Hacker News

Is that site down? I'm just getting the default nginx page.

> That app made a lot of basement dwelling chuds furious, to the point that someone was willing to risk prison time for a shot at harming those women.

Although undeniably, the data being mostly women does bring in the chuds so it's not entirely wrong, I think this is a shallow take for a couple of reasons:

1. If any app stored user data this freely, it would be stolen and gloated over on 4chan.

2. This app, which I'm learning about just now, seems deeply problematic. It's a place for people to publically share and shame other people that they don't like. The genders of the people doing this doesn't matter, this is called doxxing and it's not ok, no matter how it gets dressed up (women's safety, children's safety, anti-terrorism, anti-drugs, whatever)

Exactly, this is why if I walk down a street that looks sketchy and I get assaulted/robbed, it’s not a crime and no one can be charged!

Any bad behavior should be legal if the victim should have realized the warning signs.

i think you are assuming a level of computer literacy that doesn't exist in the general population. most people seem to not actually know where data goes when they put it in their phone, how that data is used, or what actually happens on computers in general. They mostly appear as magic to them.

Look at what this site does.

You upload other people’s personal information on it to run background checks on them.

So, many of the victims probably haven’t heard of the company.

Victim blaming isn't right. Yes, they could have exhibited more caution. No, it's not their fault.

> or that claim things that are per se considered damaging --- a specific and limited list

Standard disclaimer that law varies by jurisdiction. However, that limited list typically includes claims that the person committed a crime. Many juristictions also include accusing someone of having a contagious disease, engaging in sexual misconduct, or engaging is misconduct that is inconsistent with proper conduct in their profession.

In other words, the types of things I would expect people to be talking about on tea overlap heavily with defamation per-se.

If the users were careful to make all of their statements opinions, that defense would work. However, I doubt that is the case. Instead, I expect many users to include example of what their ex did that led to their opinion; which gets directly into the realm of factual statements.

The provider protections are real, and likely protect the app from direct lawsuits (or, at least from losing them), but do not protect the app's users. A few news stories about an abusive ex going after their former partner based on what they posted in the app could be enough to scare users away. You don't even need to win the lawsuit if your goal is to harass the other person.

> "This guy is a creeper and treats romantic partners terribly" is pure opinion, and cannot be defamatory.

That is true. But i think untrained and emotionaly involved individuals will have trouble navigating the boundaries of defamation. Instead of writing opinions like “treats romantic partners terribly” they will write statements purporting facts like “this creep lured me to his house, raped me, and gave me the clap”. This is not an opinion but three individually provable statements of facts. Plus the third would be considered “defamation per se” in most jurisdictions if it were false. (The false allegation that someone has an STD is considered so loathsome that in most places the person wouldn’t need to prove damages.)

Unles specifically coached people would write this second way. Both because it is rethoricaly more powerfull, but also because they would report on their own personal experience. To be able to say “treats romantic partners terribly” they would need to canvas multiple former partners and then put their emotionaly charged stories into calm terms. That requires a lot of work. While the kind of message i’m suggesting only requires the commenter to report things they personaly know about. And in an emotionaly charged situation, like a breakup, people would be more likely to exagarate in their descriptions, making defamatory claims more likely.

> Under US law, providers are generally not liable for defamatory content generated by users…

This is true, and i believe this is the real key. Even if the commenters would be liable, the site themselves would be unlikely to become liable with them.

It’s hilarious that we earnestly debate whether women should be allowed to have a space to speak anonymously about whatever the hell they want, but it’s completely unquestioned that 4chan is a perfectly legal operation.

A general plug that if you read this comment and thought “damn, 1st amendment law sounds complex and interesting”, you may want to check out https://www.serioustrouble.show/ , a podcast about legal news with a recurring focus on 1st amendment law and cases

But you can ruin a person’s life on a whim. That cannot be allowed.

The fact that it verifies by ID scan is also not safe at all for a million different reasons.

