More than 70,000 photos of Tinder users are being shared by members of an online cyber-crime forum, Gizmodo has learned, raising concerns about the potential for abusive use of the photos. Ominously, only women appear to have been targeted.
Aaron DeVera, a member of New York City’s task force on cyber sexual assault, told reporters they discovered the images on a website known for trading in malicious software. (We aren’t disclosing the website’s name for obvious reasons.) The dump is also accompanied by a text file containing some 16,000 unique Tinder user IDs, which could be the total number of users affected.
The reason the photos were collected remains unclear, but their availability to cybercriminals has raised serious concerns that it may be used to commit illegal acts; to target and harass the users themselves; or to generate fake user profiles on other platforms for some other malicious purpose.
Perhaps the least threatening scenario—which may still have far-reaching consequences for the privacy of the women—is that some unscrupulous developer or company, unconcerned with consent, is now using the photos to train a facial recognition product. It wouldn’t be the first time this has happened.
Contextual clues, including particular phone models like the iPhone X seen in the photographs, as well as limited metadata, suggest that many of the (mostly) selfies were taken in recent years. Some of the photos, in fact, contain timestamps dated as recent as October 2019.
A Tinder official told Gizmodo by phone that use of any photos or information outside the confines of the app is strictly prohibited. The company would take whatever steps it could, they said, to have the data removed offline.
DeVera, who’s also a researcher at the cybersecurity firm White Ops, was doubtful the files would be easy to taken down, but has offered to provide Tinder with the archive’s location.
DeVera reached out to Gizmodo, they said, in an effort to shine a light on the issue of profile photos being used without consent, and to hopefully prompt Tinder to take additional measures to secure its users’ data. The company’s API has been abused before, they noted.
In 2017, a researcher at the Google subsidiary Kaggle unapologetically scraped some 40,000 profile photos belonging to Bay Area users to create a facial dataset, apparently for the purpose of informing a machine learning model. Tinder labeled this a violation, said it would investigate further, and vowed to take “appropriate action,” according to TechCrunch, which broke the story.
Tinder said at the time that it was taking steps to “deter and prevent” scraping of its data by parties seeking to exploit its API.
A Tinder official told Gizmodo on Wednesday that since the incident, the company has invested additional resources in an effort to address misuse of its app. Its security team, however, declined to disclose any of the specific measures being taken. Doing so, the official said, would only aid those seeking to use its users’ information in adverse ways. (This is a controversial practice security experts refer to as “security through obscurity.”)
“We work hard to keep our members and their information safe,” a Tinder spokesperson said. “We know that this work is ever-evolving for the industry as a whole, and we are constantly identifying and implementing new best practices and measures to make it more difficult for anyone to commit a violation like this.”
Tinder also noted that all of the photos are public and can be viewed by others through regular use of the app; although, obviously, the app is not designed to help a single person amass such a massive quantity of images. The app can also only be used to view the profiles of other users within 100 miles.
DeVera told Gizmodo that they are particular disturbed by the fact that whoever amassed the profile data is “very openly targeting female-presenting users.”
“Given the context of this being a dating app, there are photos a person may not necessarily want presented to the public. Further, not only is it sorted by userID, but it is also sorted by whether or not there is a face in the picture,” they said. This might indicate that someone is intending to use the Tinder profiles to train biometric software, possibly a face recognition system.
But this isn’t DeVera’s sole, nor even their primary, concern. Face datasets are a great place to start for making fake personas and online profiles, they noted.
“Dumps of data such as this typically attract fraudsters, who use it for making large collections of convincing fake accounts on other platforms. Stalkers might use this in a more targeted manner, in an effort to add to a collection of data to use against an individual. Long-term concerns is that these pictures could be used for fraud and privacy violations,” DeVera said.
Face recognition is one of the most controversial recently emerging technologies. Privacy experts are presently sounding the alarm, calling for federal regulators to ban the technology, if a not issue a temporary prohibition on its use by law enforcement agencies, at least until proper guidelines are established.
At hearing before the House Oversight and Reform Committee on Thursday, Rep. Alexandria Ocasio-Cortez likened face recognition systems developed by companies such as Amazon and Microsoft to privacy-invasive technologies depicted on the dystopic Netflix series Black Mirror. “People think, ‘I’m going to put on a cute filter and have puppy dog ears,’ and not realize that that data’s being collected by a corporation or the state, depending on what country you’re in, in order to surveil you potentially for the rest of your life,” she said.
As it stands, the face recognition use is entirely unregulated in most states and legal cases have already emerged accusing authorities of offering up unreliable results as evidence in court.
Digital rights activists this week launched a nationwide campaign to halt the spread of face recognition systems on college campuses specifically. Those efforts, led by Fight for the Future and Students for Sensible Drug Policy, have inspired students to organize and call for bans at George Washington University in D.C. and DePaul University in Chicago.
In addition, administrators at more than a dozen other major universities, including Stanford, Harvard, and Northwestern have been pressed to institute ban, said Evan Greer, deputy director of Fight for the Future. “This type of invasive technology,” she said, “poses a profound threat to our basic liberties, civil rights, and academic freedom.”
A New York Times investigation revealed this week that a host of dating apps, including Grindr, have shared personal user information including location data with numerous marketing and advertising companies in ways that experts said may violate privacy laws, according to a new report by the Norwegian Consumer Council (NCC).
Match Group, which owns Tinder and OkCupid, was not named in the privacy complaints, and said user data it shares with third-party providers remains in line with applicable laws, such as the California Consumer Privacy Act. Match Group said its services do not use “sensitive information” for advertising purposes.
“Tinder and OkCupid only share data in cases where individuals are reported for criminal activity and/or engaging in bad behavior,” it said.
Correction: A previous version of this article stated that Match Group services had been subjects of specific legal complaints, citing a New York Times article that states “dating services like Grindr, OkCupid and Tinder... may violate privacy laws, according to a new report that examined some of the world’s most downloaded Android apps.”
Match Group sent Gizmodo the following statement: “While the report mentions Match Group products OkCupid and Tinder in a discussion of mobile apps that share data with third party ad tech firms, no Match Group products were named in companion complaints filed by NCC with the Norwegian Data Protection Authority.”
We regret the error.