Danish Authorities Investigate OkCupid Data Dump
The country's Data Protection Authority launched an investigation into students' publication of nearly 70,000 OkCupid users' personal information.
Earlier this month, two Danish students dumped data on 70,000 OkCupid users, including sexual preferences, turn-ons, and usernames. Although the information was already available on the dating site, the students faced widespread criticism for collecting and publishing highly sensitive information en masse without anonymising it, which meant that individuals could potentially be identified.
Now, Datatilsynet—the Danish Data Protection Authority (DPA)—has decided to to investigate the OkCupid incident.
"The Danish DPA has taken up the case on its own initiative," Signe Vestergård Abildskov, a clerk from Datatilsynet, told Motherboard in an email. Datatilsynet's remit is, naturally, to make sure that data protection laws are followed; in this case, the Act on Processing of Personal Data.
Emil O W Kirkegaard, a master's student from Aarhus University, and Julius D Bjerrekær, who studies sports science at Aalborg University and physics at Aarhus, collected the dataset between November 2014 and March 2015 using a scraper—an automated tool that saves certain pages of a webpage.
That scraper targeted basic profile information such as username, age, gender, religious opinions, and location. But it also archived answers to the 2,600 most popular multiple-choice questions on the site, such as whether users like to be tied up during sex, take drugs, or what their romantic preferences were.
The pair then used this data as part of a self-published paper, which looked at, among other things, whether it was possible to work out users' general cognitive ability based on their answers.
The DPA's investigation is still in its infancy. Abildskov said the DPA had sent a letter to one of the students, which included questions on the collection, storage, and release of the OkCupid data.
"If data about individuals' purely private matters (sensitive information) is processed in a research or statistics project, the project must be notified to the Danish Data Protection Agency and must obtain the agency's authorisation," the Datatilsynet website reads. That includes sexual and religious matters, and "other similar information related to one's private life," the website continues.
When asked to confirm whether he had received such a letter, Kirkegaard declined to comment. He previously referred to his critics as "social justice warriors."