A better way would have been to charge a small subscription fee - like $2/month or something. The fee filters out 99% of the trolls out there (who wants to pay to troll) and also gives the app/website admins access to billing info - name, mailing address, phone number, etc - without the need for a full ID scan. So the tiny amount of trolls that do pay to troll would have to enter accurate deanonymizing payment information to even get on the system in the first place.

And it can be made so only admins know peoples' true identities. For the user facing parts, pseudonyms and usernames are still very possible - again so long as everyone understands up front that such a platform would ultimately not be anonymous on the back end.

But oh no, that won't hypergrow the company and dominate the internet! Think of all the people in India and China you're missing out on! /sarcasm

Many people will do anything they can to hurt their ex after a breakup.

Hey now! They use ID verification bub - how are you gonna fake that? It’s not like there are just public buckets of legitimate ID photos taken by real women for you to hoover up. Check mate.

The difference is, on these platforms you're rating legal entities. On Tea, you're rating, or rather sharing personal information about, an individual. Where I come from, sharing personal data of someone without their consent is not allowed.

> By this logic: I suppose glassdoor, yelp, or Google reviews aren't legal either?

Imagining a future where I have to pay Tea to promote and astroturf my profile or they lower my rating, and pay bot farms to post glowing reviews

I have not used the app nor read much about it but this guys talk about it: https://youtu.be/WjfpryoQ0Mk

Yes, as far as I understand, you upload pictures of men, either taken in the wild or from dating sites (Tinder) against their will. I am pretty sure that this would be illegal in some jurisdictions. Especially EU.

Companies aren't people (despite lots of people pretending they are).

Almost everyone? And not in a cheap throwaway comment way, I mean genuinely. The value is that it’s informative not a gossip rag.

A lot of these groups have also had people get successfully sued for defamation.

Every couple years someone tries this and it immediately turns into a cesspool because no matter the good intentions of the makers, it attracts the worst kind of person as active users.

It gets shut down, everyone forgets, then someone eventually has a brilliant idea...

It come from a place of sincerity but defenders imagine everyone would use it for the same reasons they would: Warning people of genuine threats in the dating world. They would never use it for gossip, or revenge, or creative writing, etc. so they don't imagine others would.

But at scale, if generously only 0.1% of women in America are bad actors that would weaponize this app, that's over 150k people (not to mention men slipping past security). And the thing about bad actors is that one bad actor can have an outsized effect.

> “False slander” is not a thing.

It's only not a thing because, in the U.S., it's redundant. In other jurisdictions, it might be a thing, because there are places where a claim can be both defamatory and true.

Whew, one look at his account and I can imagine what women who've been on dates with him would be saying haha

That dude is a pos tho

It's harmful to spread this kind of fear. Statistically it's less than 0.05% of women die because they are killed by their partner. This puts a stigma on men in general as some sort of dangerous savages.

I keep seeing the defense for Tea as an app for women’s safety, which is of course a valid concern. Wouldn’t it make more sense for a service to exist, like some kind of enforcement service provided by the government, where others can report safety concerns and that service goes and does something about it legally?

If such a service exists and isn’t being too effective, shouldn’t that be worked on?

My guess is that there’s more to the reasons for why Tea is popular but the safety argument is largely being used to defend it

You are probably unaware of unintended consequences enabled by this app - many women use it to find bad boys they feel attracted to due to some brokenness in female psyche. So you'll get public outrage on one hand and private DMs on the other from them, based on how bad you are described/vetted by other women on the app.

Online men-dominated forums often dislike and feel personally attacked by people talking about sexual abuse/harassment done by other men. I guess they immediately imagine themselves being falsely accused of such acts, rather than being a woman that is attacked.

You still think so?

I wonder how well-received this comment would be if it mentioned crime statistics regarding something else than gender.

It would be in Apple and Google’s best interest to pull these apps immediately. Multiple Supreme Court justices have indicated an interest in narrowing the breadth of section 230 immunity. This app, structured entirely around effecting the reputation of private individuals, provides a relatively clean case to do so. It’s not a stretch that the app could be considered a ‘developer in part’ of the content it hosts, and thus lose section 230 protection.

