Houseparty, star of lockdown and surveillance

At the top of downloads, a disaster for your privacy

Published by Pixel de Tracking on March 29, 2020

The latest trendy video conferencing app

Houseparty, the video chat app bought by Epic Games last year (the studio behind Fortnite), is currently enjoying spectacular success. With a smooth and playful interface, available on smartphones but also on computers, it is currently competing with Zoom for the top spot in iOS downloads in France and in most locked-down countries, according to AppAnnie.

iOS Houseparty Ranking

Zoom and Houseparty originally targeted very different audiences, businesses and teenagers respectively, but both are benefiting from lockdown as their use explodes. In fact, friends suggested this application to me just this week for a “Skype Apéro”. After analyzing Zoom, let's see whether Houseparty leaks your personal data.

Testing Houseparty on iPhone

To understand whether the Houseparty application directly leaks your personal data to third-party companies, you need to intercept the requests Houseparty sends from your smartphone before they go out over the internet. For this, I use Charles Proxy, following these steps:

  • Close the apps on my iPhone
  • Open Charles Proxy and enable tracking
  • Launch Houseparty
  • Export the Charles Proxy logs to my computer

And there, unlike the Zoom app, which is comparatively quite “clean”, it is a tracker festival:

Houseparty iPhone

Which third-party companies collect your personal data in this way?

  • Crashlytics: an application crash monitoring tool with an unusual history: bought by Twitter in 2013, then sold to Google in 2019.
  • Facebook: like Zoom before the Vice revelations, Houseparty uses the services of the omnipresent Facebook. It is difficult to understand exactly why Houseparty needs it, because installing the Facebook library for iOS offers many features: analytics (an equivalent of Google Analytics, but giving app developers aggregated information on Facebook users), advertising code (to retarget you on other applications), Login module, content sharing, access to the Facebook social graph, etc.
  • Branch.io: this company provides, among other things, an attribution tool that lets Houseparty know which advertising campaigns recruit active users. How? According to its website: “Branch's People-Based Attribution uses deterministic web cookie + device ID pairs to match touchpoints from every channel with conversions on any platform. We empower you to eliminate the ambiguity of fingerprint-based attribution and unify fragmented data to show you each customer's full journey". In short: another marketing company you have never heard of, tracking you anyway.
  • Doubleclick: Google's advertising solution, here for applications. It allows Houseparty to monetize your use of the application through advertising, and Google to collect additional information about you.
  • Taplytics: an analytics and personalization solution that lets Houseparty personalize its messages according to users.
  • Appsflyer: another attribution and analytics tool.
  • Segment: a Tag Manager for applications, which we will discuss below given the considerable amount of personal information leaked to this third party.

Segment, the hub of your personal data

Segment Segment's motto: "The best companies are built on unified customer data".

But the third party to which Houseparty leaks the most personal information is Segment: the equivalent of a "Tag Manager" in an application environment. This tool is a hub that collects your usage data from the Houseparty app as well as your personal data, then redistributes it to third parties. And we can say that Houseparty is generous when it comes to transmitting your personal data. Segment receives, among other things:

  • Your name in plain text
  • Your email address in plain text
  • Your Houseparty nickname
  • Your advertiser ID
  • Your smartphone model
  • If you have installed certain applications (Facebook, Instagram, WhatsApp, Snapchat)
  • Whether you are connected via WiFi or the cellular network
  • Your mobile operator
  • Whether you have authorized access to certain features of your smartphone (microphone, camera, address book, geolocation)
  • Whether your smartphone's battery is charging or not

The key point here is that Segment only collects what Houseparty tells it to collect, so Houseparty consciously chose to leak all this data. The worst part? It is impossible to know to whom Segment then transmits this personal data (Segment is an intermediary for other marketing tools), but you can see that the list of destinations supported by Segment is long.

Testing Houseparty on Mac

Houseparty also offers an application for Mac. Let's see whether it also leaks your personal data. I followed the same procedure, this time with the Mac version of Charles Proxy:

HouseParty Mac

Although the tracking is slightly lighter (no Facebook, for example), we still find Crashlytics (Google), Branch.io and above all Segment. Looking in detail at the personal data leaked to Segment, we still find:

  • Your name in plain text
  • Your email in plain text
  • Your Houseparty nickname
  • A user ID
  • Whether you have authorized access to certain features of your Mac (camera, notifications)
  • An ID for your Mac
  • The name of your Mac, as well as its model
  • MacOS version
  • Whether Bluetooth is enabled
  • Whether WiFi is enabled

A privacy policy that gives Houseparty a free hand

Since Houseparty does not inform users about the trackers used in its apps, we have to dive into Houseparty's privacy policy. We quickly understand that anything is allowed with your personal data: Houseparty authorizes every kind of processing, while taking responsibility for none of it. In particular, regarding the third-party marketing companies used by Houseparty:

These other domains, websites and services are not controlled by us, and we do not endorse or make any representations about Third-Party websites or social media platforms. We encourage our Users to read the privacy policies of each and every website and application with which they interact. We do not endorse, screen or approve, and are not responsible for the privacy practices or content of such other websites or applications. Visiting or connecting to these other websites, services or applications is at your own risk.

What about consent? In apps, we are far from the web, where sites at least make an effort to offer consent banners, even if they are dishonest and do not work properly. Houseparty is aware of this, and the message to users is clear: deal with it.

If you would like to opt-out of the Technologies we employ on our sites, services, applications, or tools, you may do so by blocking, deleting, or disabling them as your browser or device permits.

Information and consent are at the heart of the GDPR, but we can see that they are completely flouted by one of the most popular applications in the world. Without heavy sanctions from European regulators, or changes to the rules imposed by the main app stores (Apple and Google), it is unlikely that your personal data will be better protected.