UnHinged: OSINT and the Fight for Safety on Dating Apps

When dating apps fail to protect women, OSINT helps police step in.

“In the baking sun… Natalie Dong stood outside the glass headquarters of the popular online dating platform Tinder, in downtown Los Angeles, with a poster board draped from her neck. It read: ‘MY RAPIST IS STILL ON TINDER.’” – Brian Edwards, Elizabeth Naismith Picciani, Sarah Spicer and Keith Cousins, Columbia Journalism Investigations [Source: ProPublica]

In 2019, sexual assault survivor Natalie Dong stood outside the headquarters of Match Group, the online dating conglomerate operating Tinder, Match.com, Meetic, OkCupid, Hinge, Plenty of Fish, OurTime and others. When her rapist continued to use Tinder as a hunting ground, she felt powerless to do anything else. 

This year, The Dating Apps Reporting Project undertook an 18-month investigation in partnership with the Pulitzer Center’s AI Accountability Network, the Markup, the Guardian and the 19th. They found that little had changed. Other women were still going through what Natalie had endured.

These situations – and offenders – recurred across multiple users of Match Group’s apps. The platform would ‘match’ a woman with an unassuming man, innocuous but a little ‘creepy’. Then a date goes well; then an invitation to his apartment. He would offer a drink – then the woman’s memory blurs. She loses control of her body. Sometimes, now, her attacker starts to film what he’s about to do.

“She met the 34-year-old doctor with green eyes and thinning hair at Highland Tap & Burger, a sports bar in a trendy neighborhood… What transpired over the next 24 hours, according to court testimony, reads like every person’s dating app nightmare.” – Emily Elena Dugdale, Hanisha Harjani and The Dating Apps Reporting Project [Source: Guardian]

The victims describe headlocks, struggles – he was kissing her forehead; she fought back to free herself and managed to escape. Holding the shoes she left behind, a rapist followed his victim out into the street, trying to force her back inside.

Through dark spots and gaps: vomiting in the car on the way home, and for hours after that. Then waking up, soaked to the bone on the bathroom floor, the door key still in the external lock. Other survivors tell more overtly violent stories of “choking and hair-pulling”, injuries, bruises, lost time and “a guilty look” on their rapist’s face. 

These women would report their assaults to a Match Group app: Tinder, Hinge or PlentyOfFish. Always – nothing would be done. 

Usually, Match Group already knows these men are rapists. In one case, the app had already logged two other women’s reports of rape against one user. In time, at least 15 women would report that he had raped or drugged them after ‘matching’ on dating apps run by Match Group. As in this case, arrest is often the only thing that gets rapists off these apps. 

Studies corroborate that something is very wrong in the Match ecosystem. In 2022, a Utah study found hundreds of app-led sexual assaults in their region, largely swifter and more violent than those that began in any other context. Dating app rapists were also more likely to target vulnerable victims, with 60% reporting mental illness. 

‍“How much would you personally pay to stop just one person being sexually assaulted by a date, one child being trafficked or one vulnerable person being driven to suicide by a predator? I feel that if I asked members of our staff that question individually, they would put a high value of their own money on it… but as a group nobody is ready to hear that yet.” – An anonymous Match Group employee to superiors. [Source: Guardian/The Dating Apps Reporting Project]

‍

‍CJI and ProPublica’s 2024 survey of dating app users also exposed this rotten underbelly. Seeking data from ‘those affected by sexual violence’, 188 (mostly) women reported assault, harassment or matches with known abusers. Most attacks happened on the first in-person meeting: in dorms, apartments, parking lots. Most assaults were perpetrated by unregistered predators, but 10% of the group had matched with a sex offender convicted of rape or assault – because Match’s free platforms don’t require a registry screening. 

Most victims met their attackers on Tinder, OkCupid, PlentyofFish or Match. Match Group owns them all. Of the 71 women that had reported a sexual assault to a Match Group platform, only 37 had ever heard back. Worse, only 11 were able to obtain a police report. 

“There are definitely registered sex offenders on our free products…” – A Match Group spokesperson [Source: ProPublica]

Match Group is aware of the problem. As part of their investigation, the Dating Apps Reporting Project uncovered one Match-affiliated app’s employee manual on fraud, abuse and harassment cases. The slim two-page section on sexual assault complaints recommended what employees should do – “answer quickly, respond empathetically” – but also what they shouldn’t do: “send victims to police.”

Is Match Group’s hesitation rooted in a fear of being held accountable? When police are armed with OSINT – and OSINT Industries – that exposure is a certainty.

Meet Peter*, an Intelligence Officer.

Inaction by Match Group and similar companies in LA and Silicon Valley has a ripple effect throughout the world. A five-year review of police reports by the UK’s National Crime Agency found that dating app sexual assaults had increased as much as 450%, from 33 to 184 cases. By 2021, reports reached four figures and are even higher today. 

These statistics, however, reflect only the 16% of attacks that get reported.

The reason for this is not only Match Group’s poor reporting and moderation policies. Victims often have to contend with an inability – due to the makeup of Match Group’s apps – to effectively identify who their attacker was in the first place. 

On his force’s Rape and Serious Sexual Offence (RASSO) Team, Intelligence Officer Peter*’s work is to identify those who assault victims in the UK, and bring them to justice. Unfortunately, as many law enforcement officers are finding out worldwide, Match Group has made this task as difficult as possible. 

"During multiple tests, we successfully created new accounts without needing to change the user's name, birthday, or profile photos…" – Natasha Uzcátegui-Liggett, Statistical Journalist [Source: Mashable]

Not only do Match’s free apps require very little information to sign up, but bans are easily evaded on any company’s platforms – even if, like the minority of attackers, a man has a criminal record. On Tinder, Dating App Reporting Project researchers made accounts with the exact same name, birthday and profile photos used on banned accounts, and could continue using them across a range of Match and non-Match apps. From here, an account traceable to a rapist is easy to delete. An attacker can make a new account, or multiple to harass a victim. If that doesn’t work, he can simply purchase a new phone for less than 30USD. Most ban evasion tactics involve using false details, or even foregoing details altogether, making vital connections even harder to make. 

If victims make reports to platform owners before police, there is a chance a lifetime ban will take effect that simply encourages evasion. As evinced by forums that dicsuss tactics, abusers and ‘incels’ have even found ways to manipulate lifetime ban policies to their advantage, devaluing the system by making ‘revenge reports’ against victims, trans women, women of color, and women who just turned them down. If a victim so much as gets blocked, apps like Tinder immediately sever all connections between the two accounts – destroying any evidence or identification leads in the process. 

“Any time they are a c*** to you… The moment you receive a text that isn’t moving things forward in a way you want, just report… When I report regularly, I just type ‘gaslighting’ as the reason, and then add ‘made me feel uncomfortable’ (the catch-all that can’t be proven).” 

“I got banned a couple years ago but had some success tonight…” 

‍“Join Bumble, that’s where everyone who gets banned goes… Get a new phone, get banned again later… [Women]’re all damaged online anyways.” 

– Comments from Reddit threads on ‘r/Tinder’ and ‘r/SwipeHelper’. [Source: Stylist/Reddit]

If Peter wants to have any chance of achieving a successful conviction, he needs to rebuild the connections that rapists seek to sever; to use scraps of information like usernames, phone numbers and emails to identify suspects.

Peter found out about OSINT industries from a law enforcement colleague at last year’s Birmingham Internet, Intelligence and Investigations Conference. Since, our tool has been key in his RASSO Team’s success, providing profile pictures and names for identification, and drawing out usernames and social profiles from phone numbers and email addresses that are not known on our police systems. 

This officer reached out to us to explain how OSINT can turn the tables on dating app rapists – and even Match Group itself.

