Is your own personal Ashley Madison nightmare just a click away?

Renowned cybersecurity expert offers Imstilljosh readers tips for staying safe on dating sites and apps

Like this journalist’s Facebook page

By now, most of us probably know at least one person related to the Ashley Madison hack. And boy is it ugly.

But let’s face it. Gay men invented the idea of the hookup site/app. And many of us use them all the time.

If one of the sites were hacked, not only could the whole world possibly find out you’re gay, but also whether you’re a top or bottom, into kink or body contact, etc.

For many, they also could find out your HIV status.

What if gay sites were hacked like Ashley Madison? Would #HIV positive ppl be outed? @DavidHeitz reports Sunday! pic.twitter.com/FdI431U8PC

— Josh Robbins (@imstilljosh) September 5, 2015

For many years now, there has been a push to disclose your status on online dating sites/apps as a way to protect yourself in the event of an HIV criminalization case. The laws may be arcane, but going to jail for not disclosing your HIV status, even if a person isn’t infected, is making headlines every day.

And some sites, such as Positive Singles and Volttage, are specifically for people with HIV searching out others with HIV. If one of those were hacked, your status could become known simply by your association with the site.

“The hacking of social hook-up sites is yet another cautionary tale about the inability to protect against hacking, particularly in view of increasing sophistication among hackers,” Mayo Schreiber Jr., deputy director of The Center for HIV Law & Policy, told Imstilljosh. “For anyone watching any part of this, it is hardly surprising that Ashley Madison was hacked, nor would most of us expect them to have a more sophisticated security system than the U.S. government.”

Indeed, the U.S. government has been hacked by the Chinese. Planned Parenthood also has been hacked.

Russian Grindr’ targeted by Kremlin?

An operator of a Russian gay hookup site already has claimed his site was hacked, but some have questioned whether it was just a publicity stunt. He reported the alleged hacking in an email to Towleroad. In that case, it was surmised that the Russian government hacked the site and deleted thousands of profiles to prevent gay people from hooking up during the Olympics in Sochi.

Sean Sullivan is a security advisor with F-Secure Labs, a global cyber security company. Reached by Google Voice Friday morning at his office in Finland, Sullivan told imstilljosh that one way to have your information breached on a gay hookup site is by clicking on third-party ads.

Sullivan said this already has happened. He said an unscrupulous advertiser used Grindr’s platform to automatically dial international numbers when iOS users clicked on the ad. You can read John Leyden’s report in The Register of the U.K. by clicking here.

Sullivan said that once these malicious ads have your cell phone number, they have your identity, too. “You don’t know who’s on the other end, is it a criminal or an unfriendly regime?” Sullivan said. “And a homosexual audience generally wouldn’t complain about such fraud.”

Although ads sold directly by Grindr would prompt users that a call was about to be made, Sullivan said, this third-party advertiser did not. The advertiser piggybacked on the permissions users granted Grindr when they downloaded it.
Sullivan said Apple has been working aggressively to patch security issues, but added that with Android apps “it’s still the wild, wild west.”

Grindr, Scruff and Online Buddies (who operate Manhunt and Jack’d) did not respond to requests for comment by Imstilljosh.

Tips for staying protected online

So what can you do to protect your information from rogue hackers on dating sites and apps? Sullivan offered these tips:
1. Use a dedicated account for phone/app management that is separate from your “contact” accounts. This can be tricky for Android but it is not impossible. You can create a Google account without using Gmail. Here’s how you do it. Don’t use your name for email address.
2. Don’t use your email address for your user name when creating accounts, even though there has been a general push in that direction.
3. Consider using a Tor browser or VPN (virtual private network). Tor provides free software that users can download and thereby browse using a network of volunteer-operated servers.

“Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers,” the Tor website states. “Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they’re in a foreign country, without notifying everybody nearby that they’re working with that organization.”

VPNs work as a sort of firewall while you’re online. Here is a list of the best VPN services that recently was published by PC Magazine.
4. Don’t use your real name as your user name on dating sites.
5. Have different passwords (and user names) for all the different sites/apps you use. Write them down on a piece of paper and keep their in a secured part of your home to remember them.
Aren’t criminalization laws, stigma the real problems?
Meanwhile, there is a movement afoot advocating that health information needs to be better protected in this online age or people simply won’t use it. HIPAA requires certain breaches of health data to be reported, but it does not cover the vast network of sites that now contain a person’s health information, and certainly not dating sites/apps. A research letter in the April 15 Journal of the American Medical Association (JAMA) described the problem.

So to disclose or not to disclose?

Says Schreiber, “People living with HIV may be better protected from being criminally convicted under an HIV exposure statute as a result of having sex with someone on a hook-up site if they include their status in their profile. Most of the criminal statutes penalize non-disclosure, even when transmission has not occurred. “

But he adds the defense still may not be airtight, because the sexual partner may claim they did not see it or that the person with HIV assured him or her on hooking up that in fact he/she isn’t HIV-positive. “Anecdotally, based on the calls that CHLP receives, many arrests as well as many broad re-disclosures of a person’s HIV status occur when partners split up or by malicious former friends. In my time at the CHLP I am not aware of anyone calling whose status was hacked from a hook-up site.”

The broader issue, Schreiber said, is that putting the onus on HIV-positive people to “disclose, disclose, disclose” hasn’t worked anyway. He said decades of such rhetoric combined with felony transmission laws have proven “utterly ineffective in terms of dealing with the spread of HIV and other sexually transmitted infections (STIs) from a public health perspective.”