A narrowing of section 230 would not be good for Apple or Google, though they wouldn’t face any liability for the Tea apps conduct.

That's not how 230 works - why do people keep parroting this misinformation?

https://www.techdirt.com/2020/06/23/hello-youve-been-referre...

This is fine if you have a secure tool to access. It's not okay if you just try to spin up your own solution.

Apple is launching such a service in iOS26

https://developer.apple.com/videos/play/wwdc2025/232/

This is mDL (mobile driver's license) here in the US, but it's a new technology and not widely available or adopted yet. https://www.nccoe.nist.gov/projects/digital-identities-mdl

I am not going to show my ID to Google, especially given that it is a foreign company with dubious data collection history.

Or we could deny providing "app" developers with any such information.

That's PR speak for saying that it's a Kiwi Farms clone. I'm sure the two userbases even share their sense of righteousness regarding their own actions.

This case couldn't be more clear cut. It's horrid, and the people running the sites should be held accountable. Two wrongs don't make a right, especially when it will inevitably cost innocent lives, sooner or later.

In other words it's a slander platform. Got it.

you forgot the most common use cases in practice: a man you work with slighted you in some small way. now hes going to have sexual assault red flags. the HR lady who already hates men will look you up on tea and decline to hire you because you dont have green flags.

3) You’re in competition with someone at work and you want to make his life difficult. You want to blackmail someone into promoting you, etc.

it also doesn't disappear. Before the internet you could say something, laugh, and move on. It disappeared.

Now if someone says something online it can be read for years and often without context of when it was originally written.

Absent broader regulation, we all know that apps like Tea depend HEAVILY on user trust. However, I am a bit concerned users either won't fully grasp the severity of this breach or won't care enough and end up sticking with the app regardless.

A somewhat embarrassing but relevant example: my friends and I used Grindr for years (many still do), and we remained loyal despite the company's terrible track record with user data, privacy, and security as there simply wasn't (and still isn't) a viable alternative offering the same service at the expected level.

It appears Tea saw a pretty large pop in discussion across social channels over the last few days so I'm pretty hopeful this will lend itself to widespread discussion where the users can understand just how poorly this reflects on the company and determine if they want to stick around or jump ship.

Or maybe require them to prominently disclose the breech to all current and future users on the app main screen for some period of time afterward (a year or two?). Sort of like the health-code inspection ratings posted in restaurant windows.

That cuts to the issue some other comments have pointed out, that user trust is really their most important capital – and with short attention spans and short news cycles, it may rebound surprisingly fast.

Companies, especially American ones, see data as an asset, rather than a liability.

The GDPR in Europe attempts to reset this but it’s still an uphill battle

> Appropriate regulation should make this an offense punishable by a large fine.

And some kind of legal penalty for the engineers as well. Just fining the company does nothing to change the behavior of the people who built it in the first place.

I think we can treat it as currency. All nine letters of my SSN, for example, I’ll allow you to store those if in return I get to store the name of the CEO’s boat.

The cynical part of me feels like certain employees had uncontrolled access to the user data.

There would be a morbid irony in the idea of a tool marketed as increasing safety for women actually being a honeypot operation to accumulate very sensitive personal information on those very women.

Not a fan of the "vibe coding" hype, but is there any evidence that this app was built that way?

No they got more, 23gb of files.

> Make company liable for damages when breached.

This won't be enough, you have to make PEOPLE liable for breach.

Making a corporation being liable is useless, it's a legal Person and it can simply declare bankruptcy and move on.

There has to be a better way than just adding another deterrent to starting a company. Could there be an industry standard for storage security? Certification (a known hurdle) is better than "don't fuck up or we'll fine you to death".

This is the only way to deter this. Negligence and incompetence needs to cost companies big money, business-ruining amounts of money, or this is just going to keep happening.

I agree, but relying on lawsuits is far too slow and costly . We can reduce the latency of discovery and resolution by adding software protocols.

