Can we trust Clubhouse on the confidentiality of our data?

The new Clubhouse social network.

-

SOPA Images

• The French gendarme of personal data (Cnil) has opened an investigation into how Clubhouse uses the private information of its users.

• "When a person is invited to register by a member, the application accesses all of their contacts to find other Clubhouse users", denounces Me Merav Griguer, lawyer and teacher at Sciences-Po and Assas, specializing in the protection of personal data.

• Several security vulnerabilities have also been detected in recent weeks on the American platform.

It's the trending social network right now.

The Clubhouse platform has experienced tremendous growth in recent weeks.

Available by invitation - and only on iPhone -, it allows its users to come together in a virtual lounge (called, "

 room"

) to have a conversation, only audio, on various themes and more or less interactive formats: questions - responses from investors, political figures, chatting with friends, celebrity interviews with thousands of listeners or even musical improvisations.

A format currently popular, because of the health context.

But today, several users and associations are worried about the risks that the new application poses in terms of personal data protection.

In France, a petition gathering to date more than 10,000 signatures is circulating to alert on possible breaches of privacy.

Alerted, the French gendarme of personal data (Cnil) on Wednesday opened an investigation into how the new darling of social networks uses the private information of its users.

"The investigation should make it possible to confirm" whether the European legislation on data protection (RGPD) is indeed applicable to the company, and if this one respects it, specified the CNIL.

The audio conversations of the

recorded

rooms

?

As with any new and booming social media, there are many questions regarding security and privacy, both in the registration process and in how the app protects its content today.

Doubts about the confidentiality of personal data appear during the registration process.

“When someone is invited to join by a member, the app accesses all of their contacts to find other Clubhouse users.

The platform therefore has access to your entire directory.

On what basis, since there is no consent?

“Asks Me Merav Griguer, lawyer and teacher at Sciences-Po and Assas, specializing in the protection of personal data.

“The application, which is free to join, also encourages users to connect their Twitter and Instagram accounts to find people, or for their contacts to find them […] Many users have indicated that their contact details have been shared with other users without their permission.

This lack of transparency once again demonstrates the truth behind the well-known saying: "If it's free, then you are the product", adds Jonathan Fischbein, Chief Information Officer. at Check Point Software.

Several security vulnerabilities have also been detected in recent weeks.

Cyber ​​security experts discovered that users were sharing login information remotely, pulling audio and metadata from Clubhouse to an external site.

An unidentified user thus streamed audio conversations from “multiple rooms” to their own third-party website.

“Recording a user's conversations without their consent is contrary to the GDPR and other legal provisions.

This proves that in terms of security, the platform has many flaws.

And it is very problematic ”, details Me Merav Griguer.

User data accessible in China?

The other major point that poses a problem is the issue of data transfers outside the European Union.

“In Clubhouse's privacy policy, users are not informed that data is transferred to the United States.

A legal framework would be needed to allow this transfer, which in principle is prohibited outside the European Union under the General Data Protection Regulation, ”recalls the lawyer and teacher specializing in the protection of personal data.

A survey conducted by the Stanford Internet Observatory (SIO) further established that the application's basic infrastructure was provided by a real-time engagement software provider based in Shanghai (China).

"The WIS has discovered that Clubhouse unique user IDs and chat room IDs are transmitted in the clear to its central infrastructure, potentially exposing these details to the Chinese government," says Jonathan Fischbein of Check Point Software. .

According to experts, therefore, it is possible that the Chinese government had access to users' audio content.

An application "victim" of its meteoric rise

The American application, which has seen its use spiked in recent weeks by the containment measures adopted around the world, therefore seems today a little overwhelmed by all these dysfunctions.

“It is a platform that has met with great and rapid success, and we now realize that the legal aspect was not so well put together at the start.

But all these dysfunctions can be corrected.

The platform could quickly become compliant with data protection requirements since the main shortcomings have been identified.

This is probably what she will do in the coming weeks, ”admits Me Merav Griguer.

On the other hand, there is an element that could persist in terms of the risk of invasion of privacy and individual freedoms, "it is the fact of organizing

rooms

on subjects which touch on very sensitive data, such as political convictions, sexual orientations, religious ... As it stands, this is a pool of sensitive data that could end up in the hands of malicious people.

The risk is real.

We will therefore have to quickly find safeguards, particularly serious ”, adds the lawyer specializing in the protection of personal data.

But the biggest risk today for Clubhouse, it is especially the loss of confidence of its users.

If it does not want to lose a large part of its subscribers in Europe, the platform will have no other choice but to comply with European regulations.

“Other procedures have been launched in Germany, and in Italy in particular.

If Clubhouse does not comply with the requirements, the CNIL - and the other European regulatory bodies - will be particularly strict on the subject and will deploy all the legal and repressive arsenal at their disposal, ”warns Me Merav Griguer.

Web

Clubhouse: We went to discover the ultra-select application where only the voice counts

Politics

Twitch, Clubhouse… Why politicians are launching on these “new” social networks

• By the Web

• Investigation

• CNIL

• Cybersecurity

• Private life

• GDPR

• Social networks

• Personal data

• Platform