Comparing Privacy and Security Practices on Online Dating Sites
| Site | HTTPS by default | Free of mixed content | Uses secure cookies or HSTS | Delete data after closing account |
|---|---|---|---|---|
| Plenty of Fish | | | | Vague |
| Adult Friend Finder | | | | |
Please read below for more details about the sites' policies on deleting data after an account is closed.
HTTPS by default
HTTPS is standard web encryption, often signified by a closed lock in one corner of your browser and ubiquitous on sites that allow financial transactions. As you can see, most of the dating sites we examined fail to properly secure their site using HTTPS by default. Some sites protect login credentials using HTTPS, but that’s generally where the protection ends. This means individuals who use these sites can be vulnerable to eavesdroppers when they use shared networks, as is typical in a coffee shop or library. Using free software such as Wireshark, an eavesdropper can see whatever data is transmitted in plaintext. This is particularly egregious given the sensitive nature of information posted on an online dating site: sexual orientation, political affiliation, what items are searched for and what profiles are viewed.
In our chart, we gave a heart to the companies that employ HTTPS by default and an X to the companies that don’t. We were shocked to find that only one site in our study, Zoosk, uses HTTPS by default.
Free of mixed content
A page served over HTTPS has "mixed content" when it loads scripts, stylesheets, images or other resources over plain HTTP; those parts of the page can still be read or tampered with by an eavesdropper, even though the page itself was encrypted. We gave a heart to the websites that keep their HTTPS pages free of mixed content and an X to the websites that don’t.
Uses secure cookies or HSTS
For sites that require users to log in, the site may set a cookie in your browser containing authentication information that helps the site recognize that requests from your browser are allowed to access information in your account. That’s why when you return to a site like OkCupid, you might find yourself logged in without having to provide your password again.
If the site uses HTTPS, the correct security practice is to mark these cookies "secure," which prevents the browser from sending them to any non-HTTPS page, even on the same host. If the cookies are not "secure," an attacker can trick your browser into going to a fake non-HTTPS page (or just wait for you to go to a real non-HTTPS part of the site, like its homepage). When your browser then sends the cookies in the clear, the eavesdropper can record them and use them to take over your session with the site.
Session hijacking was once (wrongly) dismissed as a sophisticated attack; however, Firesheep, a straightforward and freely available online tool, makes this type of attack simple even for individuals with mediocre skills. Any site that provides insecure cookies at login could be vulnerable to session hijacking.
HSTS (HTTP Strict Transport Security) is a new standard by which a web site can request that users automatically always use HTTPS when communicating with that site. The user's browser remembers this request and automatically switches to HTTPS when connecting to the site in the future, even if the user didn't specifically ask for it.
We gave a heart to the websites that use secure cookies or HSTS, and an X to the websites that don’t.
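The three technical checks described above (HTTPS by default, freedom from mixed content, and Secure cookies or HSTS) can each be applied to a captured HTTP exchange. The script below is an added example written for this post; it is not EFF's test tooling and not code from any of the sites reviewed. It runs entirely on two constructed sample captures (the example.test hostnames, headers, cookies and markup are made up for illustration) and reports whether the front page redirects to HTTPS, which cookies lack the Secure attribute, whether a usable Strict-Transport-Security header is present, and which sub-resources an HTTPS page would fetch over plain HTTP, split into active content (scripts, frames, stylesheets) and passive content (images, media).

```python
"""Apply this post's checklist to a captured HTTP exchange.

All inputs below are constructed sample data; nothing is fetched from the
network, and the hostnames and cookie values are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sub-resources that can run code or restyle the page (active mixed content)
# versus display-only ones that still leak the URL (passive mixed content).
# Any <link href> is counted as active, an over-approximation that is safe for an audit.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
PASSIVE_TAGS = {"img", "audio", "video", "source"}


def https_by_default(status, headers):
    """True when a plain-HTTP request for the front page is redirected to an https:// URL."""
    location = headers.get("Location", "")
    return status in (301, 302, 303, 307, 308) and urlsplit(location).scheme == "https"


def hsts_enabled(headers):
    """True when Strict-Transport-Security is present with a positive max-age."""
    value = headers.get("Strict-Transport-Security", "")
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip().isdigit():
            return int(arg) > 0
    return False


def insecure_cookies(set_cookie_values):
    """Return the names of cookies set without the Secure attribute."""
    missing = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(name)
    return missing


class _MixedContentScanner(HTMLParser):
    """Collect src/href values with an explicit http: scheme, grouped by severity."""

    def __init__(self):
        super().__init__()
        self.active, self.passive = [], []

    def handle_starttag(self, tag, attrs):
        for key, url in attrs:
            # Scheme-relative (//host/...) and https: references are fine on an HTTPS page.
            if key in ("src", "href") and url and urlsplit(url).scheme == "http":
                if tag in ACTIVE_TAGS:
                    self.active.append(url)
                elif tag in PASSIVE_TAGS:
                    self.passive.append(url)


def mixed_content(html):
    """Scan an HTTPS page's markup for sub-resources that would be fetched over plain HTTP."""
    scanner = _MixedContentScanner()
    scanner.feed(html)
    return {"active": scanner.active, "passive": scanner.passive}


def audit(site):
    """Apply the checklist to one capture and return the findings."""
    cookies_missing_secure = insecure_cookies(site["https_set_cookie"])
    mixed = mixed_content(site["https_html"])
    return {
        "https_by_default": https_by_default(site["http_status"], site["http_headers"]),
        "free_of_mixed_content": not mixed["active"] and not mixed["passive"],
        "secure_cookies_or_hsts": not cookies_missing_secure or hsts_enabled(site["https_headers"]),
        "insecure_cookies": cookies_missing_secure,
        "mixed_content": mixed,
    }


# Constructed capture: front page served over HTTP with no redirect, session cookie
# without Secure, and a script plus an image pulled over plain HTTP inside the HTTPS page.
WEAK_SITE = {
    "http_status": 200,
    "http_headers": {"Content-Type": "text/html"},
    "https_headers": {"Content-Type": "text/html"},
    "https_set_cookie": ["session=abc123; Path=/; HttpOnly"],
    "https_html": '<html><head><script src="http://cdn.example.test/app.js"></script></head>'
                  '<body><img src="http://img.example.test/logo.png"></body></html>',
}

# Constructed capture: redirect to HTTPS, HSTS for a year, Secure session cookie, and
# sub-resources referenced only by https: or scheme-relative URLs.
HARDENED_SITE = {
    "http_status": 301,
    "http_headers": {"Location": "https://example.test/"},
    "https_headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "https_set_cookie": ["session=abc123; Path=/; Secure; HttpOnly"],
    "https_html": '<html><head><script src="//cdn.example.test/app.js"></script></head>'
                  '<body><img src="https://img.example.test/logo.png"></body></html>',
}

if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, audit(site))
```

Real captures can be fed in the same shape: the status and headers of the plain-HTTP front-page response, the headers and every Set-Cookie value of the HTTPS response after login, and the HTML of a logged-in page. The cookie check reports per cookie, since a site that marks only some of its cookies Secure still exposes the unmarked ones.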
Delete data after closing account
Here are the details you need to know about each dating service's policies. We have individually contacted each of the companies listed below to ask them to clarify their policies on deleting data after an account is closed; we’ll update this chart if we learn more from the companies.
Note that this text is taken from their policies as of the publication of this post, and these policies can change at any time!
Withdrawing Your Consent. You may notify us at any time that you wish to withdraw or change your consent to our use and disclosure of your information. We will accommodate your request subject to legal and contractual restrictions.
You may use the following options for removing your information from our e-mail database if you wish to opt out of receiving promotional e-mails and newsletters.
- Click on the “unsubscribe” link on the bottom of the e-mail;
- Send mail to the following postal address letting us know which promotional e-mails you wish to opt-out of: eHarmony, Inc. P.O. Box 3640 Santa Monica, CA 90408 USA
- For the eHarmony Singles service, select our Help link from your account home page and search our FAQs to find the answer you are looking for, or send us an e-mail and our Customer Care agents will be happy to assist you; or
- For any services that allow you to control which e-mails you receive, go to the e-mail settings page from your account home page, and un-check the undesired promotions.
Adult Friend Finder