Valentijnsdag is voor velen een mooie dag, maar voor veel vrijgezellen zijn dit soort dagen ook erg eenzaam. Tijdens periodes van feestdagen schiet het gebruik van online dating apps als een raket omhoog doordat eenzame mensen op zoek gaan naar een match. Maar waar moeten we op letten als het aankomt op beveiliging? Op welke wijze beïnvloedt swipen je privacy? Wat voor invloed heeft je online gedrag op je echte leven?
Tijdens deze aflevering van Cyber Security Sauna komt Sean Sullivan langs om ons bij te praten over de invloed die Tinder en andere dating apps hebben op je beveiliging en privacy. Luister hier of lees verder voor het engelse transcript. En vergeet je niet te abonneren, een cijfer te geven en een review achter te laten!
Janne: Welcome, Sean.
Sean: Hello, Janne.
As a security professional, what are your overall thoughts on using dating apps?
It’s complicated. Overall, I guess years ago, it was dating sites, websites where you have to provide a bunch of information to fill out a profile. Dating apps, by and large, have gotten to the point where it’s a matter of a very simple profile and then very quickly swiping left and right, I think was pioneered by Tinder. So there’s less that you have to give in order to get into it. And it seems to have become far more popular than anything based on the website where the profile, where you had to give it a whole bunch of likes and dislikes to match you up. So it’s complicated. If you want to actually meet somebody, I mean, if you don’t want to be alone, you’re going to use a dating app these days. It’s much more socially accepted than these websites from a decade ago. But then it’s also very easy to like use these things to find out who people are in real life. So it’s complicated by the fact that how do you use them wisely?
So how do you share enough information to get to know someone but not overshare, not share too much about yourself? Where’s the line?
Well, I think the line is like…carefully is kind of the key word. And I think we can discuss different tools that allow you to go from one site to another site, to another site, or from one app, to a site, to another site, and do open source intelligence, basically. So I would suggest if you’re doing something like a Tinder type of app, you create photographs specifically for that app. Because reverse image searching can be very easy to do. And even if it’s not something you can reverse image search, if you use the same photograph on a dating app that you use on your Facebook profile, it doesn’t take me long when I try to test this, to make a match within like five minutes tops. First name plus a photograph. These apps are based on proximity, location. So if you’re searching for somebody with the first name, in your city of residence, and you’re using the same photo on a dating app you’re using on a Facebook profile, you can pretty easily find the Facebook profile.
Sure. Image analysis is a part of it, but you’re also talking about identity management.
Yeah. Well, in your case, I guess you went full tin foil hat when using these kind of apps.
I did, yeah. So I set up my Tinder. It’s based on a Gmail address I generated for this purpose. There’s a Facebook profile that’s tied to that Gmail address. There is a prepaid phone number that’s tied to both of these and that’s also used in Tinder. So these have my first real first name, but everything else is vague or –
It’s not a lie, but it’s not giving all the truth because you just want to give certain pieces of information. Real first name, general demographics, the Facebook. Whereas I quit using Facebook actively like eight or nine years ago, deleted the bulk of any content I’d ever generated there.
But when you’re talking about identity management, this is the thing. So if you use the same photograph on Tinder with Facebook, and then it’s easy enough to find somebody because they’ve used the same photo…Unless their name is something really common, like Sarah, or if you’re looking for a Mary or something. So you find their first name and their photograph on Facebook, then you’ve got the last name. People generally have their Facebook profiles well managed so that you just can’t see everything. But with the first name and last name, LinkedIn then provides you their profession. And if you’ve got a lot of pictures of you partying on Tinder and you’ve got a very professional job that requires a certain sort of image, that’s where things could break down. So people have to make choices. They need to present themselves consistently across platforms, because it’s very easy for someone to do their homework.
You’re also touching upon one piece of advice I think might be relevant to people. I would see a lot of profiles that show personality but don’t contain personal information. So people just write something that’s quirky, or you know, relevant to them but isn’t personal. They just say something that they think is funny and maybe people with a similar sense of humor would find funny, but that is not personal details.
