Houseparty, should I, or should I not?

Jake Moore, Cyber Security Specialist for ESET explains the benefit of deleting your Houseparty – or any other unused – account, rather than just uninstalling the app?

When the coronavirus pandemic began, people took to Houseparty in their millions. Many of us weren’t allowed to meet anyone in person, so videocalling became an even bigger success and Houseparty was the front runner. Between March and April 2020, Houseparty reported 50 million sign-ups. For comparison, the app was downloaded 533,000 times in February 2020.

Houseparty was in the press for all sorts of reasons, including some rather negative slants from rumours that some accounts had been hacked. However, this was never proven and is thought to be a smear campaign. Nonetheless, the app was definitely a hit with the younger generations for keeping in touch with their friends, and remained a top 10 app during the early part of lockdown.

Moving on a few months, and as we start to ease back into our normal routines as safely as we can, we now have the option of seeing a small number of people again. It is, therefore, likely that Houseparty “rooms” aren’t being attended in the same numbers they once were.

Like many unused apps on people’s phones, I assume many people left Houseparty idle on their devices rather than deleting it and even fewer probably deleted their accounts. “But what’s the benefit of deleting an account rather than just removing the app?” you may ask

Houseparty, and many other apps, collect basic registration details like name, email address, birthday, phone number, address, username and password when you create an account. They even have the ability to collect location information from your IP address, and some apps may share all of this information with third parties too.

What happens when you delete your Houseparty account?
When we delete a social media or any other online service account, most of us probably assume that the service operator will wipe all our personal information from their systems. Our data cannot be used for any further use such as marketing, which is a win for privacy and a loss for mass data collection.

However, in my research I found that not all apps have been playing by the “rules” of information deletion – even when they said they did. Security researcher Saugat Pokharel was awarded a US$6,000 bug bounty payout after he discovered that Instagram retained photos and private direct messages on its servers long after he thought he had deleted them. And Instagram isn’t the only big name in recent years to fall foul of this misdemeanour.

Last year, security researcher Karan Saini found that Twitter was retaining deleted direct messages for years, as well as data sent to and from accounts that had been deactivated and suspended.

I decided to reach out to Houseparty and asked them what the best way is to delete my data from their servers. Their response was speedy and helpful: “Generally, account deletion is the only way to remove data from our systems. Kindly note that any related personal identifying information will be removed once you have processed the account deletion.”

When you delete your Houseparty account, you are restricting the use of your data and withdrawing consent to being tracked. However, the bigger worry for me is if you don’t delete your account and then one day the company is hit with a data breach, you could see all your information being sold on the dark web. Criminals will never stop attacking servers and if your data is among that stolen, it could be used against you.

Should any of our readers be old enough to remember Myspace, there is a fair chance they would have owned an account. In 2005 it was the coolest network going and arguably one of the earliest, widely popular social media sites. It was a great place to find friends, bands and banter. But when Facebook and other sites came along and dominated, I wonder how many users deleted their accounts or unconsciously chose to just never log in again.

In 2016, login credentials and related data of 427 million Myspace accounts were put up for sale on the dark web, and it’s my hunch that not all of those accounts were active users. This stolen data included passwords, so anyone reusing passwords could have lost access to other accounts as well. If people leave their accounts open and idle, they are potentially leaving themselves open to future attacks.

My advice is to only ever enter personal data if you absolutely must and use a VPN where possible for apps that use or even on-sell your information. In the UK, GDPR laws prohibit the selling of personally identifiable information to third parties without consent, but of course this all goes out the window when a threat actor steals the data in a breach as they don’t have the same set of morals.

While you still have the chance, it’s far safer not to be on a “breached list” in the first place, but many will say that once your data is on the internet it’s there forever. However, it may be worth going through your phone, opening up those idle apps one last time and deleting the account, rather than just deleting the app and forgetting about the account. The information that lives on may not feel like it is worth anything to anyone else, but it could be used nefariously when pieced together with other information on you and can have damaging effects if used in conjunction with identity theft or bank fraud.

So, should you now want to delete Houseparty, simply head to the app, hit the settings button and head to the “Privacy” tab which will give you the option to delete your account after multiple attempts to try to keep you to stay. Whilst you’re at it, make sure you do a similar operation for any other unused apps on your devices too!