Is ClubHouse, the hot discussion app of late 2020, a private platform? Ask Alexander Hanff, online privacy specialist, speaker and consultant, and he’ll tell you what follows. Reproduced with his consent from his LinkedIn post here.
TLDR; it is shit, it is massively unlawful – stay away!
“Hi Alex I just got an invite to Clubhouse. What do you think of the platform? I can send you an invite if you don’t have one already if you want to check it out, it’s all the rage!” appeared in my Signal messenger app last night on my phone – sent from a friend and business colleague almost fizzing with enthusiasm.
I had to check it out obviously, given the FOMO nature of the 21st Century (a philosophy, I should add, that I do not subscribe to). Was this a new E2EE messenger app to challenge the floundering WhatsApp? Perhaps a new Open Source social media platform to finally take on the woeful performance of LinkedIn?
Let’s get started shall we…
End to End Encryption (e2ee)
“Audio: Solely for the purpose of supporting incident investigations, we temporarily record the audio in a room while the room is live. If a user reports a Trust and Safety violation while the room is active, we retain the audio for the purposes of investigating the incident, and then delete it when the investigation is complete. If no incident is reported in a room, we delete the temporary audio recording when the room ends.”
So if they are recording the conversations in the room for investigative purposes, clearly the audio messages are not end to end encrypted. This is a big problem (at least in the EU) as under the ePrivacy Directive (2002/58/EC) the confidentiality of communications is required, and interception of those communications can only occur legally with the consent of all parties engaged in that communication. Given the European Electronic Communications Code came into effect in December 2020, this includes “over the top” services such as messenger apps and the definition of consent relies on Article 4 of the General Data Protection Regulation (GDPR) which states that consent must be specific, informed and cannot be a condition of access to the service. In fact just today the Norwegian Privacy Regulator issued a notice to Grindr of intent to fine them 10 million Euros for (in part) requiring people to provide consent to processing which is not strictly necessary in order to access the service. This is a big pile of No No in the EU.
Further, GDPR requires privacy by design and default (well technically data protection by design and default but it amounts to the same thing) under Article 25 – clearly the ability of Clubhouse to record all conversations (however temporarily and what is temporary anymore anyway right?) doesn’t meet this legal requirement.
So no E2EE then and so far we have violations of GDPR under Article 5 (security principle, proportionality principle and necessity principle), Article 6 (invalid consent due to access to service provision and therefore no valid legal basis), Article 25 (data protection by design and by default), and of course Article 5 (confidentiality of communications) of the ePrivacy Directive.
OK so we know that these guys are clowns already because they have failed to meet even the basic principles of EU law as soon as you start using their platform. So let’s dig a bit deeper.
“We collect content, communications, and other information you provide, including when you sign up for an account, create or share content, and message or communicate with others.”
Oh look another breach of ePrivacy Directive Article 5 (confidentiality of communications) just in case we were in any doubt that they didn’t mean it when they said they record the chat rooms…
What about profiling and social graphs… yep they’ve got that covered too (and of course no way to refuse this type of interference with your privacy):
“We collect information about the people, accounts, and groups you are connected to and how you interact with them”
How do they use this information? Well they don’t really want to tell you that so they just provide a list of things they “may” use it for leaving the door wide open for them to essentially use it for whatever the hell they like.
“We use your contact information and (if you choose to provide us with access to it) your address book”
What they don’t mention here is they actually REQUIRE you to share your address book if you want to invite any of your friends on to the platform and this includes their phone numbers.
IMPORTANT NOTE: DO NOT DO THIS! It is a breach of GDPR and DOES NOT fall under the Household Activity exception (yes we have case law in the EU for invite-a-friend referral marketing which states you must have the consent of your friend to share their personal data with a third party commercial entity).
So another breach because well, I know it is a pain in the ass but, as a company you CANNOT use personal data provided by a third party unless that data has been provided lawfully and sadly, as illustrated above, unless there is consent, disclosure of personal data in this way is NOT lawful.
Add to this the fact that they are creating demand by applying pretend limits on user registrations and the ONLY way you can currently get on the platform is via an invite from an existing subscriber meaning that the only way you can become a subscriber is if your personal data is unlawfully shared by your (ahem) “friend” and we have something of a problem… do not pass go, do not collect €200.
Can I have a Cookie, please?
By the way, if you want to take advantage of “Single Sign On” (using Twitter or other social media credentials to sign in to Clubhouse) they will extend their sticky little fingers into all your contacts, content and account information on those other social media sites – but don’t worry, they promise they won’t actually post to those sites using your credentials… they will just slurp up ALL your data and connections because who needs Data Minimisation and Purpose Limitation anyway right (another GDPR fail to add to the list – again Article 5 if you are that interested).
What about profiling and automated decision making?
At this point it probably comes as no surprise… yep they’ve got that covered too:
“We may infer your preferences for content and features of the Service, or future products and services, based on the Personal Data we collect about you.”
So that’s another GDPR fail then – Article 22(1) states: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling…” this is a generally prohibitive clause not an opt-out – but who cares about legal obligations anyway right? I can tell you who doesn’t, Clubhouse!
But my data is safely stored in the EU, right?
Your data will all be transferred to the United States, without a valid legal basis, without any required legal safeguards for transferring data to a third country without an adequacy decision. At least they are not using Privacy Shield…
Yet another breach of GDPR so they throw out the ENTIRETY of Chapter 5 of GDPR (why bother breaching a single Article when you can basically burn the entire fucking book right?).
Clubhouse is a REALLY bad idea for private users, companies and investors.
As private users they are asking you to break the law by providing access to your address book in order to invite your friends to use the platform with you.
As a company, under the Facebook Pages judgment and the Schrems II judgment from the Court of Justice of the European Union, you are jointly liable for any breaches of GDPR so if you are planning to use this platform for customer engagement… DON’T. At least, not if you want to avoid a big, fat fine from an EU regulator – if you don’t mind that then you might mind a class action lawsuit under Article 80 of GDPR and I suspect your investors probably will mind. That aside, if you want to totally nuke your brand – GO FOR IT!
Clubhouse is a shining example of HOW TO BREAK EU LAW – they are so good at it they could and probably should, write a book on the subject.
Rumour has it they are seeking investment at a valuation of 1 Billion United States Dollars! – you don’t find that sort of change down the back of the sofa. My advice to potential investors/hedge funds is, you REALLY need to do better due diligence if you think investing in this toxic venture is a good idea – as coincidence happens, my company does regular consultations on investment and M&A due diligence in relation to privacy and data protection compliance so perhaps throw some of those BILLIONS! our way to save you a pretty penny and some rather embarrassing conversations at the 19th in the (ahem) clubhouse…