Last month, I had dinner with a few friends. One of them had recently started a position at Zoosk, an online dating mobile app. The conversation ranged between living in San Francisco in your 30s, expensive rents, and startup culture — until it reached the white hot debate surrounding online dating apps and their success rates. I casually mentioned that I had used Zoosk before and that it was okay, although it didn’t end in any real dates or anything.

It was here that a friend of mine mentioned that he has “backdoor” access to the site’s CMS and can thus look me up on Zoosk’s internal database. Whether he was serious or just joking, without saying a word I decided to finish my veggie ramen and drop the conversation.

However, what he said stayed in my mind.

A few days ago, I was interviewed for a fellowship position at Ranking Digital Rights, for their mutual project with Consumer Reports aiming to assess online privacy and security level of certain products including IoT devices, online apps, and services. After hanging up the call, the memory of the dinner with my Zoosk friend came to my mind. This time, with the knowledge I gained from the Digital Standard website and the Ranking Digital Rights indicators, I decided to test two services that I, myself, had used for dating: Zoosk and Tinder.

In what follows, I’m going to imagine that I have never used these products before and put myself in a first-time user’s shoes, walking her through the application download and setup. However — unlike in the past — I’m now looking at these products through the lens of privacy and security standards.

Throughout, I will imagine that this first-time user is non-technical, nor a digital rights advocate. She is just an ordinary person who has concerns about her online privacy, and, to some extent, cares about the companies’ way of handling users’ data and respecting their human rights in general. Let’s also assume that she only wants to use the IOS app version of these products.

1. Downloading on the App Store

Is the App free? If so, hold on.

Zoosk and Tinder both are available to download for free. In general, if apps are free, most likely their business model relies heavily on ads. This should give you a pause. Take a moment to reflect on the ways these companies advertise to you: do they share your data with third party marketers? What kinds of information is shared with third-party ads? These data aren’t always easy to come by. But if you’re looking for answers, the place to start is with the privacy policy. We will go over these policies a bit later in this blog.

Reviews

The first thing I took a look at before downloading the apps was the user reviews available on the App Store. Here are some from both apps that raise concerns about the safety and privacy of the users:

Zoosk’s users: “Lots of fake profiles, don’t waste your time and money” “Agree with the other reviewers. Stay away. Bot messages and tons of unpaid (real, fake or abondoned) users that you never really get to chat with unless you pay insane extortion fees. Should be pulled from the store. I want a refund” Tinder’s users: “Tinder is probabely 99% bots/fake accounts. It’s not worth your time since you’re going to be swiping left 29X in a row through all the fake accounts …”

Observation: Prepare yourself for scammers, bot, and fake accounts. Based on the reviews, it seems Zoosk users complain more about the scammers than Tinder. There are certain behaviors associated with fake account and scammers who want to rip off. It is important for the companies to address this issue on their Safety Tips page.

Version History

Always download the latest version of the app to avoid bugs and previous security hazards. Zoosk and Tinder are both good in terms of updating their version, in both cases pushing out updates a couple of times per month. But looking at the history of the versions does not show any details about the specific improvements made. To be fair, “bug fixes and minor improvements” is a common refrain in the version histories of most major apps – but due to their reliance on highly personal information, dating applications have an obligation to be more transparent than the norm. For example, I was hoping to find specific details of updates involving improvements to encryption, adding two-factor authentication, etc but neither Zoosk nor Tinder recorded any details about this.

Privacy Policy and Terms of Use

Those lengthy legal documents that you need to have a law degree to actually read? Sure, they can be hard to decipher. But it’s only by reading the fine print that you can know how much the company in question respects your right to privacy. As mentioned above, dating apps are heavily dependant on advertising. Zoosk and Tinder are no exceptions. The cookies embedded in both apps (and their third party advertisers) track an enormous number of data points used in targeted advertising, many of them highly personal. I’ve included a full list in this Spreadsheet.

Digital Rights advocates are working hard to make companies write easier to understand privacy policies in a more readable format. In this regard, Tinder’s privacy policy beats Zoosk because it employs less formal language and offers more clarifications and examples. However, none of the services provide adequate transparency and disclosures about how they handle government and other third party requests, or even whether they notify users about those requests.

2. Creating an account

Activation

Zoosk: You can either use your Facebook account or your email address to create an account on Zoosk. Tinder: Tinder only lets you authenticate a username with your Facebook account.

Upon creating an account with Facebook, Tinder guide you to its “Swipe with Friends” page and expose your Facebook friends. By default, your identity is exposed for your friends as well unless you hide it on privacy setting.

