2 years ago, we observed Grindr sharing exact location data with 8 data brokers in the 'advertising' space, including MoPub, back then owned by Twitter.

Now the WSJ found that this data has actually been available for sale, via MoPub, since at least 2017:
wsj.com/articles/grind…
In 2019/2020, we examined how Grindr secretly shares data with third parties, led by the Norwegian Consumer Council, together with @thezedwards, Mnemonic and @NOYBeu.

Here's a chart showing the data flows from Grindr to third-party companies we observed:
Based on the GDPR complaints we filed, the Norwegian data protection authority started an investigation, and then fined Grindr almost €7 million for sharing personal data with third-party companies without a legal basis in 2021:

For example, we observed Grindr sharing sensitive personal data including device identifiers, exact GPS coordinates and information about the fact that the data comes from a Grindr user with MoPub, which facilitated further data sharing with yet other third parties, and so on.
According to its terms, MoPub reserved the 'right' to share the data with 170 partners. One partner claimed to share it with another 4259 partners …this is why our report was titled 'Out of Control'.

In 2019, MoPub's partner list also included UberMedia:
web.archive.org/web/2019060623…
We assumed the shared data is widely available on today's opaque personal data markets, but couldn't find solid evidence.

Now the WSJ found that UberMedia (UM) is one of the data brokers who bought and sold data on Grindr users obtained via MoPub, according to anonymous sources.
Twitter doesn't deny MoPub's data sharing, but told the WSJ it had contractual restrictions in place. Sure!

UberMedia's new owner also doesn't deny the data sharing, and just told the WSJ that "every single entity in the advertising ecosystem has access to the information" 🤡
And even worse, UberMedia data was "at the time being used by federal government contractors in national-security programs, and people working on those projects saw large amounts of Grindr data, according to people familiar with the matter".

Relax, it's just digital advertising!
But the data didn't contain names! Data companies always say that and it's just totally pointless.

The data we observed Grindr sharing contained unique device IDs, so-called 'Advertising IDs', which can be used to link digital profiles on a person across thousands of databases.
Almost certainly, UberMedia obtained and sold Grindr data including linkable device IDs, which can be used to monitor, follow and target people across the digital world.

This is at least what their docs suggested in 2019/2020:
web.archive.org/web/2020103018…
And even if the data would not include *linkable* device IDs, it is trivial to infer a person's home address, workplace and other patterns from GPS location data, and then automatically cross-link it with other information available from data brokers.

It's just personal data.
Obviously it's sensitive personal data.

In 2021, an ugly conservative outlet bought commercial location data to spy on years of the life of a high-ranking Catholic priest, out him and make him resign, framing homosexuality as 'sexual misconduct'. They claimed it was Grindr data.
Back then, Grindr "said it didn’t believe it was the source of the data but acknowledged it was theoretically possible that an advertising partner might have collected it", according to the WSJ.

Of course, other fanatics or governments across the world may have also bought it.
What's sensitive depends on the affected person and context.

Many if not most apps share personal data with third parties. Most people are not even aware of the scale and depth of uncontrolled data sharing that is the basis of today's surveillance advertising.

This must end.
Grindr claims it has now "cut off the flow of location data to any ad networks, ending the possibility of such data collection today", according to the WSJ.

...perhaps as a consequence of the €7m fine in Europe, a quite large share of Grindr's revenue.

This is the way to go.
I cannot verify if this claim is true.

According to @ExodusPrivacy, Grindr still includes data-harvesting code from Google, FB, Amazon, AppsFlyer/Salesforce, Fyber, Vungle, PubNative, Braze, and from AppLovin, who recently acquired MoPub from Twitter:
reports.exodus-privacy.eu.org/en/reports/com…
Uncontrolled data sharing cannot be the basis for our future digital economy and society.

The only way to fix this mess is regulation plus effective enforcement, not least because apps+services increasingly share data directly, which is not observable from outside their systems.
If we want to have services that rely on data on our everyday lives to provide us with useful functionality in the years to come, if we want everyone to participate in info society, and THIS IS WHAT WE WANT, we must be sure that data-processing entities do not misuse their power.
This means surveillance marketing as it exists today must cease to exist. Apps, device vendors and other digital service providers must - and will - find other business models.

To achieve that they must know that their business may cease to exist if they misuse their data power.
In GDPR land, the law had already been providing ways to make that happen since 2018, if only it was effectively enforced against apps, service providers, data brokers, and tech oligarchs.

What if other European regulators would finally follow the small, brave Norwegian DPA…
Anyway, even if well-enforced, the ambiguity of a technology-neutral law that requires case law developing over years is perhaps too slow for a 'move fast and break things' industry. I'm afraid the DSA's rather weak provisions on surveillance marketing are a wasted opportunity :/
In the US and in other regions on the planet the situation is even worse. But really, the law is the only way unless you want to drive digital technology and information society to the wall.

And forget 'notice' and #darkpattern 'choice'.

Let's start shaping tech, as a society.