That's a reactive measure. Certainly, it's worth pursuing. Though like the notion that you can't protect people from being murdered if you only focus on arresting murderers, there is a need for a preventative solution as well.

the problem is what are the damages? how much are those damages?

My SSN / private information has been leaked 10+ now. I had identify fraud once, resulting in ~8 hours of phone calls to various banks resulting in everything being removed.

What are my damages?

GDPR makes company liable for damages when breached.

That is why Tea did not operate in Europe.

Maybe the idiot that published this didn't even form an llc, "waste of 200$"

> just use your brain and don't upload your face and driver's license to a gossip website

Meanwhile, in the UK, new legislation requires me to upload my face and driver's license just to browse Reddit.

>just use your brain and don't upload your face and driver's license to a gossip website.

It isn't just gossip websites requiring this, and it isn't just gossip websites suffering breaches.

This is becoming more unfeasible as it becomes required to access online services like reddit, nexusmods, verification on dating apps. Sending facial, and documentation data is becoming mandated by governments across the world.

The app store is auditing & restricting functionality within the iPhone, but the backend protections are a wild west.

"use your brain" is no substitute for security. This is a hacker forum. We think about how to protect apps. Even smart people have slipped up

Yeah, just upload the pictures of unsuspecting guys.

Sorry, well deserved ladies. It just made my day. ROTFL.

And please provide an app with all the names and pictures of the ladies who used it. So that I can easily check who not to date.

Good thing our children will learn all about this at their mandatory Internet Literacy Fundamentals course they have to take in high school.

Oh wait—no such thing exists!

It's up to us to teach this to our children. There's no hope of getting the current generations of Internet users to grasp the simple idea that app/website backends are black boxes to you, the user, such that there is absolutely nothing preventing them from selling the personal information you gave them to anyone they see fit, or even just failing to secure it properly.

Without being a developer yourself or having this information drilled into you at a young age, you're just going to grow up naively thinking that there's nothing wrong with giving personal information such as photos of your driver's license to random third parties that you have no reason to trust whatsoever, just because they have a form in their app or on their website that requests it from you.

Nice, some unsolicited victim blaming!

Also about validating the backends, apple has the resources to provide a level of auditing over the common backends. S3, Firebase -- perhaps the top 5. It's easy to provide apple with limited access to query backend metadata and confirm common misconfigurations.

I partially agree. At least the threat of app shutdown would be enough consequence for the publisher to take things seriously

wouldn't it be funny if the app store had to review it and make sure the personal info was sensitive and possibly humiliating enough . "sir your app has been denied because MY_PERSONAL_INFO table requires at least 3 d-pics"

i agree about the power concerns, but where would you assign the authority if not the app store?

it could be an enhanced certification like "Enhanced SEcurity" or "End to End security" to allow gradual adoption.

The world was moving away from App Stores and walled gardens. And then I woke up, and returned to grim reality.

that sounds preposterous . can you qualify that?

> * Mandate 3rd party auditing once an app exceeds 10k users

You have a lot of interesting suggestions.

I would love to see some kind of forced transparency. Too bad back-end code doesn’t run under any App/Play Store control, so it’s harder to force an (accurate) audit.

it could be made available just to apple servers via ACL or protected token. but no one else .

I wouldn't go that far. What they uncover with their FOIA requests that the general public would otherwise never know about tends to be quality content. And, like the Wired, their FOIA-based articles aren't paywalled.

CEOs and board members should be personally criminally liable for shared personal information coming out of their platforms.

It's the only way they will push companies to STOP storing them long term.

I've been in several companies (mostly FinTech) that store personal sensitive documents "just in case". They should be used for whatever is needed and deleted. But lazy compliance and operations VPs would push to keep them... or worse, the marketing people

> The internet went from 'YouTube asking users to never use your real name' to 'you have to submit your ID to some random app' in 10 years. Crazy!

Because we couldn't get anyone to take the internet seriously if it was just a bunch of anonymous pseudonyms trolling each other. And maybe that was a mistake.