Yeah. I think generally that’s what I’ve experienced as well when I used the app, when I used Tinder back in 2017. I think people, at least based in the Helsinki area where we’re both familiar with, seem to use it with a lot of common sense and fairly well, and they don’t give too much information away that could then damage their professional reputations. That’s just the concern that I have though as a security-minded person. So asking, what are the security implications to think of here? Reputation management, identity management certainly comes into play and it is very easy to go from a small market like this to be able to find someone by just using an image first name.
Again, it’s not that difficult to use Facebook search, limit it to a city, find a match on the photo, get the last name, go to LinkedIn…And particularly in this market, Finns have very search-engine-optimized names. So there’s a lot of people around here who have a very unique first and last name combination. And so when you do a search for them on the web, you’re going to find stuff out about them. So that’s just kind of the case here. Other places, like New York City, if you’re searching for Sean Sullivan, you’re probably going to come up with a bunch of them. And so like going from one platform to another platform to another platform, you’re going to get a bigger and bigger hit. So this is probably advice that’s best suited for smaller regions, smaller cities. These are the things that people need to be mindful of.
So not all apps are created equal. We’re talking about Tinder here as sort of shorthand for all dating apps, but there’s different kinds out there. In what way do you think they’re different from each other in terms of how they handle user data, encryption, authentication, permissions, things like that?
Well, this is where I’m drawing on some of your experience in conversations we’ve had, because I only ever used Tinder in 2017. You’ve used a few different apps. There was one that was particularly location-based, right?
Right. So right out of the gate, that one, you probably have an understanding, is looking for location data plus location history. So it’s going to have to secure location history in its back end, or hopefully it’s securing the location history in the back end. Whereas others are just trying to make matches of people in your general area. But then things like Tinder, which was asking for friends lists from Facebook in the past, I mean it was also then providing features that might actually try to push you towards peers that you know of. And so when you’re trying to think of, what are the security implications of this, what are they securing on the back end? Are they taking this data, storing it in their back end? Are they keeping that secure?
There was research in the past, particularly on Tinder about what is being encrypted when it goes from your app to their backend. Everything to do with your personal information seemed to be well secured, but some of the images that were being sent to your phone for you to swipe on were not. And so someone listening in on the wire as a man-in-the-middle could see what type of profiles you were looking at, men or women. And in some geographies, it might not be politically okay for you to be looking at men if you’re a man.
Oh, so maybe you could draw some conclusions based on how long I’m taking to look at each picture and maybe even there’s some sort of difference in response when I’m swiping left or right.
Correct. Cause one data goes towards the app and quickly, the next bit of data comes to it. So you can assume, I would think that you quickly dismissed the last bit of data. And if you take a little bit longer to move on to the next one, then you can assume you looked at that one more carefully and start to sort of profile you. In some jurisdictions this could be dangerous because of political reasons. So people using apps in places where they don’t have all the same real world freedoms as we do…in the past, things like this that weren’t fully encrypted could be an issue. So for sites like that, a VPN might be useful so that you don’t have men in the middle being able to look at the traffic.
Even if things are fully encrypted, you can still kind of make inferences from the packets, unless there’s a stuffing, just buffers in the packing. If it’s a simple thing, like yes or no, left or right, that’s a binary kind of thing, and you start to recognize the pattern between “left is encrypted like this and the right swipe is encrypted like that.” And even if it’s an encrypted packet, the size of the packet fits the pattern and you can start making inferences based on those. So I think the apps have a big challenge in front of them if they want to make sure that nobody listening in on the wire, if they want to prevent them from being able to make pattern recognition inferences. They’ve got to pack a bunch of extra spaces in there, and that’s like a challenge. Or else, you know, they need to encrypt everything kind of an a bundle…Yeah, it’s a challenge basically is what I’m saying. And then like for the individual users, probably don’t trust that the app provider is doing all that. Maybe get a VPN if you live someplace where it’s politically sensitive whom you’re looking for.
