Cybersecurity case study: Bumble

Joey Stipek
Mar 14, 2021

Bumble is a popular online dating application that shows a randomized set of user profiles based on gender preference, location, and other user-specific preferences, including height, religion, or astrological signs. Akin to other popular dating apps like Tinder, Hinge, or OkCupid, Bumble has a simple interface, where users swipe left or right depending on their attraction to others.

Bumble has attracted more socially-conscious user interactions, as women are the first to initiate conversations in male-female pairings. Because of its innovative approach, user-friendly format, and possibilities for more selective dating preferences, Bumble has increased in popularity, generating $240 million in revenue in 2019 from 75 million users. (Anranshoe, 2018; Curry, 2021)

Bumble collects the following information when you create an account and agree to its terms of service: name, username, email address, mobile number, gender identity, date of birth, sexual preference, location, and social media lists if users log in using a third-party account such as Facebook. Bumble states on its website that, in case of a data breach, they “disclaim any representation or warranty, whether express or implied, with respect to any breaches of security, damage to your device or any loss or unauthorized use of your registration or other data.” (Bumble, n.d.)

This policy leads to further questions of safety and whether Bumble has effectively developed its company strategy regarding cybercrimes or data breaches.

Based in California, Bumble is classified as an e-commerce website. This classification means that Bumble is an internet service selling goods and services through the transfer of information and money. Bumble has cited California’s Dating Service Law for what is known as a cooling-off period and an Automatic Renewal Law, limiting subscriptions with automatic payments and renewals. Ethical issues facing Bumble include informed consent of the users’ participation in the app and quality of the data, including privacy and research issues. The quality of the data stored by Bumble pertains to users’ involvement and knowledge of the information. (Coburn, 2020; Neupane, 2019)

Bumble follows the California Consumer Privacy Act in the United States, the Information Commissioner’s Office in the United Kingdom, and European data protection laws for information the company collects. The California Consumer Privacy Act allows citizens to demand that companies disclose what information they store on their users and request the company to disclose this information when appropriate. The Information Commissioner’s Office in the United Kingdom is an independent regulator that promotes transparency and the regulation of information and privacy. The office regulates Freedom of Information Act (FOIA) requests, environment information regulations, and various privacy and electronic act regulations. (Bumble, n.d.; Paul, 2019; TechTarget, 2008)

In its initial public offering S-1 filing in January 2021, Bumble acknowledged that risks to its intellectual property and information systems posed significant threats to both users and the development of the company’s security framework. One could therefore argue Bumble may not be doing enough to protect its users from data breaches. A study conducted by Independent Security Evaluators, an organization based in San Diego, found that even if users had been banned from the service, they could still access the network through backdoor hacking, acquiring sensitive data about users, including pictures. This evaluation points to Bumble’s susceptibility to hacking, cybersecurity threats, and other unwanted interference. If the hacker were located in the same area as a user, or if the hacker used a VPN proxy to simulate false proximity, he or she could target Bumble users by spoofing accounts and triangulating the users’ coordinates. (Gilbert, 2021; Brewster, 2020)

The National Security Agency (NSA) defines cybercrimes as “adversary activities taken by a threat actor against a specific target/target set prior to gaining, but with the intent to gain, access to the victim’s physical or virtual computer or information system(s), network(s), and/or data stores.” (NSA, 2018)

Cybercrimes impact the way e-commerce websites do business. The potential losses include the cost of changing operating procedures and systems, identifying risks, and lost sales. In order to subvert cybercriminals and protect users from such data breaches, Bumble, like other e-commerce websites, must establish a policy to develop an overall strategy for monitoring suspicious user activity, pinpointing possible points of entry for data breaches, and setting a company policy for developing preventative protocols before any major breach happens. Working alongside agencies such as the NSA, FBI, and other state and local organizations, Bumble and other e-commerce companies must establish how to navigate potential threats efficiently, judiciously, and safely.

