WSJ News Exclusive | Grindr User Data Has Been for Sale for Years

The commercial availability of the personal information, which hasn’t been previously reported, illustrates the thriving market for at-times intimate details about users that can be harvested from mobile devices. A U.S. Catholic official last year was outed as a Grindr user in a high-profile incident that involved analysis of similar data.

National-security officials have also indicated concern about the issue: The Grindr data were used as part of a demonstration for various U.S. government agencies about the intelligence risks from commercially available information, according to a person who was involved in the presentation.

Clients of a mobile-advertising company have for years been able to purchase bulk phone-movement data that included many Grindr users, said people familiar with the matter.

The data didn’t contain personal information such as names or phone numbers. But the Grindr data were in some cases detailed enough to infer things like romantic encounters between specific users based on their device’s proximity to one another, as well as identify clues to people’s identities such as their workplaces and home addresses based on their patterns, habits and routines, people familiar with the data said.

“Since early 2020, Grindr has shared less information with ad partners than any of the big tech platforms and most of our competitors,” said Patrick Lenihan, a spokesman for Grindr. He said the company pays a price for reducing the data shared, including lesser ad quality for users and lower revenue. Mr. Lenihan added: “The activities that have been described would not be possible with Grindr’s current privacy practices, which we’ve had in place for two years.”

Location-tracking data has increasingly been used for reasons beyond its intended purpose. Researchers earlier this year spotted signs of the Russian invasion into Ukraine before it was publicly known by watching Google Maps features that were designed to show traffic delays. Google later disabled those features to avoid them being abused in ways that could affect the safety of those on the ground.

Grindr in 2019 said it was the world’s largest social-networking app for gay, bi, trans and queer people, with “millions of daily users who use our location-based technology in almost every country in every corner of the planet.”

When the company originally began sharing location data of its users with the ad networks, the company’s executives believed the data didn’t pose these kinds of privacy risks, according to a former senior employee. At the time, advertising-industry executives had told Grindr that hyperlocal ads for establishments just down the street from their users were going to reshape marketing budgets, the former employee said.

The idea was that through what are known as real-time ad exchanges, users would be served targeted messages about the nearest restaurants, bars or hotels.

The way real-time-bidding works is that every time a smartphone user opens an app or website that has available ad space, the device shares data about the phone with an ad network to help micro-target ads. That data can include the precise geographic location of the phone, if the user has granted an app permission to know it, as well as demographic data about the owner and detailed logs about the phone’s status. Most users choose to share location with Grindr in order to be connected with other nearby users. That functionality is what made it attractive as an app when it was founded in 2009.

In a computerized process that plays out in milliseconds, advertisers bid on serving an ad, and the highest bidder wins. Consumers are largely unaware that the process occurs on their devices every time they load an app or webpage or how much data is shared with third parties.

Most apps participate in real-time ad exchanges that expose their details to hundreds or thousands of unknown parties. However, Grindr and other apps that are built to encourage users to share their location generate particularly specific data sets that can be used to reconstruct data about individual users.

Being gay remains a crime in a number of countries around the world and such data sets could put people in danger of prosecution and punishment, with the penalty in some countries being death. Grindr said it doesn’t serve ads in regions where being gay is illegal, which keeps those users’ information off advertising exchanges.

Even in countries where being gay is legal, it can still remain a blackmail threat for those not living openly. The U.S. government intervened to force a Chinese company into divesting itself from Grindr on national-security grounds in 2019—citing the risk of blackmail using the app data and the possibility of the Chinese government using the app’s data for surveillance purposes.

Those risks aren’t hypothetical.

Clients of mobile-advertising company UM have been able to purchase the bulk phone-movement data that included many Grindr users since at least 2017 and possibly earlier, said people familiar with the matter. Most location brokers strip the name of the apps that the data is sourced from in location data sets. In some of UM’s data, the company included the name of apps from which the location information was sourced.

UM, which was known as UberMedia before changing its name last year, was able to access Grindr data from the advertising network MoPub, according to people familiar with the matter. UM then made it available for sale to its clients.

Twitter Inc.

TWTR 0.17%

owned MoPub at the time, but last year it sold the mobile-advertising company for $1 billion.

AppLovin,

APP 1.47%

MoPub’s new owner, didn’t respond to a request for comment. UM was sold last year to Singapore-based Near Pte. Ltd.

Through a spokeswoman, Twitter said: “UberMedia was a MoPub partner. Like all partners they were subject to MoPub’s marketplace agreement and data use restrictions.” Twitter said its policies contained restrictions on the resale of data but declined to specify them.

“Every single entity in the advertising ecosystem has access to the information shared by Grindr and every other app that uses the real-time bidding system. That means thousands of entities have such access,” said a spokesman for UM’s new owner Near. The company also disputed that location-data stripped of personal information such as names, emails or phone numbers could be used to identify specific individuals.

Last year, a Catholic publication called the Pillar said it obtained commercially available data that allowed it to track Grindr usage by individuals. The U.S. Conference of Catholic Bishops said one of its senior officials resigned from his post after being approached about the findings identifying him as a user of the app.

A representative for the Pillar declined to comment.

Grindr at the time of the Pillar articles said it didn’t believe it was the source of the data but acknowledged it was theoretically possible that an advertising partner might have collected it.

It couldn’t be determined by The Wall Street Journal if the Pillar was relying on data from UM or another vendor. However, UM data were at the time being used by federal government contractors in national-security programs, and people working on those projects saw large amounts of Grindr data, according to people familiar with the matter. Beyond UM, numerous other advertising companies had access to the data as part of partnership agreements, some of the people say. UM also made its data available for resale by other location brokers, people say, making it difficult to track the flow of data after it left MoPub.

UM denied providing data to any U.S. government agencies. According to people familiar with the matter, the data were purchased by private government contractors—not managed by the government directly. A spokesman for the company said UberMedia’s contracts at the time prohibited using the data for surveillance, tracking or law-enforcement activity.

Write to Byron Tau at [email protected] and Georgia Wells at [email protected]