So is it just enough to inactivate your account or should you just delete it permanently?
Well, from my testing it seems like, you know, “make my account not visible,” at least with Tinder (this is the only thing I have personal experience with) seems to be sufficient that I’m not discoverable if I’ve made myself not discoverable.
The people you’ve matched with, they still see your information there.
Yes, apparently so, right? So that’s the thing. So then it’s past matches. When I started dating my girlfriend, I unmatched everything. She’s the only match I’ve got left in that account and I kept that because I kind of wanted a reminder of when we actually first went on our first date. But at this point I’m thinking maybe I actually don’t want to just be not discoverable, inactive. I think I’ll just actually go ahead and delete the stuff because it’s not terribly difficult to set it up again. So I think it’s probably practical if you’re done with these apps to remember to go back and clean up the apps and delete them, not just delete them from your phone, but actually go into the account settings and delete the profiles as well. Because otherwise there’s permalinks that are around, even if you unmatch from people, your profile might still be visible somehow if someone finds a vulnerability in the system.
Yeah, I’m not 100% sure that I didn’t give permission somewhere in the EULA for Tinder to use my likeness in attracting single females to their service.
What, in advertisements?
Yeah, that’s a good question, actually. I don’t think Tinder could get away with that because they’re too big and people would notice that you’re somehow, you’re in an advertisement. But all of these other startups, yeah. That’s something actually to be taken into account. You’ve used multiple apps, or you’ve tested multiple apps, right?
Oh, yeah. All of them.
Did you check out the terms and conditions when you were looking at them?
Of course. I would never accept a EULA without reading it thoroughly. (Facetiously)
Right. Well, but then when you set up the different accounts, did you give them all equal permission to whatever they were tying into?
Yeah, pretty much, because it was all my, my fake Facebook profiles.
Yeah. Okay. That’s right. So you didn’t even worry about it.
No, they’re like, you know, we want to see your friends list. I’m like, yeah, there’s nobody on it. So feel free.
Yeah, and I wonder how many of these services though have algorithms in their backend that say like, this guy’s got zero friends, so don’t show him to people that are eligible because this guy’s probably a bot.
Because that’s the thing, if you share the friends list, you’ve got zero friends, what is their algorithm supposed to make deductions about that particular profile?
That is interesting, because I did notice that there was a difference in my success rate in these different apps. There were apps where I could just get no play whatsoever. And I don’t know why that was. Was it something about that app? I also did like A/B testing, so I had different profile pictures, different profile texts in each. So maybe it was something related to that, but yeah. It might’ve just as easily been something like that and I’d never know.
Yeah, it could be something very arbitrary. It would make sense though for these sorts of apps like to do quality control. I think generally, sociologically, the average individual has about 150-ish friends or something on a Facebook profile. And so if accounts show up that have zero friends, I could easily see like some dating service saying, well that’s a red flag, right? This guy’s obviously like, could be a real account, but it’s someone who is clearly not wanting to share too much and therefore, should we push him forward as much into the people that can be swiped on left and right?
They don’t play with us, so let’s not play with them.
Right. So you can’t tell that until you actually test with your real Facebook profile. And that’s the complications of this kind of app. You want to be secure, like I said, you went full tin foil hat. But that could be working against you, and you’d never know.
What about the companies running these apps? Are they actually interested in helping me find a partner, or are they just in it for the information harvesting? What’s in it for them?
Well, Tinder’s an offshoot of Match.com, which has been in the dating business forever. So I think they’re just in the business of dominating everything related to dating, anywhere. I’ve heard interviews with the CEO. I don’t know about data harvesting, I think they want to be the place that you go when you’re looking for a date. They want to keep you engaged, and ultimately, a bunch of them want to upsell on the different things if you’re not finding a match that leads to a relationship.
