“To pop, or not to pop — that is the question”

How things are privacy-wise on the social network Poparazzi.

Is the social network Poparazzi a threat to privacy?

In a world already chock full of social networks, new services have to fight for user attention and come up with something original. In doing so, the creators of new platforms sometimes forget about basic features such as privacy and security. A striking example of this was the security fiasco with the social network Clubhouse, which became a smash hit in the spring of 2021.

The social network Poparazzi, which is the subject of this post, appeared a few months after Clubhouse and is still pulling in users. On the very first day after its launch, Poparazzi topped the App Store chart in the U.S., and over the past year it’s been downloaded more than five million times. In this post we explain the privacy issues of the social network.

How Poparazzi works

Poparazzi’s main feature is that it doesn’t let you post photos or videos of yourself. Instead, users post shots of other people, which are called “pops.”

A Poparazzi user account has two sections: the first contains photos and videos of you posted on your page by others; the second contains shots that you yourself uploaded to other users’ profiles (this section is visible only to you). At the same time, pops don’t have to be real photos or videos; they can be memes or your favorite cat pictures from the internet.

What also sets the new social network apart from other such services is that no user can find out the real number of your subscribers and subscriptions. Instead, it lists the total number of poparazzi — that is, the number of people who “popped” you and the number of pops themselves.

Only users you follow can freely upload pops to your profile. At the same time, in order to do so, they themselves don’t have to follow you.

What permissions does Poparazzi need?

For a friendly social network supposedly lacking pretensions, Poparazzi is quite pushy. During registration, the app immediately requests a whole host of permissions: access to the camera, contacts, notifications, and all photos on the device. And all are mandatory! If, say, you give access to only some photos, or revoke some permissions later, you won’t be able to add friends and post pops.

Poparazzi wants access to your camera, contacts, notifications, and every single photo


How to unblock a Poparazzi profile

After granting the service all the access it requires, you are taken to a page with a “Profile blocked” message. The developers explain that to unblock the profile someone needs to post a pop on your page. Before that, it seems you can’t fully use the app: viewing your profile, posting pops, viewing other accounts, etc. are all off limits for now.

You are immediately prompted to add three people from your contact list as friends, so that (hopefully) one of them will pop you and activate your profile. If none of your friends uses Poparazzi yet, the app lets you send them invitation links.

“Profile blocked” message after registration in Poparazzi

In actual fact, as our experiment showed, it only takes one follower in your profile to activate it. By friending them, you open all your account options: viewing other people’s pages, commenting, posting pops. So, as it turns out, you don’t need someone to pop you to unblock your profile after all.

What to do if you don’t like a pop

There isn’t much you can do to stop others viewing photos and videos in which you appear. Profile content is open to all users of the social network by default. You can’t hide your account from random guests — there’s simply no such option in the privacy settings. All you can do is manually delete unwanted pops from your profile, ban specific individuals from popping you, or add users to a deny list. If you ban a user from posting a photo to your profile, they’ll remain among your followers and be able to view your feed. If deny-listed, however, the user is removed from your followers list and won’t be able to pop you or view your pops any longer.

How to prevent friends from posting photos of you

By default, anyone you follow can post pops of you. They don’t need your consent to do so. You’ll see what’s been posted only after logging in to your profile. And that could be an hour, or even a week, after the pop was uploaded. If you don’t want a particular pop hanging around on your page, you can delete it. To do this, click on it and then on the three-dots icon in the upper-right corner, and after that select Delete.

There are two ways to block a friend from posting pops in your profile: either unfollow them, or restrict their access to your account. Remember, even after you do this, your followers (and all Poparazzi users — save for those in your deny list) will still be able to view your feed.

To unfollow a user, go to their profile and click Following. If you want to unfollow several friends in one go, on your profile tab, click on the gear icon in the upper-right corner of the screen, go to Privacy Settings, and click on the crosses next to the user’s nickname. Remarkably, apart from the list of your followers, this section contains nothing at all.

Restrictions on the publication of pops in your Poparazzi account


If you want to continue following a user but block them from uploading pops to your profile, go to their account, click on the three-dots icon in the upper-right corner of the screen, and select Remove Poparazzi.

Can people I don’t follow pop me?

Poparazzi’s developers claim that if you don’t follow someone, they can’t post pops in your feed without your approval. If such a person tries to post a pop, it will simply not be published.

If you add the author of unpublished pops as a friend, then all photos they were trying to post will immediately show up in your profile. Another way to achieve the same result is to click on the three-dots icon in the upper-right corner of the person’s profile and select Approve Poparazzi. Clicking this button essentially duplicates the follow feature.

User approval in Poparazzi


During our experiment, we discovered that you can’t view pops uploaded by a new poparazzi before adding them as a friend — they’re visible only to their author. Nor do notifications about pops from unfamiliar accounts arrive, as things currently stand. Thus, it turns out that adding a new follower is a pig in a poke, because you never know what pops might pop up in your profile as a result.

How to block users in Poparazzi

Fully restricting a user’s access to your page is possible only by blocking. To do this, in their profile, click on the three-dots icon in the upper-right corner and select Block.

User blocking in Poparazzi


In that same section, you can report a user to the developers if you think they’ve violated the rules of the service: for example, by posting pornographic content or disclosing other people’s personal data (although the developers don’t explain what is considered such data). To do so, click Report and describe the issue. The developers state that they’ll take action against violators.

How to delete a Poparazzi account

We found the answer to this question in the FAQ section on the Poparazzi site. It provides a link to a no-frills page. You’re prompted here to enter the phone number you used for Poparazzi registration in the field under a message from the developers. That done, click Delete My Account Including Photos I’ve Taken & Photos Of Me.

Deleting your Poparazzi account


It doesn’t even matter whether you logged out of your account before sending the request or not; either way your profile is deleted. However, if you open your feed while your request is still pending, it’ll be canceled. The developers don’t say how long it takes to process such requests, but our test account was deleted in just a couple of minutes.

User risks

The main problem with Poparazzi privacy is that you cannot fully control which photos and videos of you will be seen by friends, family and colleagues. Users have an extremely limited set of tools for controlling who exactly can post pops of them on their own page.

Also bear in mind that a large chunk of the social network’s user base is made up of teenagers, who may not yet realize that an ill-judged pop from a party could, years later, cost them their career.

Another potential problem for Poparazzi users is doxing. Photos, especially ones posted uncontrollably, can show not only a face, but a plethora of other information, too: who they mix with, where they go, and what they like doing. This can all be weaponized by a skilled doxer.

How to stay safe on Poparazzi

Poparazzi privacy leaves much to be desired, so think carefully before registering. If you still decide to open an account, follow our tips to minimize the risks:

  • When registering, use a fictitious nickname, not your real name. That’ll make it harder for strangers to correlate your profile with other personal data.
  • Only follow users you trust. After all, they will be able to post photos and videos on your page. Remember, some memories don’t belong online.
  • Review your profile regularly and delete unwanted pops.
  • If you’re a parent and worried about your teenager, install Kaspersky Safe Kids. Our solution lets you control your child’s access to unsuitable apps and sites — including Poparazzi.