Several mobile apps such as Grindr, OKCupid and Tinder have been found to be leaking personal information to advertising tech companies in possible violation of European data privacy laws, an investigation by a Norwegian consumer group has discovered.
As stated in the Out of Control report, the Norwegian Consumer Council, a government-funded non-profit group, commissioned cybersecurity company Mnemonic to study 10 Android mobile apps. It said it found “serious privacy infringements” in its analysis of how online ad companies track and profile smartphone users, with the apps sending user data to at least 135 different third party services involved in advertising or behavioral profiling.
“As it stands, the situation is completely out of control, harming consumers, societies, and businesses,” the report said. Most of the adtech companies that Mnemonic observed receiving personal data have a “questionable legal basis” for harvesting and using consumer data, the report continued.
“If these companies do not have a legally valid basis for processing personal data, the backbone of much of the adtech system may be systemically in breach of the GDPR.”
The Norwegian Consumer Council therefore urged data protection authorities to enforce the GDPR, and for advertisers and publishers to look toward alternative digital advertising methods that respect fundamental rights.
“The digital marketing and adtech industry has to make comprehensive changes in order to comply with European regulation, and to ensure that they respect consumers’ fundamental rights and freedoms.”
Jake Moore, cybersecurity specialist at ESET, said: “When you join a high profile site such as Grindr, you expect to have your data protected and dealt with sensitively. Sadly, data on people is a lucrative currency, and so it can be tempting to share when given the opportunity. I always recommend that people limit the amount of personal data shared on these sites due to the possibility that the data could be targeted with a cyber-attack.”
James McQuiggan, security awareness advocate at KnowBe4, added that it is difficult in today’s society with social media apps for people to actually read the privacy or end user agreements and to understand what is happening with their name, address, pictures, contacts and GPS location once the data is entered into or collected by an app.
“On a lot of social media apps that are not charging users for their service, the users are undoubtedly the product,” he said. “Their information is collected and sold off to third party organizations for revenue for the social media app. Only in recent years are governments finally taking actions such as the GDPR in the UK and recently, the California Consumer Protection Act (CCPA).”