Online dating is a fast-growing industry and from my perspective as a security researcher and privacy activist, dating sites are a great way for me to go and get data on people that you don’t get otherwise. Looking at a corporate bio or a LinkedIn profile of a person, you get a very clean, almost antiseptic view of who they are. When you go to the dating sites, you learn so many things about them including stuff that they probably never even revealed on Facebook. What they like to drink, their sexual activities, restaurants – you get a complete profile of the person. On the attack side, it’s a great way to go and get information on a person. And then it gives us social engineering or other attack vectors. On the defense side, what I find frightening about dating sites is people reveal so much. And once they’re in a relationship, or they pull up the account or they stop paying the dues, the information never goes away.
The second more prevalent danger with dating sites is the sheer number of them. If you will notice, 10-15 years ago, there may have been one or two dating sites that existed, however now there are thousands around the world, each one claiming tens of millions of members. Most people join between 1 and 5 dating sites when they are actively looking, but in reality, your data will be on several hundred to several thousand dating sites around the world, because every dating site start-up either buys, steals, or sucks in the data from other dating sites to bulk their member portfolio. If you look on television, especially in the evenings and late nights, almost every other commercial is for a dating site. They all claim millions of members. If you actually do some analysis you’ll find there is a lot of overlap because either people join multiple sites or because each site copies content from the others. And if you update something on – let’s say you’re on Match, and I’m speaking as an example – let’s say on Match you put in you like chocolate. Great. And then you go and change your mind a few months later: “You know what, I really don’t like chocolate, I like coffee.” So let’s replace coffee and chocolate in my example with something a bit more embarrassing or a bit more adult. We have found numerous cases of executives and business owners being compromised because either they put something out there on their dating sites that they would normally not admit to in public, or on LinkedIn, or on the corporate bios, or to the people they were dating, and it’s ended up on these hundreds of dating sites without their knowledge.
Most people never think about deleting data once they release it, and the dating sites make it very, very painful, almost impossible. Let me rephrase that. They make it impossible to delete your data. You have to come through a lot of hoops. And as a result, people don’t bother because it is not in the dating site’s interest to have their membership counts drop. They all brag, “We’ve got 50 million fishes in the sea for you.” One of my favorite examples is when Julian Assange was doing WikiLeaks, you couldn’t find much about him online because he had led a very, very clean low profile except for leaking the data, or helping publish leaked data. We found more embarrassing data by Julian Assange off of dating sites than the rest of the internet combined. And this is happening in every country, in every jurisdiction. If I’m going to find something embarrassing about anybody, first place to look for that is on Facebook. Second, we look at dating sites.
Whether it’s dating sites, LinkedIn, or Facebook, do not put anything online that you wouldn’t want to explain in court to a judge. We all have done something that we are not proud of that we would prefer the world not be made aware of. These things we all do as adults or have done as kids should never be spoken of inside of a courtroom. Don’t be as blatantly open online. There is no anonymity. If you are in a smoky, crowded bar or a restaurant, you can say things to your potential spouse or potential date and not put it online. Do not put it in an email and do not put it online. Whatever you say now can and will come back to haunt you years or decades into the future.
If you have questions or concerns about your privacy and security, please contact me at raj@brainlink.com.
Related articles: