Clubhouse has a Privacy Problem and It’s Not Getting Any Better

Invite-only, audio-based app Clubhouse has seen a meteoric rise in its popularity since it launched, with a whopping estimated $1 billion valuation as of early March and millions of registered users. The app, launched exclusively for iOS in April 2020, enjoyed massive attention after surprise appearances from big names in the tech world like Elon Musk and Mark Zuckerberg. However, it also faced controversy in Oman, where it was banned as it did not have a permit to operate there, although activists called it censorship. Most notably, however, the app was also banned in China, where authorities feared public discourse was becoming too popular. A very small portion of the population could access the app, and access was further limited because users needed a foreign-registered iPhone to use it. Still, Beijing blocked the app after workarounds made it available on February 8.

Despite these bans in major countries, Clubhouse’s biggest controversies are those that relate to its data privacy policies. Unfortunately, the privacy problems are built into the structure of the app itself, with the app requiring access to the contact lists of all new people who sign up. When these privacy concerns came to light, new users began to have issues with the way in which their data was being handled, a reasonable reaction considering how social media apps have a history of mishandling user data.

How Clubhouse works

Clubhouse allows users to launch and join rooms where any kind of topic can be discussed. It works like most other social media apps: users follow other users, and Clubhouse encourages these networks to develop and grow.

When Clubhouse was launched, its user recommendation engine relied on access to a user’s contacts. A user couldn’t invite anyone else to the platform unless they granted the app access to their contacts. After this, Clubhouse would show the user everyone in their contact list who was also using Clubhouse. It not only urged users to invite those who weren’t already on Clubhouse, but also told them as soon as someone in their contacts had joined.

However, if someone didn’t want some or all of their contacts to know they were using Clubhouse, there was simply no way to prevent it. Clubhouse told those contacts and encouraged them to follow new sign-ups. People could also gain followers who were strangers: people who weren’t in their own contact list, but who had their number in theirs. People’s privacy on Clubhouse is impacted not only by what they do but also by what others who have their information in their contacts do. People could only get invited to Clubhouse through their phone number, which was attached to their account. So if someone had a person’s phone number in their contacts and had given the app access to those contacts, they would get a notification when that person joined Clubhouse.

To add to the privacy concerns users already had, an unidentified user in February streamed Clubhouse audio feeds from “multiple rooms” into another website, showing that the app was not as secure as users would like. Although Clubhouse said it had banned the responsible user and installed “safeguards” to prevent such a thing from repeating, the company did not outline the details of what the alleged safeguards were. Moreover, Clubhouse relies on Shanghai-based startup Agora Inc. to handle most of its back-end operations, bringing up a whole host of concerns. China has already banned the social media app, but with Clubhouse depending on a Chinese tech company to provide so many resources to the platform, people are beginning to wonder how much data is being gathered by Agora, which processes Clubhouse’s data traffic and audio production.

This is especially concerning for Chinese citizens, activists and dissidents, who may still be using the app via a VPN or other means. There is a lot of suspicion surrounding Agora about alleged violations of user data security requirements, similar to other Chinese tech companies. In fact, the Stanford Internet Observatory claimed that Agora might be able to access users’ raw audio and potentially provide access to the Chinese government. However, the tech company has claimed that it does not gather, share or store any end user data through which a user could be identified. The only data it collects is to improve the algorithm. Agora has clarified that it runs in accordance with the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR), which is the European data privacy and security law.

What changes has Clubhouse made now?

As of mid-March, Clubhouse has made some changes to its privacy policies and the way the app functions. The update, released March 12, solves some of the aforementioned privacy issues. Users can now invite their friends without giving the app access to their list of contacts. Previously, giving Clubhouse access to your contact list was necessary to invite other people.

However, if someone signs up for the app, uploads their contacts, and your phone number happens to be in their list, they’ll still get an alert if or when you join the app, regardless of whether you choose to upload your contacts or not. Clubhouse provides no way to preemptively block a user in the onboarding process to prevent this. Even if you do block someone, the app doesn’t stop them from seeing your profile, as other social media platforms do.

Despite these changes, privacy concerns are still at the forefront of user experience with the app. In fact, French data privacy regulator Commission Nationale de l’Informatique et des Libertés on March 12 started an investigation into Clubhouse’s use of data under GDPR. The regulator said in a statement it received a complaint before opening the investigation.

The privacy concerns users have are not unfounded. There are instances where you don’t want certain people to know which apps you may be using, or anything about yourself: for example, abusive exes from past relationships, stalkers who may have your number saved, bosses who you don’t want to know about your private life. The list goes on. It’s not unreasonable to wonder whether your private conversations are, in fact, truly private. This and other aspects of the user experience, coupled with Clubhouse’s ties to Agora, bring to the forefront all-too-familiar concerns about the privacy policies and transparency of social media platforms.

Romessa Nadeem is a Project Coordinator at Media Matters for Democracy, which runs the Digital Rights Monitor.
