Users Promised Nude Photos Would be Kept Private When Company Knew Photos
Were Vulnerable to Exposure
Online Buddies Required to Pay $240,000 and Make Substantial Changes to Improve Security
New York Attorney General Letitia James announced a settlement with Online Buddies, Inc. (Online Buddies) for failure to protect private photos of users of its ‘Jack’d’ dating application (app), and the nude images of approximately 1,900 users in the gay, bisexual, and transgender community. Although the company represented to users that it had security measures in place to safeguard users’ information, and that certain photos would be marked “private,” the company failed to implement reasonable protections to keep those photos private, and continued to leave security vulnerabilities unfixed for a year after being alerted to the problem.
“This app put users’ sensitive information and private photos at risk of exposure and the company didn’t do anything about it for a full year just so that they could continue to make a profit,” said Attorney General James. “This was an invasion of privacy for thousands of New Yorkers. Today, millions of people across the country — of every gender, race, religion, and sexuality — meet and date online every day, and my office will use every tool at our disposal to protect their privacy.”
Jack’d has approximately 7,000 active users in New York and claims to have hundreds of thousands of active users worldwide, and is marketed as a tool to help men in the LGBTQIA+ community meet and form connections, date, and establish other intimate relationships.
The Jack’d app’s interface has explicitly and implicitly represented that the private pictures feature can be used to exchange nude images securely and, more importantly, privately. App users are presented with two screens when uploading photos of themselves: one for photos designated as “public” and another for photos designated for “private” viewership.
The Jack’d app gives users the choice to post photos on a public page that is viewable to all users, or a private page that is not viewable to anyone who users have not unlocked photos for.
The app’s public photos screen displays a message stating, “[T]ake a selfie. Remember, no nudity allowed.” However, when the user navigates to the private photos screen, the message about nudity being prohibited disappears, and the new message focuses on the user’s ability to limit who can see private pictures by specifically stating, “Only you can see your private pictures until you unlock them for someone else.”
The Jack’d app contains settings to unlock and re-lock private pictures, indicating that users are in complete control of who can and cannot view private photos. Additionally, Online Buddies’ marketing — including videos on the company’s official YouTube channel — explicitly stated that the app helped some users privately exchange intimate information.
Online Buddies specifically violated the trust of its customers by breaking the app’s user privacy policy, which says the company takes “reasonable precautions to protect personal information from…unauthorized access [or] disclosure.” This agreement was crucially important with Jack’d users since 2017 customer polls showed that these customers cared most about privacy, partly in response to increased bullying and hate crimes against the LGBTQIA+ community since the 2016 U.S. presidential election.
Privacy and security have proven to be especially important to users in the Black, Asian, and Latinx communities because of the greater perceived risk of anti-gay discrimination within each respective community. A June 2018 study by the University of Chicago surveyed a nationally representative sample of more than 1,750 young adults, aged 18-34, about discrimination, finding that 27-percent of whites reported “a lot” of discrimination against gays in their racial community, compared to 43-percent of Blacks, 53-percent of Asians, and 61-percent of Latinx. Approximately 80-percent of Jack’d users are individuals of color and had reason to fear discrimination from the exposure of their personal information or private photographs.
The investigation by the New York State Attorney General’s Office confirmed that Online Buddies failed to secure data — including users’ private photos — that the company had stored using Amazon Web Services Simple Storage Service (S3). The investigation also confirmed that senior management of Online Buddies had been told in February 2018 of this vulnerability, and of another vulnerability caused by the failure to secure the app’s interfaces to backend data. These vulnerabilities could have exposed certain personally identifiable information for Jack’d users, including location data, device ID, operating system version, last login date, and hashed password. Together, the culmination of these vulnerabilities created a risk of unauthorized access to a user’s private photos (which may have included nude images), public photos (which may have included the user’s face), and personally identifying information (including their location, device ID, and when they last used the app).
While Online Buddies immediately recognized the seriousness of its vulnerabilities, the company failed to fix the problems for an entire year, and only after repeated inquiries from the press. During the period that Online Buddies knew about the vulnerabilities but had not yet fixed them, the company also failed to implement any stopgap protections, establish logging to detect any unauthorized access, warn Jack’d users, or change representations about the privacy of their private photos and the security of their personally identifiable information.
Between February 2018 and February 2019, Jack’d had approximately 6,962 active users in New York State, of whom approximately 3,822 had one or more private photos. Given the sensitive nature of private photos, investigators within the New York State Attorney General’s Office did not review specific images and thus could not determine exactly what proportion of such photos were nudes. However, after conferring with those familiar with Jack’d and other similar apps, investigators gathered that roughly half — or approximately 1,900 Jack’d users in New York — had private images that could be nude photographs.
As part of the settlement with the New York State Attorney General’s Office, Jack’d will pay the state $240,000, as well implement a comprehensive security program to protect user information and ensure that any future vulnerabilities are addressed promptly.
No comments:
Post a Comment