Is ClubHouse, the hot discussion app of late 2020, a private platform? Ask Alexander Hanff, online privacy specialist, speaker and consultant, and he’ll say what is below. Reproduced with his consent from his Linkedin post here.
TLDR; it is shit, it is massively unlawful – stay away!
“Hi Alex I just got an invite to Clubhouse. What do you think of the platform? I can send you an invite if you don’t have one already if want to check it out, it’s all the rage!” appeared in my Signal messenger app last night on my phone – sent from a friend and business colleague almost fizzing with enthusiasm.
I had to check it out obviously, given the FOMO nature of the 21st Century (a philosophy, I should add, that I do not subscribe to). Was this a new E2EE messenger app to challenge the floundering WhatsApp? Perhaps a new Open Source social media platform to finally take on the woeful performance of LinkedIn?
As is always the case, I first went to their web site to have a look at their privacy policy – I know most people don’t do this, but I do … every time; and on this occasion I was no less deflated with what I found than I almost always am.
So what is Clubhouse – apparently it is some new engagement platform aiming to take on both WhatsApp and LinkedIn as a business networking social media site with customer engagement billed as one of its core purposes. Unlike other social media platforms, users can only engage via audio recordings (voice messages) which are shared both privately and in public channels (or chat rooms). However, that difference aside it is pretty much the same as any other social network from a privacy perspective – as I am about to explain – the only difference being that at least they disclose all the illegal profiling and data processing they are going to do without so much as a dinner invitation, right there in their privacy policy.
Let’s get started shall we…
End to End Encryption (e2ee)
As with all modern social media platforms focused on sending messages Clubhouse uses e2ee right…well …no is the answer here. If you visit their privacy policy it clearly states in the first section “Personal Data We Collect”:
Audio: Solely for the purpose of supporting incident investigations, we temporarily record the audio in a room while the room is live. If a user reports a Trust and Safety violation while the room is active, we retain the audio for the purposes of investigating the incident, and then delete it when the investigation is complete. If no incident is reported in a room, we delete the temporary audio recording when the room ends.
So if they are recording the conversations in the room for investigative purposes, clearly the audio messages are not end to end encrypted. This is a big problem (at least in the EU) as under the ePrivacy Directive (2002/58/EC) the confidentiality of communications is required, and interception of those communications can only occur legally with the consent of all parties engaged in that communication. Given the European Electronic Communications Code came into effect in December 2020, this includes “over the top” services such as messenger apps and the definition of consent relies on Article 4 of the General Data Protection Regulation (GDPR) which states that consent must be specific, informed and cannot be a condition of access to the service. In fact just today the Norwegian Privacy Regulator issued a notice to Grindr of intent to fine them 10 million Euros for (in part) requiring people to provide consent to processing which is not strictly necessary in order to access the service. This a big pile of No No in the EU.
Further GDPR requires privacy by design and default (well technically data protection by design and default but it amounts to the same thing) under Article 25 – clearly the ability of Clubhouse to record all conversations (however temporarily and what is temporary anymore anyway right?) doesn’t meet this legal requirement.
So no E2EE then and so far we have violations of GDPR under Article 5 (security principle, proportionality principle and necessity principle), Article 6 (invalid consent due to access to service provision and therefore no valid legal basis), Article 25 (data protection by design and by default), and of course Article 5 (confidentiality of communications) of the ePrivacy Directive.
What’s Next?
OK so we know that these guys are clowns already because they have failed to meet even the basic principles of EU law as soon as you start using their platform. So let’s dig a bit deeper.
We collect content, communications, and other information you provide, including when you sign up for an account, create or share content, and message or communicate with others.
(emphasis added)
Oh look another breach of ePrivacy Directive Article 5 (confidentiality of communications) just in case we were in any doubt that they didn’t mean it when they said they record the chat rooms…
What about profiling and social graphs… yep they’ve got that covered too (and of course no way to refuse this type of interference with your privacy):
We collect information about the people, accounts, and groups you are connected to and how you interact with them
How do they use this information? Well they don’t really want to tell you that so they just provide a list of things they “may” use it for leaving the door wide open for them to essentially use it for whatever the hell they like.
