To protect our privacy, we should divorce the Duke Marriage Pact

on tech

We’re here to crash your (algorithmically-selected) weddings. 

Last week, Duke was abuzz with the giddy excitement of undergraduates who received the results of the now-infamous “Duke Marriage Pact” survey. The Marriage Pact was the latest attempt to address the loneliness problem on campus in the midst of the COVID-19 pandemic.

In the week leading up to the highly-anticipated matchmaking night, students were encouraged via social media posts, text threads, and Duke Student Government emails to take the online questionnaire. 

In an era of socially-distanced encounters and mostly-digital interactions, The Marriage Pact offered, at first glance, an unbeatable opportunity: the chance to meet your campus soulmate with minimal effort. To receive matches in their email inboxes, students completed a short questionnaire, letting an algorithm run its magic to determine who they’ll head to the altar with. 

The process was so easy and compelling that, by February 2, more than 4,200 students had submitted the survey, answering questions ranging from the mundane “What is your major?” to the more compromising “Is it okay that your partner does harder drugs?” and “Do you prefer kinky sex?” 

When we asked our friends who completed the survey what they thought about it, we were met with responses such as “It’s just for fun, it doesn’t matter.” Yet, regardless of whether people took the survey seriously or completed the form “for the meme,” we’re here to bear the news that The Marriage Pact actually does matter. 

Launched as an unreviewed, “independent student initiative” at Duke, what many of us likely were not aware of was that The Marriage Pact is not just a fun school project; it’s a full-spanking corporation, registered in Delaware and doing business in California

Students were encouraged to contribute to the construction of a massive database of our most intimate personal data, including personally identifiable information (PII) such as names and email addresses, sexual preferences, attitudes towards drug use, and political and religious views.

Now that the matches have been sent and the deed has been done, The Marriage Pact is not providing sufficient information on how they are planning to protect and handle this trove of information in the future. 

We deserve better.

The idea behind the Duke Marriage Pact originated on another college campus across the country: Stanford. The algorithm behind the project was first developed as a class project in 2017 by two undergrads. According to a Stanford Daily article, “An algorithm for stable marriages [filters] through the profiles and find[s] each student their most compatible long-term partner—a ‘backup plan’ in case both people end up single later in life.” 

The Duke version of the survey was actually a continuation of this Stanford project, now branded as “The Marriage Pact.” The matching algorithm was launched previously at multiple schools, including Cornell, Yale, Columbia, UVA, Northwestern, and Tufts, and has made over 25,000 matches. And the Pact is continuing to expand, with the survey rolled out at Princeton, Dartmouth, Villanova, and Washington University in St. Louis alongside Duke this semester. 

In other schools’ newspapers, such as The Tufts Daily, concerns about data privacy have been briefly mentioned. Yet, it seems as if many of our peers have been reassured by the sheer existence of the “Data Principles & Practices'' document distributed alongside the school projects. 

Just because a privacy policy simply exists does not mean that it meets the standards we should be holding for our most sensitive information. Every major tech company out there has a privacy policy, but that doesn’t mean we consider all of them to be completely trustworthy.

The Duke Marriage Pact’s data privacy statement—really, a brief outline of ideals—is housed in a Google doc (seriously, a Google doc) owned by one of the Stanford students behind the national operation of The Marriage Pact. Within five quick pages, the authors define the types of data they collect and proclaim, in this “informal policy,” that The Marriage Pact will not sell your data.

And to that, we say, “Congrats for doing the bare minimum!” Seriously, not selling our information doesn’t mean a company is taking enough measures to secure our data. In fact, The Marriage Pact’s privacy statement doesn’t make any mention of cybersecurity, which is a key principle. There’s no privacy if your data is out there for any amateur hacker to grab during their lunch break.

A representative of the Duke team directed The Chronicle to The Marriage Pact’s CEO, Liam McGregor. When we asked McGregor about what kinds of cybersecurity practices, certifications, and training the company relies on, he wrote, “[W]e do our best to apply the most rigorous industry-standard practices around data handling,” with no mention of whether the team’s practices actually meet the industry standard for cybersecurity practices.

When you submit the form, your name and email are presumably linked to the rest of your responses. The Marriage Pact doesn’t say if they’ll encrypt this data or separate out your contact information so that a hacker could only associate your answers to deeply personal questions with an anonymized ID number.

Do you really want anyone on the Internet—not just now, but 20 or 30 years from now, future employers and friends alike—reading about whether or not you think you’re smarter than your Duke peers?

The Marriage Pact’s privacy statement may not address any cybersecurity risks, but that doesn’t mean the risks are negligible. Last year, hackers infiltrated a similar project at Stanford via SQL injection, potentially accessing the names and “crushes'' of one thousand survey respondents. Who’s to say that Duke is immune to similar action?

Furthermore, while “no student on the Duke team can see any individual response,” it remains unclear how much access our Stanford peers have to our data or what training they have received with regards to cybersecurity and privacy. 

