Dating apps are now as much a part of modern courtship as going to the movies or buying flowers. But dating apps like Tinder, Grindr, or Bumble, present significant privacy risks. This Valentine’s Day, take some time to protect your privacy on dating apps.
Online dating is a privacy nightmare because it’s a Catch-22. You are obviously looking to entice someone and therefore want to create a level of intimacy, but you are speaking with someone you have never met. It requires a delicate dance of revealing enough information about yourself to beguile without sharing too much. And you need to accept information from people on the other end of your conversation, hoping they are acting in good faith.
Scammers know this. They have begun hacking these apps or using social engineering to access people’s most sensitive photos or to trick people into sending payments. According to the US Federal Trade Commission, romance scams have been increasing steadily, and over $547 million was lost to these scams in 2021.
Beyond scammers, many of these dating apps use the data you give them to target you with ads. When you consider that hundreds of millions of people use dating apps around the world to meet new people, there is a lot of data to be mined. Furthermore, many dating apps have been less-than-responsible stewards of the data entrusted to them.
But don’t give up on love! (It is Valentine’s Day, after all.) There are ways to limit your exposure online.
What data do dating apps have?
Most dating apps use the data they collect from you to target you with ads. That’s how they can continue operating while offering their service for free. (It’s also why you often can get access to stronger privacy controls if you pay for a subscription to a dating app.)
When you consider the types of sensitive information many of these apps require you to share when you create an account, this data collection can be concerning. As an example, before you can use Tinder, you must share:
- Your phone number or Google or Apple account
- Your first name
- Your date of birth
- Two photos of you
- Your location by turning on location tracking on your phone
- Your sexual orientation
And nearly all dating apps encourage you to share more information, from your place of work to your favorite hobbies to your ethnicity. They also monitor any activity in their app, including swipes and conversations. Obviously, a dating app can use any information you share with it to target you with ads.
Many dating websites also contain dozens of trackers. Ghostery found that Match Group dating services (including Match.com, Tinder, and OkCupid) had up to 36 trackers on their websites, including trackers from Facebook and Google.
Dating app data breaches
Most dating apps are still relatively new. Tinder launched in 2012, yet it has already suffered several data breaches and has been caught improperly sharing user data. This is sadly the norm among dating apps, which is important to keep in mind as you decide what personal data to divulge in these apps.
Back in 2013, cybersecurity experts discovered trileration attacks ((similar to triangulation) that Tinder allowed third parties to discover users’ exact location, down to within a few hundred feet. Tinder resolved the issue by only specifying their users’ location in increments of miles, making the location data much less precise. In 2014, experts found the same flaw in Grindr. Grindr claimed to have resolved the issue, but in 2016, researchers in Japan could still determine Grindr users’ location. Then, in 2018, another security expert discovered the location of Grindr users, including ones that had opted out of letting Grindr share their location data.
A report by Kaspersky in 2017 examined several dating apps, including Tinder, Bumble, and OkCupid, and found that nearly all the Android versions of these apps stored sensitive data on the Android device without proper protection. Hackers could use Facebook authorization tokens to gain full access to your account. Once a hacker had this access, they could view all the messages sent and received through these dating devices.
In January 2018, the cybersecurity firm Checkmarx discovered that Tinder did not use HTTPS encryption to secure the photos on its iOS or Android apps. If hackers connected to the same WiFi network as a Tinder user, they could see the same photos that user was viewing, whether they swiped right or left, and even insert pictures into that user’s queue. Tinder has since added HTTPS encryption to all its services.
In April 2019, the Norwegian Consumer Council (NCC) filed a complaint after discovering that Grindr was sharing its users’ HIV status with third parties without consent. Grindr has since announced it would stop sharing its users’ health information with third parties.
The NCC filed another complaint in 2020 after it found that Grindr, Tinder, and OkCupid were sharing data unexpectedly with ad networks and other third parties. This information included users’ ages, genders, GPS location, IP address, and details about their device.
In January 2021, the dating website MeetMindful.com suffered a data breach that exposed the details of all of its nearly 2.3 million users. The breach exposed geolocation data, full names, email addresses, Facebook IDs, Facebook authentication tokens, and more. Later that year, an engineer discovered that Bumble allowed a trilateration attack (similar to the one that affected Tinder) that could expose a user’s exact location.
In 2022, “anti-vax dating” site Uninjected left its entire unencrypted database exposed, and in April 2023, Have I Been Pwned? founder and maintainer, Troy Hunt, reported data breaches affecting two dating websites – CityJerks and TruckerSucker – that exposed highly personal information about their users.
