Dating Industry Insights
Regulatory Monitor

Raw Dating's Encryption Lie: A Case Study in Regulatory Failure

6 min read
    • Raw Dating exposed GPS coordinates, birth dates, and sexual preferences of over 500,000 users through an unsecured API for approximately 18 months
    • The app advertised end-to-end encrypted messaging but never actually implemented the encryption it promised to users
    • An Insecure Direct Object Reference vulnerability allowed anyone with basic web skills to download the entire user database without authentication
    • The company shut down in January 2025, leaving affected users with no recourse for data deletion or accountability

    A dating app that promised end-to-end encrypted messaging left users' GPS coordinates, birth dates, and sexual preferences accessible to anyone with basic web skills for potentially years. The kicker? Raw Dating never actually implemented the encryption it advertised.

    The breach, disclosed by security researcher Ulysses Saicha, exploited what's known as an Insecure Direct Object Reference vulnerability—essentially the web security equivalent of leaving every filing cabinet in the office unlocked with labels on the front. Anyone who accessed Raw's API could sequentially request user profiles without authentication, downloading precise geolocation data, profile photos, sexual orientation, and relationship preferences for the app's entire userbase.

    The DII Take

    This isn't a story about sophisticated hackers or zero-day exploits. It's about an app collecting the most sensitive combination of data imaginable—sexuality, precise location, and identity—whilst either lying about security measures or being too technically incompetent to understand what they'd promised. For an industry already facing existential trust issues and tightening regulatory scrutiny, Raw's failure is a gift to legislators arguing that dating platforms cannot self-regulate.


    The encryption claim alone should trigger enforcement action, but with the company now defunct, affected users have little recourse beyond watching their data circulate indefinitely.

    Entry-level failures with expert-level consequences

    IDOR vulnerabilities rank among the most basic security failures in web development. The Open Web Application Security Project lists them in its top ten most critical risks, alongside SQL injection and cross-site scripting. Preventing them requires proper authorisation checks on every request: verifying that User A requesting Profile B actually has permission to view it, rather than trusting whatever identifier arrives in the URL.

    That Raw's engineers either didn't know to implement these checks or chose not to raises uncomfortable questions about the company's technical foundations. The app operated for approximately 18 months before shutting down. During that period, according to Saicha's disclosure, any technically literate person could have harvested the entire user database.
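    To make the missing check concrete, here is an added example (not Raw's code, which was never published) of a profile lookup written the way the disclosure describes the flaw, beside a version with the checks it lacked. The data, the `matches` relationship used as the permission rule, the opaque handles and the in-memory access log are all constructed for illustration:

```python
# Added example: an IDOR-style profile lookup and its hardened counterpart.
# Nothing here is Raw's code; the sample users, the "matches" permission rule,
# the opaque handles and the access log are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional
import secrets


class AuthorizationError(Exception):
    """Raised for any request the caller may not make; one error covers both 'missing' and 'forbidden'."""


@dataclass
class Profile:
    user_id: int                # internal, sequential database key
    display_name: str
    lat: float
    lon: float
    orientation: str
    matches: set = field(default_factory=set)   # user_ids allowed to view this profile


# Constructed sample data, not real users.
PROFILES = {
    1: Profile(1, "alice", 51.5074, -0.1278, "bi", matches={2}),
    2: Profile(2, "bob", 48.8566, 2.3522, "gay", matches={1}),
    3: Profile(3, "carol", 40.7128, -74.0060, "straight"),
}

# Opaque public handles so the identifier in a URL cannot simply be incremented.
# Defence in depth only: the authorisation check below is what actually closes the IDOR.
HANDLE_TO_ID = {secrets.token_urlsafe(16): uid for uid in PROFILES}
ID_TO_HANDLE = {uid: h for h, uid in HANDLE_TO_ID.items()}

ACCESS_LOG: list[dict] = []   # the record the article says Raw apparently did not keep


def _log(requester, target, outcome):
    ACCESS_LOG.append({"requester": requester, "target": target, "outcome": outcome})


def get_profile_vulnerable(profile_id: int) -> dict:
    """The IDOR pattern: the path parameter is the only input and nobody checks who is asking."""
    p = PROFILES[profile_id]
    return {"user_id": p.user_id, "display_name": p.display_name,
            "lat": p.lat, "lon": p.lon, "orientation": p.orientation}


def get_profile_hardened(requester_id: Optional[int], handle: str) -> dict:
    """Same lookup with authentication, authorisation, logging and data minimisation."""
    # 1. Authentication: the request must carry a valid session identity.
    if requester_id is None or requester_id not in PROFILES:
        _log(requester_id, handle, "unauthenticated")
        raise AuthorizationError("authentication required")
    # 2. Authorisation: the owner, or a user the owner has matched with.
    target_id = HANDLE_TO_ID.get(handle)
    p = PROFILES.get(target_id)
    if p is None or not (requester_id == p.user_id or requester_id in p.matches):
        _log(requester_id, handle, "denied")
        raise AuthorizationError("not permitted")   # identical response whether missing or forbidden
    _log(requester_id, handle, "ok")
    # 3. Data minimisation: exact coordinates are returned only to their owner.
    out = {"handle": handle, "display_name": p.display_name, "orientation": p.orientation}
    if requester_id == p.user_id:
        out.update({"lat": p.lat, "lon": p.lon})
    return out


def denied_counts() -> dict:
    """Per-requester tally of denied lookups: a spike here is the signal the log exists to capture."""
    counts: dict = {}
    for entry in ACCESS_LOG:
        if entry["outcome"] == "denied":
            counts[entry["requester"]] = counts.get(entry["requester"], 0) + 1
    return counts


if __name__ == "__main__":
    print(get_profile_vulnerable(3))                      # anyone gets carol's coordinates and orientation
    print(get_profile_hardened(2, ID_TO_HANDLE[1]))       # bob sees alice, minus coordinates
    try:
        get_profile_hardened(3, ID_TO_HANDLE[1])          # carol is not matched with alice
    except AuthorizationError as e:
        print("denied:", e)
    print(denied_counts())
```

    The hardened version returns the same error for a handle that does not exist and one the caller may not see, so the endpoint cannot be used to confirm which accounts exist; the log it writes is what would have let Raw answer the question in the disclosure of whether anyone had actually walked the database.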

    Raw co-founder Brock Shinen told TechCrunch the company 'patched the issue shortly after being notified' and had 'additional safeguards in place'. Neither claim offers much comfort. The timeline remains unclear—when was the vulnerability introduced, when was it disclosed, and was there any evidence of exploitation before the patch?

    The 'additional safeguards' assertion deserves particular scepticism given that Raw apparently advertised encryption it never implemented. Either the company deliberately misled users about a core security feature, or leadership didn't understand their own product's technical specifications. Neither scenario inspires confidence in whatever safeguards supposedly existed.


    Location data and the stalker problem

    Dating apps inevitably collect sensitive information. Sexual preferences, relationship history, private messages—all standard. But Raw's exposure of precise GPS coordinates elevates the risk considerably.

    Most mainstream platforms obscure exact locations, showing approximate distance ('2 miles away') rather than coordinates accurate to within metres. This design choice reflects basic threat modelling: dating apps serve users actively seeking to meet strangers, including some users with abusive ex-partners, LGBTQ+ individuals in hostile environments, or high-profile people requiring discretion.
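    The design choice described above, computing distance on the server and sending only a rounded figure, is shown in this added example. It is not code from Raw or from any named platform; the haversine formula, the one-mile bucket and the sample coordinates are the author's assumptions for illustration:

```python
# Added example: server-side distance coarsening so that exact coordinates never
# appear in a response to another user. Not taken from any dating platform's code;
# bucket size and sample points are constructed for illustration.
import math

EARTH_RADIUS_KM = 6371.0
KM_PER_MILE = 1.609344


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def coarse_label(km: float, bucket_miles: int = 1) -> str:
    """Round a distance to the nearest bucket and never report anything finer than one bucket."""
    miles = km / KM_PER_MILE
    plural = lambda n: "" if n == 1 else "s"
    if miles < bucket_miles:
        return f"less than {bucket_miles} mile{plural(bucket_miles)} away"
    rounded = int(round(miles / bucket_miles)) * bucket_miles
    return f"{rounded} mile{plural(rounded)} away"


def distance_for_display(viewer: dict, target: dict, bucket_miles: int = 1) -> dict:
    """Build what the viewer's client receives: a name and a label, no coordinates for the target."""
    km = haversine_km(viewer["lat"], viewer["lon"], target["lat"], target["lon"])
    return {"display_name": target["display_name"], "distance": coarse_label(km, bucket_miles)}


if __name__ == "__main__":
    # Constructed sample points: central London and central Paris.
    me = {"display_name": "me", "lat": 51.5074, "lon": -0.1278}
    them = {"display_name": "them", "lat": 48.8566, "lon": 2.3522}
    print(distance_for_display(me, them, bucket_miles=5))
```

    The target's coordinates are an input to the server-side calculation only; the returned dictionary carries the label and nothing else, which is the property the article credits mainstream platforms with and Raw's API lacked.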

    Precise location data transforms speculative risk into concrete danger. A hostile actor with access to Raw's API could have identified users by sexual orientation, tracked their exact movements, and correlated location patterns to identify home addresses or workplaces.

    The exposure is particularly egregious given Raw's apparent positioning as a privacy-conscious alternative. Users who specifically chose the platform based on encryption promises were systematically placed at greater risk than if they'd used a mainstream app with proper security infrastructure.

    Regulatory implications and the compliance gap

    Raw's failure arrives as dating platforms face intensifying regulatory scrutiny. Match Group (MTCH) disclosed $625,000 in fines related to a 2024 Irish Data Protection Commission investigation into Tinder's data handling. Grindr (GRND) paid €5.5M in 2023 for GDPR violations related to sharing users' HIV status and location data with advertising partners.

    Those enforcement actions targeted platforms with hundreds of engineers and dedicated compliance teams. Raw appears to have operated without basic security competence, let alone a meaningful privacy programme.

    The UK's Online Safety Act, which came into force in stages throughout 2024, requires dating platforms to conduct risk assessments addressing content-based and user-safety harms, including location exposure risks. Ofcom's draft codes of practice, published in November 2024, specifically mention dating apps as high-risk services requiring enhanced protections. The EU's Digital Services Act imposes similar obligations on platforms accessible to European users.

    Raw's closure conveniently pre-empts enforcement, but regulators should take note of the compliance gap. Platforms can launch, collect sensitive data from hundreds of thousands of users, operate with negligent security practices, and fold before accountability arrives. The barrier to entry for launching a dating app remains low; the barrier to launching one unsafely is evidently no higher.


    What happens to the data

    The immediate vulnerability may be patched, but the data exposure persists. Saicha disclosed the flaw responsibly, but nothing prevents others from having discovered it independently during Raw's 18-month operation. Any downloaded datasets remain in circulation indefinitely.

    For affected users, recourse is limited. They can't demand deletion from a defunct company. They can't sue an entity that's already closed. They can't even confirm whether their specific data was accessed, since Raw apparently lacked the logging infrastructure to know.

    The incident should prompt uncomfortable questions for app store operators. Apple and Google both require privacy disclosures and review apps for policy compliance before approval. Raw clearly violated its own privacy promises, yet remained available on both platforms until voluntarily shutting down.

    Dating app operators—particularly smaller platforms attempting to differentiate on privacy—should recognise that marketing encryption you haven't implemented isn't just negligence. It's potential grounds for enforcement action under consumer protection law, GDPR's accountability principle, and the advertising standards frameworks in most jurisdictions. The industry's trust deficit is real, and incidents like Raw's confirm that some platforms genuinely cannot be trusted with the data they collect.

    • The dating app sector faces a dangerous compliance gap where platforms can collect sensitive data, operate with negligent security, and dissolve before regulators can act—highlighting the need for stricter pre-launch security requirements
    • Users choosing privacy-focused alternatives may actually face greater risks if those platforms lack the technical competence to deliver on their promises, making established platforms with proven security infrastructure potentially safer choices
    • Exposed data from Raw's breach will persist indefinitely regardless of the patch, with affected users having no way to confirm if their information was accessed or to demand deletion from a defunct company
