
Women’s ‘red flag’ app Tea is a privacy nightmare

Technology
  • I think of the "bad" dates I would want to be able to warn other women of that didn't rise to the level of calling the cops. The guy who ordered triple the food and drinks I did and skipped out on the bill. The guy who flat out lied about multiple things and then got irate when I politely excused myself from the date. The MAGA weirdo who went on an unhinged rant about how I needed to submit to him because God said so. I imagine some men have comparable experiences with some anti-social women. The experiences coming to mind were not illegal, but were absolutely things I want to spare my fellow humans from.

    I would prefer the dating apps themselves have some mechanism for disincentivizing anti-social behaviors. It would have to be more than a simple 5-star rating.

    I wonder how it would work IRL to offer the ability to write a few sentences in response to prompts about a date. The written review is not published as-is, but is used in grouping of many reviews to give a summary about a person. Like the summary product reviews on Amazon now. "Bill's dates found he was prompt and polite. Some dates expressed discomfort at some of his political views" and "Bob's dates warn he is often late and is quick to use foul language to describe women. Multiple dates report no intention to communicate with Bob further". "Ben's dates report he has skipped out on the bill repeatedly, and sends unsolicited dick pics. Multiple dates have blocked him".

    The group summary gives a buffer so the person reviewed doesn't know which specific date said what. And ensures the summary doesn't include negative comments about a person unless multiple dates of theirs independently report similar experiences.

    Of course a bad actor could ditch their dating profile and start fresh any time they build up enough negative reviews to make their summary look bad. And of course the reviews and the summaries would have to be secured tighter than "Tea" is.

    The experiences coming to mind were not illegal, but were absolutely things I want to spare my fellow humans from.

    What about a guy who had a panic attack in the very beginning and couldn't stop talking about his deceased dad, then about aunts and uncles, then about the dog, then about architecture, then didn't get the hint because of all the shaking, got petrified when hinted at an alcohol element in the continuation of the meeting and in the end didn't even understand very direct hints at "only silence can save this" and having at least a sleepover?.. Who only became kinda normal after taking a sedative next morning, still shaking.

    Just describing one negative experience I have provided in the past, and that while yeah, it wasn't too cool - maybe lifelong shame is not what I deserve for that ...

    (Yes, I know that girl was a hero)

    The group summary gives a buffer so the person reviewed doesn’t know which specific date said what. And ensures the summary doesn’t include negative comments about a person unless multiple dates of theirs independently report similar experiences.

    That can't be done without somehow verifying identities of all the people involved. Unless the review app is the same as the dating app. Then there are various technical variants, like some cryptographic connection between the reviewed person's identity, the token representing one date, and a temporary identity for the reviewer, used to sign the review message. Something like that.

    But that only for the entity doing the summary, which will have to be trusted with the original reviews. And that "buffer" will remove any kind of verification, unless it's something egghead-smart like a smart contract forming the review on every client, which means every client can also see the original reviews. So I dunno.

    Of course a bad actor could ditch their dating profile and start fresh any time they build up enough negative reviews to make their summary look bad. And of course the reviews and the summaries would have to be secured tighter than “Tea” is.

    Honestly things like this should work like some hybrid of Briar and Freenet. Just entrusting it to a centralized service is as stupid as using Facebook. And in this specific case the Briar model is kinda fine - if you synchronize with everyone using the application. You don't need to have the reviews from everyone about everyone, just about people roaming the same general area.

  • I feel that the app filled a need of women we should not ignore. But the app, both this specific app and also the overall concept, is just too rife with downsides to be workable.

    So we, as men and as society need to reevaluate why women feel the need for such an app, and reinvest in the criminal justice system to hold victimizers more accountable.

    It’s okay to call this app and similar Facebook groups unacceptable. But that’s not enough, we must also call for stronger protections for victims of criminal behavior.

    The criminal justice system... At this point any more investment is just a waste.

    That said, we're being shortsighted. The criminal justice system is far too corrupted and easy to pervert. It has way too many levers the powerful can exploit to get away with almost anything. The powerful want it that way, so the government wants it that way, and so that's the way it is. We need to burn it ALL down. And relying on naive public satiating actions like useless protest, or the belief that this can all be fixed through voting, when shit is this far-gone, is counterproductive.

  • This post did not contain any content.

    Why did the app have the government IDs and credit card data to begin with? The app looks like an obvious phishing scam/honeypot situation.

  • Wouldn't some sort of proxy in between the bucket and the client app solve this problem? I feel like you could even set up an endpoint on your backend that manages the upload. In other words, why is it necessary for the client app to connect directly with the bucket?

    Maybe I'm not understanding the gist of the problem

    Exactly, it's not necessary. It's bad / lazy design. You don't expose the DB storage directly, you expose a frontend that handles all the authentication and validation stuff before accessing the DB on the backend. That's normal Client-Server-Database architecture.
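The "frontend that handles authentication and validation before touching the store" pattern from the comment above, as an added example that is not code from the thread or from the Tea app. Everything here is hypothetical and in-memory: `SessionStore` stands in for whatever session mechanism the backend uses, `InMemoryBucket` for the object store, and `handle_upload` is the only code path that ever holds a handle to the bucket. The client supplies a token, a declared content type and a body; it never names the object key, never sees the bucket, and gets nothing stored until every check passes.

```python
"""Added example: an upload endpoint that proxies writes to a private bucket.
Not from the thread or the app under discussion; all names are hypothetical."""
import hashlib
import secrets
import uuid

MAX_UPLOAD_BYTES = 5 * 1024 * 1024
# Declared type -> magic bytes the body must start with (constructed allowlist).
ALLOWED_TYPES = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
}


class InMemoryBucket:
    """Stand-in for an object store whose policy allows only the backend identity."""

    def __init__(self):
        self.objects = {}

    def put(self, key, data):
        self.objects[key] = data

    def list_keys(self):
        return sorted(self.objects)


class SessionStore:
    """Issues opaque session tokens; only their hashes are kept server-side."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = user_id
        return token

    def resolve(self, token):
        if not token:
            return None
        return self._tokens.get(hashlib.sha256(token.encode()).hexdigest())


def handle_upload(request, sessions, bucket):
    """request: dict with 'auth_token', 'content_type', 'body' (bytes).

    Returns (http_status, payload). Order matters: authenticate first, then
    validate the declared type, the size, and finally that the bytes really
    are what the client claims. Only then does the backend write, under a
    server-chosen key scoped to the authenticated user.
    """
    user_id = sessions.resolve(request.get("auth_token"))
    if user_id is None:
        return 401, {"error": "not authenticated"}

    ctype = request.get("content_type")
    body = request.get("body", b"")
    if ctype not in ALLOWED_TYPES:
        return 415, {"error": "unsupported media type"}
    if len(body) > MAX_UPLOAD_BYTES:
        return 413, {"error": "payload too large"}
    if not body.startswith(ALLOWED_TYPES[ctype]):
        return 400, {"error": "body does not match declared type"}

    # The client never chooses the key, so it cannot overwrite or enumerate
    # other users' objects; the uuid keeps keys unguessable.
    key = f"users/{user_id}/{uuid.uuid4().hex}"
    bucket.put(key, body)
    return 201, {"key": key}


if __name__ == "__main__":
    sessions, bucket = SessionStore(), InMemoryBucket()
    token = sessions.issue("alice")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample body
    print(handle_upload({"auth_token": None, "content_type": "image/png", "body": png}, sessions, bucket))
    print(handle_upload({"auth_token": token, "content_type": "image/png", "body": png}, sessions, bucket))
    print(bucket.list_keys())
```

With this shape the bucket's own policy can be reduced to "the backend role may read and write, nobody else may do anything", which is the difference the comment is pointing at: a leaked bucket name or URL then yields nothing, because the bucket was never the thing clients talked to.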

  • On one hand, yes. On the other, women have, based upon crime statistics, legitimate reasons to avoid putting themselves in a situation where they may be assaulted or murdered for reporting problematic and/or worrisome behavior.

    I don't think creating an incel style circlejerk is the best solution.

  • Good lord, please tell me you did not just use ted bundy to describe what you think women like in men?

    also did you just lore dump to a complete stranger? we're having a casual conversation.

    i never said anything as insane as "Systematically doxxing and libeling men is a risk we're just going to have to take". i said doxxing should be avoided, if you'd read any of my comments.

    who is this long winded comment for, exactly?

    please tell me you did not just use ted bundy to describe what you think women like in men?

    I did, because he was. Two different ways.

    1. Bundy's modus operandi was to approach women in public as a handsome, charming stranger. I'm pretty sure women like handsome, charming strangers; the entire female dating strategy seems to be geared toward attracting handsome, charming strangers. Ted Bundy was able to attract dozens of victims like that. There's an inherent danger in attracting strangers, because sometimes strangers are psychopaths.

    2. Ted Bundy got a LOT of fan mail from women while he was in prison. Love letters, marriage proposals, nude photos. A shocking number of women saw his picture on the news alongside words like "murder trial" and "death sentence" and said "That's the man for me." He pulled some weird stunt to "get married" and he fathered a child from prison. This isn't unique to Ted Bundy, lots of mass murderers and serial killers have groupies, from Charles Manson to Dylan Klebold.

    i said doxxing should be avoided, if you’d read any of my comments.

    You came across as pretty lukewarm to me. "Yeah doxxing is a problem I guess." You can't have a Don't Date Him Girl website without doxxing. Doxxing is how they work.

  • This post did not contain any content.

    A more ironic outcome couldn't have happened

  • A lot of people have speculated that.

    According to their statement their code was written in Feb/2024 and predates "vibe coding"

    What intrigues me is this:

    I'm confident vibe coding was not to blame in this particular case,

    So they used vibe coding, they are only saying that they think/hope that it is not the cause of the break (and maybe also of the second one)

    And if vibe coding is not the cause, then they are even more incompetent.

  • I don't think creating an incel style circlejerk is the best solution.

    I agree. Some sort of solution is necessary but this probably isn't it.

  • please tell me you did not just use ted bundy to describe what you think women like in men?

    I did, because he was. Two different ways.

    1. Bundy's modus operandi was to approach women in public as a handsome, charming stranger. I'm pretty sure women like handsome, charming strangers; the entire female dating strategy seems to be geared toward attracting handsome, charming strangers. Ted Bundy was able to attract dozens of victims like that. There's an inherent danger in attracting strangers, because sometimes strangers are psychopaths.

    2. Ted Bundy got a LOT of fan mail from women while he was in prison. Love letters, marriage proposals, nude photos. A shocking number of women saw his picture on the news alongside words like "murder trial" and "death sentence" and said "That's the man for me." He pulled some weird stunt to "get married" and he fathered a child from prison. This isn't unique to Ted Bundy, lots of mass murderers and serial killers have groupies, from Charles Manson to Dylan Klebold.

    i said doxxing should be avoided, if you’d read any of my comments.

    You came across as pretty lukewarm to me. "Yeah doxxing is a problem I guess." You can't have a Don't Date Him Girl website without doxxing. Doxxing is how they work.

    skipped everything about ted bundy cause wtf you're obsessed, man. maybe join a bundy dating app?

    also let me make it clear since you missed it last time (even though you quoted it). I think doxxing is bad and should be avoided. fuck's sake man. i am a commenter, not a politician. i read this stuff over breakfast. take it easy ffs.

    not everything has to be a huge debate.

  • I feel that the app filled a need of women we should not ignore. But the app, both this specific app and also the overall concept, is just too rife with downsides to be workable.

    So we, as men and as society need to reevaluate why women feel the need for such an app, and reinvest in the criminal justice system to hold victimizers more accountable.

    It’s okay to call this app and similar Facebook groups unacceptable. But that’s not enough, we must also call for stronger protections for victims of criminal behavior.

    I think there must be a way to deliver on the value of the app without it being the privacy/public exposure nightmare it sounds like. Speaking naively, perhaps a setup where you can only speak about a person with those who have actually matched with them.

  • Yup. It sounds like they were following security worst practices.

    I get doing that in Dev for testing before launch, but in production? that’s insane.

    Like it has to either be a junior developer playing the role of lead or some serious lack of web dev fundamentals haha

  • I think there must be a way to deliver on the value of the app without it being the privacy/public exposure nightmare it sounds like. Speaking naively, perhaps a setup where you can only speak about a person with those who have actually matched with them.

    There’s no “matching” on this app, because men aren’t allowed. By its very design, you can’t avoid the unilateral one-sidedness.

  • There’s no “matching” on this app, because men aren’t allowed. By its very design, you can’t avoid the unilateral one-sidedness.

    Sorry, I do understand that, I was just thinking of an improvement that might help. I thought having the same phone number might work too but that gets dodgier.

  • This post did not contain any content.

    How many red flags do you need to collect before you get a free cat?

    Why did the app have the government IDs and credit card data to begin with? The app looks like an obvious phishing scam/honeypot situation.

    that's a great(terrible) idea for a sex trafficking psyop. just get yourself a female spokesperson and make it a platform that gives a voice to women who have survived abuse. they'll willingly give you all their information on where to find them and their psych profiles on how to manipulate them.

    fucked up, but really shows how fucked up apps are in general and how much power we give to them over ourselves.

  • It was potentially defamation when it was just women...talking to one another, too. This seems like a pretty solid case of men looking at something women do to protect each other, and saying "...but what about the men who could be negatively affected in some cases?" I also think the tone in which this is being discussed is pretty revealing about Lemmy's demographics.

    the app is called TEA - it is a gossip vector masquerading as a safety mechanism, and people are making all sorts of claims about innocent people they had a bad date about, including their full name, location, workplace, pictures of their face - and accusing them baselessly in some (or most) instances of violent crimes.

    If you can't see how not only that wouldn't make women safer, but instead is a black mirror episode - there's something wrong.

    People against this app aren't against women's safety, and they don't necessarily believe our current systems and protection are adequate - but getting lynched by half a city because of a jaded ex is not a solution and is a crime of its own.

    I mean half the posts on similar Facebook groups complain about the men being "narcissists" yeah it's a shitty personality trait but that's clearly not a fucking safety issue, it's about gossiping and doxxing people.

  • This post did not contain any content.

    Sounds MAGA level IT and dev.

  • I get doing that in Dev for testing before launch, but in production? that’s insane.

    Like it has to either be a junior developer playing the role of lead or some serious lack of web dev fundamentals haha

    I'd argue that it should not even be done in Dev. Dev, staging/testing, and prod environments should all be as close to one another as possible, especially for infra like datastores.

  • As I mentioned in other comments, I am a noob when it comes to web-sec; please forgive what may be dumb questions.

    Is it really just a permission rights "over-exposure" issue? Or does one need to also encrypt and then decrypt the data itself that must be sent to a database?

    Also, if you have time, recommend any links to web/cloud/SaaS security best practices "for dummies"?

    As I mentioned in other comments, I am a noob when it comes to web-sec; please forgive what may be dumb questions.

    There's nothing to forgive. Asking questions and being curious is how you learn this stuff.

    Is it really just a permission rights "over-exposure" issue?

    From what I've read, it's more fundamental than that. It's a basic architecture issue. The datastore was publicly accessible, which it should never be. If they had it set up according to best practices, with an API to proxy access and auth, the datastore's permissions would be of minimal consequence, unless their network was compromised (still best practice to secure it and approach with a zero-trust mindset).

    Or does one need to also encrypt and then decrypt the data itself that must be sent to a database?

    Generally, cloud datastores handle encryption/decryption transparently, as long as the account accessing data has authorization to use the key. They probably also didn't have encryption set up.

    Also, if you have time, recommend any links to web/cloud/SaaS security best practices "for dummies"?

    Here are some more resources:
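The "datastore publicly accessible, which it should never be" point above, plus the zero-trust remark about still locking the store down even when it sits behind an API, as an added example that is not code from the thread or from any vendor's tooling. It is the check a practitioner runs before launch: parse a bucket's resource policy and flag any unconditional statement that grants read or write to an anonymous principal. The two policy documents are constructed for the example, in the general shape of an AWS-style S3 bucket policy (the account id and role name are placeholders); the evaluator is deliberately simplified and does not model everything a real policy engine does (explicit-deny precedence, ACLs, conditioned grants), so a clean result here is a necessary check, not a sufficient one.

```python
"""Added example: flag bucket-policy statements that grant anonymous access.
Not from the thread; policy documents are constructed and simplified."""
import fnmatch
import json

# Actions whose anonymous grant means a stranger can change or fetch objects.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy")
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for the two spellings of 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _matches(patterns, action):
    # Policy actions may be wildcards such as "s3:*" or "*".
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def find_public_grants(policy):
    """Return findings as (statement id, 'read' | 'write', matched action).

    Only unconditional Allow statements with a public principal are flagged;
    conditioned public grants are skipped here and deserve a manual look.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        patterns = _as_list(stmt.get("Action", []))
        sid = stmt.get("Sid", "<no Sid>")
        for action in WRITE_ACTIONS:
            if _matches(patterns, action):
                findings.append((sid, "write", action))
        for action in READ_ACTIONS:
            if _matches(patterns, action):
                findings.append((sid, "read", action))
    return findings


# Constructed: the weak setting, where the app talks to the bucket directly
# and so the bucket has to accept anonymous reads and writes.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "OpenUploads", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-user-uploads/*"}
  ]
}
""")

# Constructed: the corrected setting. Only the backend's role (placeholder
# account id and name) may touch objects, and cleartext transport is denied.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BackendOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-backend"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-user-uploads/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-user-uploads",
                  "arn:aws:s3:::example-user-uploads/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_grants(policy))
```

The hardened policy is the one that pairs with an API in front of the store: the app's users are authenticated by the backend, the backend is the sole principal the bucket trusts, and a misconfigured or leaked client still cannot reach the data.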
