Privacy Fears Renew After Deleted Match.com Profiles Mysteriously Reappear


Halloween has come early for Match.com. The venerable dating site made headlines last week for an outbreak of zombies -- zombie profiles, that is.

A report from The Verge revealed that a glitch has resurrected an unknown number of deleted Match profiles from the dead. In an interview, former Match user Jason Debiak explained his surprise when, over breakfast with his wife and daughter, an email announcing 10 new matches on a decade-old, deactivated account appeared in his inbox.

“I log in, and there I am, from 15 years prior, with less gray hair,” he said. “And my whole profile is there, everything.”

He’s not the only one. A Match Group spokesperson has since confirmed that a “limited number” of old profiles were accidentally reactivated on the site. Any account affected has reportedly received a password reset, but the incident is troubling at a time when discussions around cybersecurity, data retention, and privacy have reached fever pitch.

Match.com’s current privacy statement says that the company can “retain certain information associated with your account” even after it has been shut down. It’s a common practice for dating services to retain user data for research and marketing purposes (or as Match.com’s privacy policy obliquely puts it, “record-keeping integrity”).

The Verge cites a 2009 ComputerWorld report in which Joseph Essas, eHarmony’s then-VP of technology, said, “We have an archiving strategy, but we don’t delete you out of our database. We’ll remember who you are.”

Herb Vest, founder and CEO of the now-shuttered site True.com, said in the same report: “The data just sits there.”

Match Group owns numerous dating services, including Tinder, OkCupid, and Plenty of Fish, all of which use similar language in their privacy statements. OkCupid affirms that it retains data from disabled accounts. Tinder and Plenty of Fish both claim that data is retained “only as long as we need it for legitimate business purposes and as permitted by applicable legal requirements.”

“There probably are good reasons to keep deleted profiles for some period of time — for example, to prevent or detect repeat users or fake users, etc,” Albert Gidari, consulting director of privacy at the Stanford Center for Internet and Society, told The Verge. “But that doesn’t mean forever.”

Thirty-two states -- including Texas, where Match Group is headquartered -- have enacted data disposal laws that require “entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” Thirteen states, also including Texas, have laws that require companies to act in accordance with reasonable cybersecurity practices.

The language is vague at best, and most users are unaware of both the laws protecting them and the privacy terms to which they agree. The sudden appearance of undead dating profiles is a stark reminder of the need for privacy in the digital age.

Match Group told The Verge that a new privacy policy will roll out “in the next month or so” to comply with the EU’s General Data Protection Regulation (GDPR). Under the new policy, all revived accounts will be deleted, though the company has yet to clarify what “deletion” actually means.