The Marriage Pact takes “til death do us part” a little too seriously—your data is held by their organization “in general… until it’s no longer needed to run the Marriage Pact,” which is vague language for “indefinitely.” The Marriage Pact offers a manual process for editing your responses or withdrawing from the matching process, yet does not mention the word “delete” once. 

McGregor, the company’s CEO, said that the company does honor data deletion requests, which is nowhere to be found on their website, their privacy statement or the Typeform itself. And ultimately, if you haven’t submitted a data deletion request, it’s unclear how long The Marriage Pact will be able to hold onto your data.

C’mon, even Facebook offers a data deletion section within its privacy policy. 

As a corporation doing business in California, eventually The Marriage Pact may be legally required to clearly outline why they collect your data in order to comply with state privacy law. California’s Consumer Privacy Act (CCPA) of 2018 gives California residents the right to access and delete personal information collected about them, as well as the right to opt-out of their information being sold. 

These requirements could kick in as soon as The Marriage Pact matches over 50,000 California residents (which includes California residents attending school out-of-state)—not too high of a threshold for a company that has supposedly created over 25,000 matches via its existing college brands.

But right now, The Marriage Pact does not even have an option for you to access your data. As noted in their data privacy statement, individuals do not create user accounts on the platform. This reality means that The Marriage Pact leaves you with no way to keep track of the information you submitted. Unless, of course, you’d like to submit the form again and have your data duplicated in their system.

On the flip side, you might really trust The Marriage Pact to handle this sensitive data, and, ultimately, that’s your prerogative. But when you input your data in the survey, you’re also handing it over to Typeform, an independent third-party with its own privacy policy, its own ways of storing and handling your data, and its own history of a data breach. 

The idea of falling in love over a Typeform might be romantic enough during this pandemic to convince you to hand over your data to a nameless, faceless group of students. We don’t deny that they’ve made attempts to protect privacy, but it’s not enough. Not nearly enough.

Every time we mindlessly hit “Submit” on a questionable Typeform or hand over our email to an organization that we don’t know much about, we’re ceding our privacy for little in return. Just think, was your match really worth it? Maybe The Marriage Pact says they won’t sell our data today, but then again, in the earliest days of Facebook, Mark Zuckerberg told The Crimson he wouldn’t sell anyone’s email address.

Things change. People change. Organizations change.

Often, an organization edges in the direction of commercialization for years before it becomes a behemoth. And it looks like The Marriage Pact may be headed in that direction, with a “Join Team Marriage Pact” call for market designers, machine learning gurus, content writers, and data scientists. That’s a lot of specialized people to run a handful of Typeforms.

The algorithm right now relies on some lonely college students completing a survey. But you don’t need any significant business knowledge to see how this can be commercialized—just look to the massive market of dating apps vying for our attention. Your data, once in this system, could be used to train models that affect not just your campus, but your whole world.

We’re all curious, of course, about the survey results—The Marriage Pact has already given people a list of their own “hot takes.” But more importantly, what will The Marriage Pact’s “takes” say about Duke’s students?

The Marriage Pact could tell us what percentage of people think they’re smarter than the average Duke student or would only be comfortable dating someone within a specific race or ethnicity. What would this information mean for Duke? For all the future Blue Devils who might see this information? For parents paying almost six figures of tuition a year? For recruiters on campus who we see at coffee chats? We have no idea what the insights will be, but even aggregate statistics could irrevocably change how we think of ourselves, our classmates, and our institution. 

Maybe The Marriage Pact will head straight for another commercialization opportunity—selling the organization, its algorithm, and its database to the highest bidder. Maybe Facebook or Tinder or Hinge will fork over the cash to understand how today’s college students are looking to find love.

We’re not saying that The Marriage Pact will do this. 

Right now, it seems like The Marriage Pact is a fun startup run by some talented college students, but their attempt at a privacy statement leaves us with far more questions than answers. We hope that they’ll take this moment as an opportunity to re-evaluate their privacy practices and make real commitments to securing and de-identifying user data, routinely deleting personal data, and building out a binding privacy policy that provides greater transparency. 

We’re now in the same position as those Harvard students were in 2004 when thefacebook.com launched. And this time, we know how this works. The onus should not be on us, as college students, to investigate every potential startup’s data privacy and cybersecurity practices.

We believe that The Marriage Pact and those involved here at Duke need to have a conversation about how they can ensure the security and privacy of student data. In the meantime, now that the matches are out, The Marriage Pact really has no reason to hang on to this massive trove of personally-identifiable information. Unless, of course, there’s a few secondary purposes beyond finding your true love.

So, break up with The Marriage Pact! You’ve (hopefully) already found your soulmate, and it’s time to request that The Marriage Pact deletes your data (hit ‘em up at hello@marriagepact.com). 

Jessica Edelson and Niharika Vattikonda are Trinity juniors. Their column, “on tech,” runs on alternate Thursdays.

Want us to break down a technology topic you’re interested in? Email us at jre29@duke.edu and nv54@duke.edu.

Discussion

Share and discuss “To protect our privacy, we should divorce the Duke Marriage Pact” on social media.