Life is surprising. One minute, I was a jet setting legal consultant with a vast network of friends all over the world and zero concerns about meeting new people; eighteen months later, I’m a full-time single mom – and just a couple weeks ago, I surprised myself again when I took the plunge and downloaded my first online dating app. I’m not really even interested in dating right now, but Mark Zuckerberg’s team was kind enough to notice I’ve been single for over a year and suggested I might like to try it. It wasn’t Tinder, so I resolved to at least take a look.
This won’t be my typical legal post........
Hacking will Happn
Happn is a proximity based dating app that streams the people you “cross paths” with in real life. It requires a Facebook connection. When you are within a close distance of another user that fits your predefined parameters, they show up in your stream, and in the “Tinder” fashion, you either pass or like the person. Profiles show a first name, age, and employment or school information, as well as your common Facebook interests.
I realized two things very quickly. First, real time common interests requires an API call to Facebook. And second, capturing the API calls with a Packet Sniffer will yield Facebook profile ID’s. It honestly started with a match to someone that had a job listed that just didn’t seem right. I couldn’t resist peeking behind the scenes. As every sourcer out there knows, if you have a Facebook profile, about 90% of the time, you have EVERYTHING. Surprise! Mr. Hotshot was NOT actually a Managing Director at Google!
Exploit number two is the real goldmine for taking advantage of any proximity based application: using Mock Locations. As it applies to Happn, because you collect profiles based on people you “cross paths” with, changing your location, especially using an application that allows you to “jump around” in a predefined radius, drastically changes who you will see in your steam at any given time, as well as the number of people you have access to. For example, I work from home every day, next to Wrigley Field and all the bars that go along with it. My neighborhood has a “type,” but a simple spoof using another free application and amazingly, the entire demographic on my stream changed.
The Recruiting Application
What if you could turn invisible, stand in the middle of the Microsoft campus and collect Facebook profiles of people walking by or sitting at their desks in the buildings? By downloading two additional Apps and running them in tandem with Happn, you can do exactly that – at least for people using the application. Looking for lawyers? Position yourself in the courthouse or a building that houses a number of large law firms. This will also work to take advantage of any proximity based application and there may be a wealth of information to be obtained. It’s an interesting concept for other potential sourcing tricks. One only has to figure out how to use it to their advantage.
The Game Changing Factor
Why will this trick give you an advantage unlike any previous proximity recruiting “hack”? Training on using social check-ins to locate potential candidates to poach have existed for a long time! I remember being told about using Foursquare to locate people who check-in at corporate locations and conferences 5 years ago. But this strategy takes into account a statistic others don’t. Single people are more likely to change jobs. Think about it: there’s no partner to weigh in on the decision; less likely to be kids involved; more tendency for risk; and less ties and costs overall for relocation.
The idea for using dating apps to find potential candidates has also been around for a while. But on most platforms, the question has always been “how do I appropriately contact these people? Messaging someone about a job – especially on an app that requires a ‘match’ to chat doesn’t seem like the best plan!” The solution? Use your ninja skills to pretext your way into a conversation on another platform! Get the Facebook profile and send the message there. Still wary? Use the information to match a LinkedIn profile or an email. The possibilities are endless!
Step By Step Guide for Happn
FIRST: Download and set-up the following applications to run on your phone: Happn, Packet Capture and FakeGPS (The version that works best for this costs $1.99, but there is a free option). Get a feel for each of the Apps separately. I’m not going to give instructions on this.
Example: Finding Microsoft Employees
- Open Packet Capture and run in the background with the SSL certificate
- Open Fake GPS and set your location. The paid version allows you to set options where you “walk around” the area. For this test, I placed myself in the middle of the campus and walked around a 500m radius.
- Open Happn and load profiles. As they pop up, click on each profile. You just need to open the profiles – nothing else is necessary.
- Open Packet Capture and find the Happn calls to Facebook
- Open the calls and look for the profile ID in the API call for each profile
Does this make you a Stalker?
Real time proximity information can be a dangerous toy for people that understand the implications and know how to take advantage of the data. Keep in mind, this trick sits in a legal grey area and definitely falls in the creepy stalker category. When you open a profile, Happn gives you information about when you crossed paths with a person, how many times you cross paths and how far away the person is currently. This gives you some serious stalking abilities, for example you will probably have a very easy time figuring out when someone is at home instead of work and approximately how far away they live from work too!
First, is this hacking? I can only speak to the process provided. If you connect any other tools, automate it, use fake profiles or throw some other ingredient from your “privacy be damned” arsenal into the cocktail, you (I can see your gears turning already [name withheld by editor]) will probably cross the line.
Packet Sniffing: There is absolutely nothing wrong with monitoring the network traffic on your own private network, especially on your cell phone. In fact – just as a side note, SCOTUS recently ruled that all that packet sniffing Google was doing a few years ago on open networks was also completely legal.
Mock Locations: There are times when this is a legal grey area. For example, you shouldn’t be using tools that mock your location so that you can watch shows that aren’t available to you. This is usually done by using a mock IP address however, not mock GPS broadcasts on your phone. Similarly, it might be a bad idea to set your GPS location to somewhere you wouldn’t actually be able to physically access for security reasons. It’s a stretch to say that collecting information by using your phone’s mock location to position yourself somewhere you can’t legally access “in real life” is a crime, but I don’t recommend it.
Terms and Conditions: As stated, don’t screw this up by adding a step I didn’t include. As to the terms and conditions of Happn, it is a French application to be construed under the law in France. Nothing I described appears to violate the user agreement of the application on its face, but I am not a French lawyer. Buyer beware.
Discrimination: This one is tricky. If you are actually looking for candidates with this tool, it would be best to work with a few other people that will allow you to capture the largest demographic possible. Talk to someone in your organization if you are worried about discriminatory effect.
The caveat of the application is that if you are not in the age range of the person looking or if they see you and “X” you (aka Tinder’s “swipe left”) they will no longer appear on your stream. There are thigs you can and can’t do about this. You can do as much as possible to “dress-up” your profile. You can’t change your name, gender or age. They are tied to the Facebook profile you used to sign up for the service. It may be tempting to use a fake Facebook profile to circumvent some of these limitations. That will violate the terms of service for both applications and crosses the line for other complex legal reasons I won’t bore you with. It is a cool trick that has some limitations. Deal with it.
Originally Published 1/15/16 @ ERE - SourceCon