I took some pushback a while back for my criticism of Clubhouse. Actually, it wasn’t even criticism; I simply pointed out a few of the issues with the company’s privacy practices, including the fact that–at the time–the company was recording your conversations, even though you couldn’t record them yourself.
It seems a lot of people want to give the company some slack. “It’s new, and trying to figure things out. Besides, it’s not doing anything any other social media network isn’t already doing,” was the general sentiment.
I suppose the first is a reason to give the company the benefit of the doubt. The latter, however, isn’t. But, for what it’s worth, giving a company the benefit of the doubt isn’t the same as giving it a blank check to behave however it wants. Behaving like Facebook, for example, isn’t exactly setting the bar particularly high.
Facebook gets plenty of criticism over how it handles user data, and the way the company often responds isn’t any better. In that sense, maybe Clubhouse is pretty similar to Facebook.
On Sunday, Cyber News reported that 1.3 million Clubhouse users had their personal data leaked online. Almost every tech publication that I follow picked up the story that a database with user names, social media profiles, and other information had been leaked on a hacker forum.
That is starting to sound similar to recent news that the data of 500 million users that was leaked from Facebook back in 2019 had resurfaced online for free. I wrote, in the piece linked above, that the real problem wasn’t that the information was out there, but Facebook’s response–or lack thereof.
“This is old data that was previously reported on in 2019,” a spokesperson told Bloomberg in a statement. “We found and fixed this issue in August 2019.”
My point was that Facebook was ignoring the real problem–which is that user data is out there, and the company has never even notified users that were affected–but claiming victory anyway.
It’s as if the company wants to take credit for fixing a problem because it patched a massive hole in its security, even though none of the stolen goods have been recovered. I reached out to Facebook directly, but the company did not immediately respond.
That’s a problem because Facebook knows a lot about you, perhaps more than any other company on earth. The information that Facebook gathers is what it uses to show you targeted advertisements. But in the hands of hackers and criminals, it can be used for much more nefarious purposes.
Imagine if robbers were able to steal the contents of a bank vault because someone left the door open and unguarded (which is basically what Facebook did with your personal information). That would be bad. It would be even worse if the bank’s response after the fact was, “Yeah, we know that a bunch of your money is gone, but we’ve closed the vault and changed the combination.”
The problem isn’t just that the vault was left open, it’s that everything inside was stolen and hasn’t been recovered. That’s the real problem and it hasn’t been fixed.
Essentially, since Clubhouse assigns user IDs in sequential order, it appears that a hacker could have simply called the Clubhouse API, changed the ID over and over again, and scooped up all the publicly available information for each. That isn’t technically a “hack” or a “leak,” but it’s certainly not a good thing that Clubhouse designed its API in a way that anyone could do this.
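A defender's view of the pattern described above, as an added example that is not part of the original article and not Clubhouse's code: it flags API clients whose profile lookups walk consecutive user IDs. The log format, client tokens and thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Assumed log format (constructed, not Clubhouse's): "<epoch> <client> GET /profile/<user_id>"
LINE_RE = re.compile(r"^(\d+) (\S+) GET /profile/(\d+)$")

def longest_sequential_run(ids):
    """Length of the longest run of requests where each ID is the previous one plus 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumerators(lines, min_distinct=20, min_run=10):
    """Return {client: (distinct_ids, longest_run)} for clients that walk the ID space."""
    per_client = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the expected format are skipped
            per_client[m.group(2)].append((int(m.group(1)), int(m.group(3))))
    flagged = {}
    for client, hits in per_client.items():
        ids = [uid for _, uid in sorted(hits)]  # order requests by timestamp
        distinct = len(set(ids))
        run = longest_sequential_run(ids)
        if distinct >= min_distinct and run >= min_run:
            flagged[client] = (distinct, run)
    return flagged

def sample_log():
    """Constructed sample: one client walking IDs 1000..1039, one browsing normally."""
    lines = [f"{1618000000 + i} token-A GET /profile/{1000 + i}" for i in range(40)]
    normal = [4821, 17, 4821, 90233, 512, 17, 7750]
    lines += [f"{1618000005 + 60 * i} token-B GET /profile/{uid}" for i, uid in enumerate(normal)]
    lines.append("malformed line")
    return lines

if __name__ == "__main__":
    for client, (distinct, run) in find_enumerators(sample_log()).items():
        print(f"{client}: {distinct} distinct profiles, longest sequential run {run}")
```

Detection like this complements design fixes such as non-guessable identifiers and per-client rate limits; it does not replace them.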
“This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API.”
“No, this is misleading and false, it is a clickbait article, we were not hacked. The data referred to was all public profile information from our app. So the answer to that is a definitive ‘no.’”
All of which appears to be technically true. The thing is, I don’t think that when people joined Clubhouse, they expected their personal information to be gathered up and made available in a single database on a hacker forum.
For example, my house number is public information. It’s on the front of my house. Anyone who drives by my house can see the number on it. That doesn’t mean I expect someone to randomly drive around, collect house numbers, and publish them online with other personal information about me.
(And yes, I understand there was a time when phone companies used to do exactly that. At least, in that case, you could opt for an “unlisted” number and avoid the whole thing.)
The point is that even when something is available publicly, accessing that information involves some degree of friction. Scraping it all and putting it in a single database is different, if for no other reason than it’s not what we expect when we choose to use a service like Clubhouse–to say nothing of the fact that it just makes it easier for anyone with that information to use it for phishing or other scams.
I understand why the company felt the need to push back so hard–it’s in the middle of raising a lot of money and trying to establish itself before its much larger competitors are able to build clones that overtake it.
Still, the fact that the company is in such a hurry to grow that it isn’t taking the time to build better privacy protections into the app is a problem. Even worse is the company’s “it’s all fake news” response that shows Clubhouse doesn’t seem to think it has a problem at all.