Online dating services: Risking more than a broken heart

People looking for companionship are trusting online services more than ever. Is that trust misplaced? Michael Kassner looks for the privacy and security gaps in online dating.

I'm single. But I have friends, and depending on which ones I'm with, either they're jealous or consider me to be a lonely guy. As of yet, I haven't figured out who's right.

Perfect storm

The "should Michael date" debate came to a head recently; both sides were represented at a gathering I attended. One well-intentioned friend started the melee, suggesting that I join an online-dating service being that I'm a digital kind of guy. A member in the opposite camp volleyed back -- signing up takes forever. There have to be at least 10 forms to complete.

I was about to ask how the person rebutting knew that. Thankfully, for once I decided keeping my mouth shut should overrule curiosity. It got me thinking though. That's a lot of sensitive information traversing the "wild and woolly" Internet. How safe a trip is it?

Investigative mode

Sensing a way out, I told my helpful friends -- hinting at my sacrifice -- it's my duty to ensure all Personally-Identifiable Information (PII) is safe from prying eyes. So, I'll check it out.

I didn't have to look far. The Electronic Frontier Foundation (EFF) is all over this. From their perspective, there's work to be done. In the post "Six Heartbreaking Truths about Online Dating Privacy", Rainey Reitman points out the areas of concern for my pro-online-dating friends.

Here's the scoop. Reitman divided deficiencies into categories. Below is an overview of each:

Your dating profile -- including photos -- can remain visible after cancelling the account. It seems lots of people have a change of heart and decide to reactivate their account. So most dating services hang onto the profile long after the person has left.

Another concern involves photos and how they are stored. Many dating services off-load photo storage to Content Delivery Networks. Joseph Bonneau, Ph.D. candidate at Churchill College at Cambridge UK, explains:

"The main website provides an obfuscated URL for the photo to anyone it deems has permission to view it. But, removing the photo from the main website didn't always remove it from the Content Delivery Network. This means that Content Delivery Networks can maintain caches of sensitive photos even after users "delete" them, leaving photos vulnerable to being rediscovered or even hacked in the future."

Vulnerabilities exist, particularly among mobile dating sites. One example was a security flaw that allows an attacker to locate dating-service members -- using GPS technology -- without them knowing.

Profiles can be indexed by search engines. Apparently some -- not all -- sites publicize profiles, meaning they can be indexed by search engines. Reitman mentions that WikiLeaks' Julian Assange fell victim to this because of his OkCupid profile.

Pictures can foil attempts at anonymity. Until reading this article, I hadn't paid much attention to how good photo-identification services have become. You can try all you want to anonymize your profile, but if there's identifying information associated with a picture you upload, it's all over.

Reitman suggests using either TinEye or Google Image Search to see what information is provided with the photos you intend to upload to the site.

Your data is helping online marketers. This is a sticky subject. I've tackled it numerous times. Depending on which side of the fence you land, targeted advertising is either good or bad.

There is one area you should be concerned about -- that is the selling of supposedly sanitized databases to third-party marketing firms. Regardless of the anonymized claim, when multiple databases are melded together, it is possible to isolate individuals. Dr. Arvind Narayanan, a privacy expert at the University of Texas, convinced me of this when I was working on "Electronic databases: What's new with privacy concerns."
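The effect described above can be measured before a data set is released. The following is an added example, not code from the article or the EFF: a k-anonymity audit over two constructed "sanitized" exports. The column names, the records and the shared pseudonymous id used to join them are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data: two "sanitized" exports keyed by the same
# pseudonymous id (no names, e-mail addresses or street addresses).
DATING_EXPORT = {
    "u1": {"age_band": "30-39", "city": "Minneapolis"},
    "u2": {"age_band": "30-39", "city": "Minneapolis"},
    "u3": {"age_band": "40-49", "city": "St. Paul"},
    "u4": {"age_band": "40-49", "city": "St. Paul"},
}
MARKETING_EXPORT = {
    "u1": {"occupation": "nurse"},
    "u2": {"occupation": "teacher"},
    "u3": {"occupation": "nurse"},
    "u4": {"occupation": "teacher"},
}


def equivalence_classes(rows, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(row[c] for c in columns) for row in rows)


def k_anonymity(rows, columns):
    """Size of the smallest group; k == 1 means some record is unique."""
    classes = equivalence_classes(rows, columns)
    return min(classes.values()) if classes else 0


def isolated_fraction(rows, columns):
    """Share of records that are the only member of their group."""
    classes = equivalence_classes(rows, columns)
    unique = sum(1 for row in rows
                 if classes[tuple(row[c] for c in columns)] == 1)
    return unique / len(rows) if rows else 0.0


def meld(left, right):
    """Join two exports on the pseudonymous id they have in common."""
    return [{**left[i], **right[i]} for i in sorted(left.keys() & right.keys())]


if __name__ == "__main__":
    dating = list(DATING_EXPORT.values())
    marketing = list(MARKETING_EXPORT.values())
    merged = meld(DATING_EXPORT, MARKETING_EXPORT)
    all_columns = ["age_band", "city", "occupation"]
    print("dating export alone, k =", k_anonymity(dating, ["age_band", "city"]))
    print("marketing export alone, k =", k_anonymity(marketing, ["occupation"]))
    print("melded, k =", k_anonymity(merged, all_columns))
    print("melded, isolated share =", isolated_fraction(merged, all_columns))
```

Each export on its own hides every member in a group of at least two; once melded, every record is unique even though no name was ever present.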

Online dating sites do not use HTTPS. The EFF examined eight popular online-dating sites with regards to HTTPS. Here are the results (courtesy of EFF).

Only one, Zoosk, uses HTTPS by default. EFF mentioned some of the sites use HTTPS for logging in, then shut it off. That's not good as sensitive traffic is still exchanged after the login.

The chart also shows which sites serve portions of their content unencrypted. That's not good; images or profiles could be transmitted in the clear. Again, only Zoosk used a secure connection for all traffic.

Also of concern, not one of the tested sites used secure cookies. Blog author Marcia Hofmann explains why that's bad:

"If the cookies are not "secure," an attacker can trick your browser into going to a fake non-HTTPS page (or just wait for you to go to a real non-HTTPS part of the site, like its homepage). Then when your browser sends the cookies, the eavesdropper can record and then use them to take over your session with the site."

Hofmann also mentions that stealing information stored on cookies is easier than ever with the advent of Firesheep, a Firefox extension designed to capture unencrypted cookies and display the information in the web browser.
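The two problems described above (HTTPS switched off after login, and cookies set without the Secure attribute) combine as shown in this added example, which is not code from the article or the EFF. It audits constructed Set-Cookie headers against a constructed list of post-login requests; the host dating.example, the cookie names and their values are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: Set-Cookie headers from a site's HTTPS login response.
LOGIN_SET_COOKIE = [
    "session_id=abc123; Path=/; HttpOnly",
    "csrf_token=xyz789; Path=/; Secure; HttpOnly",
    "prefs=lang-en; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]
# Constructed sample: pages the browser requests after login. The site
# drops back to plain HTTP once the login form has been submitted.
POST_LOGIN_URLS = [
    "https://dating.example/login",
    "http://dating.example/",
    "http://dating.example/profile/photos",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def missing_secure(headers):
    """Names of cookies set without the Secure attribute."""
    return [n for n, a in map(parse_set_cookie, headers) if "secure" not in a]


def cookies_sent(headers, url):
    """Cookie names a browser attaches to a request for `url`.
    Simplification: Domain and Path are assumed to match every request."""
    is_https = urlsplit(url).scheme.lower() == "https"
    return [n for n, a in map(parse_set_cookie, headers)
            if is_https or "secure" not in a]


def cleartext_exposures(headers, urls):
    """(url, cookie) pairs that would cross the network unencrypted."""
    return [(url, name)
            for url in urls if urlsplit(url).scheme.lower() != "https"
            for name in cookies_sent(headers, url)]


def harden(header):
    """Return the header with the Secure attribute appended if absent."""
    _, attrs = parse_set_cookie(header)
    return header if "secure" in attrs else header.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    print("Set without Secure:", missing_secure(LOGIN_SET_COOKIE))
    for url, name in cleartext_exposures(LOGIN_SET_COOKIE, POST_LOGIN_URLS):
        print(f"sent in the clear: {name} -> {url}")
    fixed = [harden(h) for h in LOGIN_SET_COOKIE]
    print("After hardening:", cleartext_exposures(fixed, POST_LOGIN_URLS))
```

With the Secure attribute on every cookie, the plain-HTTP pages still load but no cookie travels with them, which is why the attribute matters even on a site that only partly uses HTTPS.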

Things to check

First and foremost, EFF suggests reading the site's privacy policy before you sign up. Look specifically for:

  • How the data involved with deleted profiles is treated.
  • How the site informs members of changes to the privacy policy.
  • How to limit access to site members if profiles are made public.

I personally don't read privacy policies, they're cryptic by design. If I have a question -- no matter how slight -- I call and get clarification. How the service provider handles my inquiry in itself is an indicator.

If you have a concern or are dissatisfied, Reitman suggests filing a complaint with the Privacy Rights Clearinghouse's Online Complaint Center.

Final thoughts

I just emailed the research for this article to my friends advocating online dating. It will be interesting to see what their next step will be.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

70 comments
JCitizen

I'm WAY late to this discussion; but here goes. I've had better luck simply posting to forums such as this. I've met several very nice ladies that way! I will probably never go back to these regular sites; but I am tempted to try the Christian dating sites. I bet they are the worst for security though! LOL! :D

burtmoss7643

That's why I don't just believe anything anyone says about dating sites. I try to get information from independent sources who have had experience with different sites before I commit to joining. A number of these dating sites charge a monthly fee but there are free sites available that many people don't know about that offer much of the same functionality as the limited trials that most of the paid sites offer. I remember joining one paid site and communicating with a woman that I was trying to get to know but it quickly became obvious to me that it was some type of scam she was running. That wasn't the case with all the women on the site, and not to say that this doesn't happen with other sites because it probably does. So what I normally do is try free sites or sites with free trials to get a feel of which ones work for me and which ones don't before I commit. I look for sites that have a good reputation and history before I just jump into the paid membership. This is a site that was referred that offers good information on some of the better free sites out there http://topproductreviews1.org/dating/top-dating-site-reviews , in many cases they have researched the sites or been members themselves and offer their opinions about which ones they feel are worth the time. They provide the same feedback for other sites as well; their recommendations seem to correlate with most user experiences.

RipVan

They showed me profiles of other co-workers on dating sites. They found them using basic searches. And the things they said about them!!!!! I am very late replying to this thread, but if anyone does see it, just make sure you DON'T put in a picture. Yes, the sites tell you that your chances of a reply are diminished. But your chances of NO RIDICULE among your co-workers just went WAY UP!!!

andrew232006

Whenever I post something online I expect it to be public. You really don't need to expose any personal information to use a dating site.

britnat

Thanks Michael, but this is barely scraping the surface of what awaits lonely "hopefuls" out there. If a user is ever insane enough to use a credit card - at best he/she will find it difficult to "terminate" the membership. It is simply renewed automatically, and your card debited. You can scream, perform, threaten - you'll never get your money back. Read the "User Agreement" to see why. And worst case? Close the account or live in fear. Then there are the sites that originate from Eastern Europe, Russia and Ukraine. These, (and many others) are simply "honeypots", booby trapped with trojans and other "drive-by" nasties, real and virtual. You should see what happens when these get loose on a corporate network or PCs loaded with personal data. And, as far as images / personal data are concerned - once posted these become fair game for all sorts of nastiness. Then there's "Internet Insanity". People who wouldn't be seen in public in a bikini get "persuaded" into putting "private" nude pics up for "friends" - whom they've never met in person. Low res risque photos can be "enhanced" with some very clever software. The results are amazing. These pics are reused by bogus members - to hook other unsuspecting users. And, Murphy's Law, these pics have a way of being stumbled on by business associates. End results - smashed relationships (personal and professional), loss of "face", indignity, and permanent fear of being stalked. These comments are based on investigations done for clients. Full stories are book length. Saddest part - many victims are naive, lonely, middle-aged women. End of story.

liljim

I have belonged to several dating sites, at various times. I have successfully negotiated dates on them which came out very well. However, it irritates me to no end when I am inundated with emails from "interested" dating candidates, that want to date me as soon as I pay for the dating service. One look at the contact and my own marketability tells me they are not legitimate. Why would a 28 year old knockout blonde or redhead want to date a 63 year old divorcee with limited economic attraction? It does not make any sense, unless these ladies are rewarded for scamming lonely posters to sign up and pay to be scammed. I have had these experiences with Zoosk, eHarmony, OKCupid, Yahoo personals, and Lavalife. As soon as I receive even one of these bogus interest emails, I kill my profile. But a search of these websites seems to continue to show my profile as active!! These companies are cynical exploiters of the lonely. Lonely men and women are all too vulnerable and the idea that commercial enterprises are interested in exploiting them just makes me sick.

pgit

Geez, I fell off my chair when I read this: "I personally don't read privacy policies, they're cryptic by design." But thankfully you redeem yourself immediately: "If I have a question -- no matter how slight -- I call and get clarification. How the service provider handles my inquiry in itself is an indicator." Nevertheless, it is important to read, and be able to read THROUGH, all EULAs, privacy policies, terms of use etc etc. That stuff is there for a reason and, most unfortunately, carries an inordinate amount of weight in today's (grossly) over-lawyered world. Too bad there aren't better classes on how to read around boilerplate to filter out the meat in 'legal notices.' The problem is the teacher would have to be one massively jaded, cynical person, such as myself. :) I dealt with government regulation compliance in a big way, so I have a good foundation in reading this kind of garbage. You're right, it's very intentionally muddied, and for the most cynical of reasons a paranoid mind could concoct. (plus ten) I have to say, in all the world of legal notices, internet related terms are the most convoluted, overwhelming and open-ended (non-specific) of them all. It's the wild west indeed. Unfortunately the lawyers landed on this frontier before the homesteaders and paved over the whole space with broken glass. This one is tough, because as you conclude, people get conditioned to just give up and take whatever benefits they perceive. And in the dating game, I have to say the folks I've known who've used it have benefited immensely from it. I have never personally spoken to someone who used on line dating and had a bad experience with it. Given the results, I think the forces of nature will rapidly erode privacy to where there will be no grounds on which to legally fight back against invasion of privacy. Eric Schmidt was right.
Now, within a year or two, the deployment of drone aircraft by every dog gunner, code enforcer or 2 bit police force will drive privacy to extinction. For now, you can just unplug the internet, but by the end of 2015 it's all over, unless people wake up and toss the present control freaks out of the seats of power. Fat chance, that, eh?

radleym

Please don't use "as of yet" - there is no such grammatical construct. It's properly "as yet". Thank you. The Committee to Stamp Out As of Yet

dayen

Seanferd sees the problem clearly; it worries me that people don't remember loose lips sink ships. I am about security: the more the better, the less that goes outside of the network the better. I better not find people on my network doing online dating, and if it is on their home computer they better not have any files from work nor remote access. Policy: no work at home!

jp-dutch

1) You can force https yourself by using the Firefox add-on https everywhere.
2) On the site I used an alias and a separate email-account, used only for dating. Both of them not related to my real name. The rest of my info was correct, of course!
3) In my profile I did not mention my address, only the city. If you live in a small community indicate that you live in the neighbourhood of a city.
4) If you meet somebody, establish true identity and meet in a public place.
NB 2 years ago I met my present wife on a dating site, so good luck!

Michael Kassner

I particularly appreciate the link to the review site--more information is always helpful when deciding.

bboyd

Too bad you didn't want your picture on a dating site. Ha Ha see it's funny. Oh and you have no decent way to get it removed. I just got all the info I needed from the company hard drives where HR stores info unencrypted in a spreadsheet. Why is it in a spreadsheet? How about because they needed an easy way to generate ID cards and it was way more convenient to sort that way. Plus over in accounting they had routing information so that if you needed to be reimbursed for travel it would be easy. Oh wait where did I get the rest of that info....I just got a free credit check! The above was a fallacious invention of my twisted mind

LedLincoln

Andrew232006 I am hot Russian woman ready to marry if only you will post nude photo we exchange pics. [/lame joke]

Michael Kassner

The forms I saw exposed a great deal of personal information--pretty much a psych eval.

Michael Kassner

It looks like I can download the podcast. It was interesting to read about the EU giving Google grief about the new privacy policy.

Michael Kassner

To avoid any kind of reoccurring charge, I use a credit-card service that offers one-time numbers. If they want more, the business will have to ask me to setup a new charge.

JCitizen

on a whim, I got the same thing. So I switched sites - and got bombed even worse! I've never gone back. I was really only satisfying my curiosity anyway.

Zwort

>Geez, I fell off my chair when I read this:
>"I personally don't read privacy policies, they're cryptic by design."
>But thankfully you redeem yourself immediately:

This can go a little way to helping: http://www.javacoolsoftware.com/eulalyzer.html It's important to read them. I read, perhaps here or on The Register, that someone put a sneaky line in saying that anyone who read the EULA and contacted the product owner/writer would receive £1,000. After a long time someone did.

Michael Kassner

If one of the regulars was going to call me out. My new-found attitude is the resultant of research for my next article--about how researchers are able to determine all sorts of things about the author just from writing style--pronouns in particular. Privacy legalese is meant to confuse. So, I don't let it. I have a good idea as to what works for me regarding privacy. I ask the questions, get answers, and save the document. Any issues, I have my case.

chris

Well If I worked at your company, the no work at home rule would be fine with me. However I have never worked anywhere where I would not be expected never to do any work from home. Of course Using any kind of dating website from work is inexcusable as getting dates has nothing to do with work.

Michael Kassner

I have not read of any issues other than identity-loss occurring. That is bad enough though, if you are the victim.

Michael Kassner

I was hoping for a happy solution comment. And you gave one. Thanks. You do have it covered. The only area you did not mention was pictures. They are all telling.

Zwort

Oh yes, add on components are vital, such as HTTPS everywhere, Ghostery, Better Privacy, Do Not Track plus, No Script, Site advisor, the Avast(!) bolt on, Perspectives, PrivacyChoice TrackerWatcher; sadly the Firefox development cycle was so quick that the writers of PhishTank SiteChecker and SSL Blacklist Local Database appear to have given up for the while. As with you, so with me. I do not register with my real name unless I have to (bank, professional society, gummint [...]). I use the Royal Mail find a postcode pages and a map to find matching street and postcode, even for this site. People should also resile from data indicating wealth. When meeting people, if doing so without 'air cover', it's a good idea to establish either an open text link or a time by which the date is over and comms can be re-established. Always use your own transport. Congratulations BTW. I'll see you in The Programmer's Arms for a pint of real ale!

Michael Kassner

I see the only trip-up is having to provide payment information. But, if someone is dedicated enough, I guess that would not be an issue.

bboyd

Didn't I see you in a commercial?

Michael Kassner

Ever since Zappo had their fiasco, that kind of spam has multiplied big time.

HAL 9000

Deleting your post as there is no picture included. :D What's the point of the Net if I can not see Porn when I go anywhere. :p Col 0:-)

JCitizen

the Dragon form of Chrome by Comodo has a way better EULA than Google. I quit using their search engine, and switched to Bing. I still have a Gmail account but I never use it. I block Google analytics every chance I get.

Zwort

You may not be aware of our current privacy scandal in the UK, so-called 'phone hacking'. People quibble with the term 'hacking', whereas others in (e.g) news:alt.2600 say that even social engineering is hacking. Anyhow, some 'famous' people did not change the four digit pass code/number for their voice mail & have some newspapers, e.g. the former News of The World and other newspapers went through their voice mail in the same way they do through bins. Discredited, the NoTW was shut down in an attempt to protect the rest of Rupert Murdoch's empire, but it looks as if most British newspapers have been at it. If it is electronic *always* change the password. Router setup, wireless networking, everything. I will not use wireless networking in my house, and do it through the plugs instead. I almost threw away a receipt the other day, only to notice that it carried an important item of personal information; I shredded it using my cross cut shredder. The waste goes to a council run unit, and I make sure that it is spread across all of the other shredded material. Someone suggested I use also my composter. They have a point. Security applies to everything, everywhere. I hate being photographed, and do my best to deter people from inflicting this on me. I started to think that the dislike by 'primitive' people of photographs may be founded on the same reasoning as mine.

JCitizen

Eulalyzer... I've been meaning to try that for quite a while!

Michael Kassner

I do a cursory read. I'm wondering how much more intently anyone reads them. And, all it takes is one simple sentence in the super fine print to disavow any responsibility.

pgit

That sounds fascinating. Pronouns are the red flag, eh?

JCitizen

But then we refuse to talk outside our country heritage; proper English be damned!

Michael Kassner

I see I have a lot to learn. Thanks for sharing your experiences.

bboyd

We have so many anonymity functions that can be used. Small amount pre paid cards would serve that purpose. A friend of mine secures his bar tab with a card that contains 60cents. Then later on he pays cash.

JCitizen

I assume you mean electrical outlets. It is a handy way to transfer Ethernet connections without rewiring the house. I had a client who discovered that their organization was being surveilled through the electric lines, with keylogger technology. It turned out any script kiddy can buy the parts from radio shack to make it work!! I was floored!! These criminals are very gutsy! I've had clients actually catching the crooks placing battery operated wireless phone bases in their phone box on the house!!! The crooks also used their caller ID list to harass and intimidate, or otherwise besmirch the reputation of the victim by placing phone harassment calls to random victims using the caller ID of the original target. They download this utility from the internet to jail broken track phones that can't be traced. I just can't believe the ingenuity of the devil! :-q ]:)

JCitizen

and have for consumers. Consumer's Union has a political action arm now; and we managed to get quite a few concessions in the last Consumer Protection Act. Privacy has been one of our issues.

AnsuGisalas

it will take some doing, seeing as how the political machine has taken that power away through the smokes and mirrors of "two party rivalry".

Michael Kassner

That same attitude is shown with the Pin and Chip versus mag strip credit card liability.

AnsuGisalas

Over here no amounts of private agreements (EULA, Privacy Policy, etc.) can take away an individual's right to privacy. The agreements simply can't remove responsibility from the soliciting party (the one asking for the data). If they want the data, they have to follow the rules. I like that, because it emphasizes the "don't ask about what you don't want liability over" policy, which is prudent in any case.

dayen

how do I monitor for that it outside my network is there a program to check for clients using a cell phone or other device to connect ?

Zwort

...and what about people who use their smart phones or a dongle to connect their portable IT, during their breaks?

JCitizen

sounds like what I do all over the internet! :)