That’s the thing. I joined this service because I wanted to meet someone. So it’s in my interest to be there as little time as possible, as little effort as possible. Find somebody, live happily ever after. But it’s in the company’s best interest maybe to keep me there. And get me to a place where I’m desperate enough to pay for the premium service, and sort of subscribe to it for a six month period or something.
I don’t know if “desperate enough” is the word I would use, right? Like, you know, it’s a matter of…there are a lot of people that are very busy, and they want additional aspects of this app to help them filter things more quickly. Because it’s a wide range of people using the app, from people that are like, “I’m just looking for a date this Friday, I’m not looking for anything more than that” to people like “I’m just out of a divorce, it’s been a year, I’m looking to find somebody and I’m a very busy person.” You can find people that are like CEOs of software startups here in Helsinki on Tinder and they’re probably paying for the paid account because they don’t have time to waste. That’s why they’re a CEO of a software startup. Right? You know, so they’re using the app in a totally different way.
Most of these apps have a built-in chat where potential couples can connect. But at some point if things go well, people will want to make the jump to a different form of communication, a third party service or something else, give the phone number or something. What should people think about before they make that jump?
What’s that new service tied to in the real world? So if you trust someone or you’ve connected with someone well enough that like, right, “I’m going to give them my phone number,” I mean, that’s pretty obvious what you’re giving them at that point. The ability to find you on multiple apps. WhatsApp is phone number-based. So if WhatsApp seems to be a method of communication that you prefer, that’s something that you’re now choosing to give out. You had the prepaid phone number that these things are based on. So in theory you could have like a multi-SIM phone and have two phone numbers attached to the same device. You could use that as one way of providing a means of communication that doesn’t tie back to your first and last name and everything else. But I guess some people chose Messenger, Facebook Messenger, which, if you’ve got your Facebook profile properly locked down, doesn’t reveal your email address or phone number. It might reveal your real world identity, but in most cases that’s probably not a problem. So that’s what people above 30 seem to do.
Now, people under 30, just in their Tinder profiles, they just seem to advertise their Snapchat and Instagram accounts, which are based purely on handles, and doesn’t give anything else away about real world identity unless they’ve done something with the images that you can then do open, you know, open source intelligence digging. But you know, they seem to have differences in how they use it, younger people. Snapchat seems to be the thing that they’re advertising in the bio right up front. So whether you swipe left or right, you could still like go send them a Snapchat message. So I think they’re probably using it differently, in terms of what choices they’re making about like how do I communicate outside of this app?
I think WhatsApp in my experience was…you use the built-in chat until you had like a face-to-face introductory date. And then if you felt good about the person, WhatsApp or Messenger seem to be the –
Pretty much, yeah.
Yeah. But there’s a real world implication to being willing to share that. And I think that’s the consideration to make.
What should people think about when it comes to the workplace? Should people be using these dating apps on their work phone? Should they avoid mentioning where they work in their profiles?
I find in my experience, probably your experience as well, that most people tend to not put their place of work. They tend to put their title and field. Tinder has a field that has education, has job. I’ve never actually seen someone put explicitly their workplace.
I’ve seen that once or twice.
Yeah? Okay. They seem to have more like, just a general category of like CEO, founder. But they don’t actually say like, what the name of the software startup is. It’s not difficult to find, again, with tools like Linkedin. Or they put something in their bio that kind of gives a hint. We talked to a colleague here, and she found it useful to put what field she works in, like “IT professional” versus exactly what her job title is and what company, cause it then seemed to act as a filter for how people sort of said hello to her, that was a useful from what she said to us.
But I think it depends again where you are. It’s not difficult, given Facebook and LinkedIn and the ubiquitousness of it. It’s like everywhere, everybody’s on it. So even providing a category, it’s not hard to do the homework and figure out like, okay, this is the company that this person works for. Still wouldn’t recommend putting it into the profile though. I think in my experience, it’s not needed in order to make a connection. And so don’t give the information to these apps.
