A design flaw in the popular smartphone app “Grindr” permits anyone with an Internet connection, anywhere in the world, to identity the near-exact location — to within about 100 feet (30 meters) — of every gay men, worldwide, who is using the app at any given moment.
The locations of over 200,000 gay men, across the world, have already been pinpointed by the security breach in the past week, according to the gay European who discovered it.
As an example of how serious this really is, I just used Grindr to find the location of every gay man in Tehran, Iran who was online at the moment I checked. If I were to click the blue dots, you could see their profile.
Every gay man in Tehran, Iran who was on Grindr when I checked it using the security glitch:
Keep in mind that just a few weeks ago, Iran executed two men, human rights authorities believe because of their gay sexual orientation.
All 189 gay men identified in Iran since the security glitch was discovered, with their exactly location:
Here’s one young gay Iranian I easily found, to the detail of his street corner, in Bandar-e Anzali, Iran — population 110,000. I have blurred his face, and have zoomed out the map, so that he can’t be identified.
Now, you might think that a 100 foot margin of error is enough to hide the exact location of the young Iranian gays. But what happens if authorities go door to door, to the two or three homes or apartment buildings in the area, and show this young man’s photo to every occupant? It would likely be easy to find him.
I’d reported on this problem extensively yesterday, showing examples of gay men in America, Paris, Uganda, Turkey, Jordan, and even in the British House of Commons and the Republican party headquarters in Washington, DC.
In a nutshell, services like Grindr, which basically are applications used for dating and/or hooking up, show you how many feet, meters, miles or kilometers you are from other users in your area. What the app does not do is tell you exactly where those users are, or even what direction they are from you — so it’s impossible to know where they actually are.
The security glitch, discovered recently by a gay European Grindr user who prefers to remain anonymous, permits anyone to find that exact location. The person who discovered the glitch has protected the data so that no one can access who is online in particularly sensitive countries that Grindr serves (like Iran). They gave me special permission to peruse those countries, under the agreement that I make every effort to obscure the exact location and identity of the Grindr users.
Here is an example of what a typical Grindr user sees when checking out the profile of another user — note the person’s distance from me, 2 miles:
The design flaw, however, permits you to locate the near-exact location of every single Grindr user who is online at any one time — down to a 100 foot (or so) margin of error.
Using the security glitch, I was able to find dozens of gay men in Tehran, down to the location they were on a particular block. Again, I’m making this map very small so that it’s impossible to actually tell where the men are.
Here is Tehran and all the gays online on Grindr just a few hours ago. If you click the blue dots, you get to see their screen name and profile image. A number of them use their actual face as their profile image.
Here’s an example of how detailed the searches, and the resulting maps, really are. I did not attempt to locate any gays in this particular map, rather I zoomed in to show you how detailed the map is when you zoom in all the way. Here is Tehran, at full resolution. It shouldn’t be terribly difficult to locate someone once you now what block they’re on and have a photo of their face.
Here are more of the gay teens and men around Iran that I found over the past 12 hours.
Shiraz, Iran — population 1.3 million:
Sowme’eh Sara, Iran — population 36,000:
Isfahan, Iran — population 3.8 million (again, this is zoomed out for their protection):
Amir of Tabriz, Iran — population 1.4 million:
Grindr’s recent claim that the security breach isn’t a glitch, but rather an intentional feature, rubbed many the wrong way. First, Grindr’s statement:
“We don’t view this as a security flaw. As part of the Grindr service, users rely on sharing location information with other users as core functionality of the application and Grindr users can control how this information is displayed. “For Grindr users concerned about showing their proximity, we make it very easy for them to remove this option and we encourage them to disable ‘show distance’ in their privacy settings. “As always, our user security is our top priority and we do our best to keep our Grindr community secure.”
A friend who has a PhD in physics from MIT begged to differ. Here’s what he sent me, in response to Grindr’s claims:
Grindr is violating its users’ security and privacy, and they are doing it by design. Grindr’s design permits anyone with a computer connection to make a map showing the locations — accurate to about 100 feet — of every Grindr user in the world.
I believe Grindr when they say this is something they “intended all along”. Any service which permits anonymous users to access a distance to other users from an arbitrary position nearby, and permits those users to submit multiple locations, empowers the users to triangulate locations of identified users. It is a design flaw – from the point of view of security and privacy – to permit this capability. Grindr gives users the ability to suppress this — by turning off “Show Distance” under “Settings…Privacy”. But a user shouldn’t have to take proactive steps themselves to fix the unanticipated security and privacy risks that Grindr poses: Grindr should be proactive in protecting their users’ security and privacy, and right now, they are not. The Grindr app poses a danger to their users’ security and privacy, in its design.
Here’s a few ways how using this app poses a danger to their users’ security and privacy. In Iran (and many other countries), it is illegal to be gay — and often, in those countries, they’re not tied up on issues like a burden of evidence, the mere implication being enough. The police force in Tehran can make three internet queries to Grindr, and they will have the location and photograph of every Grindr user in Tehran, accurate to 100 feet. They can then send out officers with these photographs and locations, start knocking on doors, and showing the photographs around, until they find the user — which, with only 100 foot large region, will be very quickly. In a day, the police could round up every Grindr user in Tehran, and they’d be executed soon thereafter.
There are a couple of ways Grindr can overcome this “threat to privacy-by-design”. One way is to remove “distance” entirely from the fields provided. That would make it impossible for third parties to make a map of users. That would be the best way. Grindr can still respond to queries from legitimate users with, say, the 50 closest other users, but not provide the distances. That would completely thwart nearly all distance-based security/privacy threats.
Another way is to make a decision, and by design, not give out location accuracy to better than, say, 1 mile. However, one flaw of this approach is that it makes an assumption about what is “safe” — and 1 mile may be safe enough in a dense urban environment, where a 100,000 people might live, but could still be dangerous in a sparse rural environment.
Another way is to give Grindr users options: “How accurately do you want others to know where you are?:” and give options: 100 feet, 1 mile, 10 miles, “Do not show”. In each case, Grindr’s broadcasted “distances” would only be accurate to the stated distance, and would thwart triangulation to an accuracy better than the stated distance.
Finally: Grindr should *include* in their app the ability to map out other nearby Grindr users. Grindr says this information is available by design, but what we’re seeing now is many Grindr users did not work through that this meant anyone, anywhere can see exactly where they are. By providing users a map with the locations of other nearby users (with pictures), it would inform their users what information about them is actually being broadcast by grindr, so that their users could take action to protect themselves, like degrade how accurately others can see their location, or turn location services off entirely.
Stay tuned. I’ve got a whole lot more stories coming.