Popular apps often secretly send personal data to marketing companies, or include invasive third-party trackers, or abuse permissions that they're granted, even in the background.

In our Privacy Reviews series, we dissect one app per review and tell you which third-party trackers it's using, what the trackers do, and what data they collect. We use Lockdown to automatically expose and block these behaviors.


Privacy Review: Houseparty

April 23rd, 2020 by Johnny Lin - Permalink

For our first review, we chose the video chat app Houseparty due to its popularity, boosted by recent mandatory stay-at-home orders. Even though the app is free for its users, how much is the marketing data and tracking of 50+ million teens and young adults worth? We start with a summary card below.

What is this app?

Name
Houseparty (iOS, Android, Mac, PC, Browser). Review covers the iOS version.
Description
Group video chat app that also includes games.
Popularity
Currently the #1 downloaded app in Social Networking category with millions of installs per month. Target demographic is a younger population.
Ownership
Owned by Epic Games, which is itself 40% owned by Tencent, a Chinese multinational conglomerate, and >50% owned by its founder, Tim Sweeney.

What user data and permissions does this app require?

Required Info
🙋‍♀️ Full Name
✉️ Email Address
📅 Full Birthdate
Required Access
📷 Camera
🎤 Microphone
❗️ Notification
Optional
📇 Contacts
🤦‍♀️ Facebook Connect
📞 Phone Number

Which trackers were found, and what do they collect?

AppsFlyerMARKETING

Connections Detected

  • sdk.appsflyer.com
  • events.appsflyer.com
  • t.appsflyer.com

Data Collection (Privacy Policy)

Unique identifiers, IP address, User agent, the URL from the referring website, downloads and installations of Applications, and other interactions, events, actions, Customer issued user ID, clicks on Customer ads, ad impressions viewed, audiences or segments to which an ad campaign is attributed, the type of ads and the webpage or Application from which such ads were displayed, the webpages on Customer’s website visited by an End User, IDFA (identifier for advertisers), Android ID; Google Advertiser ID, browser type, device type and model, CPU, system language, memory, OS version, Wi-Fi status, time stamp and zone, device motion parameters, carrier.

SegmentUSER DATA

Connections Detected

  • mobile-service.segment.com
  • api.segment.io
  • cdn-settings.segment.com

Data Collection (Privacy Policy)

Contact Information, Profile Information, Communications, Marketing Information, Financial Transaction Information, Device Data, Online Activity Data, Professional or Employment Information, User Preferences

BranchMARKETING

Connections Detected

  • api.branch.io
  • cdn.branch.io

Data Collection (Privacy Policy)

IP Address, Cookie, Link Data, User Agent, Referrer, Request, Phone Number, Engagement Data, iOS Identifier for Advertising, iOS Identifier for Vendors, Android Advertising ID, Android ID, Branch Cookie ID, App Version, Device model, Manufacturer, Operating system, Operating system version, Screen size, screen resolution, Session start/stop time, Mobile network status (WiFi, etc), Application installed time, Application updated time, Device locale (country and language), Local IP address, Mobile platform, Branch SDK version, Carrier ID, MAC address, Windows Advertising ID, CPU ID

InstabugANALYTICS

Connections Detected

  • api.instabug.com

Data Collection (Privacy Policy)

Personal Data includes Data Subjects’ email, name and IP address, and other Personal Data that Client may submit through or upload to the Company’s systems the extent of which is determined and controlled by the Client in its sole discretion

TaplyticsMARKETING

Connections Detected

  • api.taplytics.com

Data Collection (Privacy Policy)

Privacy Policy contains vague descriptions of "Personal Data", including IP address, device identifier and usage information. Due to lack of disclosure, they're likely not compliant with GDPR and/or CCPA. Site footer still shows Copyright 2019 as of April 16th 2020.

Google CrashlyticsANALYTICS

Connections Detected

  • e.crashlytics.com
  • settings.crashlytics.com

Data Collection (Privacy Policy)

Owned by Google, so same as Google's Privacy Policy. Personal information, email address, apps, browsers, devices, unique identifiers, browser type and settings, device type and settings, and too much more to fit here.

How frequently are trackers contacted?

The list of blocked tracking attempts in five minutes of using Houseparty.

Lockdown recorded and blocked 224 tracking attempts to six third parties in our five minutes of using Houseparty. This included app installation, initial launch, signup, and a ten second videochat.

The more actions that we took, the more third-party tracking was recorded - for example, opening settings and modifying something would create tracking attempts. Adding a friend would also create multiple tracking attempts, as would starting a video call.

We detected no background tracking (tracking that occurs when the app was not in use) in the one hour time span that we monitored Houseparty.

Every time Houseparty was re-opened, Lockdown logged 36 more tracking attempts to at least three different third-party trackers.

Conclusion

Houseparty's Privacy Grade: C+.

While we can't be certain exactly what Houseparty is sending to third parties, we know at the very least, every app activation and user action, along with unique identifiers are being sent for unknown processing. That amounts to hundreds of data points per user per day, multiplied by over 50 million+ users, multiplied by the number of different marketing and tracking companies.

During our testing, we did not use Houseparty's "Connect To Facebook" feature. Had we done so, we would have likely logged Facebook Tracker blocking in addition to the other third parties above.

If you have the Lockdown app installed, you're automatically protected against the trackers and privacy intrusions described above. This test was conducted using version 0.3.6, and with the "Marketing (Beta)" Block List set to "Blocked".

Please share this Privacy Review if you found it useful. Send us feedback, questions, or even request an app's Privacy Review at team@lockdownhq.com.

Press and media have permission to use the research/content above, provided that they attribute and link back to this review.