cyber-attacks, due to the complexity of databases. The only thing the user can do is try to clean up after themselves when they no longer use an online service.
“The idea that perfect security exists is just not true. Every database can be breached at some point,” says van Eck.
Ironic paradox
The Groningen Observer has tried asking for further information on precautionary measures undertaken by these apps. “We encourage members to be vague and avoid providing personal details, such as where you work out or your address, as well as to never provide financial information to their matches,” says Blixa Jansen, spokesperson for Tinder and senior account manager at Edelman Amsterdam.
A principle that doesn’t apply to the app itself though.
“This is generally sound advice, but it completely ignores the fact that a dating app will probably know your address already, because it knows your location,” says van Eck, as he underlines the paradoxical irony of it.
Jansen reiterates it is important members are mindful of the dangers and encourages them “to take their time when moving conversations off the app. Nothing is more important on a dating site than people feeling like their personal information is protected.”
However, some might not consider displaying a social media handle on their Tinder profile dangerous. “I move conversations usually to Instagram, never to WhatsApp, before meeting someone: firstly, because I don’t want a stranger to have my number, but also to confirm (their identity) through social media,” says Janine (not her real name), a user who prefers to stay anonymous.
Earlier last year, a class action was filed in California against Bumble for “reckless handling of user data” in the wake of a 2020 breach, which exposed the accounts of 100 million users for at least eight months.
Among the charges against the company is unlawful data collection used to feed algorithms, enhance AI technologies, and improve profitability and overall market value. The unsettled lawsuit also points the finger at the app’s application program interface, which seems particularly vulnerable to these kinds of unfortunate incidents.