We did talk about phone numbers before, but Tinder for example, uses phone numbers as an authentication method. You can get a new prepaid phone number in minutes. What about that?
So a prepaid SIM is useful, as long as you’re remembering that like, keep it active so it doesn’t get reassigned to somebody else. Because if it is your second factor of authentication (and it might be useful as a second factor, as it’s like an unknown number that only you keep track of), it has its weaknesses. If you set up say, Signal or something, on a SIM card like that, I think that is the factor of authentication. And you lose that phone number and it gets reassigned to somebody else, they’ve got access to all sorts of things there.
Have you come across any scams in these dating apps?
Romance scams. There are women that are clearly like in their thirties who are advertising themselves as 50, and I’m pretty sure that’s, I think in the terms of espionage, that would be called a honey trap.
Right. So occasionally as you’re swiping through, from our point of view, like men looking for women, you will find women who are clearly not the age they’re advertising themselves to be. And they’re young, and they’re Asian and they’re clearly trying to start up a conversation with someone who, “Okay, yeah, I was looking for somebody in my demographic but, okay. No, she’s advertising herself to men my age by trying to assume that age.”
So those kind of scams probably very quickly go over into the romance scams that you find being sent out via email and on other dating profile sites. Like Match.com, I think, would have these kind of things where people assume the identity of somebody who’s supposedly living abroad, and it gets into a conversation, and then they’ve got medical expenses and oh, they would come visit you, except I need like a plane ticket and I need money for that. That also certainly exists on Tinder. Sometimes it’s more overt, like I said, with the older age of the woman being advertised. But you can also tell within other numbers, women that are advertising the age they actually are, but there’s not a single photograph that looks like anywhere from Helsinki.
Yeah, they’re using Tinder Plus to locate themselves in that city, looking to start a conversation with somebody, probably for romance scams.
I want to share something with you, I found when I was doing research about this stuff. A company called Scamalytics created scammer profiles about a year ago. This is what a typical scammer profile – they looked at like a couple of hundred different profiles and created, like, this is basically what it’s more or less like. And the male scammer profile was typically in their late forties, had a higher income, if there was like income brackets, they’d be in the highest bracket. They had some sort of a degree. Typically were like widowers or divorcees and the photos were often taken at a slight distance. The female profile, and this is what I guess you and I have seen, is someone in their late twenties, typically, you know, maybe a higher income as well, either has a degree or is a student for a respectable degree, never been married, typically skimpy clothing with a lot of cleavage. And once, apparently this is something when you get to talking to them, they surprisingly have a very similar background to yours and typically only like a single image, because it’s easier to fake a single image then a bunch of images. Does this sound like your experience as well?
Yeah, the ones that were advertising their age differently didn’t have many photos, just kind of the one or two.
Yeah. Did you ever have any interactions with what you thought was a scammer?
Actually I’ve tried swiping right on some of those things to see if they would match with me and interact. But I know I didn’t get any hits.
Me neither. Yeah, cause I did that on purpose a couple of times but didn’t get any hits. But apparently –
Occupational hazard of using the app to actually meet somebody, but then you can’t avoid tinkering with the system to see what kind of frauds I can uncover. (Laughing)
Yeah. But apparently what you would get is short messages that don’t seem to have a lot of context. So they’re just taken out of context, just like really short generic ones that fairly quickly lead into a like a URL or an email address or another social media profile or something. And then you start running into all these excuses on why they can’t meet you or call you or have a live video chat or something. And it’s maybe around that time that you should start, you know, doing Google image searches and things like that.
Yeah. And that’s actually very much how the spam sort of works, which is very prevalent these days. Romance spam is out there that other colleagues that are tracking that kind of thing, and that’s the same approach to it. It’s spam with a URL, the URL links to something that then tries to interact with you via chat and put you in touch with somebody, and then that person tries to get you convinced that they’re an identity, like, oh, they live abroad and single.
