
This is a bit of an incorrect read on what this leak is. Gravy gathers location data about people from multiple sources but not directly from consumers. Gravy’s customers buy this data.

As far as I understand, this is a list of locations and apps used by a person, but without much context. A typical response to this has been something like this:

> Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years. Transparency is at the core of our privacy program, therefore the third parties and service providers we work with are listed here on our website.

Note how carefully written this is to imply they don’t share any data at all, but they stop short of saying “we don’t share any data with ad partners”, just geolocation data.

But for companies like Gravy, their whole business is about getting data.

So it’s not at all implausible (or even unlikely) that this represents an event where a user opened Grindr (conceivably sold to Gravy by one of Grindr’s ad partners following an impression), and the same individual’s location was determined by some other method (for example, IP address geolookup, or bought from a company which IS supplying data to Gravy directly and has location permissions).

Take the leak with a grain of salt, sure, but it’s looking reasonably genuine to me.



> So it’s not at all implausible (or even unlikely) that this represents an event where a user opened Grindr (conceivably sold to Gravy by one of Grindr’s ad partners following an impression), and the same individual’s location was determined by some other method (for example, IP address geolookup, or bought from a company which IS supplying data to Gravy directly and has location permissions).

There's a pretty big difference between "Grindr sells your inferred information from IP" and "Citymapper sold your location data". Even though the latter technically could be limited to the former, it's pretty obvious that most people think it's selling your precise location as determined by GPS or whatever. Just look at the other replies to my comments if you don't believe me. This is important, because not all "location data" is the same. People are far more likely to be creeped out by precise location data than IP location data, and you're basically constantly transmitting the latter every time you use any app/website.


> We (...) have not shared geolocation data with ad partners for many years

Mobile operating systems don't have good (if any) support for opening things in subprocesses with restricted permissions from the rest of the app. So if Grindr loads an ad, that ad runs with Grindr's permissions. Same for any analytics code that ad uses. So if Grindr gets geolocation, even temporarily, so does every ad partner they have, whether they like it or not.

And the thing is, ads are a bottomless pit of third-party JavaScript. Nobody trusts nobody in the ad space, so everyone wants their own trackers doing their own client-side data collection. So Grindr doesn't have to know anything about Gravy Analytics, they just have to have an ad partner decide to use them and bam, they're compromised.


> Mobile operating systems don't have good (if any) support for opening things in subprocesses with restricted permissions from the rest of the app. [...]

> And the thing is, ads are a bottomless pit of third-party JavaScript. [...]

If it's actually JavaScript, attempting to grab location would result in a weird location prompt[1] that shows even if you granted the app location permission. It's still conceivable for a random SDK to go rogue and exfiltrate location data, but it's unlikely that an ad in a webview would be able to.

[1] https://stackoverflow.com/questions/39665367/how-to-prevent-...


That's the whole reason companies like Gravy exist—they call it 'location intelligence', they make inferences about location based on various things they do have access to, rather than necessarily directly collecting it from the user using GPS location tracking.



