Grindr's privacy issues may extend beyond access to data with a login. BuzzFeed News and Norwegian non-profit SINTEF report that Grindr has been sharing its users' HIV statuses (including their last test date) with two app optimization companies, Apptimize and Localytics. As that data is attached to info like email addresses, GPS info and phone IDs, it's possible for an intruder to link specific people (beyond just their public profiles) to their health info.
SINTEF also found that Grindr was giving ad companies an extensive range of data that users might not want to share outside of the app, including their gay subculture, relationship status and precise GPS locations. Some of this info was shared in plain text, too, making it relatively easy to swipe.
We've asked Grindr for comment. In a statement to BuzzFeed, CTO Scott Chen said the company was following "standard practices" for sharing app data and that the company doesn't sell info to third parties. Apptimize and Localytics are under "strict contractual terms" that won't let them share data, Chen added.
The problem, however, isn't the trustworthiness of the companies -- it's that Grindr is putting sensitive information on servers it doesn't control. Users may be willing to make their HIV statuses public, but that doesn't mean they want to share those statuses with corporate partners, no matter how above-board those partners may be. Also, spreading that information to other companies increases the number of attack points for hackers. People are already anxious about data sharing in light of the Cambridge Analytica scandal, where the company collected Facebook friends' info without consent; they might not be pleased about sharing medical info with a wider circle than their would-be partners.
Update: In an interview with Axios, Grindr security chief Bryce Case said it has stopped sharing that information with third parties and disagreed with comparisons to its policy and the Cambridge Analytica situation.