Move aside, Facebook: there is another social media platform in town with even worse privacy risks, and it is called Clubhouse! But before we get into the (many) Clubhouse privacy concerns, let’s see what exactly Clubhouse is.
What is Clubhouse?
Clubhouse is a social media platform in which you communicate with other people via audio chat rooms. It was developed in 2019 by Rohan Seth and Paul Davison, initially as a podcast called Talkshow, but was rebranded as Clubhouse in March 2020 and released for iOS. By December 2020, the app had 600,000 users, and in January 2021, they announced that the app had an active weekly user base of around 2 million. Note that, at the time, Clubhouse access was invite-only. On 9th May 2021, Clubhouse launched the Android app beta for users in the US, and as of May 2021, the app is fully available to Android users around the world.
How Does the App Access Your Private Data?
Okay, now that we have gone over the introductions, let’s explore the privacy problems of the Clubhouse app. According to the Clubhouse Privacy Policy, here is the data that the app collects:
- Account data
- Contact information
- Names of invited friends
- Conversations
- Messages
- Interests, usage, and connections
- Communications
- Payment and transactional data
- Information from social media companies
- Device data
- Cookies
So let’s explore all of that in detail.
How Does Clubhouse Use and Share Your Personal Data?
Clubhouse collects information such as your first name, last name, email address, phone number, preferred language, profile picture, organization name, and other information included in your bio or profile. And, of course, like any other “free” app, Clubhouse will share your personal information without telling you. In fact, according to Clubhouse, the company will share your data with:
- Service providers
- Professional advisors
- Authorities and others
- Subsidiaries and affiliates
And, if you want to delete your account, well, you can’t. At least not without sending an email to their support with a request and then waiting for them to “approve the action”.
What About the Information Others Have Shared About You?
When users sign up for Clubhouse and invite others via text message, the app gets access to the contact list on the phone (if you allow the app to sync with the device) and can import information from the device and upload contacts. When the app was first released, it was not possible to send an invite to someone who was not on your contacts list. However, as of 12th March 2021, you no longer need to give Clubhouse access to your contacts list to invite someone. Of course, that doesn’t mean someone else hasn’t given the app access, and they could have your phone number in their contacts list, which means that your number could be in the company’s database even if you’ve never signed up for it. Also, if you connect your social media accounts, like Facebook or Instagram, to Clubhouse, that information is collected as well. Here’s what Clubhouse says under “How you Share Information on Clubhouse”: “If you connect your social media accounts (e.g. Instagram or Twitter) with Clubhouse, Clubhouse will also inform those companies that you have authorized its access to your profile information and connections associated with your accounts with other companies.”
How is Clubhouse Tracking You?
Not surprisingly, the app is tracking you via cookies, which, as it quite blatantly states, are used “to help us track the efficiency of our advertising campaigns on other platforms”. That’s not all, of course, as the app also collects information about the device you are using, your operating system, your telecom provider, browser type and settings, your interactions with the app, time and date of app use, and more. You can even opt in to allow Clubhouse access to your call log data and verify your phone number! Wow.
What About the Audio and User Reports?
The whole idea of Clubhouse is that you have to “experience” the audio live. That means no pausing, and no recording and listening to it later. Except that Clubhouse records everything you say when in one of the Clubhouse rooms. Again, according to the privacy policy: “We temporarily record the audio in all rooms and retain it (along with a transcript) if a user or our automated systems flag a potential Trust and Safety violation.” Of course, they don’t say what they do after this, such as who listens to the audio and how they make decisions from it.
Clubhouse Users Records Leaked Online
Of course, with such lax privacy, Clubhouse has already had two quite big data leaks. In April 2021, 1.3 million Clubhouse users’ records were leaked online on a hacker forum. The data included:
- User IDs
- Names
- Usernames
- Photo URLs
- Follower numbers
- Account creation date
- Number of people followed by the user
- Twitter handles
- Instagram handles
- Invited by user profile name
In a statement on Twitter, the company responded: “This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API.”
Of course, this reveals quite a big privacy problem and, according to the senior information security researcher at CyberNews, Mantas Sasnauskas: “The way the Clubhouse app is built lets anyone with a token, or via an API, query the entire body of public Clubhouse user profile information, and it seems that token does not expire.” Also, in another alleged data breach, cybersecurity expert Marc Ruef posted on Twitter that Clubhouse user data was up for sale on the Dark Web, including 3.8 million phone numbers.
This, according to Ruef, included “not just members, but also people in the contacts lists that were synced.” Clubhouse issued a statement shortly after, denying the breach, saying: There has been no breach of Clubhouse. There are a series of bots generating billions of random phone numbers. In the event that one of these random numbers happens to exist on our platform due to mathematical coincidence, Clubhouse’s API returns no user-identifiable information. Privacy and security are of the utmost importance to Clubhouse and we continue to invest in industry-leading