Yeah, I guess that’s the typical story. When somebody asks you money, somebody you’ve never met in real life starts asking you for money for whatever pretext, maybe alarm bells should be ringing at that point.
Should, but I’ve heard many good reporting, I’ve even heard some podcasts on this kind of romance scam from a more traditional dating website. And people that are 55 and above can fall for this fairly easily because it’s a well-practiced kind of scam. And one of the things I was noticing using Tinder – I did a lot of swiping left yesterday – but in terms of if I narrowed the band of the demographic of 18 to 25, 25 to 35, 35 to 45, at least in Helsinki, Tinder skews quite heavily 30 and older. And compared to 2017, in 2018 when I was doing research, it seems to be more people that are 50 and above on Tinder these days. And so I would actually be concerned about romance scams.
So if your mom or your father is on Tinder these days, they might need to know about this kind of thing, that it’s not difficult to fake a profile. It’s not difficult to take an image, and with these sort of tools that let you geolocate yourself someplace, they can claim that they have some sort of connection to Helsinki but not really be from Helsinki, or they can claim to be in like, you know, whatever city in Wisconsin you’re in, but they’re not really there. And depending on their familiarity with technology, that might not be something that they’re understanding right away. And so it might be worth actually sussing out, if your parents are using these kinds of apps, are they familiar with the sort of scams out there?
Apparently there’s also a psychological mechanism where once you sent money to one of these profiles, you’re sort of committed a little bit. So you’re in for some money already, so you keep sending more in the vain hope that this turns out to be a real deal and that you just haven’t been scammed out of all this money. So you think you might be sending good money after bad, but you’re still sort of committed.
Yeah. There’s an emotional connection that’s made, and then the first request for help isn’t very big. And then you make that and then you’re lying to yourself at that point, or you’re kind of not wanting to know the truth. I think you’re absolutely right. Once you’ve paid into it, that cements it even more because it’s like, I don’t want to believe that I’ve been abused in this sort of way.
Maybe something we could encourage people to do is, if you think what you’re doing might be interacting with a scammer maybe you could take some of the information you received from the person and sort of just type that into Google and see if anybody else is reporting scammers doing stuff like this.
In the States, for example, the FBI, it’s like the internet crime center, I believe, is kind of the keywords that you can find. And they have these very well-known scams laid out and how it works. And email-based scams and other types of social networking scams like puppy adoptions and things. Whereas then the American Association of Retired Persons, they also have very big lists of what’s the most prevalent type of scams, whether it’s tax fraud rebate scams, tax rebate fraud rather. And/or like these sort of romance scams. And so like going to those websites, or pushing your parents to those websites, if you have parents of a particular age who are trying to use these sort of dating apps, I don’t know that they need to be worried about their real world security, but their financial security and how easy it is to scam people and get access to their funds via online banking should be a big concern.
What I found interesting about this scammer research was that the company seemed to feel that people who have more information, their profiles, like multiple pictures of them in different situations or people who have a Spotify account linked or an Instagram account linked are less likely to be scammers. Which I guess our intuitive OPSEC position would be to share as little as possible. But maybe that sort of puts us a little bit in the same basket as obvious scammers.
Yeah. I think, for instance, if you’re using the profile that doesn’t have any friends and only has a couple of images, their algorithms will make assumptions about you and it probably would fit closer to a bot or a scammer, because it’s a lot of investment to attach it to a legit Spotify account, to a legit Instagram account. And then once the account gets identified as a spam or a fraud account and it gets shut down, they will remember the Spotify account, Instagram account that was attached to that disreputable Tinder profile. And so if someone comes back and tries to reuse the same Spotify and the same Instagram, that’ll be an issue. This is where keeping track of the Facebook profiles, the hijacked Facebook profiles could be used to create fake Tinder profiles for spam and fraud. That’s actually something to be concerned about in terms of like, you using the platform, and it looks legitimate, and they’ve got Spotify, they’ve got Instagram, but be wary of what they’re trying to do on Tinder. If they start asking for money or start asking for any sort of resources, real world resources from you.
