This story combines problematic human behaviour with inadequate data protection. It’s a lethal combo, says Tim Green, director of MEF’s ID and Data programme.

As a man of a certain age, and one with an amazing wife, I am not in the target market for dating apps.

Never used one.

I say this with some regret. Dating apps get a bad rap, but I often think how amazing I would have been on them when I was a young man. Back then I was terrified of rejection and would very rarely chat women up. Apps get rid of that barrier. And also, putting modesty aside, I reckon I could be utterly charming in a message session.

So I read this week’s data scandal story (there’s always one isn’t there?) about Tea with great interest. 

In case you didn’t know, here’s a recap.

Tea is an app in which women can anonymously post reviews of awful men they have encountered on dating apps.  You can see why there’s a need for this. Ask any woman on the apps (I asked my daughters) and they’ll tell you about the married men, the creeps, the scammers and the narcissists. 

They’ll also tell you about the tiresome ‘dating admin’. In short, you have to start and maintain a huge number of conversations before you meet anyone you like. So weeding out the w*nkers saves a lot of time.

It’s the TripAdvisor of dating. And if you know anything about TripAdvisor, you’ll know just how easily the system can be abused.

Tea was an accident waiting to happen. This week it happened.

The app was around for a while, but surged to the top of the App Store this month. One account said it had 4 million users and a 525% spike in downloads in one week. This brought fresh attention to the app, and all the inevitable problems with it. 

Yes, the app let women share stories of awful men. But it also gave spiteful women the chance to slander decent men. 

As the Times described it: “This is simply vigilante justice, entirely reliant on the scruples of anonymous women.”

Lots of men started to see their profiles on the site and were understandably upset at the intrusion of privacy. And then the privacy issue hit the women too. 

Tea’s verification process requested that women submit selfies or photo IDs before posting on the app. It promised their uploads would be “securely processed and stored only temporarily.” 

But some weren’t. So when hackers targeted the site, they were able to access 13,000 selfies and photo IDs. They even created a now-deleted website where users could rate women whose selfies were stolen. 

Let’s review:

  1. An app lets women share profiles of awful men
  2. Some women shame decent men
  3. The decent men decry the privacy intrusion
  4. Awful men hack the app
  5. They create a site that shares profiles of (in their view) awful women
  6. The women (justifiably) worry about stalking and real-world targeting by terrible men.

And there’s more. It now seems as if this wasn’t even a hack. Security experts reckon Tea “used no security measures whatsoever and anyone could have found this information pretty easily.”

One of the complicating factors is that Tea was legally bound to keep some data for compliance purposes. It couldn’t merely delete it.

Yes, it truly is a parable of our times.

The truth is, these anonymous disclosure apps never end well. They are too open to abuse. In the past, products like Whisper crashed and burned sensationally. 

But aside from the ethics, the Tea story raises questions about user verification and data compliance. In the last week, the UK has mandated age verification for users of adult services. This has focused mainstream attention on privacy-protecting identity systems.

It has been a qualified success. UK ID app Yoti said one of its customers reported that 40 percent of users verified with a Yoti digital ID or passkey to prove they were 18+.

Pretty much everyone agrees that the best long-term solution to this challenge is tokenised zero-knowledge proofs. In other words, I get an encrypted token proving my age from a reputable ID issuer. The trusted token tells the site or app: this person is over 18. That’s it. No other identifiable info. Zero knowledge for the ‘relying party’.
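The token flow described above, as an added example (not code from MEF, Yoti or any age-verification provider). It uses a plain Ed25519-signed claim rather than a true zero-knowledge proof, and the issuer key pair, the `app.example` audience, the nonce and the function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed issuer key pair; a real ID issuer would publish its public key.
const issuer = crypto.generateKeyPairSync('ed25519');
const b64 = (buf) => Buffer.from(buf).toString('base64url');

// Issuer: has already checked the ID document, emits only the yes/no claim.
// aud and nonce bind the token to one relying party and one session.
function issueAgeToken(privateKey, audience, nonce, ttlSeconds, now = Date.now()) {
  const claims = { over18: true, aud: audience, nonce,
                   exp: Math.floor(now / 1000) + ttlSeconds };
  const payload = Buffer.from(JSON.stringify(claims));
  return `${b64(payload)}.${b64(crypto.sign(null, payload, privateKey))}`;
}

// Relying party: checks the signature first, then audience, nonce and expiry.
function verifyAgeToken(token, publicKey, audience, nonce, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const payload = Buffer.from(parts[0], 'base64url');
  const sig = Buffer.from(parts[1], 'base64url');
  let valid = false;
  try { valid = crypto.verify(null, payload, publicKey, sig); } catch { valid = false; }
  if (!valid) return { ok: false, reason: 'bad signature' };
  const claims = JSON.parse(payload.toString('utf8'));
  if (claims.aud !== audience) return { ok: false, reason: 'wrong audience' };
  if (claims.nonce !== nonce) return { ok: false, reason: 'nonce mismatch' };
  if (claims.exp <= Math.floor(now / 1000)) return { ok: false, reason: 'expired' };
  if (claims.over18 !== true) return { ok: false, reason: 'not over 18' };
  // The only thing worth persisting: no selfie, ID scan, name or birth date.
  return { ok: true, record: { over18: true, verifiedAt: Math.floor(now / 1000) } };
}

// Demo with constructed values.
const nonce = crypto.randomBytes(16).toString('hex');
const token = issueAgeToken(issuer.privateKey, 'app.example', nonce, 300);
console.log(verifyAgeToken(token, issuer.publicKey, 'app.example', nonce));
```

The relying party ends up holding a boolean and a timestamp, so a breach of its storage exposes nothing comparable to the selfies and photo IDs in the Tea case.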

The AV system in the UK offers different ways to age verify yourself – with varying degrees of privacy protection (real or perceived).

We should be optimistic. There’s more attention than ever on identity-related questions. And the good news is that tech is rising to meet the twin challenges of safety and privacy. 

As for the dating apps? Well I say to young people: just be careful out there. And if you can, go to a ceilidh instead.

Stay informed and join the debate at MEF.

Find out more about the themes discussed –  Join the MEF ID & Data Interest Group.

Tim Green

MEF Programme Director, ID and Data 

  
