The Committee on Foreign Investment in the United States (CFIUS) has named the ownership of popular gay dating app Grindr a national security risk, according to a report.
Grindr describes itself as “the world’s largest social networking app for gay, bisexual, transgender and queer people.” As of 2018, it said that Grindr app reaches 196 countries and has 3.6 million users online on a daily basis.
Though based in West Hollywood, Calif., the Grindr app is actually owned by Chinese gaming giant Beijing Kunlun Tech Co Ltd., which acquired a majority stake in Grindr in 2016 for $93 million before purchasing the rest of it last year. However, because of concerns over how users’ personal data is used and handled under the new ownership, the CFIUS has intervened in the deal, according to sources speaking to Reuters. CFIUS considers the situation a national security concern, they said.
More specific concerns are not known, according to the unnamed sources “familiar with the situation,” but as a result of CFIUS’ intervention, Kunlun will look to sell the platform, they said. Previously it had been prepping an IPO for the app.
Privacy concerns arising from Kunlun’s stake in Grindr were brought up last year in a letter from U.S. Senators Edward Markey (D-Ma.) and Richard Blumenthal (D-Conn.). The action was sparked by a press report from an NPR news report exposing Grindr’s practice of sharing the most personal and sensitive information of its users with third-party analytics firms, without their informed consent. That data included personally identifiable and sensitive user information such as HIV status, email address, telephone number, precise geolocation, sexuality, relationship status, ethnicity and “last HIV tested date.”
“Simply using an app should not give companies a license to carelessly handle, use or share this type of sensitive information,” the Senators wrote. “Grindr and those with whom it shares its users’ sensitive information has an obligation to both protect this data and ensure users have meaningful control over it.”
While Grindr acknowledged the issue and said that it stopped sharing the data with third parties, the incident was not the only user data-related snafu for the company.
Grindr was also taken to court in 2017 by a man whose ex used the platform to harass him using fake profiles – as BuzzFeed reported at the time, “16 men showed up every day at his door, each one expecting either violent and degrading sex, drugs, or both. Herrick, a 32-year-old aspiring actor living in New York City, didn’t know any of them, but the men insisted they knew him — they’d just been chatting with him on the dating app Grindr.” This raised the obvious question of whether Herrick’s location was still being shared, even after he deleted the app. The case is still ongoing.
Also, last year vulnerabilities were found in the Grindr app that leaked a raft of data for people who had opted out of sharing such information. The flaws allowed anyone to see non-public user-profile information, including unread messages, email addresses, deleted photos and the location data of users. Grindr fixed the bugs, but the incident added to the growing number of privacy-related concerns around the app.
Grindr declined to comment for this article.
Eric Silverberg, CEO of Grindr alternative SCRUFF, weighed in on the issue, telling Threatpost that Grindr would have much work to do to explain the impact of its ownership structure on its data-handling policies.
“While consumers have seen numerous tech companies claim to take privacy and security seriously, internal company policy can only go so far,” he said. “Companies must abide by the laws and regulations of the country in which they are headquartered, in addition to the laws and regulations of the country in which their data is stored. Should one country have looser or less rigorous standards for privacy or security, those are the standards which de-facto will be applied.”
He added, “We believe that all apps should be open and transparent with their users about where their data is stored, the jurisdictions within which they fall, and the third parties with whom their data is shared.”
The move to declare a Chinese-backed company a security risk is not without precedent. For instance, this is not CFIUS’ first intervention in China-based takeovers of American companies. It previously blocked the acquisitions of MoneyGram International and of AppLovin, the mobile marketing firm. And the U.S. has banned the government use of gear from Chinese infrastructure giants Huawei and ZTE on the basis of security concerns.
This post was updated at 4:26 p.m. ET on March 27 to reflect Grindr’s declining to comment.