The latest trendy video conferencing app
Houseparty, the video chat app bought by Epic Games last year (the studio behind Fortnite), is currently experiencing dazzling success. Benefiting from a fluid and fun interface, offered on smartphones but also on computers, it is currently competing for the lead in iOS downloads in France and in most countries confined to Zoom, according to AppAnnie.
Zoom and Houseparty have a very different initial target, businesses and teenagers respectively, but both are taking advantage of confinement to see their use explode. And in fact, this application was suggested to me by friends just this week for a “Skype Apéro”. After Zoom analysis, let's see if Houseparty is leaking your personal data.
Houseparty review on iPhone
To understand if the Houseparty application is directly leaking your personal data to third-party companies, you need to intercept the requests sent from your Smartphone by Houseparty, before they are sent over the internet network. For this, I use the application Charles Proxy, and I follow the following steps:
- Closing apps on my iPhone
- Opening Charles Proxy and enabling tracking
- Launch of Houseparty
- Export Charles Proxy logs to my computer
And there, unlike the Zoom app, comparatively quite “clean”, it's the tracker fair:
Which third-party companies collect your personal data in this way?
- Crashlytics: application used to monitor crashes, this company has had a particular destiny: bought by Twitter in 2013, who then sold to Google in 2019.
- Facebook: like Zoom before the Vice revelations, Houseparty therefore uses the services of the omnipresent Facebook. It is difficult to understand the need for Houseparty because installing the Facebook library for iOS offers a lot of features: Analytics (an equivalent of Google Analytics, but giving aggregated information on Facebook users to app developers), advertising code (to retarget you on other applications), Login module, content sharing, access to the Facebook social graph, etc.
- Branch.io: This company provides, among other things, an attribution tool, which allows Houseparty to know which advertising campaigns are recruiting active users. How ? According to their website: “Branch's People-Based Attribution uses deterministic web cookie + device ID pairs to match touchpoints from every channel with conversions on any platform. We empower you to eliminate the ambiguity of fingerprint-based attribution and unify fragmented data to show you each customer's full journey". In short: another marketing company you've never heard of that's scamming you.
- Doubleclick: Google's advertising solution, here for applications. Allows Houseparty to monetize your use of the application through advertising, and Google to collect additional information about you.
- Taplytics: Analytics and customization solution, allows Houseparty to personalize its messages according to users.
- Appsflyer: another attribution and analytics tool.
- Segment: a Tag Manager for applications, which we will discuss below given the considerable amount of personal information leaked to this third party.
Segment, the Hub of your personal data
Segment's motorcycle: "The best companies are built on unified customer data".
But the third party that Houseparty leaks the most personal information to is Segment: equivalent to a "Tag Manager" on an application environment, this tool is a Hub which allows you to collect your usage data from the Houseparty app as well as your personal data, and then redistribute them to third parties. And we can say that Houseparty is generous when it comes to transmitting your personal data, Segment thus recovers among other things:
- Your name in plain text
- Your plain email address
- Your Houseparty nickname
- Your advertiser ID
- Your Smartphone model
- If you have installed certain applications (Facebook, Instagram, WhatsApp, Snapchat)
- If you are connected via WiFi via the cellular network
- Your telephone operator
- If you have authorized access to certain features of your Smartphone (microphone, camera, address book, geolocation)
- Whether your Smartphone's battery is charging or not
The thing to understand here is that Segment only collects what Houseparty tells it to collect, so Houseparty consciously chose to leak all of this data. The worst? It is impossible to know to whom Segment then transmits this personal data (Segment being an intermediary to other marketing tools), but you can see that the list of destinations supported by Segment is big.
Testing Houseparty on Mac
Houseparty also offers an application for Mac, let's see if it also leaks your personal data. By following the same procedure, this time with the version of Charles Proxy for Mac :
If the tracking is a little lighter (no Facebook for example), we still find Crashlytics (Google), Branch.io and above all Segment. Looking in detail at the personal data leaked to Segment, we still find:
- Your name in plain text
- Your email in plain text
- Your Houseparty nickname
- A user ID
- If you have authorized access to certain features of your Mac (camera, notifications)
- An ID for your Mac
- The name of your Mac, as well as its model
- MacOS version
- If your bluetooth is activated
- If your wifi is activated
A privacy policy giving Houseparty a free hand
As Houseparty does not inform the user of the trackers used in its apps, we have to dive into reading Houseparty's privacy policy. We quickly understand that anything is permitted with your personal data, Houseparty authorizing all processing, while not being responsible for anything. In particular, regarding third party marketing companies used by Houseparty:
These other domains, websites and services are not controlled by us, and we do not endorse or make any representations about Third-Party websites or social media platforms. We encourage our Users to read the privacy policies of each and every website and application with which they interact. We do not endorse, screen or approve, and are not responsible for the privacy practices or content of such other websites or applications. Visiting or connecting to these other websites, services or applications is at your own risk.
What about consent? On Apps, we are far from the web where sites make an effort to offer consent banners, even if they are dishonest and do not work properly. Houseparty is aware of this, and the message to users is clear: get over it!
If you would like to opt-out of the Technologies we employ on our sites, services, applications, or tools, you may do so by blocking, deleting, or disabling them as your browser or device permits.
Information and consent are at the heart of the GDPR, but we see that it is completely flouted by one of the most popular applications in the world. Without heavy sanctions from European regulators or changes to the rules of the game on the side of the main App Stores (at Apple and Google), it is unlikely that your personal data will be better protected.