Would Like to Meet

With more and more data being handled by dating websites, Patchen Barss looks at the security challenges facing the industry.

San Francisco resident Chris Orris uses an electronic dating service called ‘Coffee Meets Bagel’ (CMB). The site, which draws on users’ Facebook information to recommend potential mates, enjoys a positive reputation. In 2014, CMB made Time Magazine’s top ten list of apps for people who want to fall in love.

“Last year I was matched with two different women at about the same time,” he says. “With one, we never clicked so we didn't meet up. The other, we went on one date, didn't click, and stopped talking.”

That should have been the end of the story, but a few months later, Orris got a disquieting surprise.

“I was on LinkedIn, and the ‘people you may know’ section showed both of these women, along with their first and last names and everything else you'd find in their LinkedIn profiles,” he said. “I never had their last names before.”

He acknowledges that he had entered their telephone numbers in his phone, and theorizes that this action might have been the bridge between the two sites, but he doesn’t know for sure. Regardless of how the data spread, he wasn’t comfortable with the result.

“I had maintained a respectable level of anonymity, and LinkedIn (presumably through my Android phone) blew that away, offering me much more information on those ladies than they had shared,” he said. “I assume the same happened in the other direction.”

Privacy issues related to online dating exploded into the public consciousness in the summer of 2015 when a group of hackers calling itself “The Impact Team” stole and published user data from Ashley Madison, a website designed to help people arrange illicit affairs. Not only did this data breach reveal a great disparity between the site’s promises about privacy and users’ actual risk of public exposure, it also brought to light other confidence-shaking issues.

“Ashley Madison’s army of fembots appears to have been a sophisticated, deliberate, and lucrative fraud,” wrote Annalee Newitz, editor-in-chief of Gizmodo. “Whatever the total number of real, active female Ashley Madison users is, the company was clearly on a desperate quest to design legions of fake women to interact with the men on the site.”

With personal information leaking so easily out of dating websites, and with tech magazines forced to run articles with headlines like, “How to find out if you are dating a robot,” there are good reasons for users to be cautious about their privacy when looking for a mate online.

Dashlane, a company that offers password manager and digital wallet products, conducts industry surveys that rate basic website security features. Their latest data, from the second quarter of 2014, puts dating sites at the bottom of the barrel.

Dashlane assigns numeric values to factors such as whether a site requires alphanumeric passwords, whether it locks accounts after multiple incorrect login attempts, and so on. They consider a score over 50 as the base for an adequate password policy. On average, dating sites had a score of -23.

Despite the sector’s dismal showing, analysts recommend users don’t simply resign themselves to giving up any hope of privacy and security when they date online.

“Users are much more aware and informed about data protection and privacy these days,” says Paul Henry, IT security consultant for Blancco Technology Group. “They’re becoming more skeptical and asking more questions to make sure their privacy is protected. I hope this continues to happen.”

While the Ashley Madison breach has prompted some sites to seek ways to improve their security, Henry says that users who value their privacy should rely on their own initiative, not that of the sites they’re using.

“Security is not the service that is being sold on these websites,” he says. “They are often more concerned with collecting, storing and using data to provide real-time matches and to help personalize their marketing efforts.”

A dating site’s iffy privacy protocols place all the more pressure on users to be careful about what they reveal.

Bostonian Jennifer Torode recalls running into what she thought was merely an annoying glitch on what she calls “a respected, paid online dating site.” The site’s registration system wouldn’t accept her personal email address. She used her work email temporarily while tech support worked on solving the problem.

The site’s messaging system hides users’ actual email addresses, but Torode quickly discovered how inadequately that protected her.

“The next day, I had my work email’s out-of-office autoreply on,” she says. “Anyone from that dating site who contacted me got a reply with my email signature containing my full name, mobile and landline phone numbers, work address and two of my colleagues’ contact info.”

Naturally, Torode wouldn’t make the same mistake again, but when she tried to alert the site about something she considered a “huge privacy concern,” she heard nothing back.

In 2013, 13 British dating sites created the Online Dating Association (ODA), in response to what they call “the need for the industry to step up and take responsibility for setting and maintaining standards.” Analysts view this organization, which now has 16 members, with wary optimism.

“While it is very hard for users to put much stock into the bold claims of privacy that some dating sites make, membership of the ODA ought to provide some sense of respectability in the eyes of the (apparently very few) users who appear to be concerned about whether a dating website is sufficiently ‘safe’,” says data protection consultant Martin Hoskins.

Still, he says, even savvy users should assume no guarantee of privacy – even if a site has good intentions, it still might not have the capacity for follow-through.

“The problem is that these websites are run by people who lack the resources that the global social networking sites can afford,” he says. “Naturally there is a higher risk of a personal data breach.”

In a recent survey from communications technology company Bandwidth, 97% of respondents rated personal safety in online dating as “very important”, but a gap remains between the value people place on security and their willingness to take steps to ensure it.

“It would be foolish to think that another Ashley Madison incident could not happen again,” says Hoskins. “People should be on their guard. If they decide to post images or personal details that they would not wish their closest relatives to see, they only have themselves to blame if, unfortunately, an incident occurs that results in over-exposure.”

Others tend to talk more in terms of responsibility than blame, but they still look to users rather than business owners or regulators as the most likely agent in maintaining privacy.

“Online dating can be a great way to meet that special someone. However, it doesn’t hurt to place a little more caution when using these sites or apps,” says Tony Neate, the CEO of Get Safe Online, whose website provides free resources designed to help people protect themselves and their businesses against fraud, identity theft, viruses and other online threats.

“As a rule of thumb, when using any online dating app or site, make sure your internet security software is up-to-date, and that you protect your passwords. Plus, when creating your online profile, keep personal information and contact details private.”

Britain’s Information Commissioner’s Office (ICO), an independent public body sponsored by the Department for Media, Culture and Sport, also encourages users to read the terms and conditions on dating websites before they provide any information.

“Clearly dating websites are going to need to take a lot of personal information from their customers,” Simon Entwisle, ICO director of operations, said in a statement. “But it’s crucial they let those customers know how their information is going to be used.”

Jennifer Torode says she’s more careful now, but that she just accepts certain realities about online dating.

“If you’ve ever read a privacy statement, it’s as long as my leg! And I have long legs,” she says. “People should know that privacy is not always guaranteed. I still use online dating sites but use them with caution and common sense. In a way, just being on a dating website, I expect less privacy.”

Chris Orris agrees – while he was a little surprised at how personal data moved around from site to site, he didn’t view it as impetus to do things differently.

“Basically, I've changed nothing,” he says. “I work in PR, so I've already made it a point to make most of my information easily searchable on the internet. To me it's a cost of doing business, but by the same token I'm extra careful with potentially harmful information on all networks, regardless of how private they are individually.”

In fact, Orris says, he kind of likes it when his online activities collide.

“My networks can leak information between one another and I don't see it hurting me,” he says. “In fact it can help. My targeted ads end up being much more relevant and interesting now than they used to be.”
