A House of Woes: Lack of Privacy in Clubhouse App

April 15, 2021 In Blog, Privacy, Social Media By Kai Koppoe

Clubhouse is an audio-only social networking app that launched in March 2020 and grew in popularity while the world struggled to navigate life in the pandemic. What started as an exclusive app for Silicon Valley’s rich and famous exploded into an ultra-popular social media platform. It has become a space for individuals to connect with celebrities, for Black creatives to thrive, and people to engage in conversations with like-minded individuals, all in a conference call styled room.^[1] In order to participate, an existing Clubhouse user must provide one with an invite to the app and a year after its release invites continued to remain a hot commodity. The app boasts over ten million weekly active users^[2] and users gather to talk, learn, laugh, be entertained, meet and connect.^[3] This exchange of fascinating dialogue does come at a price–users’ privacy.

One of Clubhouse’s privacy issues stem from its handling of users’ contacts. Clubhouse users are initially given two invites and can send an invite to anyone, provided the user has their phone number. Prior to March 14, 2021, during the signup process Clubhouse requested access to a new user’s contact list. While access was not required, the design of the request page made granting access the more tempting option. A finger icon pointed to the “OK” button, which is in a bolder font and is more enticing than the adjacent “Don’t Allow” option.^[4] Importantly, users were required to upload their entire contact list, with no option to select individual contacts, in order to send invitations.^[5] Once a user agreed to share access to their contact list, Clubhouse used that information to recommend people to follow that were already on the app.^[6] Although these individuals are not Clubhouse users, Clubhouse uses their phone number to check how many times they appear in the contacts of other Clubhouse members, and provides a list of contacts for the user to invite to join, listed in order of the number of friends they already have on Clubhouse.^[7]

On March 14^th during its Town Hall, Clubhouse announced access to a user’s contact list was no longer necessary to send invites, as users can now add phone numbers directly.^[8] Users also have the option to ask Clubhouse to delete any contacts that have already been uploaded and Clubhouse plans to create a tool that will allow users to do this on their own.^[9] But is this too little too late? The app has millions of users and presumably a large portion of these users granted access to likely hundreds of their contacts. It is unclear how many users have used this option, let alone how many are aware the option exists. There is no incentive for a user to contact the company and request their contact list be deleted and there is no guidance on how long the process takes. Individuals who have purposefully stayed away from this app, have no way to have their information deleted. Even if one user goes through the deletion process, that one contact is likely still in hundreds of other users’ phones that gave Clubhouse access. This is not real solution. An individual’s phone contact list exposes potentially sensitive personal information like therapists, doctors’ offices, rehab facilities, places of worship, and drug dealers, among others.^[10] Access to this information puts certain groups’ physical safety and livelihoods at risk. Historically vulnerable populations, like sex workers, often work to keep strong boundaries between their personal and professional lives, in order to prevent harassment, loss of employment, and societal disapproval.^[11] In the year since Clubhouse launched, it has accumulated information about individuals who never joined the app or consented to Clubhouse’s policies surrounding its collection and use of their personal information.^[12]

Beyond access to users’ contact lists, the creators of this app failed to consider users’ privacy along the way. Clubhouse requests that users connect their Twitter and Instagram accounts to Clubhouse to find connections. It states it will be able to see users’ Tweets (including protected Tweets), profile information and account settings, and the accounts that users follow, block, and mute on Twitter.^[13]