We use your contact information and (if you choose to provide us with access to it) your address book
What they don’t mention here is they actually REQUIRE you to share your address book if you want to invite any of your friends on to the platform and this includes their phone numbers.
IMPORTANT NOTE: DO NOT DO THIS! It is a breach of GDPR and DOES NOT fall under the Household Activity exception (yes we have case law in the EU for invite-a-friend referral marketing which states you must have the consent of your friend to share their personal data with a third party commercial entity).
So another breach because well, I know it is a pain in the ass but, as a company you CANNOT use personal data provided by a third party unless that data has been provided lawfully and sadly, as illustrated above, unless there is consent, disclosure of personal data in this way is NOT lawful.
Add to this the fact that they are creating demand by applying pretend limits on user registrations and the ONLY way you can currently get on the platform is via an invite from an existing subscriber meaning that the only way you can become a subscriber is if your personal data is unlawfully shared by your (ahem) “friend” and we have something of a problem… do not pass go, do not collect €200.
Can I have a Cookie, please?
When it comes to their monitoring of your Internet Activities (or as they call it “Internet Activity Data”) they are doing so much of it (all unlawfully under the ePrivacy Directive and GDPR) that they actually tell us TWICE in their privacy policy, because transparency is key, right? Never mind that they don’t have any lawful consent for these monitoring activities – at least they tell you what they are going to do before they slip the Rohypnol into your drink, right? That’s ok then…except it isn’t, it is illegal.
There is so much of this crap going on that to talk about all of it would basically require copying and pasting 80% of their privacy policy (and by the way it should be a privacy NOTICE not a policy – pet peeve) and I don’t really think that is going to be fun for anyone so you will just have to take my word for it that they are really shit at ePrivacy and GDPR compliance.
By the way, if you want to take advantage of “Single Sign On” (using Twitter or other social media credentials to sign in to Clubhouse) they will extend their sticky little fingers into all your contacts, content and account information on those other social media sites – but don’t worry, they promise they won’t actually post to those sites using your credentials… they will just slurp up ALL your data and connections because who needs Data Minimisation and Purpose Limitation anyway right (another GDPR fail to add to the list – again Article 5 if you are that interested).
What about profiling and automated decision making?
At this point it probably comes as no surprise… yep they’ve got that covered too:
We may infer your preferences for content and features of the Service, or future products and services, based on the Personal Data we collect about you.
So thats another GDPR fail then – Article 22(1) states: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling…” this is a generally prohibitive clause not an opt-out – but who cares about legal obligations anyway right? I can tell you who doesn’t, Clubhouse!
But my data is safely stored in the EU, right?
WRONG!
Your data will all be transferred to the United States, without a valid legal basis, without any required legal safeguards for transferring data to a third country without an adequacy decision. At least they are not using Privacy Shield…
Yet another breach of GDPR so they throw out the ENTIRETY of Chapter 5 of GDPR (why bother breaching a single Article when you can basically burn the entire fucking book right?).
Conclusions…
Clubhouse is a REALLY bad idea for private users, companies and investors.
As private users they are asking you to break the law by providing access to your address book in order to invite your friends to use the platform with you.
As a company, under the Facebook Pages judgment and the Schrems II judgment from the Court of Justice of the European Union, you are jointly liable for any breaches of GDPR so if you are planning to use this platform for customer engagement… DON’T. At least, not if you want to avoid a big, fat fine from an EU regulator – if you don’t mind that then you might mind a class action lawsuit under Article 80 of GDPR and I suspect your investors probably will mind. That aside, if you want to totally nuke your brand – GO FOR IT!
Clubhouse is a shining example of HOW TO BREAK EU LAW – they are so good at it they could and probably should, write a book on the subject.
Rumour has it they are seeking investment at a valuation of 1 Billion United States Dollars! – you don’t find that sort of change down the back of the sofa. My advice to potential investors/hedgefunds is, you REALLY need to do better due diligence if you think investing in this toxic venture is a good idea – as coincidence happens, my company does regular consultations on investment and M&A due diligence in relation to privacy and data protection compliance so perhaps throw some of those BILLIONS! our way to save you a pretty penny and some rather embarrassing conversations at the 19th in the (ahem) clubhouse…