Just days later, a federal judge ordered that a class action against Bumble be sent to arbitration, following complaints that Bumble harvests a huge amount of sensitive data from its users. It does this without their knowledge or consent, and shares it with third parties such as Facebook and Instagram. The plaintiffs argued that the case was “even more egregious,” due to a massive data breach in 2020 that potentially affected some 95 million Bumble users.
And if you like to be spooked, Hulu is now (2024) streaming a three-part documentary about the infamous dating site for cheaters, Ashley Madison, that was devastatingly hacked in 2015 and where personal details of more than 2,500 unfaithful (or would-be unfaithful) users were published online.
The majority of these system-level vulnerabilities have been resolved, but they speak to a culture of playing fast and loose with people’s personal data. Fortunately, there are things you can do yourself to patch up potential security failures in the dating apps you use.
How to protect your privacy on dating apps
- Use a strong, unique password and two-factor authentication if it’s available. Proton Pass can generate strong passwords for you, and can also generate secure 2FA codes.
- Beware of links, and especially links using shortened URLs. Hackers will try to lure you away from the dating app to sites where they can more easily harvest your data. This is one of the most common Tinder scams. Rest your cursor over any link before you click it, or copy and paste the link into https://www.checkshorturl.com/.
- Only ever access your dating app on a secure WiFi network. An even better option is to protect the internet connection of your dating app with a trustworthy VPN. This will add an extra layer of security to the app’s encryption.
- Consider subscribing to a paid plan. Many dating apps give you additional privacy options, like turning off location tracking or hiding your account, if you subscribe to a paid plan.
Privacy and social engineering
- Never share your full name, address, or place of work in your profile. Tinder, Bumble, and Happn all allow users to add information about their jobs and education. With just this information and a first name, Kaspersky researchers matched a dating app profile to a LinkedIn or Facebook account 60% of the time.
- Use a VPN to block dating app trackers and trilateration attacks. Nearly every dating website and app contain trackers that can follow you around the internet. Proton VPN’s NetShield Ad-Blocker stops trackers from even loading, speeding up your internet connection. And, unlike other ad blockers, it can protect block trackers in apps, not just in your browser.
- Choose your profile pictures carefully. A lot of information can often be gleaned from what is in the background of a photo, information that could be used to identify you. Also, remember that if you use a photo from one of your social media accounts, a reverse image search could link your dating profile to that account.
- Do not link your dating app account to other accounts, like Facebook, Twitter, Instagram, etc. This makes it easy for hackers to connect your social media profile to your online dating one. It also would expose your data if Facebook were to suffer a data breach.
- Don’t use your everyday email for your dating app or to contact new matches. Instead, use an alias or a private email just for that specific app or relationship.
- Always disable location-sharing features.
- Give a temporary phone number to your matches. You can use services like Phoner or Burner that give you temporary phone numbers that last a couple of weeks for free or for a small fee. Since they are temporary, it is hard to use such a phone number on your dating app account, but it could give you some time to meet your matches in real life before you trust them with your phone number.
- Try reverse image searching your match’s profile picture if something feels off. If your search finds the photo is from a modeling agency or a foreign celebrity, you are likely looking at a fake account.
- Avoid sharing specific information that could identify you. Eventually, you will have to share information about yourself. After all, you are trying to convince someone that you are interesting enough to meet. Try to talk more about your interests, ambitions, and preferences. More “I love pizza” than “My favorite pizza restaurant is on the corner of Main St. and 2nd Ave.” Never be afraid to say “no” if someone asks you for personal information that you’re not yet comfortable sharing.
- Avoid sending photos to people you do not know. Photos can contain metadata about when and where the photo was taken. If you must share a photo, be sure to remove its metadata first.
- Beware of chatting with bots. Online bots are getting harder and harder to detect, but one test you can try is to work gibberish into a phrase, like “I love a;lkjasdllkjf,” and see if the bot repeats the non-word or transitions into a non-sequitur question. (If it’s a human, you can always cover by saying your phone slipped.)
- If someone asks you over a dating app to send them money, your answer should always be “No” unless you want to show up on the next version of The Tinder Swindler.
- Do not immediately friend your matches on Facebook. Once someone has access to your Facebook account, they can see your friend and family network along with your past activity and location. Wait until you have been dating for a month or two before friending them. (Or, more ideally, quit Facebook.)
- Arrange to meet in a public area and let a friend know that you are going. You should also choose to meet in a neutral place, not the restaurant or cafe you go to every week.
Don’t let this advice scare you off of dating apps! They can be fun, and they’ve helped millions of people find dates, hookups, friends, and partners. Just try not to let Cupid’s arrow lull you into a false sense of security, and always keep in mind that this person who seems too good to be true just might be.
Happy Valentine’s Day!