Yeah, or start asking questions that are not like get to know you questions, but maybe more questions for information that could be used to fraud you. Like, “I just hate bank X, don’t you?” Or, “Oh, that’s a lovely dog. What was your first pet’s name?”
Anything that sounds like a security question, you mean?
Yeah, I think I’d be wary of anybody that started off a conversation like that. In my experience though most people want to meet in real life pretty quickly as possible. And you go have a cup of coffee and then at that point you can kind of figure out like, right, this is not a fraudster. However, this is an easy city to meet people in for coffee. There are probably places in the world though where it’s like, you actually have a longer interaction online before you actually meet. People in those locations probably are more vulnerable to being targeted for an online scam.
As far as personal safety and security goes, I think just common sense, the same advice as we’ve always given to people is just meet in a public place. I found myself sort of trying to verify the information they’d given to me when I first met them. But also, I’m thinking, ask questions. It feels weird for me because I was looking for somebody who would be ready to get into a relationship, so a single person. So it would feel weird to ask like, are you single? But maybe that’s something that in this day and age you have to ask. No, just like somebody I met online and they seemed like they’re single, but I would just ask that anyway because like there’s not much you can do if somebody is willing to lie to you. But at least I’ve asked that question. So it’s not a lie of omission, like, “Oh, you never asked,” or “It never came up.” I just wanted to make sure that it did come up. Now if they made a conscious decision to lie to me, then that’s something I can’t help with. But like at least I asked the question.
Yeah. Well, with apps like Tinder, again, if that really were your concern, people probably shouldn’t try to lie on these platforms because it doesn’t take a lot of homework to actually like find the actual Facebook profile. And unless they’re OPSEC masters, they’re leaving cookie crumbs around that you can actually pretty easily find through a web search and there’ll be photos of them with a partner someplace.
So what would be your top do’s and don’ts for our listeners who are using online dating apps?
Personally, I think the podcast that was by Tinder, kind of explaining like smiling in photos and using clear pictures of your face, take a photograph without your glasses on, at least one so people can see your face, I mean they had lots of advice, you know, so if you want advice like that, like check out that podcast…DTR.
And I mean from my point of view, great, so I want some photographs of myself that makes it more likely that I make a match because the whole point of being there is to make a match. I took completely unique photographs just for that service because I didn’t want it to be tied to any other reverse image searching, connected to any other sort of profiles. I wanted the persona that was there to be there, and so I took new photos.
And we’ve got a colleague who, I was asking her about what did she use, and she felt she’s not very photogenic. And then when she found a photo she liked, she was going to use it regardless of whether it was unique to the dating app or not. She was aware of the consequences though. And I think she would easily know how to reverse image search and find that photo in use in multiple places. But she’s completely aware of the risks. So if you do that, do it knowingly.
I find people who try to obfuscate themselves by having bad photographs, or like even Photoshop sunglasses on them with the Instagram filters or whatever in order to obscure their face…That’s not exactly effective, I think, and I think there’s plenty of stuff that you can look at sociologically, it’s like, is it probably decreasing your chances of actually getting a match on this app? So if you’re that privacy-concerned, I don’t know, you’re fighting yourself, and why even beyond the app, or something like that. So photographs, don’t try to obfuscate them too much or else just don’t even be there, would be my advice, and make them photographs that are unique to that service, if you’re concerned about privacy.
Also like if you’re reusing your photos, maybe you should look into like for example, how much do you have to skew or tilt your photo before it stops showing up in reverse image searches?
Well, that’s if you’re a pro with the obfuscation, if it’s some image you really, really want that can’t be reversed. And that’s like what fraudsters will do on like LinkedIn these days, is skew images so that it’s harder to do the reverse image searches.
