The wildly popular gay dating app “Grindr” is facing accusations that a glitch in its system is giving away the actual location of its users to anyone with a Web connection.
The charge, first reported by NDTV — which I tested and found to be accurate — is that someone not even signed in to the phone/tablet application can find the location of any Grindr user to within about 100 feet.
Among the locales in which gays were detected by my test of the security breach: Turkey, Jordan, the British House of Commons, and the DC headquarters of the Republican National Committee.
(Update: Using the Grindr security glitch, I just found three gays in Kampala, Uganda; and a colleague found two inside the Russian state Duma (parliament), and one inside the Kremlin itself.)
(Update: The security glitch has now exposed the locations of nearly 200 gay men in Iran, a country in which gay men are hanged.)
Grindr has responded, claiming that the ability to identify the location of its users isn’t a security flaw, but rather, something they intended all along. That claim might come as a surprise to Grindr’s users, who, like me, probably had no idea that they were divulging their exact location to anyone.
Online privacy while gay
Now, why would knowing someone’s location be a problem?
First, there’s personal safety. Sometimes you just don’t want everyone knowing where you live, especially strangers you chat with online.
Second, sometimes you value your anonymity because you’re not “out.” Many gay people are not out of the closet, either because they just aren’t comfortable having everyone know they’re gay, or because they live somewhere where it’s not safe being gay (such as Russia, Africa, certain parts of America, etc.). They could also be a minor who’s not out to their parents.
How Grindr determines location
Many Grindr users give permission for their general location to be known to other Grindr users – and I emphasize “general.” Depending on the options the user selects, the app will show the distance in feet, meters, miles or kilometers between the user and any other nearby users.
For example, here’s someone 2 miles away from me. Note that while Grindr tells me the person is 2 miles away, I get no additional information as to where they’re located, so I really have zero idea where the person actually is. I can’t even guess what town he’s in, as there are probably 3 towns within that distance from where I am:
But while the app shows that you’re, say, “1000 feet” from a nearby user, it does not show the direction of the other user. Thus, while you know that he’s 1,000 feet away, he could be north, south, east, west, or anywhere in a 360 degree arc, making it impossible to know where he actually is from that one reading alone.
The “flaw,” however, uses triangulation to permit anyone to determine the actual location of that user within around 100 feet. And as one reader notes below, that’s all you need to out someone, especially someone who lives in a rural area:
“Wow, I just tried this on myself. I’m currently in a very rural area, and it pinpointed to my exact location. Because there’s no address anywhere near 100 feet of me, anyone can find exactly where I am.
“Very alarming! I’m not closeted and don’t generally feel threatened here. But for any homophobe or sociopath to be able to anonymously determine how to get to my front door or window is very disturbing… I’ll likely discontinue Grindr until I see this resolved.”
I tested the triangulation via a Web site posted by an anonymous person. The site permits you to zoom in on a map of the US or Europe and find which Grindr users are online, and where they’re located on the map. In my case, the Web site was able to find me on a map within 100 feet of my actual location. (I tried other continents, but was unsuccessful.)
In contrast to some reports online, when I turned off the “show distance” setting in Grindr, my blue dot did in fact disappear from the Web page. It then came back when I turned “show distance” back on.
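Why a distance with no direction still gives a position away: the sketch below is an added example, not code from Grindr or from the Web site described above, and it works on a constructed flat map measured in feet (the vantage points, the target and the rounding steps are all assumptions). It compares how closely three distance readings pin down a point when the distance is displayed to the foot versus to the mile.

```python
import math

def trilaterate(observers, distances):
    """Planar position from three (x, y) vantage points and the distance from each."""
    (x1, y1), (x2, y2), (x3, y3) = observers
    d1, d2, d3 = distances
    # Each reading is a circle around its vantage point. Subtracting circle 1
    # from circles 2 and 3 cancels the squared unknowns, leaving two linear
    # equations of the form a*x + b*y = c.
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a1 * b2 - a2 * b1
    if det == 0:
        raise ValueError("vantage points are collinear; position is ambiguous")
    # Cramer's rule for the 2x2 system.
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)

def reported(distance, step):
    """Distance as it would be displayed when rounded to the nearest `step` feet."""
    return round(distance / step) * step

def localization_error(target, observers, step):
    """Feet between the true point and the fix computed from rounded readings."""
    readings = [reported(math.dist(target, o), step) for o in observers]
    return math.dist(target, trilaterate(observers, readings))

# Constructed sample layout (feet on a flat map), not real coordinates.
OBSERVERS = [(0, 0), (10000, 0), (0, 10000)]
TARGET = (3000, 4000)

if __name__ == "__main__":
    for step in (1, 100, 5280):  # per-foot, per-100-feet, per-mile display
        err = localization_error(TARGET, OBSERVERS, step)
        print(f"display step {step:>5} ft -> fix is off by {err:8.1f} ft")
```

In this layout the per-foot readings put the fix within a foot of the true point, while per-mile readings leave it thousands of feet off, which matches the difference between the “2 miles away” display and the 100-foot result described here.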
Examples of locations of Grindr users
Here are some examples of Grindr users the site was able to find in the US and Europe.
Here’s Chicago’s downtown:
Here’s the neighborhood just south of Paris’ Place de la République:
And Palermo, Sicily:
And Turkey (I’m intentionally not zooming in all the way, so it’s not entirely clear where these people are):
And Jordan (intentionally blurred):
Israel and Gaza:
And here’s, apparently, an intrepid employee of the Republican National Committee in Washington, DC.
Grindr says it’s not a bug, it’s a feature
Per Joe My God, Grindr has apparently responded to the concerns, saying that this isn’t a security flaw:
“We don’t view this as a security flaw. As part of the Grindr service, users rely on sharing location information with other users as core functionality of the application and Grindr users can control how this information is displayed.
“For Grindr users concerned about showing their proximity, we make it very easy for them to remove this option and we encourage them to disable ‘show distance’ in their privacy settings.
“As always, our user security is our top priority and we do our best to keep our Grindr community secure.”
Well, that’s a bit disingenuous.
When I’ve used Grindr, or any online app that estimates my distance to another user, I never imagined that someone could use the app to find my actual location within 100 feet. So when Grindr users make a decision as to whether to “show distance,” they’re not necessarily making an informed decision to “show location” as well.
And I seriously doubt that any Grindr users were aware that showing their near-exact location (and to someone who doesn’t even have an account on Grindr and isn’t even signed in) was a “core functionality of the application.”
It’s actually kind of creepy.
Also note that the not-a-bug doesn’t just show anonymous blue dots. It shows you the name and picture associated with the user’s profile, when you click the blue dot. For example, here’s Chicago again, when I clicked on the blue dot at Wabash and Monroe:
Personally, I find Grindr’s answer disturbing. I don’t sign in to Grindr in order to let people track my near-exact location as I move around town, and I doubt most of Grindr’s users do either. Especially Grindr’s users in Russia, Africa, and lots of other places where it’s downright deadly to be gay.
I’m also awfully curious how this comports with Europe’s notoriously strict privacy laws.
This is a security flaw, and it needs to be fixed now.