On the rare occasion when I have to do this, I blur the maximum amount of the image and watermark it with hundreds of lines of small red font saying “FOR EMPLOYMENT VERIFICATION BY $X_ENTITY.”

If they have a problem with it then I will gradually remove pieces until they’re okay. But I haven’t had to do this the few times I’ve used this tactic – it causes issues with automated scans but eventually some human manually reviews it and says it’s okay.

What I don’t like is the “live verification” apps that leave me no choice but to take a photo of it.

> I hope it served as a good lesson to the average person to be more cautious while submitting sensitive information like a government ID.

This absolutely should not be normalized. If I'm ever prompted to submit photos of a government ID to some service, I'm turning heel. I'll try to use their phone service (which I just did successfully this week), correspond via mail or maybe, as you've said, handle it in person but I'm probably content to go without.

You can send it as an encrypted PDF, fwiw

But that was because no one told them. Now they are told and taught. A lot of systems Warn even for opening something publicly... And yet.

I check all CVE's of the software my clients use because we need to figure out why things are broken and often this is a start -> unpatched CVE's. Most (by far) CVE's are not 'honest mistakes' or missed corner cases because rocket-science; they are just sloppy programming. Something that should never pass review. We DO know better but people ship things and hope for the best (including the case in this post etc).

a few more of these incidents and they'll care a lot more

By then we'll just launder the blame onto the AIs

Tech is special! Think about the margins, the gains, the $$$!

I bet on greed. It always wins.

And as a man, do you know what happens when you report sexual assault?

You get laughed at. Hard.

So yeah, I'd like to see these broken down between cis-, hetero-, homo-, and trans-.

And why are cis-lesbian-women also reporting higher numbers of sexual assault than man/woman relationship? No men in that relationship.

https://pmc.ncbi.nlm.nih.gov/articles/PMC5511765/

The rainn articles are propaganda with a specific slant.

I agree that you could make a Tea app for every faction's favorite cause, and use "safety" as the justification: report your local communist, report your local infidel, report your local secret white supremacist, report your local secret Western imperialism agent, report your local suspected jihadi, report a homosexual, report a suspected illegal immigrant, report a local adulterer, report an apostate, report a kulak.. etc. chefkiss

Witch Hunt as a Service, with a delightful UX, a little gamification, and soon integration with your favorite apps. Coming to an App Store near you.

I think this is also called 'politician's logic': https://www.youtube.com/watch?v=vidzkYnaf6Y

The type not into nonconsensual sex?

How would you even identify who is on the app?

Blaming women for wanting to seek out safety in this way is strange.

However there is something to be said about the crowd you find yourself with. If you assume this app to be necessary, I would assume your social standards are not high enough.

We're in agreement. Is an anonymous takedown app the solution for reputation management that enables civilization? If someone is trying to destroy your reputation, on which your entire livelihood depends, should you at least know who the accuser is, how reputable they are, what evidence they have? Do you want to give the Internet a magical button to destroy you on a whim?

And these apps represent an attempt to privatize the state

It's fair that men and women have different challenges here. But humans are squishy and chaotic and self-interested, they're not angels of pure wisdom, fairness and justice. Giving someone a repercussion-free button to destroy someone else the instant they feel slighted, vindictive, threatened, jealous, disrespected, is a recipe for disaster. There's a reason these apps have not once worked sustainably, they always turn into a vile cesspool that brings the worst out of mobs.

I don't have a fix for this, it is entirely fair to want justice for the defenseless. At the same time I have a strong hunch that there is no problem-solution fit here, at least not with this sort of app.

yeah because ALL women are the same, right? you seem kinda sexist here

There's only one guiding principle for Apple - and that's money. Dont let their privacy marketing ("Privacy is a human right") fool you otherwise.

Do you expect abusive people to answer honestly? The perceived anonymity on the app is a double edged sword.

You need to verify you're a woman with some form of ID before you can get into the app. Faking an ID and a picture can't be that difficult in the age of AI (especially not when the company that's supposed to verify you is this callous with their users' PII), but it's not as quick and easy as you suggest.

