In March of this year, German reporter Judith Duportail acted on her rights, thanks to the European Union’s data protection directive (DPD), to request a copy of all personal data captured by the Tinder dating service over a span of nearly four years. The result may not surprise anybody familiar with how much data free online services gather about their users, but it may be the most vivid personal identifier (PID) disclosure yet from the popular dating app.
Duportail’s frank article at the Guardian makes no bones about her dating history over the past few years. That detail is provided in part to describe just how much sensitive information appeared in the massive 800-page report that Tinder sent her.
Much of the data came from Tinder itself, including complete message histories and geolocation data for every interaction on the app, while other data was sourced from linked accounts at Facebook and Instagram. Duportail does not go into granular detail about which parts of her Facebook and Instagram profiles were included, but she says Tinder tracked all of her Facebook “likes” and stored her Instagram photos even after she had de-linked that photo-sharing account from her Tinder profile.
Data researcher and PersonalData.io co-founder Paul-Olivier Dehaye took to his Twitter account to confirm that the process of retrieving Duportail’s data from Tinder was exhaustive. “It took real involvement of one data protection activist (me) and a human rights lawyer for them to answer,” Dehaye wrote. “Two [data protection directive] complaints, dozens of e-mails, months of waiting. Far from easy!”
I had two friends sending the same exact e-mail to request access but not identified as journalists on social media, they never got a reply — Judith Duportail (@judithduportail) September 26, 2017
Duportail responded to Dehaye’s tweet by saying that Tinder chose not to reply to other journalists’ DPD requests. She blamed that partially on the other requesters outing their roles as journalists on their social media profiles.
Tuesday’s data dump included over 1,700 messages sent and received by Duportail, which she points out before mentioning Tinder’s formerly casual terms of service attitude about such messaging: “You should not expect that your personal information, chats, or other communications will always remain secure.” (Tinder has since updated its TOS to remove that statement, along with statements about PID being used for the sake of “targeted advertising,” but those phrases were in the TOS up until March of this year.) She expressed concerns over exactly how secure that data is, either in the face of a security breach or in the event of Tinder ever being sold.
When Duportail asked Tinder why the service needed access to so much of its users’ personally identifying information, a Tinder representative told her it was used “to personalize the experience for each of our users around the world… Our matching tools are dynamic and consider various factors when displaying potential matches in order to personalize the experience for each of our users.” Tinder did not answer her follow-up questions on exactly how those tools apply data to finding each user’s potential matches on the service.
Source: Ars Technica