Privacy-friendliness of Audio-only applications
The COVID pandemic has fast-forwarded technological evolution by at least a decade. To cater to the fast-growing needs during the pandemic and the shift to the work-from-home culture, many new applications have come up. A significant surge in the usage of video applications such as Microsoft Teams, Google Meet, and Cisco WebEx, among a plethora of others, can be witnessed around the globe during this period.
Video conferencing applications like Zoom have become a part of our lives, as most official meetings and tasks take place on them. Overusing such an application can result in burnout and tiredness, which is known as ‘Zoom fatigue’[i]. Factors like Zoom fatigue led to a felt need for audio-only applications.
The pandemic has seen the launch of several applications, including the one known as ‘Clubhouse’. The application is an audio discussion platform where like-minded people can come together to discuss their ideas and increase their network[ii]. This application, like all others, has both positives and negatives. The lack of a proper privacy policy for many applications has come into the limelight during the pandemic. Applications like Houseparty and Zoom, which gained unprecedented popularity due to the increase in their user bases, came under fire as many loopholes in their privacy policies caught the public eye[iii]. After continuous complaints by users on issues like chat leaks, selling of personal information on data black markets, Zoom bombing, etc., many experts found that the Clubhouse app violated the European General Data Protection Regulation (GDPR)[iv] and Section 72[v] of the IT Act, 2000.
Because Clubhouse was exclusive and invite-only, and because it was initially available only for iOS devices and excluded Android devices, which had a ~72% share in the smartphone marketplace, an Indian application created waves on the Internet. The Bengaluru-based application ‘Leher’ is a similar one that is being seen as an alternative to, and a desi version of, the Clubhouse application.
About the applications
Clubhouse is an audio-only, drop-in, easy-to-use application which lets people simply join any ongoing ‘live’ conversation or chat by an individual. Being live-only and real-time are the two main USPs of Clubhouse. Since it has no feature for video conferencing, recording, or even sending any type of media, the app is unlike any other conferencing application, successfully solving Zoom fatigue.
Clubhouse, being an audio-only application, has no video conferencing feature. It is being advertised as a platform to share ideas and interact. As an invite-only app, it can be joined only if an existing user invites a non-user. There is an Indian alternative to Clubhouse, called Leher. The idea behind the application is similar to Clubhouse. An added advantage of using Leher is that there is no need for an invite to join the application. Anyone can register, join the app, and join any room of their choosing.
Privacy Policy and the issues relating to it
Shadow Profiling
The creation of a shadow profile of a non-user is one of the biggest privacy concerns that has emerged. The practice of shadow profiling is what landed Facebook in trouble[vi]. During the Congressional Testimony, Mark Zuckerberg was questioned on creating shadow profiles of non-users. A shadow profile is a profile of a non-user of the platform.
In the Clubhouse app, after a user creates a profile, they have an option to invite two other people to the platform. As a part of the process, the user has to give the application access to their personal contacts in order to invite people[vii]. Using this information, Clubhouse checks the number of times a contact has appeared in other users’ contacts and creates a shadow profile of people who have not even joined the app. This shadow profile of non-users includes name, number, and potential contacts[viii].
The amount of information that the company holds about people who do not even use the application is alarming, as this information might be sold to third parties without the consent of those people.
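The aggregation described above can be reproduced on constructed data to see what contact uploads reveal about people who never registered. This is an added example, not Clubhouse's code: the upload format, the names and the phone numbers are all constructed, and `build_shadow_profiles` is a hypothetical name.

```python
import re
from collections import defaultdict

# Constructed sample: registered users (keyed by phone number) and the
# address books they uploaded. All names and numbers are made up.
REGISTERED = {"+15550100", "+15550101", "+15550102"}
UPLOADS = {
    "+15550100": [("Priya S", "+1 (555) 0199"), ("Bob", "+15550101")],
    "+15550101": [("Priya Sharma", "+1555-0199"), ("Dr. Rao", "+15550188")],
    "+15550102": [("priya (gym)", "+15550199"), ("Dr Rao", "+1 555 0188")],
}

def normalize(number):
    """Strip formatting so the same number written differently still matches."""
    return "+" + re.sub(r"\D", "", number)

def build_shadow_profiles(registered, uploads):
    """Return {non_user_number: profile}, built only from other people's uploads."""
    profiles = defaultdict(lambda: {"names": set(), "known_by": set()})
    for uploader, book in uploads.items():
        for name, raw_number in book:
            number = normalize(raw_number)
            if number in registered:
                continue  # already a user, so not a shadow profile
            profiles[number]["names"].add(name)
            profiles[number]["known_by"].add(uploader)
    # "appearances" is the count the article describes: how many users'
    # contact books contain this non-user.
    return {
        number: {
            "names": sorted(p["names"]),
            "known_by": sorted(p["known_by"]),
            "appearances": len(p["known_by"]),
        }
        for number, p in profiles.items()
    }

if __name__ == "__main__":
    found = build_shadow_profiles(REGISTERED, UPLOADS)
    for number, profile in sorted(found.items()):
        print(number, profile)
```

Neither profiled number belongs to a registered user; every field in the output comes from someone else's address book.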
Automatically collected data
Under its privacy policy[ix], Clubhouse specifically lays out guidelines regarding the information it collects automatically. Regarding internet activity data, it lists the information received in its systems whenever the user interacts with the Clubhouse service in any manner. The information received automatically includes the user’s location, email, usage data, etc. Even if the user is only visiting the Clubhouse website, information such as email and IP address gets stored in its systems.
It is normal for information deemed not to be “sensitive” to be freely shifted about, transmitted, exchanged, transferred, and sold. Even the IT Rules 2011, which under Rule 6(1) provide that disclosure of sensitive personal data by a body corporate to any third party shall require prior permission of the provider of such information, do not cover non-sensitive personal data. Those who engage in these practices seem to assume that the information in question has been given by the user knowing what the privacy policy contains and is therefore “up for grabs”[x]. The process of compiling and aggregating information almost always involves shifting information taken from an appropriate context and inserting it into one perceived not to be so. That is, the violation of contextual integrity is part of the reason why data aggregation can be considered morally offensive.
Sharing and disclosure of personal data
The actual privacy horror starts for the user when they create an account on the Clubhouse application. The Clubhouse privacy policy specifically states that they collect personal data. While users are not allowed to record or save their audio conversations, the app is allowed to do so for investigative purposes. Since the app is saving audio conversations, it reasonably follows that these messages are not end-to-end encrypted.
Clubhouse also shares some personal data, without further notice, with its service providers and vendors as a part of its business. The policy mentions that it collects information about people’s accounts, and then provides a list of purposes for which the information might be used. It can be safely assumed that the information might be used at the whims and fancies of the application.
The privacy policy of Clubhouse states that the data is processed all over the United States. It is also important to mention that certain information is retained in the archives even after the deletion of a user’s account. The Leher app, on the other hand, retains personal data for as long as they have a legitimate business purpose in keeping such data. To provide advertisements that might interest the user, they will share the device ID with measurement companies. These companies link a user’s activity on the platform with that user’s activity on other websites.
Third-Party Data
A personal data breach is defined under Section 3(29) of the draft Personal Data Protection (PDP) Bill, 2019 (The bill is yet to be passed) as “any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to, personal data that compromises the confidentiality, integrity or availability of personal data to a data principal.”
While the PDP bill (which has not been passed yet) defines a personal data breach and gives guidelines regarding it, there is no mention of a breach of a third party’s data. To join the Clubhouse app, the user is required to share their phone’s contact book, which is an important part of registering. It also helps them to invite other people from the contact book to the platform. This process involves sharing that friend’s phone number, which is a huge privacy breach, since even under European Union laws, disclosure of personal data without the consent of the person whose data is given out is unlawful.
Are Clubhouse and Leher complying with the draft PDP Bill, 2019?
Under this proposed legislation, Section 3(14) defines a data principal as an individual whose personal data is being processed. The Bill covers the processing of personal data by both the government and companies incorporated in India. It also governs foreign companies, if they deal with the personal data of individuals in India. Section 2(c) of the bill states that its provisions will apply to the processing of personal data by data fiduciaries and processors not present within the territory of India, if it is in connection with a business being carried on in India and offering goods and services to data principals within India, or in connection with any activity which involves profiling of data principals within the territory of India.
Under this proposed bill, certain rights are given to users over their personal data. Under Sections 17 and 18 of the bill, the user can seek confirmation on whether their personal data has been processed, can seek correction or erasure of their data, and can restrict disclosure of their personal data. Any processing of personal data can be done only after taking consent from the data principal.
It is also pertinent to mention that the proposed bill states that personal data of individuals can be processed without their consent only in certain circumstances, and exempts certain agencies from the provisions of the act, as mentioned in Section 37. But according to the Clubhouse app privacy policy, it can be assumed not only that a lot of personal data will be processed without the consent of the user, but also that the user will have to request erasure of their account from the application. The major points regarding the usage of personal data which we have discussed from the policy can be said to violate rules under this bill. On the other hand, Leher allows the user to delete their entire account but keeps information in an anonymized format even after termination.
Conclusion
Applications like Clubhouse have the potential to cause a major threat not only to a user’s privacy but also to the privacy of a non-user. The amount of information the application has even before a user makes an account is alarming. Tracking IP addresses and automatic storage of persons’ email is just the visible tip of the iceberg. Risks after joining such an application include giving away the phone numbers of all the people in your contact list and having all your private messages recorded where someone has access to them.
This article can be cited as:
Shambhavi Sinha and Siddhartha Misra, Privacy-friendliness of audio-only applications, Metacept- Communicating the Law, accessible at https://metacept.com/privacy-friendliness-of-audio-only-applications/.
References
[i] Jenna Lee, ‘A Neuropsychological Exploration of Zoom Fatigue’ (Psychiatric Times, 18 November 2020) <https://www.psychiatrictimes.com/view/psychological-exploration-zoom-fatigue> accessed 14 March 2021.
[ii] Rashi Varshney, ‘[App Friday] This ‘Made in India’ alternative to Clubhouse is trending among Indian entrepreneurs’ (YOURSTORY, 12 February 2021) <https://yourstory.com/2021/02/app-friday-leher-made-in-india-alternative-clubhouse> accessed 14 March 2021.
[iii] Prasid Banerjee, ‘Viral Lockdown video apps Zoom, Houseparty under scrutiny for privacy violations’ (Mint, 1 April 2020) <https://www.livemint.com/news/india/viral-lockdown-video-apps-zoom-houseparty-under-scrutiny-for-privacy-violations-11585716642493.html> accessed 15 March 2021.
[iv] Ibid.
[v] Information Technology Act 2000, s 72.
[vi] Andrew Quodling, ‘Shadow profiles – Facebook knows about you, even if you’re not on Facebook’ (The Conversation, 13 April 2018) <https://theconversation.com/shadow-profiles-facebook-knows-about-you-even-if-youre-not-on-facebook-94804> accessed 15 March 2021.
[vii] Barry Collins, ‘Clubhouse: The Hot New Social Network Has Big Privacy Problems’ (Forbes, 10 February 2021) <https://www.forbes.com/sites/barrycollins/2021/02/10/clubhouse-the-hot-new-social-network-has-big-privacy-problems/?sh=3bbc4e65e4c3> accessed 15 March 2021.
[viii] Zen Chan, ‘Clubhouse And Its Privacy & Security Risk’ (Medium, 7 February 2021) <https://medium.com/technology-hits/clubhouse-and-its-security-risk-201526fd06d1> accessed 16 March 2021.
[ix] Clubhouse Privacy Policy, accessible at <https://www.notion.so/Privacy-Policy-cd4b415950204a46819478b31f6ce14f>.
[x] Alexander Hanff, ‘Clubhouse – the next privacy nightmare you’ve never heard of’ (LinkedIn, 27 January 2021) <https://www.linkedin.com/pulse/clubhouse-next-privacy-nightmare-youve-never-heard-alexander-hanff/> accessed 18 March 2021.