It may be impossible to delete your personal information from Houseparty and other social media services – despite privacy legislation!
My colleague Jake Moore recently published a blog post, “Houseparty – should I stay or should I go now?” The post intrigued me, and not just for the title, taken from the great 1982 song by the Clash. Jake sensibly suggests that when you no longer use an app such as Houseparty, you delete both the app and the account you created, so that your personal data is not left dormant on a server where it could possibly become part of the next data breach.
If you think deleting your account deletes all your personally identifiable information (PII) from instant messaging apps, then you may need to think again, and this is probably true for all services that encourage social interaction between friends and request permission to access the contacts on a user’s device to facilitate this. If, like me, you have never used Houseparty, you could be forgiven for assuming that the service does not hold any personal information on you; again, you may need to rethink this.
Your personal data, such as phone number and name, and maybe even email and physical address, may have been uploaded to servers of social media and instant messaging companies when they are granted permission to synchronize contact lists from your friends’ devices.
What about Houseparty?
At the start of the pandemic, a good friend of mine, Kent, and I communicated to organize a virtual social gathering on a Friday evening. He suggested Houseparty; however, we used FaceTime due to my preference to not create yet another account. From that original discussion, I knew Kent used Houseparty and had an account; a quick call confirmed he still has the app installed to keep in touch with family and friends. I asked Kent whether he had granted Houseparty permission to access his contacts. After he initially stated “No, why would I do that?”, we quickly established that he had, as clicking to add a friend through contacts displayed everyone that was in his phone contact list. In Kent’s defense, it’s worth pointing out that the app does not really function as a social tool unless it has access to your friends, either through Facebook or your uploaded contact list.
When installing the Houseparty app, there are several options offered to enable the app either to find friends who are already users or to suggest friends and even friends of friends (see Figure 2a below). The main options are to allow access to the contacts stored on your phone or to allow access to your Facebook account, enabling Houseparty to extract your friends list from the social network. The wording in Figure 2a specifically states “your contacts will be uploaded to Houseparty’s servers so that you and others can find friends and to improve your experience”. The privacy-conscious among you are probably making a sighing noise right about now, especially at the inference that others will be introduced to your contacts.
If you skip granting the permission during installation, the app will prompt you again if you click on “contacts” when trying to add friends. Note the change in language and the missing disclosure that the contact list will be uploaded to Houseparty’s servers: see Figure 2b.
If you have ever used an app or service that uploads your contact data, you may have witnessed “X has joined” type messages displayed in the app or service. The option to start a conversation or connect to the person is a convenient notification and the very reason that companies request permission to upload contact data to their servers.
The collection of account information does include a disclosure that “some information” about your friends is collected if you import your contacts (see Figure 3).
The use of the words “some” and “certain” seems vague when addressing data collection of PII; this is probably by design, as a detailed listing could cause concern, even alarm. The reference to “contacts” being split between the two sections of the policy covering “account information” and “third party accounts and apps” is confusing. What is confirmed, though, is that phone numbers and addresses of your contacts are collected if you grant permission to upload your contacts. I hope by “addresses” they mean email addresses … or am I being optimistic?
The general concept that your contact data is used to assist in connecting with your friends seems perfectly reasonable and logical: see Figure 5. The suggestion of other connections based on your existing friends implies that users are profiled, which again is probably not that surprising for a social networking tool.
However, the “you” then becomes confusing when reading the next section on “your choices”, as this then refers to a registered user being able to make decisions in their account setup on such things as marketing preferences.
Taking back my identity
My request – As a resident of California please send me a copy of any data about me that includes my name, email address or phone number.
Houseparty response – The email address you are contacting us from does not reflect any account, and so I can only ask you to please submit a new request using the correct email address you used to register the account.
There is a blatant disconnect between my request and the answer; I asked for data they may have in their possession about me but the response refers to there being no registered account for the data I provided in my request. So I asked again…
My request – I have never had an account and I am requesting confirmation that my personal information is not held on any system in their company.
Houseparty response – Don’t worry, I look for your information in our system but I didn’t find any account with your phone number or your email, therefore we don’t have any data about you.
My request – If I give my permission to upload my contacts from my phone can you [Houseparty] confirm what information this will upload, name, email, phone number etc. And if I later decide to delete my account will all this uploaded contact data be deleted with my account?
Houseparty response – First, the app requests permission to read your contacts from your device to crosscheck who in your contacts is already using Houseparty, therefore you will be able to reach out to them since the contact already exists in your device and makes this faster to invite them to be able to communicate with you. Basically, the app reads the name, email and phone number to make those contacts faster to reach out for you. Once you request an account deletion, all information is deleted from the Houseparty account, all your contacts’ names, emails and phone numbers as well as the information you used to create your own account.
My request – Confirmation that contact lists are uploaded, and whether, if I request account deletion, my contact data would be removed from all my friends’ accounts as well?
Houseparty response – A copy of your whole contacts list is not copied into a server and kept there, but it is accessible to read by the service through the app, once you grant permission for this.
Confirming no data is uploaded and then confessing that actually the support team does not know what is uploaded is bad. If you don’t know the facts, then don’t provide an answer!
Who owns the contact data held on someone’s phone and does the owner of the device have the right to share it with third parties such as Houseparty or Telegram? And should the third party request consent from the contact, me in this case, to retain access to or store the personally identifiable data on their systems?
So, when my colleague Jake suggested deleting unused accounts and apps, he was providing good advice – something I advocate and fully agree with. However, as detailed above, this does not necessarily mean you are avoiding the risk of being part of any data breach that a company, in this scenario Houseparty, Telegram or WhatsApp, may suffer. Your personally identifiable information is likely to remain on servers of social media and instant messaging companies and continue to be accessible to them through linked social media accounts or contact lists of your friends.
In the unpleasant event that a breach were to occur, are they required to send a breach notice not only to registered account holders but to everyone they have data on or whose data they have or had access to? Unfortunately, as far as I can tell, the breach notification is only a requirement that applies to account holders. Privacy legislation and breach notifications should probably extend to all the PII stored, not only that of account holders.
My takeaway from this is that some instant messaging and social media services are storing my personally identifiable information not only without my consent, but without my knowledge and probably with no mechanism (or even deliberate unwillingness) to allow me to discover if that is the case.
written by Tony Anscombe, ESET We Live Security