By Tim Fitzsimons
Just a few months after a Chinese gaming company acquired Grindr, a gay dating app, employees of the app learned that the Trump administration was investigating the deal over national security concerns, according to two people familiar with the company.
The Committee on Foreign Investment in the U.S., an interagency group led by the Treasury Department that oversees foreign acquisitions of U.S. companies, began investigating Grindr as early as July 2018 because of concerns about the security of sensitive user data collected by the app, which included the HIV status of millions of gay people around the world, the sources said. Sources familiar with the situation say employees learned of the investigation from internal company documents and in a July 20, 2018, meeting with Grindr executives and representatives from a newly hired public relations firm.
Grindr, which has more than 3 million daily users, was wholly acquired by China’s Beijing Kunlun Tech Co. in January 2018. The deal immediately caused concern among national security experts and privacy advocates, who worried that China could harvest potentially embarrassing or sensitive private data from the app for espionage purposes. For example, China might be able to find out the HIV status of U.S. military or security personnel who use Grindr.
Reuters reported last Wednesday that Kunlun is trying to sell Grindr under pressure from the Treasury’s foreign investment committee over national security concerns. Committee officials did not respond to NBC News’ requests for comment or acknowledge that it had opened an investigation.
A spokesperson for Grindr declined to comment on the federal committee’s investigation and said in an email that the company “never disclosed any user data (regardless of citizenship) to the Chinese government nor do we intend to.”
The sources, who spoke with NBC News on the condition of anonymity to discuss sensitive company matters, said the federal investigation bolstered their own concerns about new leadership that had been installed by Kunlun. One source said they forwarded internal communications, some of which were shared with NBC News, to the company’s human resources department and the Grindr compliance employee tasked with managing the company’s response to the committee’s investigation.
The sources who spoke to NBC News did not offer any evidence that Chinese officials surreptitiously accessed Grindr user data but said changes to internal company communications put in place by Scott Chen, who was named Grindr’s chief technology officer shortly after the app’s sale to Kunlun, meant they were unable to ensure that the app’s data remained secure. Chen is currently president of Grindr.
Those changes included moving some company communications to WeChat, a Chinese messaging app that has caused concern among privacy advocates, the sources said.
“Scott [Chen] was increasingly restricting access to any kind of information, transferring everything over to WeChat and conducting all communications in Chinese, so it was very hard to keep tabs and help effectively police” data security, one source said.
The sources said some of those changes were rolled back after the foreign investment committee began its investigation, but added that the struggle to ensure data security is a continuing problem within the company.
But then something happened that increased the concern employees had about the company’s commitment to data security: Chen proposed a partnership with a team of HIV researchers with connections to the Chinese government.
On July 3, 2018, Chen informed three Grindr employees that Yiming Shao, an HIV researcher for China’s equivalent of the U.S. Centers for Disease Control and Prevention, was interested in working with Grindr. To facilitate this project, Chen wrote an email to the employees — obtained by NBC News — that suggested putting a full-time “intern” in Grindr’s West Hollywood, California, headquarters to do research and work on a paper about HIV prevention that would be co-published with the company.
“They are attracted by our brand, reach and data,” Chen wrote in the email. “We need to be extremely careful about their data request. Yiming is head of HIV prevention in China CDC. We can’t let people say this is about ‘sharing user data with the Chinese government.’”
One source who saw the emails said company employees believed that putting a person from Shao’s team in Grindr’s headquarters would put user data at risk. Employees sent the correspondence to Grindr’s chief compliance officer, who was handling the CFIUS investigation.
Dr. Susan Little, an HIV researcher and a professor in residence at the University of California, San Diego, accompanied Shao to Grindr headquarters on Aug. 6, 2018, for a meeting about a research proposal — one Grindr had previously ignored. Little had pitched Grindr on using “de-identified” user data to recruit study participants and provide sexual health education information through the app. But in an interview with NBC News, she said she never proposed putting a researcher in Grindr’s office.
“We were never going to get any participant data, any user data, directly in our hands,” Little said.
Asked about Chen’s proposal, a Grindr spokesperson said that the company never pursued the project outside of initial discussions.
“Grindr and the Grindr for Equality team periodically engage in discussions with highly respected national and international health organizations and researchers, including to help stem the spread of the deadly HIV epidemic,” the company said in an email. “Regardless of emails you may have regarding a very preliminary internal discussion, Grindr has never engaged any intern associated in any way with the Chinese government.”
The federal investigation of Grindr adds to growing concern among politicians and cybersecurity experts about China’s efforts to collect data on U.S. citizens. The worries have led to increased scrutiny about Chinese ownership of popular apps.
Sens. Ed Markey, D-Mass., and Richard Blumenthal, D-Conn., said in a statement last week that they agreed with the Committee on Foreign Investment’s decision to push for a sale of Grindr.
“We’ve previously raised concerns about Grindr’s privacy practices because this application serves uniquely vulnerable groups and collects highly sensitive information, including HIV status and sexual orientation,” they wrote. “In the wrong hands, this information can be misused in ways that threaten the safety and well-being of LGBTQ users around the world. These concerns are heightened when there is a risk of adversarial foreign actors being privy to the data in question.”
Tom Kellermann, chief cybersecurity officer at Carbon Black, a Massachusetts-based security company, said social media apps like Grindr are a target for the Chinese government because they could contain private data about people in potentially sensitive positions.
“Probably one of the greatest benefits of them having a footprint is their access to U.S. military personnel who are using Grindr, and maybe doing so in a private fashion,” Kellermann said. “This should be a very serious concern for anyone in the LGBT community who has connected.”