14 Comments

Don't have Clubhouse? Don't worry, they have you

  1. 3

    Well, PII leakage of phone numbers is not the real deal they are after. In fact, this leakage is most likely a mistake. The real identifying information they are going after is our voice. Very little regulation in that space and they are an audio social network for a reason after all. 😅

    cc: I know @csallen has a different POV on them (Clubhouse), but I strongly believe that turning our voices into a product that someone else can use does affect us adversely. It will likely take away a lot of freedoms that we enjoy without thinking––and in this particular case, it'd be free speech, so even verbal speak/criticism would become difficult since some device somewhere is always going to be “listening.”

    1. 1

      For the record, YouTube and other platforms that support video have been storing and processing our voices (and looks) for the past couple of decades. Not to mention podcasting platforms.

      1. 1

        And Amazon Alexa, Apple Siri, and Google Voice. I agree with you there.

    2. 1

      So glad I didn't join in on the hype :D

  2. 1

    Good thing I have it installed on an iPad ;D

  3. 1

    Here is what I learned when Clubhouse got access to my contacts. 49 other people saved my local pizza joint's phone number on speed dial.

  4. 1

    The picture and the name seem to come from your address book. I doubt that they are transmitting your address pic/name to their servers. Not sure about whether or not they could be uploading the phone number. Although, I'm aware of a few smart ways you could possibly communicate set membership without actually communicating the items in the set. The number "51 friends" doesn't have to be accurate - so it could be based off Bloom filters, or... a guess.

    1. 1

      They don't transmit names (or so they say), however, phone numbers are still PII. I can directly use them to identify an individual.

      One way would be to hash it, but assuming phone numbers have 9 digits (limited combinations) and the hash function lives on client side - they become PII.

      Think of it as a hash attack. Get every single phone number combination, create a hash and match it. That's your inverse function.

      1. 1

        > Get every single phone number combination, create a hash and match it.

        But... that's not really how proper, modern hashing works.

        If they use bcrypt (or better yet, PBKDF2) with 10,000-100,000k iterations, with proper use of unique salts, you'll have little to worry about.

        1. 1

          If you use salts, then there wouldn't be a 2nd degree connection?
          E.g. if you and me have phone number X, then we won't be connected, since we have 2 different hashes corresponding to X.

          P.S. not an expert

          1. 1

            That's an interesting point. I can think of a few ways around it while still using salts, but each workaround raises additional concerns.

            Companies like CloudSponge do a great job of harvesting user contact information while keeping it private, secure, and GDPR-compliant, but with the difference that they also do not do the n-degree cross matching.

            What worries me is we've probably given this more thought here in these comments than many apps like this do in real life. Hopefully, Clubhouse isn't playing fast and loose with this PII.

            1. 1

              One option that doesn't use hashing is to just chop the phone number in half and record a counter for half phone numbers. That could be unique enough for guessing the number of users who have the phone number, but not unique enough to identify the individual.

              I'm not sure if this still violates GDPR.

              1. 1

                It still would, as there still hasn’t been consent from others about using their number for that service. They may try to pass it off as legitimate interest, but I think it’d be shot down in court.

                When I see practices like this it really gives me concern about a lack of building systems with privacy in mind - so it only makes matters worse when you think about how much data they’re storing and how weak their infosec controls may be 😱
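
The trade-off argued in this thread, as an added example that is not part of any comment: an unsalted digest of a phone number still lets a service match contacts across users but can be mapped back to the number by enumeration, while per-uploader salts stop the enumeration and also stop the matching. Assumptions: SHA-256 as the unsalted hash, 10,000 PBKDF2 iterations, and constructed 9-digit numbers with only four free digits so the search finishes instantly.

```python
import hashlib
import os

def unsalted(number: str) -> str:
    """Digest of a phone number with no salt (assumed SHA-256)."""
    return hashlib.sha256(number.encode()).hexdigest()

def salted(number: str, salt: bytes) -> str:
    """PBKDF2 digest with a caller-supplied salt (iteration count assumed)."""
    return hashlib.pbkdf2_hmac("sha256", number.encode(), salt, 10_000).hex()

def keyspace(prefix: str, digits: int):
    """Every number made of a fixed prefix plus `digits` free digits."""
    for n in range(10 ** digits):
        yield f"{prefix}{n:0{digits}d}"

def recover(digest: str, prefix: str, digits: int):
    """Return the number whose unsalted digest matches, or None if absent."""
    for candidate in keyspace(prefix, digits):
        if unsalted(candidate) == digest:
            return candidate
    return None

def shared_contacts(book_a, book_b, digest_a, digest_b) -> int:
    """Count common contacts of two uploaders by comparing digests only."""
    return len({digest_a(n) for n in book_a} & {digest_b(n) for n in book_b})

# Constructed sample data: two address books with one number in common.
PREFIX = "55501"
ALICE = ["555010042", "555011234", "555019999"]
BOB = ["555011234", "555017777"]

if __name__ == "__main__":
    # Unsalted: matching works, and so does reversing the stored digest.
    stored = unsalted(ALICE[1])
    print("shared (unsalted):", shared_contacts(ALICE, BOB, unsalted, unsalted))
    print("recovered:", recover(stored, PREFIX, 4))

    # Per-uploader salts: digests of the same number differ, so no match.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    print("shared (salted):", shared_contacts(
        ALICE, BOB,
        lambda n: salted(n, salt_a),
        lambda n: salted(n, salt_b)))
```

A single service-wide salt would restore matching, but anyone holding that salt can enumerate the keyspace exactly as in the unsalted case.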
