At a glance.
- Grindr data for sale.
- Mental health apps may be leaky.
- Student financial aid data inadvertently shared with Facebook.
- Data breach shutters healthcare startup.
Grindr user data being peddled on dark web.
The Wall Street Journal reports that location-tracking data from Grindr, one of the world’s largest dating and social networking apps for gay, bi, trans, and queer people, has been on sale on the dark web since at least 2017. The data was collected from a digital advertising network, and though Grindr stopped sharing user location data with such networks two years ago, it appears that historical data is still floating around on underground marketplaces. Patrick Lenihan, a spokesman for Grindr, stated, “Since early 2020, Grindr has shared less information with ad partners than any of the big tech platforms and most of our competitors. The activities that have been described would not be possible with Grindr’s current privacy practices, which we’ve had in place for two years.” Though the exposed data doesn’t include personally identifiable information, details about users’ locations could be used to determine a user’s home address, workplace, and even romantic encounters. The reports are further evidence that dating app data is seen as a hot commodity to hackers, a fact that US national security experts demonstrated in a recent presentation warning about the intelligence risks posed by commercially available information. Furthermore, being a member of the queer community is still considered illegal in certain parts of the world, and although Grindr says it doesn’t serve ads in areas where being gay is a crime, details about a user’s romantic life can still be damaging even in the US, as evidenced by the case of an American Catholic official outed last year as a Grindr user.
“Privacy not included” in mental health apps.
New data from the researchers at Mozilla show that, compared to other mobile apps, mental health apps are the worst when it comes to user privacy protections, with prayer apps a close runner-up. Jen Caltrider, lead on Mozilla’s “Privacy Not Included” guide, told the Verge, “The vast majority of mental health and prayer apps are exceptionally creepy. They track, share, and capitalize on users’ most intimate personal thoughts and feelings, like moods, mental state, and biometric data.” The guide found twenty-nine of the thirty-two mental health and prayer apps analyzed were allowing weak passwords, sharing data with third parties like advertisers, and in some cases even collecting chat transcripts. Mental health apps like Better Help, one of the worst offenders, connect users with mental health professionals and facilitate treatment. Youper, Woebot, Better Stop Suicide, Pray.com, and Talkspace rounded out the list, especially troubling given the sensitive nature of the data the apps collect. Mozilla researcher Misha Rykov described such apps as wolves in sheep’s clothing: “They operate like data-sucking machines with a mental health app veneer.”
Student financial aid data inadvertently shared with Facebook.
Investigators at the Markup have discovered that the personal data of millions of US students applying for college financial aid was automatically shared with Facebook via code embedded in the Free Application for Federal Student Aid (FAFSA) website. A spokesperson for the Department of Education at first denied the claims, but Federal Student Aid (FSA) chief operating officer Richard Cordray issued a follow-up admitting that as part of a March advertising campaign the agency changed its tracking settings, inadvertently allowing “some StudentAid.gov user information that falls outside of FSA’s normal collection efforts, such as a user’s first and last name, to be tracked.” Cordray added that the automatically anonymized data was not used by FSA or Facebook, and the embedded code was deactivated after the campaign ended. However, the Markup’s investigation shows that the data was being sent to Facebook from as early as January 2022. The code in question, Meta’s Pixel, is an online visitor tracker used for advertising purposes on many websites. Meta spokesperson Alisha Swinteck stated, “We are in touch with [studentaid.gov] to ensure proper implementation of our tools. It’s also worth noting that Meta continues to proactively educate advertisers in sensitive verticals on how to properly set-up our business tools.”
Healthcare startup folds after data breach.
Healthcare startup myNurse is shutting down following a March data breach, TechCrunch reports. The company, which provides chronic care management and remote patient monitoring services, says an unauthorized individual accessed the company’s protected health data including patient demographic, health, and financial information. myNurse says the decision to shut down is unrelated to the breach, but failed to disclose another reason for the closure. Co-founder and chief executive Waleed Mohsen said only that the company is considering “how best to adjust our business model amid a changing healthcare landscape.”