Bioinformation, I would keep it generic. I think some of the advice from like the sociologist who worked for Tinder was like, if there’s details that you can offer that are like, bits of trivia about yourself, you can frame in terms of a question. You know, “ask me about my dog.” You can actually use your bio to steer the conversation ahead of time. So if you’re concerned about giving away too much information, you might find shorter works better. And you can actually say, here’s starter questions, you ask me this and that, we’ll have a conversation before you know it. That might be very effective. And then you’ve only got two sentences that you have to give away in terms of information. So probably less is more. And then like what you provide, you can actually provide in a way that steers towards the conversation that you want to have. So you can quickly assess whether or not this person is somebody want to meet in real life.
Now I’ve only got personal experience with one of these types of apps back in 2017 and then otherwise I’ve read a lot of research about others. But you’ve used a handful of these various ones. So do you have any advice in terms of which one outside of Tinder did you find usable or practical? Did it have enough people? Any, any?
I liked the OkCupid approach, which is a thing that asks you a bunch of questions. There’s a bunch of stock questions in there and you answer these and it sort of tries to find you a match who’s maybe thinking like you would think, or you know, if you’re a nonsmoker yourself, but you’re looking somebody who absolutely smokes, then they’re looking for a person who answered that in there. It’s a weird example, but whatever. So I thought that, you know…because it gives you some sort of understanding of who this other person might be. So I kind of like their approach. It does mean that you end up sharing more about yourself and about your views and beliefs and stuff like that. But it does lead to a better quality of matches in my experience. So I liked that.
Okay. But that seems to conflict with your approach of how you set up these sort of accounts to begin with using the –
It does. But I’m very mindful of the sort of things that I share in those questions. And also like a bunch of those questions are just like, you know, where are you in this issue? Like it’s obviously made for Americans. It asks me questions like, should teachers have guns in schools? And let me tell you, that is not a conversation that’s happening anywhere else in the world except in America. So it does have these kinds of questions in it, but, but most of them are pretty harmless like dating stuff. Like, what would be a better first date, meeting in a cafe or going on a walk in our forest, for example. That’s a meaningful question in a dating perspective. But it maybe doesn’t give you a whole lot of insight into how to best scam me.
But you didn’t mind being profiled even though you otherwise did a lot to avoid being profiled.
I did think about it a lot, but I knew that when I get into this dating game, I’m going to have to give up some privacy to get the results I want. So to me it wasn’t so much that I don’t want to be profiled, it’s I want to be controlled, exactly what information I’m sharing.
Okay, yeah. There’s been research from, I think it was like Harvard, I read years ago, that when filling out forms, a lot of people will fill out things that are optional. Just because the field is blank and it’s right there in front of you. Right. And so one advice I’d give towards creating accounts is always like, try to fill out the minimal amount, even though there’s a field for it, don’t enter the field. And if the service that you’re interacting with, whether it’s dating or like banking or whatever, you know that it goes red and says, “No, this field’s required.” And then you can kind of figure out like, all right, do I want to actually like continue this or not? Because like if required is a hundred percent, that’s signals one thing to me. Versus like, “Oh no, we need this one other piece of information that you didn’t provide.”
True, true. But at the end of the day, I did meet somebody I’m seeing on OkCupid and not on Tinder. So better quality matches right there.
Okay. So your advice would be like to, if it’s suitable for you, to be willing to expand on sort of just the basic yes/no sort of approach.
Well, the option really is to just go on a bunch of first dates, which I also did. And a lot of them were just people who were like, super nice, they’re perfectly fine, okay, but just nothing more. So it’s either time or information basically, that’s the tradeoff.
Yeah, I think I’d agree with that. I have met a lot of very nice people as well. But then you know, eventually you met the one that’s like, oh, she’s the one that I –
So the apps themselves can facilitate real world meetings very easily. Probably like, the best advice then, if that’s the easy part, if you find meeting face-to-face the hard part, look online for other advice as to how to overcome social anxieties.
Thank you for a really interesting conversation, Sean. It’s always great to have you on the show.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast and you can reach us with questions and comments on Twitter at @CyberSauna. Thanks for listening.