Molotov and your email address: a relationship far from exclusive
After Mapstr, continuation of the analysis of Apps with Molotov, nice application for watching TV via the Internet.
To see the tracking tools installed by Molotov, I followed the following procedure on my iPhone:
- Closing different background applications
- Launching the application Charles Proxy and activation of tracking
- Launching the Molotov application, then navigating the App
- Export of logs from my Charles Proxy session to my computer
As you can see above, Molotov allows many third-party companies to track you, including:
- Google : via Crashlytics (crash reports) and live (especially for Chromecast). No surprise, Google is present on the majority of Apps.
- Facebook : here too, no surprise, we find Facebook on most Apps. Why does Molotov use Facebook services? To report App installations, conversions and return usage data to Facebook Analytics, as indicated Facebook developer documentation.
- Segment : the tool allowing you to centralize the sending of your user data to third parties (a “Tag Management” tool particularly well suited to Apps). Please note that Molotov transmits a hash of your email address to Segment, which is not a guarantee of protection of your privacy because some companies offer find email address from a hash for only $0.04.
- Adjust : a mobile marketing company specializing in the attribution of advertising campaigns (knowing which ad you installed Molotov), Adjust also recovers the hash of your email.
- Amplitude : Analytics tool, Molotov still leaks the hash of your email.
- Braze : Analytics tool also, allowing you to interact with the user via in-App messages and notifications. Here it's even worse, Molotov leaks your email, not hashed.
A vague privacy policy, far from respecting the GDPR
If we now look at the Molotov privacy policy, here is the paragraph concerning the transfer of your personal data to third parties:
We may share your data with third parties as set out below:
Subcontractors: who provide services on our behalf, such as the provision of CRM and customer support software, analytical solutions, IT services and payment transaction processing. The access of our subcontractors to your data as part of the provision of these services is limited and governed by the written agreements that we enter into with them, in particular through specific contracts detailing their obligations regarding the protection and confidentiality of your personal data (“Data Processing Agreements”). Molotov is in no way responsible for the processing of your personal data carried out by these subcontractors.
This information is vague and non-specific. I have never given my consent to be tracked by Google, Facebook, Segment, Adjust, Amplitude and Braze. Even less have I given my authorization to transmit my email address to some of these companies, even hashed. And transmitting my email address in plain text to a third party without my consent or even without the slightest information is a blatant violation of my privacy.