Nightmare: A Survivor’s Story and the Fight for Justice

“Women have a good experience while they’re in the product. They feel safe. They feel secure. Etc… [sic]” – A dismissive memo from Bernard Kim, ex-CEO of Match Group [Source: Markup/The Dating Apps Reporting Project]

Match Group’s Hinge app markets itself as a platform for meaningful long-term relationships, not hookups. It claims it promotes ‘thoughtful’ no-swipe interactions, a Nobel-prize winning algorithm based on compatibility, and smooth conversations from personality-based questions like “two truths and a lie” or “my most irrational fear”.

For women, fears on Hinge are not irrational. Peter recalls one victim’s story. Laura’s* story began like a lot of love stories: with a ‘match’ on Hinge. It ended, like Natalie Dong’s and so many other women’s stories, with indelible trauma. 

After exchanging messages and getting along, Laura had understandably decided to meet with her ‘match’ for an in-person date. Like so many other Hinge users, things were going well now they’d met. Her date seemed normal, approachable, well-intentioned; Laura agreed to go back to his hotel room to keep the date going.

She had made it explicitly clear upon arriving upstairs that she didn’t want anything sexual to happen. Despite Laura’s clear refusal, this man had come to dehumanize her. He disregarded how she felt. He overpowered her physically, forcibly pinned her down, and proceeded to sexually assault her by penetrating her vagina without her consent. By the end of their first and only meeting via Hinge, Laura had become the victim of a rapist. 

Although deeply shaken by what had happened to her, this survivor had the strength to report her assault. However, Hinge and her attacker had made sure she had as little information about her rapist as possible. The only details Laura was able to provide to police were his profile picture, and a first name: ‘Louie’.

Without a full name, address, or other identifying details, the investigation presented even an intelligence expert like Peter with significant challenges from the outset. The chances of a response from Hinge or Match Group were practically nonexistent. Few police forces, let alone overseas, have the time or resources to fight tech giants for data that they will be slow to provide, if at all – particularly considering Match Group’s attitudes to police reporting and information-sharing. They may be willing to share data with advertisers, but not with law enforcement.

‍“It’s the after the fact that bothers me… How is that not aiding and abetting?” – Kerry Gaude, survivor of sexual assault via OkCupid. [Source: ProPublica]

However, the victim still needed justice. Peter’s team began at the hotel where the assault had occurred, interviewing witnesses and scouring hotel records for anything that could be construed as a lead. It was in these records that ‘Louie’ had made himself known. A guest by that name had made a booking at a time coinciding with Laura’s attack; he may have been evading Hinge’s policies, but not Peter’s investigation. Witness accounts could help Peter to estimate a date-of-birth for the rapist whose phone number was easily retrieved from his attempt to lay the perfect trap. 

This was far from the case’s conclusion. ‘Louie’s’ phone number, while useful, would require further investigation to determine ownership. It could belong to a prepaid, unregistered ‘burner’ device, or appear registered under another name. This was a “loose suspect” for Laura’s attack. Additional intelligence was needed to make the team’s ID concrete enough for an arrest.

It was here that Peter and his team turned to OSINT, and to OSINT Industries’ tool.

“Without using the OSINT industries tool we would not have got these details, and it would have taken police a lot longer to identify the suspect which would have prolonged the investigation…” – Peter*, Intelligence Officer. [Source: OSINT Industries]

Possessing a phone number for ‘Louie’, Peter inputted an OSINT Industries phone search. The result: a range of accounts, including a Telegram account registered to full name ‘Louie ****’. On this Telegram account was a familiar profile picture. Suddenly, the investigation took a significant leap forward.

This digital evidence could build the concrete connection required for a positive ID on the man responsible for Laura’s attack. Peter recovered the image of ‘Louie’ that Laura had downloaded from his Hinge app profile, and juxtaposed it with this new Telegram image. With a high degree of certainty – it was a match. The same man had uploaded both. ‘Louie’ was ‘Louie ****’, and these digital footprints were his. 

