A recent KU Leuven-led study has revealed significant data privacy flaws in location-based dating apps, which could enable the profiling or tracking of their users, leading to higher vulnerability to identity theft, extortion, or even stalking and assault.
This large-scale study examined the fifteen most popular location-based dating apps and assessed the risks associated with their use. Through an analysis of the ease to create a fake or incomplete profile and the facility to retrieve personal data – whether intentionally made public or inadequately protected by the platform – from a test profile, the research found that the majority of these apps failed to sufficiently safeguard their users’ private and sensitive data.
These platforms indeed pose a complex challenge for data protection due to two inherent features: their reliance on user location data and the necessity for users to share personal information with other users prior to knowing them.
Methodology
The research differentiates between intended and unintended sharing of private data. It in fact adopts three levels of investigation:
- data voluntarily made public by the user;
- data retrievable (by an individual with no necessary technical sophistication) from the user interface; and
- data leaked by the Application Programming Interface (API) traffic, which requires more technical knowledge.
This demonstrates that location-based dating apps are vulnerable to various types of malicious individuals, not just the ‘typical hacker.’ In the same direction, this research is solely based on information retrieved in the built-in functionalities of the apps, without requiring server hacking, which would necessitate more acute technical knowledge.
The ease to see without being seen
The first finding of this research is that it tends to be too easy to create a fake account on dating apps (providing a valid e-mail address usually being sufficient), which exposes users to the risk of being observed without knowing it. This question is intricate as dating apps requiring more stringent security measures may not be a viable solution, as it would oblige users to share additional private and potentially sensitive data. The study has noted, however, that requiring a valid phone number would reduce the number of fake accounts. In the same vein, the possibility to remain anonymous on certain apps (for instance, by not having to upload a profile picture or by being able to hide a profile from other users) is also a source of concern for similar reasons.
The access to personal, sensitive and app usage data
The researchers next delved into the ease of access to personal data on these apps. In that respect, location-based dating apps are, of course, bound by legal principles and limited – to some extent – to the comfort of users in sharing their personal information. This study has revealed that apps, however, require user profiles to contain numerous elements of personal data such as first name, gender, age, etc. In addition, these apps leak information which users are most likely not aware of, such as data which a user cannot normally access unless they have provided the same information themselves. For instance, researchers were able to uncover the date of birth, gender, employment status, etc., of test users.
This study aims at raising awareness around the amount of data users share publicly – ranging from their name and age to their political views and sexual orientation – which may have severe consequences. However, the burden of precaution does not solely lay on users: the apps have made certain information mandatory (sometimes unless users have a premium subscription), and users may feel a ‘pressure to share,’ whether from other users or in the hope to build a significant relationship.
The finding is the same when it comes to sensitive data. In fact, while user interface requirements may reveal certain sensitive information, app traffic reveals data which all users should not be able to access, such as health data.
Likewise, app usage data (i.e. likes, recent activity, the type of relationship sought by the user, etc.) are partly revealed by the user interface itself, and more broadly through traffic leaks.
The ease to locate other users
These apps also aim to connect users located in proximity to each other. For that purpose, they reveal the distance between a user and a potential match. This, of course, is a particularly sensitive element of data, which dating apps attempt to protect by only making the distances between two users available instead of their respective locations. However, this research has shown that, for six of the apps, a technique called trilateration (i.e., deducing one’s location based on three different location measurements) would enable users to determine the (almost exact) location of another user for six of the apps.
Recommendations and conclusion
Overall, this study has indicated certain vulnerabilities in location-based dating apps and the potential risks they pose. These findings open the door to improvements on the part of both the user and the apps.
The authors of this study have reached out to all apps concerned, providing recommendations on how to enhance user data protection. Their advice is threefold:
- first, granting users greater control over the data they choose to share (namely by putting an end to default visibility and certain mandatory requirements for non-premium users);
- second, protecting their APIs and minimising data collection; and
- third, bearing in mind that any individual with malicious intent, not just the typical hacker, could easily retrieve and use data to their advantage.
In addition, it is in the best interest of dating platforms to further inform their users on this issue, through their privacy policies and terms of use.
Additionally, the research offers important advice to dating app users. They are essentially encouraged to be more mindful of what information they share on the app, even if it is not made publicly available on their profile, and to use built-in features of the app or their device to limit data exposure – for example, by manually providing their (approximate) location instead of allowing the app to automatically access it automatically. By following these recommendations, dating apps will become safer to use.