Clubhouse will likely soon have to answer for its privacy failures. Clubhouse’s policies violate a number of European Union’s General Data Protection Regulation (GDPR) principles and regulators have begun to take notice. On March 17, the French Data Protection Agency, Commission Nationale de l’Informatique et des Libertés (known as the CNIL), opened an investigation to determine whether or not Clubhouse complies with the GDPR, and if it does not, the CNIL will decide if enforcement action is necessary under its own powers against the app’s company, Alpha Exploration Co.^[14] French citizens signed a petition with over 15,000 signatures and called for regulatory intervention.^[15] The French DPA has a history of issuing fines against companies that violate its Data Protection Act. For example, in 2020 it fined Google $120 million and Amazon $42 million for dropping tracking cookies without consent.^[16] In the United Kingdom there is a similar petition with over 25,000 signatures, also calling for the UK privacy watchdog, Information Commissioner’s Office, to step in.^[17] Additionally, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) announced in early February that it had requested information from Clubhouse to review its compliance with European data protection law.^[18] This occurred after Germany’s largest consumer protection organization, Federation of German Consumer Organizations, filed a complaint against Clubhouse for GDPR violations.^[19] Clubhouse will have to make a number of changes in order to avoid facing large fines by European regulators and agencies in the U.S. as well.

Clubhouse founders noted their desire to slowly expand access to the app to ensure its features can handle a large user base.^[20] However, every step along the way, Clubhouse has shown how essential it is for privacy to be a proactive measure embedded into the design of technology systems and business practices, throughout the entire lifecycle of data use.^[21] While it remains to be seen what actions regulators will take against Clubhouse, one thing is clear– there is room for improvement.

Footnotes[+]

