tl;dr
Block Contacts is a new feature in Tinder that lets users avoid certain people on the app, even if they hadn’t matched. Using this feature, a user can share with Tinder the contact information of whoever they would like to block. Tinder will then use this information to prevent blocked contacts from seeing each other on the app. We verified that the app only shares the contact info of the blocked contacts, and not the entire contact list. However, users should be aware that Tinder collects the full name, email addresses, and phone numbers of every blocked contact.
Block Contacts
Tinder is a popular online dating app. It’s the original “swipe and match” mobile dating app which every other dating app has copied been modelled after. Recently Tinder introduced a new feature called Block Contacts, which lets users avoid certain people who may be using the app. There are a variety of reasons why one would do that. For example, some don’t want to see or be seen by exes or co-workers.
So how does it work?
If you’re using Tinder and would like to block someone, all you need to do is share their contact information with Tinder. You can do this manually by entering the person’s name, email and/or phone number. Alternatively, you can grant the app access to your phone’s contacts and simply pick who you want to avoid. Now, any Tinder user who’s registered with a blocked e-mail or phone number will be hidden from you, and likewise you will be hidden from them.
It’s a nice, and perhaps necessary, feature. But has Tinder implemented it in a way that respects user privacy?
Privacy Concerns
Whenever there is handling of user information, such as contact information, many questions immediately arise. Let’s explore some of the privacy concerns about this feature.
The Entire Contact List?
Tinder offers the convenience of selecting which contacts to block from the phone’s contact list. To do that, a user needs to grant Tinder access to the phone’s contact list, which are protected by the operating system (iOS or Android). When granting such a permission, some would be concerned whether app is actually uploading their entire contact list to Tinder’s servers. This is a reasonable concern, especially since it did happen in the past. Thankfully, Tinder has assured users that the app uploads the contact information of only those selected to be blocked. Tinder also specified what information gets sent: name, email and/or phone number.
If you opt-in to the feature, we use your contact list so that you can quickly and easily select contacts you’d like to avoid on Tinder. Each time you visit Block Contacts, we’ll pull your list of contacts from your device so that you can pick who you would like to block. When you leave the feature, we’ll only keep the contact information for the people you have blocked (name, email and/or phone number). We’ll use this information to help prevent you from seeing your blocked contacts and from them seeing you (assuming they created an account with the same contact info you uploaded).
https://www.help.tinder.com/hc/en-us/articles/360039684672-Block-Contacts-
Can we verify that?
Yes, we tested the feature while watching the app’s network traffic. Doing so allows us to see exactly what the Tinder app is sending to a server when using the app. We used ProxyMan, a web debugging proxy which allows us to capture and analyze HTTPS traffic. Lucky for us, Tinder does not use certificate pinning, which makes it easier to inspect network traffic without needing to modify the app.
We used an iPhone in our test, and created several dummy contacts in the built-in Contacts app. Each dummy contact has a profile photo, full name, date of birth, multiple email addresses, phone numbers, addresses, etc. We included all these details in our dummy contacts to see what info ends up shared with Tinder.
(On a side note, we would like to thank Ronald Duck, Senior Duck Manager at Duck GmbH, who kindly volunteered to share his contact information with us for this test.)
Then we opened Tinder, went to Blocked Contacts, and gave it access to the phone’s contacts. The app listed all the contacts but only displayed the name, email addresses, and phone numbers of each contact. It left out all other information, such as profile photos and addresses. So far, the app had not uploaded any contact to any server; they were only displayed locally in the app.
Then we picked a contact and marked it as blocked. Still, no contact was uploaded. The moment we hit “save,” the app uploaded only the contact we selected. No other contacts were uploaded.
Here comes the interesting part. The app uploaded the full name, all the email addresses, and all the phone numbers of that contact. Notably, it left out all other details. This is what the Tinder app sent to the server:
Concerns for Registered Users
To sign up to Tinder, you need one phone number, one email, and a nickname. If you are a Tinder user and another user blocks you, this means there is a good chance Tinder knows your real name (or any other name you go by). Worse, if the user who blocked you keeps multiple emails and phone numbers about you in their contact list, Tinder will know that too.
Moreover, a key aspect of the Blocked Contacts feature is that blocked contacts won’t be notified when blocked. So, you won’t even know what other users uploaded about you and what information Tinder associates with your profile.
Concerns for non-Users
You don’t use Tinder? The Blocked Contacts feature can be used to block anyone’s contact information, even if they’re not associated with an active Tinder account. That means if someone blocks you, even without an account, Tinder will still store your contact information to prevent you from seeing them — in case you join Tinder in the future. There’s also no way to know if your contact information had been shared with Tinder.
Unsolicited Advice to Tinder
Block Contacts is a nice feature, but is it really effective?
If the blocked contact uses an alternative email or phone number, the feature is rendered useless. It is not uncommon that users keep secondary phone numbers and emails for use in such apps. Tinder is requesting users to upload private information for a feature that may not be effective.
To make this feature privacy-preserving, Tinder can only upload hash values of phone numbers and emails. For example, instead of uploading +1-555-555-1234, the app uploads something like this:
12a23f43cea186f3fa0b730eda6ea02d480aa77f8b848c0ddeb5f14c6e7b2555
Moreover, the name of the contact is irrelevant as it is not required when creating a Tinder account. It can be completely dropped.
A Word to Tinder Users
Although the Block Contacts feature is practical, it comes at a privacy cost. You can still use it while protecting the privacy of your contacts. First, don’t share your contacts with Tinder. By picking a contact from the contact list, the app uploads the real name of the contact, all of their phone numbers, and all of their emails. The better option would be to enter that information manually. Tinder requires you to enter name, phone number, and an email. As Tinder doesn’t require users to enter their real names when they create their accounts, the name does not play a role here. So, just enter any name other than the real name of the contact.
Keep in mind that if the person you’re trying to block uses Tinder with a different phone number or email than what you enter, you won’t be able to block them.
Final Thoughts..
Your contact list contains personal information about people you know, and it should be handled with care. Tinder, just like other social media platforms, runs algorithms to provide targeted ads and offers. Any data you share with such platforms will eventually feed these algorithms. It’s your own decision to share your own data, but your contact list contains data that belongs to your family, friends, and colleagues.