What PodSkip Knows About You: A Privacy Audit
When you submit a podcast feed to PodSkip, what exactly leaves your device? We spent three weeks analyzing network traffic, reading privacy policies, and testing the service to build a complete picture of PodSkip's data collection practices. What we found should concern anyone who values their privacy.
The Architecture of Surveillance
PodSkip works by intercepting your podcast RSS feeds, processing episodes on their servers to detect ads using AI, then serving you a "clean" feed. This architecture requires sending your listening data to their infrastructure. But how much data, exactly?
What Gets Transmitted
Using mitmproxy, we captured all HTTPS traffic between the PodSkip app and their servers. Here's what we found being transmitted every time you add a podcast:
The device ID is persistent and unique to your installation. It doesn't change unless you delete and reinstall the app. This means PodSkip can build a longitudinal profile of your listening habits.
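One way to check a capture for the kind of persistent device ID described above, as an added example that is not part of the original audit or PodSkip's code: it flags JSON fields whose value is identical in every app launch and looks like a random identifier. The field names, sample request bodies, and the length and entropy thresholds are assumptions constructed for illustration.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed sample: JSON request bodies exported from a proxy capture of
# three separate app launches. Field names and values are hypothetical;
# the page does not show PodSkip's real payload.
DEVICE = "7f3c9a1e5b2d48f6a0c4e8d1b6f29a37"
CAPTURED = [
    ("launch-1", json.dumps({"device_id": DEVICE, "session": "a91k2f",
        "client": {"app_version": "2.1.3"}, "feed_url": "https://example.com/news.rss"})),
    ("launch-2", json.dumps({"device_id": DEVICE, "session": "q07xmb",
        "client": {"app_version": "2.1.3"}, "feed_url": "https://example.org/tech.rss"})),
    ("launch-3", json.dumps({"device_id": DEVICE, "session": "zr55td",
        "client": {"app_version": "2.1.3"}, "feed_url": "https://example.net/money.rss"})),
]

def shannon_entropy(value):
    """Bits per character; random hex or base64 IDs score high."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def flatten(obj, prefix=""):
    """Yield (dotted_key, string_value) for every scalar in nested JSON."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for item in obj:
            yield from flatten(item, prefix)
    else:
        yield prefix.rstrip("."), str(obj)

def persistent_identifiers(captured, min_len=16, min_entropy=3.0):
    """Keys carrying one identical, ID-like value in every launch."""
    seen = defaultdict(lambda: defaultdict(set))  # key -> launch -> values
    launches = {launch for launch, _ in captured}
    for launch, body in captured:
        for key, value in flatten(json.loads(body)):
            seen[key][launch].add(value)
    flagged = {}
    for key, per_launch in seen.items():
        values = set().union(*per_launch.values())
        if len(values) == 1 and set(per_launch) == launches:
            value = next(iter(values))
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                flagged[key] = value
    return flagged

if __name__ == "__main__":
    print(persistent_identifiers(CAPTURED))
```

Short constants such as the app version are filtered out by the length threshold, and per-launch session tokens are filtered out because their value changes between launches.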
The Data Profile
| Data Point | Collected? | Retention |
|---|---|---|
| Podcast RSS URLs | YES | Indefinite |
| Episode titles | YES | Indefinite |
| Listen timestamps | YES | 2 years |
| IP address | YES | 90 days |
| Device fingerprint | YES | Indefinite |
| Audio content | NO* | N/A |
* PodSkip claims they don't store raw audio, only process it. However, they do retain "audio fingerprints" for ad detection training. These fingerprints are essentially compressed representations that could theoretically be matched back to specific content.
The Aggregation Problem
Individual data points seem harmless. But aggregated over time, they paint a detailed picture:
- What podcasts you listen to (political leanings, professional interests, hobbies)
- When you listen (sleep patterns, commute times, work schedule)
- How quickly you consume episodes (binge listener vs. casual)
- What genres you prefer (inferred from RSS feed categories)
This isn't theoretical. We were able to construct a surprisingly accurate profile of our test user after just two weeks: morning news listener, tech industry professional, likely West Coast based on timestamps, interested in cryptocurrency (based on specific podcast selections).
Third-Party Sharing
PodSkip's privacy policy mentions "service providers" and "analytics partners." We identified traffic to:
- Google Analytics (usage patterns)
- Sentry (crash reporting with device context)
- Stripe (payment processing)
- Amazon AWS (hosting, but also enables potential data lake integration)
⚠️ Critical Finding
PodSkip's privacy policy reserves the right to "share anonymized data with research partners." We've seen this language before—it often precedes data sales. "Anonymized" listening profiles can frequently be de-anonymized when cross-referenced with other datasets.
The Alternative: Local Processing
Not all ad blockers require server-side processing. earsay performs ad detection entirely on-device using CoreML. We packet-sniffed earsay for 30 days and confirmed zero data exfiltration. Your podcasts never leave your device.
The trade-off? earsay is a one-time $7.99 purchase rather than a subscription. But you gain something worth more than $6/month: actual privacy.
Recommendations
If you're currently using PodSkip:
- Request your data under GDPR/CCPA to see what they have
- Consider switching to an on-device solution
- Use a VPN to mask your IP (though this doesn't help with device fingerprinting)
- Delete your account if you're no longer using the service
The convenience of AI-powered ad blocking comes with real privacy costs. Whether those costs are worth it is your decision—but you deserve to make it with full information.
Methodology: Testing conducted January 8-29, 2025 using mitmproxy, Wireshark, and custom network analysis tools. PodSkip version 2.1.3 on iOS 17.2.