Footnotes
1	Michael Blackmon, For Black People Trying To Make It In Entertainment, Clubhouse Is The Place To Be, BuzzFeed News (Jan. 30, 2021), https://www.buzzfeednews.com/article/michaelblackmon/how-black-creators-have-made-clubhouse-their-own [https://perma.cc/Q8C5-JMQS].
2	Brian Dean, How Many Users Does Clubhouse Have?, Backlinko (Mar. 22, 2021), https://backlinko.com/clubhouse-users [https://perma.cc/QQA7-PZYK].
3	Welcoming More Voices, Clubhouse Blog (Jan. 24, 2021), https://www.joinclubhouse.com/welcoming-more-voices [https://perma.cc/A967-QL9Y].
4	Will Oremus, Clubhouse Is Suggesting Users Invite Their Drug Dealers and Therapists, Medium (Feb. 11, 2021), https://onezero.medium.com/clubhouse-is-suggesting-users-invite-their-drug-dealers-and-therapists-a8161b3062fc [https://perma.cc/6GJM-L98D].
5	Jason Aten, Clubhouse Is Recording Your Conversations. That’s Not Even Its Worst Privacy Problem, Inc: Technology (Feb. 27, 2021), https://www.inc.com/jason-aten/clubhouse-is-recording-your-conversations-thats-not-even-its-worst-privacy-problem.html [https://perma.cc/7J9G-WAXX].
6	Id.
7	Barry Collins, Clubhouse: The Hot New Social Network Has Big Privacy Problems, Forbes (Feb. 10, 2021), https://www.forbes.com/sites/barrycollins/2021/02/10/clubhouse-the-hot-new-social-network-has-big-privacy-problems/?sh=5acf608ae4c3 [https://perma.cc/WBW5-47JB].
8	Clubhouse (@joinClubhouse), Twitter (Mar. 14, 2021, 1:39 PM), https://twitter.com/joinClubhouse/status/1371154013769453573 [https://perma.cc/6F38-9SXV].
9	Jon Fingas, Clubhouse Tackles Privacy Issues With Its Drop-In Audio Chats, Engadget (Mar. 14, 2021), https://www.engadget.com/clubhouse-phone-contacts-link-sharing-accelerator-204109327.html [https://perma.cc/3AYS-EX2P].
10	Jack Morse, How to Delete Your Clubhouse Account and Why You Might Want To, Mashable (Feb. 11, 2021), https://mashable.com/article/clubhouse-app-privacy-policy-how-to-delete-account [https://perma.cc/6R4C-JS8H].
11	Jack Morse, Deleting Your Clubhouse Account Is A Nightmare, Especially For Sex Workers, Mashable (Mar. 2, 2021), https://mashable.com/article/clubhouse-app-doxing-sex-workers-account-deletion/?utm_source=internal&utm_medium=onsite [https://perma.cc/AL2U-62CK].
12	Lourdes Turrecha, When FOMO Trumps Privacy: The Clubhouse Edition, Medium (Feb. 19, 2021), https://medium.com/privacy-technology/when-fomo-trumps-privacy-the-clubhouse-edition-82526c6cd702 [https://perma.cc/PJH2-8TZP].
13	Id.[/footnote] This grants Clubhouse even more access to information about the Clubhouse user and those who do not use the app. There is no way to preemptively block a user in the onboarding process to prevent notifying users that one has joined the app, and blocking someone on Clubhouse does not stop them from seeing one’s profile.[mfn]Sara Morrison, Clubhouse got a little less creepy thanks to a recent update, Vox: Recode (Mar. 15, 2021), https://www.vox.com/recode/22332182/clubhouse-privacy-contacts-invites-update [https://perma.cc/5QW2-3QPY].
14	Press Release, CNIL, La CNIL Ouvre Une Enquête Sur L’application Clubhouse (Mar. 17, 2021), https://www.cnil.fr/fr/la-cnil-ouvre-une-enquete-sur-lapplication-clubhouse [https://perma.cc/T5LE-NDU2].
15	Natasha Lomas, France’s Privacy Watchdog Probes Clubhouse After Complaint and Petition, TechCrunch (Mar. 17, 2021), https://techcrunch.com/2021/03/17/frances-privacy-watchdog-probes-clubhouse-after-complaint-and-petition [https://perma.cc/QDV5-GVWQ]; Victoire!! La CNIL Ouvre Une Enquête Sur Clubhouse!, SumofUs, https://actions.sumofus.org/a/clubhouse-cette-application-qui-sait-tout-de-vous (last updated Mar. 17, 2021) [https://perma.cc/MW24-MTLN].
16	Natasha Lomas, France Fines Google $120M And Amazon $42M For Dropping Tracking Cookies Without Consent, TechCrunch (Dec. 10, 2020), https://techcrunch.com/2020/12/10/france-fines-google-120m-and-amazon-42m-for-dropping-tracking-cookies-without-consent [https://perma.cc/Z8XJ-LZQD].
17	Kevin Shalvey, Clubhouse Is Being Investigated By A French Internet Watchdog, Following A Complaint Over Data Privacy, Business Insider (Mar. 21, 2021), https://www.businessinsider.com/clubhouse-investigated-french-regulator-cnil-gdpr-privacy-data-2021-3 [https://perma.cc/P3KV-H5RB]; Clubhouse: The Next Tech Privacy Nightmare, SumOfUs, https://actions.sumofus.org/a/clubhouse-the-next-tech-privacy-nightmare (last updated Mar. 17, 2021) [https://perma.cc/68QR-9YX7].
18	Hamburg: HmbBfDI Requests Information From Clubhouse Regarding Use Of Data, DataGuidance (Feb. 2, 2021), https://www.dataguidance.com/news/hamburg-hmbbfdi-requests-information-clubhouse [https://perma.cc/HF8S-8M8V].
19	Verbraucherschützer Mahnen Clubhouse Ab, Süddeutsche Zeitung (Jan. 27, 2021), https://www.sueddeutsche.de/digital/clubhouse-abmahnung-datenschutz-1.5188332 [https://perma.cc/239N-QG2S].
20	Check 1,2, 3… Is this thing on?, Clubhouse Blog (July 10, 2020), https://www.joinclubhouse.com/check-1-2-3 [https://perma.cc/Z42M-WFJ8].
21	Ann Cavoukian, Privacy by Design: The Seven Foundational Principles, Info. & Privacy Commissioner of Ont. (Aug. 2009), https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf [https://perma.cc/L2K8-V5VQ].

Kai Koppoe

Kai Koppoe is a third-year J.D. candidate at Fordham University School of Law and a staff member of the Intellectual Property, Media & Entertainment Law Journal. She holds a B.A. in International Studies and History from the University of Richmond.

A House of Woes: Lack of Privacy in Clubhouse App

A House of Woes: Lack of Privacy in Clubhouse App

Share this:

Related

Kai Koppoe