Russia has millions of internet users. But if you want them to use your search engine, network on your social media platform, or use your messenger to share their favorite memes, then Russia wants you to know one thing: You have to play by its data-sharing rules.
Tinder is the most recent platform to get the message. Last week, the Russian communications censor Roskomnadzor added the popular dating site to a list of 175 companies that it says have agreed to store user data and messages in Russia and to share that data with Russian government and intelligence agencies.
Apple is not on the list, but reportedly already stores some of its data in the country. Other non-Russian companies on the list include video-sharing site Vimeo and China’s WeChat. Other apps like Snap and Telegram say they were placed on the list without their knowledge and without signing any kind of agreement. Natalia Krapiva, legal counsel at digital rights group Access Now, says the Russian government chose Tinder to send a message: “This is a way to show bigger companies to comply.”
In April, Russia fined Facebook and Twitter 3,000 rubles each (a whopping $46) after they refused requests to store data on Russian servers. While the fines are laughably low right now, there are reports that Russia is threatening to raise them significantly, charging as much as 1 percent of a company’s annual revenue in Russia for an infraction. That’s no joke for a company like Tinder, which, according to the analytics firm App Annie, is the seventh-highest-grossing app for iPhone users in Russia.
Krapiva speculates that Russia is enforcing its data-sharing policies by exerting pressure on smaller companies that are easier targets—and will feel the impact more acutely—than behemoths like Twitter and Facebook.
Unlike China’s Great Firewall, Russia doesn’t yet have a foolproof way to block online services. Russia tried to block Telegram in 2018 after the encrypted messaging service refused to turn over user data. But it wasn’t able to block Telegram without blocking access to many other, unrelated websites. After more than a year, the government still hasn’t found an effective way to keep Russians from using the service. But Suzanne Spaulding, a senior adviser at the Center for Strategic and International Studies warns, those holes won’t last. “Over time Russia is going to get better at this,” she says.
The Tinder request is part of a string of restrictive actions the Russia government has taken in recent years to control who uses the internet and how. Most recently, Russia moved to bolster its firewall. Last week, Roskomnadzor told VPN services that they will be blocked if they give users access to websites that have been banned. In May, it passed a law that would allow Russia to build its own internet and disconnect from the rest of the world. In March, the Russian Parliament adopted rules that allow the government to imprison anyone who spreads disinformation or insults a politician online. Russia is part of a growing trend on countries that are exercising more control over the internet. India’s government proposed new rules in February that would allow the country to control content on Twitter, Google, Facebook, and other sites. Both Sri Lanka and Sudan have shut off access to social media platforms this year.
In the crowded and competitive world of social media apps, any kind of blocking—even if it isn’t 100 percent successful—could still impact Tinder’s success in Russia. “Whether you've been blocked by the government, or just having a bad day with connectivity—most of your customers don't care,” says Danny O’Brien, an open internet advocate at the Electronic Frontier Foundation, “They'll just move to a service that is available all the time.” He says that Telegram has been able to survive because it already had a base of devoted users in Russia who looked for ways to avoid the government ban. Less popular sites might not weather those disruptions as well.
Tinder has been tight-lipped about its agreement. “We received a request to register with the Russian authorities, and, as of now, we have registered to be compliant,” says a Tinder spokesperson, parrying questions about what kind of data might be shared and which users would be exposed. “However, this registration in no way shares any user or personal data with any Russian regulatory bodies and we have not handed over any data to their government.”
The Tinder agreement is related to a 2015 law that requires “organizers of information,” such as social media platforms, to store user data in servers within Russia. For now, Tinder’s registration only acknowledges that it is storing the data in Russia. But O’Brien says the move is about Russia “asserting broad jurisdictional control over personal data.”
Because Tinder is an American company, prior to the law, Russia couldn’t legally access that data without working through the American judicial system. Now, because the information is hosted within the Russian Federation, law enforcement agencies can access that data without submitting to a lengthy international judicial process. “In technological terms, it doesn’t matter where this data is kept. In legal terms, it kind of matters.” O’Brien says. “But the real question is what, practically, can governments hold over companies to get them to do what they want.”
The Russian government says its rules are crucial counter-terrorism measures, but human rights advocates say the laws allow the Russian government to seek out and target marginalized groups, political dissidents, and members of the LGBTQ community. Oleg Kozlovsky, a Russia researcher at Amnesty International, says that corruption is widespread in Russia’s law-enforcement agencies and that it’s “not unlikely” that information about Tinder’s users’ private communications and sexual orientation could be leaked and even used for blackmail. “There is effectively no oversight, judiciary or public, of how this information is accessed and used by the secret services,” he said in a written statement.
Angela Sasse, a professor at University College London who has studied privacy on dating apps, says that users are also more likely to divulge personal information on dating apps to increase their chances of getting a date, revealing political views or preferences they wouldn’t share elsewhere. Seemingly innocuous details can help decode your passwords, target you with more sophisticated phishing attacks, or be used to start a relationship to entrap you.
“There are some clear national security implications,” says Spaulding, who is concerned the data could be used against Americans with security clearances living in Russia. Spaulding describes the agreement as another example of Russia’s kompromat tactic, in which the government collects compromising or embarrassing information on political figures and uses that information pressure them.
Tinder has already played a part in these complicated political games. In November 2018 a Ukrainian college student name Nataliia Bureiko published a Facebook post that accused Oleksandr Varchenko, a top Ukrainian police official, of sexual harassment. The post included purported screenshots of Tinder conversations between the two, in which Varchenko threatened Bureiko when she refused to have sex with him. The allegations exploded into an overnight, nationwide scandal. But they were false.
Bureiko later apologized and claimed she gave someone access to her Facebook account for $50, but the incident shows how powerful that kind of character assassination can be. It also shows how difficult it can be to determine if those conversations are real. If Russia can claim it has access to Tinder user data, then Spaulding says any allegedly compromising conversations or information the government reveals from the site “doesn’t even have to be true.”
Spaulding and O’Brien also point out that making the public aware that Russia has access to Tinder’s data makes it easier for the Russian government to create fake scandals using faked data. O’Brien says the issue is “as much about appearances and the ability of Russia to show that it’s flexing its power” as it is about the country’s actual capacity to protect that data.