Observation: One might say that activating Tinder account with Facebook ID gives legitimacy to the account and is an effective way to minimize being tricked by bots and scammers. But be aware that partnering with Facebook for the login process brings drawbacks in the context of a dating app. It has become normal to share so many personal and vulnerable pieces of data on Facebook and Instagram that the thought of a dating app automatically gaining access to this enormous body of information is sobering. So, be mindful about your Facebook privacy settings in addition to your Tinder privacy settings.

One practice that both Tinder and Zoosk might implement to avoid this issue is to add another layer of privacy to the process, retaining Facebook ID as a login method but creating a firewall between all Facebook and dating app caches of personal information.

Gender Preference

Zoosk: Upon creating an account, to respond to “I’m a …” you can only choose one of these four options: “Man interested in women”

“Woman interested in men”

“Man interested in men”

“Woman interested in women” Tinder: Tinder doesn’t want you to reveal your gender but to respond to its “Show me …” question you have three options: Men, Women, Men and Women.

Observation: By default, Zoosk excludes non-binary genders and bisexuals.

3. Using the App

Congratulations! You created your account successfully. But, before using the apps read the Safety Tips provided by both apps, it’s easy to access and has very good tips to avoid potential hazards.

Safety Tips

Zoosk: The Safety Tips page is accessible in-app, very straightforward and covers topics such as the benefit of anonymity, using strong passwords, detecting scammers, avoiding and reporting them. It also refers you to FTC page to learn more about how to stay safe online and offline while using online dating apps. Tinder: Tinder excels Zoosk in offering Safety Tips. The tips cover topics such as learning how to be safe online and offline, tips about your health and STD vaccination, and even advice about connecting to organizations such as National Domestic Violence Hotline and Planned Parenthood. In addition to the Safety Tips page, Tinder has a Community Guidelines page to educate users about online civility including avoiding hate speech, harassment, protecting children online privacy, nudity and violence.

Encryption

As mentioned above, both apps have access to your personal information and messages. Until now, there is not any evidence of either app implementing encryption procedures that allow for totally secure and undiscoverable messaging. Tinder, however, has implemented a private Bug Bounty, offering recognition and compensation for developers who find and report bugs and vulnerabilities of the app. At least based on their publicly available documentation, this is a practice that Zoosk doesn’t offer.

Data Retention

Neither of these apps shows how long your data stays with them. In this regard they summarize their data retention policy to the following statements:

Zoosk: ”You may also contact us for assistance using the details below if you want to access, remove or deactivate your account information. Nonetheless, Zoosk expressly reserves the right to maintain and store any information or other data where Zoosk reasonably believes in its sole discretion that such action is required to comply with any legal or regulatory obligations or for the detection or prevention of criminal or other unlawful activity or where Zoosk has a legitimate business reason to do so …” Tinder: ”We keep your information only as long as we need it for legitimate business purposes and as permitted by applicable legal requirements. If you close your account, we will retain certain data for analytical purposes and recordkeeping integrity …”

4. Deactivation

Do you want to delete your account like you have never ever used these apps? Forget about it. The unfortunate truth is that, under the policies currently in place at both Tinder and Zoosk, this is impossible. Based on these two companies’ privacy policies and terms of use, even after deleting your account some of your information continues to lurk on their servers.

Zoosk: Zoosk makes it very hard for users to delete their accounts. If you only use Zoosk’s app, in order to terminate your account, you merely have the option of “pausing” your account for limited or unlimited time. You can visit the Zoosk website to learn how to permanently delete this information, but it’s not possible via the mobile app and is unnecessarily difficult to accomplish. Tinder: Tinder is a little better than Zoosk when it comes to avoiding “dark patterns.” Tinder lets you delete your account in-app. However, it also encourages you to “Go Hidden” instead of permanently deleting your account and erasing all that valuable user data.

With this post, I’ve tried to offer a brief overview for anyone interested in the privacy protection of two of the most popular dating apps Tinder and Zoosk. As a former tech worker, I don’t want to paint every tech companies with too broad of a brush, nor do I want to believe that they are inherently evil. Therefore, I see it as my task as a user and an actor in this ecosystem to know my rights, raise my voice, and hold them accountable.

I was still left with a nagging question at the end of this research: was what my friend told me true? Can Zoosk engineers really access private user data at will? I tried calling Zoosk’s customer service numbers, but none of them allowed me to reach a human being, or even leave a message.

In the end, this is precisely the problem: in the absence of public accountability and customer-facing public outreach, it’s impossible to know the real-world boundaries drawn by apps that manage highly sensitive data.

Perhaps some day these companies will take transparency seriously.

Until that day comes, I recommend that all prospective daters swipe left on dating apps that conceal their use of customer data behind dark patterns and uninformative websites.