Is it reductive? It also has good incentive for someone jilted or misinterpreting something to suddenly tarnish someone's reputation with little recourse for the other party. It is a one-sided review app for people in a way that people affected may never even know!

Go checkout the website, the first image is just two people gossiping.

This app operates just like an app some creep online would use, people post pictures (permission or not) and gossip about them.

There’s also a ton of bad incentives for those women who lie, manipulate and abuse beyond “gossip”.

If guys had an app that women couldn't access where we shit talked all of our exes with photo evidence women would riot at the company HQ.

But then again, can't convince people as a whole that men are, on average, good and decent people with normal flaws just like women, and therefore deserve to be protected, loved, and appreciated equally.

I think they mean the actual posts on tea itself, not the leaked ID photos.

obviously it would be malicious and unethical, but since that didn't seem to stop Tea users, I'd be interested in what their arguments against it would be.

I think what they meant is that Apple is allowing a legally dubious app to operate.

Not that apple should enforce minimum security, but that the app shouldn't be allowed on the App Store in the first place. For obvious reasons.

Supposedly, if your photo is posted on Tea you can contact Apple. Then Apple will force Tea to take your information down.

>> Let's be real you wrote men/women only to be PC. You really meant small group of men.

Let me share a message I got from a woman I met a couple years ago on a dating site: "Just a side note about the dating thing on here. I get very annoyed with how horribly men take care of themselves or even try to communicate. Most men today on these sites are repulsive. It was refreshing to see you smile, and look nice. Thank you for that."

So it's not a bunch of red-pill alpha guys. I'm an average guy with basic manners and a lack of creepiness. Heck I was near my all time high weight at the time. Every single woman on those things has at least one story about a guy she met that will make you cringe from his behavior. My fav was the guy who sent a woman flowers before even meeting her - at her workplace! Dude the cyberstalking you need to do to pull that off is CREEPY AF - not romantic.

If you want to be in that top 10 percent of men the bar is incredibly low.

No, it really does apply to both. Women who are not dating or are in a stable relationship won't use that app.

It's unironically a stronger case for network effects than Facebook

Thanks - this is context I was missing :)

All the mods were doxxed too, but life uh finds a way?

The actual violation would be a privacy violation

I believe this argument, still not clear why it became viral recently

If you look at the API, it is a slop app. The IDs were being uploaded to a public Firebase bucket. Chats are also public now. The full API keys are leaked because they were in the shipped app.

Do you think if that was disproved that would be better somehow?

The UK and some US states are instituting age verification for adult content. Doxxing thousands of women is a great way to get people talking about privacy and security.

It reveals a chronic and widespread lack of basic empathy.

A women gets assaulted on a date. She warns other women, on a website created for that purpose. Her drivers license, chat history, and passport are then revealed to the open web... and this forum celebrates it, with a giddy glee.

As if all the women on there were lying. As if women must not be permitted to warn each other about predatory men.

I held a faint hope that we were brigaded... Since when do we celebrate this? But clicking through to a few of the users past comments, that hope died.

I've never been quite so disgusted by this forum. This is vile; a stark sign of deep, deep rot in the HN community.

Maybe if all these creepy men just dated each other and left women alone, the problem would solve itself.

>Isn't that true in the real world as well?

I suspect the folks complaining about "markets" in online dating are not the kind of people who can connect offline.

To be fair, I think online dating has gotten worse -- sites like OkCupid used to match you based on shared affinity... the issue there is you could be a very high match on shared values but not someone's "type" visually -- imagine being shown the girl of your dreams only to find out the feeling is not mutual :-)

Conversely, I feel like people sometimes forget that they opted into these interactions, it's not like someone strolled up in a bar and began talking at them.

Anyways... if you're frustrated with apps, I'd suggest doing just that. Talk to people.

I met my last girlfriend at a bus stop. Before that, on a porch -- I was walking by and struck up a convo.

If you can't connect with people organically, no amount of tech can save you.

It’s true in the real world, but dating apps make it much more exaggerated.