With small new engaging platforms it is wise to take a closer look on how they manage to safeguard our privacy and protect our data. The invite-only live-audio SoMe platform Clubhouse has passed the 10 million users landmark during its first year in action. So should you feel left out in the cold in case you haven’t received an invite yet? Rather you should feel concerned over the fact that they – mildly spoken – still have several privacy challenges to mitigate and you probably already have a Clubhouse profile! Yes that is correct, your name might already be visible in the app – even though you have not initiated any kind of relation or given any consent to Clubhouse.
How is that possible? During the onboarding process users allow Clubhouse access to snatch all contact data on their phone – otherwise they will not be able to invite any friends. That means if any of the 10 million users have your name and phone number in their contacts, Clubhouse have you listed! Besides your name and number, they also know who knows you. GDPR requires a legal basis for having and retaining contact details as phone numbers, so this is a breach of GDPR and such an invite-a-friend setup a violation of European law. Your friends can’t give this consent on behalf of you, so they actually ask private users to break the law by the way they encourage them to invite friends to the platform by providing access to their address book.
But there are other dodgy concerns to notice.
For the purpose of supporting incident investigations, Clubhouse temporarily record the conversations among members. The audio messages are not encrypted which violate the EU ePrivacy requirement for communication confidentiality and even more alarming we risk that our conversations can’t be kept private.
As Wired refers; Researchers from the Stanford Internet Observatory point to that Clubhouse by sending users’ Clubhouse identifiers and chatroom identity numbers unencrypted, enable third party can track your actions in the app.
“… some of Clubhouse’s infrastructure is run by a Shanghai-based firm and it seemed that the app’s data was traveling through China at least some of the time—potentially exposing users to targeted or even widespread Chinese government surveillance. “
In this 4 min video from Bloomberg News, Kartikay Mehrota explains how an unidentified user could stream Clubhouse audio feed from discussions in several same-time rooms into their own website and an android app. Even more alarming this scraping of the unencrypted data was not detected by Clubhouse, but found by cybersecurity experts.
Read more about this topic (e.g. how Clubshouse collects internet activities and behavioral data):