"The danger of retaining information longer [than is necessary] is that it opens the door for legal processes down the road," says Sablone.
There's also a multitude of ways that information from a seemingly private profile can be revealed on the web.
The Computer Fraud and Abuse Act, which makes it illegal to break into a computer to access information, cannot apply to data aggregators because the person suing must prove a direct hit of ,000 as a result, Andrews says.
The Stored Communications Act, which prohibits accessing stored electronic information, also doesn't do the trick, even though it seems like a natural guard against cookies and other mechanisms for pulling users' data.
"OkCupid says it can limit who sees your profile – for example, users who identify as gay or bisexual may opt out of being seen by straight people," said EFF technologist Seth Schoen in a press release.
While businesses routinely delete old records to protect themselves from future legal discovery requests, many online dating sites don't.
The spoke with an anonymous security expert who said that "they had no real security." The company is working to plug the security gap but has not come up with a solution yet.
The Grindr fiasco is an extreme example, but a catastrophic data breach is not required for personal information to haunt users in unpredictable ways.
All an enterprising computer vandal needs to do is be on the same open network as someone logged into their dating profile.
"Given the lack of security on most dating sites, it would be a trivial matter for someone with mediocre skill to spy on your activity or take over your entire account if you log on to many dating sites using shared wifi account, like when you are in a hotel, coffee shop, or library," Rainey Reitman, EFF's activism director, tells AlterNet.