Clubhouse app has major privacy, security flaws

Clubhouse, an invitation-only audio-chat social networking app, has soared in popularity due to a growing interest in sound-based products with the recent rebound of the podcast.

However, Kaspersky warns that it can create a false sense of security, privacy, and closeness, in part due to how its registration works. 

Users believe themselves to be surrounded by like-minded people and friends, which makes them behave more authentically than they would in front of strangers. According to the security giant, this creates an opportunity for attackers, who are always on the lookout for ways to use any accidentally mentioned information against a victim. In this instance, a user wouldn’t be able to prove the phrase was, for example, taken out of context, unless the conversation is recorded in advance.

“Theoretically, such cases could lead even to blackmailing a targeted person by demanding to pay a ransom,” the company says.

In addition, Kaspersky says it is important to remember that everything spoken or written within the app is not only heard and seen by those present but also collected and analysed by the service itself.

Clubhouse collects content, communications, and other information that participants provide, including when they sign up for an account, create or share content, and message or communicate with others.

To create and manage an account, a user provides personal data, including name, phone number, a photo, an e-mail address, and a username. The app temporarily records the audio in a room while the room is live. Moreover, the data collected about the participants may also be given to third parties, albeit for temporary use.

Against the GDPR

Alexander Hanff, a privacy advocate and co-founder of SynData AB, said in a LinkedIn post that the app goes against the GDPR in several ways. It collects information about the people, accounts, and groups users are connected to and how they interact with them, but doesn't specify how the information is used.

Moreover, the app uses profiling and automated decision making, records audio (albeit temporarily), monitors users' Internet activity, and stores their information outside the EU, in the US.

For companies, the app is particularly dangerous, he says. “As a company, under the Facebook Pages judgment and the Schrems II judgment from the Court of Justice of the European Union, you are jointly liable for any breaches of GDPR so if you are planning to use this platform for customer engagement...don't. At least, not if you want to avoid a big, fat fine from an EU regulator - if you don't mind that then you might mind a class action lawsuit under Article 80 of GDPR and I suspect your investors probably will mind. That aside, if you want to totally nuke your brand, go for it,” he said.

Alexey Firsh, a security researcher at Kaspersky, says on the whole, Clubhouse’s Privacy Policy is pretty standard. “However, when you share something on such social networks, it’s very important to always remember that you actually can’t be 100% sure what will happen with your shared data, so you have to be prepared for the fact that one day it may leak to the general public, or someone may simply record it,” ends Firsh.

Kaspersky warns that users must remember that the Internet, especially discussion and social platforms, is a public place, and that behaviour on it should be appropriate for the public.