Following this breakthrough, Peter’s team proceeded with further inquiries to compile all the necessary information for arrest and legal proceedings. The key factor had been OSINT, and more specifically that OSINT Industries phone number search. Hinge and Match Group’s inaction hadn’t prevented justice. A single phone number from a hotel ledger had delivered digital evidence that provided law enforcement with a first and last name, as well as a clear photograph, both of which were instrumental in what would usually be a long and painful identification process. From here, Peter’s team could take the only action that stops a dating app rapist: arrest.

Designed to Be Deleted: OSINT vs Match Group

“Corporations… have a responsibility to help ensure safe experiences for their users…” – Tracey Breeden, Head of Safety and Social Advocacy at Match Group [Source: Guardian]

It’s difficult to imagine Laura’s experience had police not had access to OSINT for justice. It is important to emphasize, however, that she is not alone, and that brave officers like Peter are only just harnessing this vital tool to combat tech negligence.

Hinge is just one of the forty dating apps owned by Match Group. 

As an $8.5bn global conglomerate, Match Group also operates Tinder (the world’s most popular dating app), OKCupid, Plenty of Fish and more. Match Group controls half of the world’s online dating market, operates in 190 countries and boasts millions of users. The other dating conglomerates are no less guilty of similar negligence, but Match Group is among the most blatant in the way it facilitates assault. 

Match Group’s official safety policy states that when a user is reported for assault, “all accounts found that are associated with that user will be banned from our platforms”, but it’s clear the company’s actions paint an uglier picture. That ‘Louie’ was able to hunt on their app is testament to their accountability; that Pete’s team  was not immediately provided with all evidence speaks to the necessity of OSINT, but also to the unfortunate reality that OSINT should not be necessary. OSINT tools like OSINT Industries are simply allowing police to do their jobs when a tech giant has stacked the cards against them.

Superior moderation or better background checking on Match’s apps could be a path to greater safety – in effect, OSINT before and not after the fact of assault. However, a Match partnership with Garbo, a startup for low-cost background checks, fell apart when it “became clear that most online platforms aren’t legitimately committed to trust and safety for their users.” Moderators tasked with scouring the platform for rapists in tandem with software flags report struggles too. Moderation software can process 60 complaints an hour, leaving employees an average of one minute per flag. These flags constitute, at the least, racist and misogynistic language, and at the most, traumatized victims of full-blown sexual assault. In this single minute moderators must decide for-or-against escalation, blocking – which may destroy evidence – and additional intelligence-gathering. At Hinge, moderators operate on this flag-per-minute timescale for all cases; at OkCupid, sexual assault claims have a 15-complaint-per-hour quota, and the ‘luxury’ of four minutes’ attention.

Naturally, Match Group’s stock price is dropping. As they claim “every person deserves safe and respectful experiences”, six users filed in February 2024 what they hope will be a class-action lawsuit, citing “addictive” features to encourage compulsive use of an app built “hook them… to keep them paying subscription fees – not to help them find love”. A central claim involves Hinge’s slogan: “designed to be deleted”. 

If not just to the app's gamification, this slogan might apply to an app like Hinge’s disregard of user safety; an app ostensibly focussed around intimacy, but arguably less proactive in its (albeit flawed) sexual assault prevention policy than notoriously unsafe ride-sharing apps. 

“I was like, ‘It was that easy?’... Why did I have to go down there to get you to do this?... It’s just another example of the world telling you that they don’t care.” – Natalie Dong, survivor of sexual assault via Tinder. [Source: ProPublica]

Returning to Natalie Dong, her protest outside Tinder headquarters ended when an employee offered her a bottle of water, and another collected the information she’d submitted time and time again. At last, days after arriving home, she received an email that her rapist had been banned from the app. A symbolically muted reaction from a Match Group subsidiary. 

It falls to RASSO Teams like Peter’s to pick up the pieces. Unlike Match Group, they do care. At least with OSINT Industries, they're more able than ever to do so.

“I don’t think they’re safe enough at the moment… They’re going to get worse… I’m hoping dating sites vanish.” – Michael Lawrie, ex-Head of User Safety and Advocacy at OKCupid. [Source: Guardian]

*Some names and information have been changed to protect identities.