Bumble could conduct internal risk analyses in order to understand where hackers can breach user data, and where hackers are most easily able to manipulate trusted processes in the app’s code. Mimicking legitimate user experiences and comparing those experiences to illegitimate or suspicious activity could allow app developers to pinpoint and simulate what a hacker’s interaction with the app would look like at any given time. When data breaches occur, hackers take actions to avoid detection, blending into normal user activity. If Bumble wants to ensure that it maximizes the safety and security of its users, it could obfuscate its user data or require users to sign in using two-factor authentication, ensuring that legitimate users are accessing accounts, and allowing the app to verify location based on GPS positioning tools in cell phones. Although hackers will always attempt to subvert these extra security measures, two-factor authentication and other safety protocols will allow for an extra layer of deterrence against hacking or other data breaches. Further layers of encryption could also be used on the app developer side of company policy.

Information security measures have similarly been taken by Tinder, whose website claims that “trained agents may review interactions that are flagged by our automated tools or in response to a user report. We may use these examples to train our technology to improve our ability to find and remove similar content.” (Tinder, 2021)

On another level, Tinder has introduced additional security measures for users, including pose verification, which compares photos uploaded to the app to a real-time selfie, and face verification, which uses similar technology to that of Apple’s Face ID. Incorporating user-end security measures will ensure that risk is mitigated on the user side, allowing for Bumble app developers to focus on targeting suspicious activity before it leaches into data breaches or other forms of cybercrime.

Bibliography

Anranshoe (2018, Nov. 13). Bumble: Is machine learning the future of online matchmaking? Retrieved March 12, 2021, from https://digital.hbs.edu/platform-rctom/submission/bumble-is-machine-learning-the-future-of-online-matchmaking/

Brewster, T. (2020, Nov. 16). Bumble vulnerabilities put Facebook likes, locations and pictures of 95 million Daters at risk. Retrieved March 12, 2021, from https://www.forbes.com/sites/thomasbrewster/2020/11/15/bumble-vulnerabilities-put-facebook-likes-locations-and-pictures-of-95-million-daters-at-risk/?sh=4457ddd33ddf

Bumble’s privacy policy (n.d.). Retrieved March 12, 2021, from https://bumble.com/privacy

Coburn, T. (2019). Bumble stumbles: State policy interests override dating app’s contractual forum. Retrieved March 12, 2021, from https://www.jdsupra.com/legalnews/bumble-stumbles-state-policy-interests-75697/

Craig, B. (2012). Cyberlaw, The Law of the Internet and Information Technology. Boston: Pearson

Curry, D. (2021, March 10). Bumble revenue and usage Statistics (2020). Retrieved March 12, 2021, from https://www.businessofapps.com/data/bumble-statistics/

Gilbert, B. (2021, Jan. 15). Bumble just filed for its ipo and it revealed a list of risk factors that investors should be aware of — from debt to competition. Retrieved March 12, 2021, from https://www.businessinsider.com/bumble-ipo-risk-factors-from-s-1-2021-1#2-risks-related-to-regulation-and-litigation-2

“National Security Cybersecurity Report.” Defense.gov, media.defense.gov/2019/Jul/16/2002158108/-1/-1/0/CTR_NSA-CSS-TECHNICAL-CYBER-THREAT-FRAMEWORK_V2.PDF.

Neupane, S. (2019, Sept. 13). Dating apps and some basic ethical issues while doing research on them. Retrieved March 12, 2021, from https://medium.com/@19627508/dating-apps-and-some-basic-ethical-issues-while-doing-research-on-them-1b29f23965d8

Paul, K. (2019, Dec. 30). California’s groundbreaking privacy law takes effect in January. What does it do? Retrieved March 12, 2021, from https://www.theguardian.com/us-news/2019/dec/30/california-consumer-privacy-act-what-does-it-do

TechTarget (2008, Jan. 10). What is the Information Commissioner’s OFFICE (ICO)? — definition from whatis.com. Retrieved March 12, 2021, from https://whatis.techtarget.com/definition/Information-Commissioners-Office-ICO

“Tinder Terms of Service.” Tinder, 12 Mar. 2021, www.help.tinder.com/hc/en-us/articles/360050248791-How-are-my-interactions-with-other-members-processed-by-Tinder.


Joey Stipek’s data research + writing has been featured at newsrooms including The Oklahoman, Colorado Springs Gazette, New York Times, The Frontier, and KOSU.