Ben
It might seem like everyone knows that lots of companies are collecting and sharing data about their customers in pretty much any given situation, and that while we all keep using these services, that’s tacit acceptance of the practice.
In reality, however, the sheer extent of the data sharing taking place is beyond what most regular people would assume, and that becomes even more problematic when it’s personal data that people have entered into a dating site.
To highlight the issue, artist Joana Moll and Tactical Tech collaborated to purchase 1 million online dating profiles from USDate. This cost them just €136 – around $155 currently.
For that paltry sum, the one million profiles included “usernames, e-mail addresses, nationality, gender, age and detailed personal information about all of the people who had created the profiles, such as their sexual orientation, interests, profession, thorough physical characteristics and personality traits.” And yes, those 5 million images too. USDate did not disclose the source of the information it sold.
While trading (buying) user details is a quick way to start a new dating site, it’s not one that users necessarily know is taking place, and certainly not on the scale it is. Of course, businesses tend to bury the legal ability to do whatever they want with user data in privacy policies and terms of service that need to be agreed to if you want to use their service, so the suggestion from the group isn’t that the use was improper legally, but opaque to users.
“In order to trace their origins, we looked into the company’s ‘official partners’ […] Then we forensically analysed some of the images contained in the dataset we bought: first by doing reverse-image searches of the profile pictures, to see if they appeared on other dating websites; then by examining the metadata of the images. Whilst the first approach didn’t provide enough proof to link the images to a specific source, the latter gave us a promising hint about the original source of the data.”
The way in which dating companies are structured only adds to the confusion about what user data could end up where. In the researchers example, anyone that has an account on Plenty of Fish – through agreeing to its privacy policy – will have their data shared with its parent company, Match Group, and crucially, other Match Group-owned businesses.
This is where it starts to get even more complicated though.
Match Group is made up of “more than 130 different websites and apps divided into several different brands, based in countries all over the world, including: Tinder, Hinge, OkCupid, Plenty of Fish, Match, Meetic, Match Affinity, Meetic, Affinity, Affiny, LoveScout24, Parperfeito, Twoo, Lexamore.nl, Amoreux, Neu.de, Partner.de, Secret.de, Gencontros, Divino Amor, e-kontakt, Sprydate, Datingdirect, OurTime, People Media [and] Pairs,” according to the research.
“But who owns Match Group?” I hear you cry.
Well, that’s InterActiveCorp (IAC), a US-based business that’s made up of five different verticals: ANGI Home Services, IAC Video, IAC Applications, IAC Publishing, and Match Group. And while it’s likely that data could be shared between any and all of these companies, the research couldn’t confirm it.
“According to IAC brands’ and sub-brands’ privacy policy, user data is shared among all the divisions of the IAC conglomerate. However, Match Group’s privacy policy is not as clear: except for its sub-brand Meetic, which publicly states that it is sharing information with IAC, we could not confirm whether other Match Group sub-brands actively shared information with IAC, despite our attempts to ask them. But based on the fact that other IAC divisions publicly state that they actively share information with their parent company, it’s quite likely that Match Group and its subsidiaries do, too.”
What’s the upshot?
It’s not a revelation that user privacy isn’t at the top of mind for many dating companies – hell, it’s not top of mind for most non-dating companies – but given the sensitive nature of the data shared on dating sites, being aware of quite how many places it could end up is something that people should have access to before deciding to hand that data over.
In the research we’ve looked at above, it has only focused on potential ways data could be shared within the IAC-owned companies, but it’s likely being used to generate further revenue by sharing it with third-parties.
“To date, we couldn’t find an official document that lists the third party companies with whom Match Group and IAC are sharing their users’ information. However, during our investigation we identified more than 300 third-party cookies linked to IAC and Match Group businesses that are potentially collecting all sorts of data on user behaviour. And this is only accounting for desktop browser activity – it doesn’t even include trackers on mobile apps,” the research group said. “Overall we were able to map a network of more than 700 interconnected companies and online services that potentially financially exploit(ed) the 1 million profiles we bought from USDate.”
It’s also not just the potential for personal data to be spread far and wide that should be of concern, either – where prices for services, credit applications and everything else is dictated by an algorithm, the researchers note that”exploiting this data is questionable because dating profiles might contain intimate and sensitive data on users which, if made public, might have dramatic effects on the user’s lives.” And that’s before you even consider the impact of unintended sharing of user data if a breach occurs.
All of the photos and data – in an anonymized form – is available to view via the project’s site.
Read Next: UK’s Age Verification Porn Plans Delayed
