July 14, 2020 • Insikt Group®
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
During Pride Month, Recorded Future’s Insikt Group partnered with the LGBTQIA+ (Lesbian, Gay, Bisexual, Transgender, Queer, Intersex, Asexual) Employee Resource Group at Recorded Future to conduct research into a range of cyber threats facing the LGBTQIA+ community on an international scale. The aim of this research is to raise awareness and visibility, and to provide pragmatic recommendations to help equip the LGBTQIA+ community in combating the threats that they face around the globe.
Recorded Future investigated data security risks associated with multiple social and dating apps that are popular with the LGBTQIA+ community, and how those apps were being discussed on dark web and underground sources. We also conducted research into the international targeting, surveillance, and censorship of the LGBTQIA+ community across Russia and Eastern Europe, the Middle East, Asia, Latin America, and Africa.
We researched Tinder, OKCupid, Grindr, SCRUFF, and HER and identified known security risks associated with these platforms. SCRUFF is doing the most proactive work to secure the data of its users, including randomizing location data and issuing alerts when users travel to countries that criminalize homosexuality, cutting ties with ad- and location-data brokers, and establishing in-house ad and analytics operations to avoid third-party sharing. By contrast, OKCupid, Grindr, and Tinder have been found to collect user data — including users’ exact location, sexual orientation, religious beliefs, political beliefs, drug use, and more — and share that data with at least 135 different third-party entities.
Recorded Future observed multiple instances of broadly defined cyberattacks (including targeted cyberattacks, censorship, and surveillance) targeting LGBTQIA+ communities and individuals in Russia and Eastern European nations. Surveillance and censorship were widespread across Russia and Eastern Europe, with many nations passing restrictive legislative policies against open expression of LGBTQIA+ content online.
Members of the LGBTQIA+ community in the Middle East have been met with limited freedoms and protections against discrimination and have endured online attacks, surveillance, and censorship. In many countries, governments have used domestic telecommunications companies to block pro-LGBTQIA+ apps and websites. Further, Recorded Future has found that law enforcement and, very likely, intelligence agencies have used entrapment to expose members of the LGBTQIA+ community for imprisonment and torture.
Similar activity was observed affecting LGBTQIA+ individuals in various Asian countries in the past five years, specifically Azerbaijan, China, Georgia, India, Indonesia, Malaysia, Myanmar, Pakistan, Singapore, South Korea, and Sri Lanka. Many of these attacks were instigated by the state for censorship or surveillance purposes, or by individual actors motivated by financial interests or social stigma.
Over the past decade, Latin America has been a bright spot for LGBTQIA+ rights, and the region now leads the Global South in terms of legal protections for the community. However, violence against the LGBTQIA+ community, albeit not state-directed, is still a significant issue. The region’s religious tradition and history of authoritarianism have kept much of the LGBTQIA+ community on the fringes of mainstream society, and many governments do not make a coherent effort to report or even respond to violence or other issues facing the community. The lingering social stigma towards the LGBTQIA+ community and the growing influence of evangelical Christian groups in Brazil and Central America pose the greatest threats to LGBTQIA+ rights in the region.
Across much of Africa, the LGBTQIA+ community is perceived as a threat to society that states are combating through organized crackdowns, surveillance, and censorship. In some instances, African governments are partnering with private sector surveillance organizations to target “high risk” groups, which includes the LGBTQIA+ community. Entrapment by law enforcement agencies and criminals is a common theme observed across Africa, with the outing of LGBTQIA+ individuals posing a significant threat due to strict anti-LGBTQIA+ legislation and socially conservative views among the public.
Looking ahead, further data exposures from social and dating apps popular with the LGBTQIA+ community, such as those that affected Grindr and Jack’d, are likely. These apps will almost certainly continue to share data with third parties and only user pressure, or a substantial fine for breaching data privacy laws, is likely to make these apps reconsider. Compromised account credentials and user data from social and dating apps will continue to be posted on dark web and underground sources. This offers an extortion opportunity for cybercriminals who could purchase leaked credentials to obtain intimate personal details and photos of individuals.
Nation-states will continue to target, surveil, and censor the LGBTQIA+ community for as long as they view the community as an external threat to security, society, or morality. Criminalizing the community will continue to encourage criminal acts against the community.
Users should exercise caution when using apps that use location data and learn more about the privacy policies of specific apps (Tinder, OKCupid, Grindr, SCRUFF, HER), paying particular attention to the apps that do not obfuscate geolocation data in countries with a poor stance on LGBTQIA+ rights. Users should also follow general best practices for cybersecurity, such as using multi-factor authentication and password managers like LastPass to manage long, unique passwords that are not reused across multiple accounts.