Clubhouse, the app where hackers don’t need an invitation to collect your data

Clubhouse is a new type of voice-based social network that has grown significantly of late. It became the new cool app on the block in large part because it offers people the rare chance of digital proximity to the wealthy and famous, like Elon Musk, Drake, Oprah Winfrey, or Kevin Hart.

Clubhouse is an invite-only app, currently available only to iOS users, which gives it an air of exclusivity that makes everyone want to get in. Users can engage both privately and in public channels, where all kinds of topics are discussed. There is also a big social component: users can follow each other, and Clubhouse very much encourages these networks to form and grow.

But regardless of the sudden hype around it, the platform faces some big challenges concerning the privacy and security of personal data. On top of that, users' interest in Clubhouse is being exploited by cybercriminals in new malicious campaigns. Let's take a closer look at what each of these means, and how Clubhouse puts users' security and privacy at risk.

Security and privacy protocols didn’t get an invite to Clubhouse

Most people don't read the privacy policy of a platform, but they should, especially since some of them flagrantly violate users' rights to data privacy and security. Clubhouse, for example, has failed to meet even the basic principles of EU law. It violates most of the legal requirements on privacy and data confidentiality as soon as you start using the platform, as noted by privacy advocate and SynData AB co-founder Alexander Hanff in a LinkedIn post.

The core of the app's user recommendation engine relies on access to your contacts. Without granting the app permission to read your contacts, you can't invite anyone else to Clubhouse. Your privacy therefore depends both on what you do and on what your contacts do. When you give the app access to your contacts, it shows you which of them are already on Clubhouse, urges you to invite those who aren't, and sends you notifications as soon as someone in your contacts joins. For now, you can only be invited to Clubhouse through your phone number, which is attached to your account and can't be removed. The moment you join Clubhouse, every other Clubhouse user who has your phone number in their contacts is notified and receives a recommendation to follow you.

If you want to take advantage of "Single Sign-On" and sign in using one of your social media accounts, Clubhouse extends its access to all your contacts, content, and account information on those other social media sites. All of this breaches the requirements of the GDPR, the EU regulation on data protection and privacy, as pointed out by Italian and German regulators, according to a report by The New York Times.

The GDPR also addresses the transfer of personal data outside the EU and EEA, another issue with Clubhouse. In case you are wondering what happens to all the data it collects (and you should wonder), you should know that it is all transferred to the United States, without a valid legal basis and without the legal safeguards required for transferring data to a third country that lacks an adequacy decision.

Klaus Müller, executive director of the Federation of German Consumer Organizations (vzbv), warned Clubhouse that it faces sanctions over its data privacy problems, taking to Twitter (translated into English):

"Serious deficiencies in #Data protection, #AGB [terms and conditions] only in English, no imprint: these are the points @vzbv complains about in its #warning to the operator of #Clubhouse, demanding the submission of a cease-and-desist declaration with criminal penalties."

The conversations are not end-to-end encrypted

If you visit their privacy policy, it states that: "Solely for the purpose of supporting incident investigations, we temporarily record the audio in a room while the room is live. If a user reports a Trust and Safety violation while the room is active, we retain the audio for the purposes of investigating the incident, and then delete it when the investigation is complete. If no incident is reported in a room, we delete the temporary audio recording when the room ends."

In other words, the audio content is deleted as soon as the room ends, unless there is an incident investigation. It also means that the content cannot be end-to-end encrypted: for the service to record a conversation, its servers must have access to the audio in the clear, which is contrary to the rules imposed by the ePrivacy Directive (2002/58/EC). The EU law requires the confidentiality of communications, and interception of those communications can only occur legally with the consent of all parties engaged in that communication.

Profiling and social graphs

You don't need to know legal terms and provisions to understand what Clubhouse does wrong with users' data. Besides recording the conversations, they "collect content, communications, and other information you provide, including when you sign up for an account, create or share content, and message or communicate with others", as stated on their Privacy Policy page. They also "may choose to collect information about how you use our Service, such as the types of conversations you engage in, content you share, features you use, actions you take, people or accounts you interact with, and the time, frequency, and duration of your use." It is unclear, though, how and for what purposes they use this information.

Clubhouse users, unwitting accomplices to violation of data privacy

Clubhouse is a bad idea for private users for a couple of reasons. First, it violates many legal requirements on privacy and data confidentiality. Second, it asks users to break the law by providing access to their address book, phone numbers included, in order to invite friends to the platform.

EU law states that you must have your friend's consent to share their personal data with a third-party commercial entity. In the same context, a company cannot use personal data provided by a third party (in this case, a private user) unless that data has been provided lawfully. As illustrated above, disclosure of personal data without consent is not lawful.

Add to this the fact that Clubhouse creates demand by imposing artificial limits on user registrations. The only way you can currently get on the platform is via an invite from an existing subscriber, meaning that the only way to become a subscriber is for your personal data to be unlawfully shared by your "friend".

Users’ interest in Clubhouse, exploited by cybercriminals

Besides the privacy and security issues, users' interest in the social platform can be exploited by cybercriminals, who monetize it through the sale of fake invitations and fake Android apps, install malicious code on users' devices, or record conversations, which, as we have seen, are not end-to-end encrypted. Since Clubhouse is available only on the iPhone and only through an invitation system, there are already eBay listings, Craigslist ads, and private Facebook groups selling invitations. The price starts at $20 and often exceeds $100.

The malware threat is another concern raised by Avira experts. Even though nearly everyone who has heard of Clubhouse knows it is only available for iPhone, the app is still among the most searched for on the Google Play Store, which opens a door for cybercriminals to create fake apps and install malicious code on users' devices. Of course, the best way to protect yourself is to inform yourself before downloading any app and to set up proper security measures, such as installing Avira Mobile Security for iOS.

Content Manager
Former journalist. Storyteller at heart.