5 things Clubhouse got wrong about privacy


Clubhouse, the red-hot networking app, has become the new trend by offering people the rare chance of close digital proximity to the wealthy and famous, like Elon Musk, Drake, Oprah Winfrey, and Kevin Hart.

Unfortunately, the platform suffered a data breach in its early days, but the situation is not unique: Clubhouse is another app, like many available for download, that provides a direct gateway to your personal data and information. 

Its invite-only format, currently available only for iOS users, creates an element of exclusivity. Users can engage both privately and in public channels, where all kinds of topics are discussed.

Regardless of the sudden hype around the app, the platform faces some big challenges and wildly misjudged the importance of data privacy in its early days. European cybersecurity company Avira shares five things the app got wrong:

1. Security and Privacy Protocols didn’t get an invitation to join the club

Most people don’t look at the privacy policy of an up-and-coming social media platform, but they should, especially since some of them can flagrantly violate users’ rights to data privacy and security.

Clubhouse, for example, has failed to meet even the basic principles of EU law and violates most of the legal requirements on privacy and data confidentiality as soon as you start using the platform, as privacy advocate and SynData AB co-founder Alexander Hanff noted in a LinkedIn post on Clubhouse.

Clubhouse’s user recommendation engine relies primarily on access to your contacts. You can’t invite anyone else to the platform unless you grant that access.

If you do give the app access to your contacts, Clubhouse will show you everyone on your contact list who is also on Clubhouse. It will also urge you to invite those who aren’t and let you know as soon as someone in your contacts has joined.

Furthermore, if you want to take advantage of “Single Sign On” (using Twitter or other social media credentials to sign in to Clubhouse), they extend their access to all your contacts, content and account information on those other social media sites. All of these breach the requirements set under GDPR, the EU regulation on data protection and privacy. GDPR also addresses the transfer of personal data outside the EU and EEA, another issue for Clubhouse.

If you are wondering what happens to all the data it collects: it is transferred to the United States, without a valid legal basis.

2. Conversations are not end-to-end encrypted

If you visit their privacy policy, it states that “Solely for the purpose of supporting incident investigations, we temporarily record the audio in a room while the room is live. If a user reports a Trust and Safety violation while the room is active, we retain the audio for the purposes of investigating the incident, and then delete it when the investigation is complete. If no incident is reported in a room, we delete the temporary audio recording when the room ends.”

In other words, the audio content is deleted as soon as the room ends, unless there is an incident investigation. It also means that the content cannot be end-to-end encrypted, since it has to be recorded, which is contrary to the rules imposed by the ePrivacy Directive (2002/58/EC).

The EU law states that the confidentiality of communications is required, and interception of those communications can only occur legally with the consent of all parties engaged in that communication.

3. Data is openly tracked, and users are profiled

You don’t need knowledge of legal terms and provisions to understand what Clubhouse does wrong with users’ data. Besides the fact that they record the conversations, they “collect content, communications, and other information you provide, including when you sign up for an account, create or share content, and message or communicate with others”, as stated on their Privacy Policy page.

They may also collect “information about how you use our Service, such as the types of conversations you engage in, content you share, features you use, actions you take, people or accounts you interact with, and the time, frequency, and duration of your use.” It is unclear, though, how they do this and what they later do with this data.

4. Passing the blame

Clubhouse is a sketchy idea for private users for two reasons. First, it violates many legal requirements regarding privacy and data confidentiality. Second, it asks users to break the law by granting access to their address book, including their friends’ phone numbers, in order to invite those friends to the platform.

EU law states that you must have your friend’s consent to share their personal data with a third-party commercial entity. In the same context, a company cannot use personal data provided by a third party (in this case, a private user) unless that data has been provided lawfully. As illustrated above, disclosure of personal data without consent is not lawful.

5. Exclusivity of Clubhouse is being exploited by cybercriminals

Besides the privacy and security issues, users’ interest in the social platform can be exploited by cybercriminals, who monetize it through the sale of fake invitations and fake Android apps, install malicious code on users’ devices, or record conversations which, as noted above, are not encrypted.

Since Clubhouse is available only on the iPhone and only through an invitation system, invitations are already being sold on eBay, Craigslist and in private Facebook groups. Prices start at 20 dollars and have often exceeded 100 dollars.

The malware threat is another concern raised by Avira experts. Even though almost everyone who has heard of Clubhouse knows it is only available for iPhone, the app is still among the most searched for on the Google Play Store, which opens a door for cybercriminals to publish fake apps that install malicious code on users’ devices.

Ultimately, an app that has garnered this much support in such little time is unlikely to disappear overnight. It will undoubtedly make changes and hopefully tighten its security and privacy policies.

But the damage to its reputation among many has already been done, and for good reason: in today’s cyber climate it is not acceptable to cut corners, and companies must be held to account when they fail to live up to these expectations.

Avira’s mission is to protect people in our connected world and put everyone in control of their digital lives. The portfolio includes many award-winning security and privacy products designed for Windows and Mac computers, Android and iOS smartphones, home networks and smart devices (IoT). In addition, all features are available as SDKs and APIs for companies. Together with partners, Avira protects more than 500 million devices worldwide.

Avira is headquartered in Tettnang on Lake Constance and has further offices in Europe, Asia and the USA. For more information, visit www.avira.com.