A recent KU Leuven-led study has revealed significant data privacy flaws in location-based dating apps, which could enable the profiling or tracking of their users, leading to higher vulnerability to identity theft, extortion, or even stalking and assault.
This large-scale study examined the fifteen most popular location-based dating apps and assessed the risks associated with their use. Through an analysis of the ease to create a fake or incomplete profile and the facility to retrieve personal data – whether intentionally made public or inadequately protected by the platform – from a test profile, the research found that the majority of these apps failed to sufficiently safeguard their users’ private and sensitive data.
These platforms indeed pose a complex challenge for data protection due to two inherent features: their reliance on user location data and the necessity for users to share personal information with other users prior to knowing them.
Methodology
The research differentiates between intended and unintended sharing of private data. It in fact adopts three levels of investigation:
- data voluntarily made public by the user;
- data retrievable (by an individual with no necessary technical sophistication) from the user interface; and
- data leaked by the Application Programming Interface (API) traffic, which requires more technical knowledge.
This demonstrates that location-based dating apps are vulnerable to various types of malicious individuals, not just the ‘typical hacker.’ In the same direction, this research is solely based on information retrieved in the built-in functionalities of the apps, without requiring server hacking, which would necessitate more acute technical knowledge.
The ease to see without being seen
The first finding of this research is that it tends to be too easy to create a fake account on dating apps (providing a valid e-mail address usually being sufficient), which exposes users to the risk of being observed without knowing it. This question is intricate as dating apps requiring more stringent security measures may not be a viable solution, as it would oblige users to share additional private and potentially sensitive data. The study has noted, however, that requiring a valid phone number would reduce the number of fake accounts. In the same vein, the possibility to remain anonymous on certain apps (for instance, by not having to upload a profile picture or by being able to hide a profile from other users) is also a source of concern for similar reasons.
The access to personal, sensitive and app usage data
The researchers next delved into the ease of access to personal data on these apps. In that respect, location-based dating apps are, of course, bound by legal principles and limited – to some extent – to the comfort of users in sharing their personal information. This study has revealed that apps, however, require user profiles to contain numerous elements of personal data such as first name, gender, age, etc. In addition, these apps leak information which users are most likely not aware of, such as data which a user cannot normally access unless they have provided the same information themselves. For instance, researchers were able to uncover the date of birth, gender, employment status, etc., of test users.
This study aims at raising awareness around the amount of data users share publicly – ranging from their name and age to their political views and sexual orientation – which may have severe consequences. However, the burden of precaution does not solely lay on users: the apps have made certain information mandatory (sometimes unless users have a premium subscription), and users may feel a ‘pressure to share,’ whether from other users or in the hope to build a significant relationship.
The finding is the same when it comes to sensitive data. In fact, while user interface requirements may reveal certain sensitive information, app traffic reveals data which all users should not be able to access, such as health data.
Likewise, app usage data (i.e. likes, recent activity, the type of relationship sought by the user, etc.) are partly revealed by the user interface itself, and more broadly through traffic leaks.
The ease to locate other users
These apps also aim to connect users located in proximity to each other. For that purpose, they reveal the distance between a user and a potential match. This, of course, is a particularly sensitive element of data, which dating apps attempt to protect by only making the distances between two users available instead of their respective locations. However, this research has shown that, for six of the apps, a technique called trilateration (i.e., deducing one’s location based on three different location measurements) would enable users to determine the (almost exact) location of another user for six of the apps.
Recommendations and conclusion
Overall, this study has indicated certain vulnerabilities in location-based dating apps and the potential risks they pose. These findings open the door to improvements on the part of both the user and the apps.
The authors of this study have reached out to all apps concerned, providing recommendations on how to enhance user data protection. Their advice is threefold:
- first, granting users greater control over the data they choose to share (namely by putting an end to default visibility and certain mandatory requirements for non-premium users);
- second, protecting their APIs and minimising data collection; and
- third, bearing in mind that any individual with malicious intent, not just the typical hacker, could easily retrieve and use data to their advantage.
In addition, it is in the best interest of dating platforms to further inform their users on this issue, through their privacy policies and terms of use.
Additionally, the research offers important advice to dating app users. They are essentially encouraged to be more mindful of what information they share on the app, even if it is not made publicly available on their profile, and to use built-in features of the app or their device to limit data exposure – for example, by manually providing their (approximate) location instead of allowing the app to automatically access it automatically. By following these recommendations, dating apps will become safer to use.