ClubHouse: How safe really is this 'safe space'?

Tl;dr

Clubhouse has emerged as one of the most sought after social media platforms enabling anyone to host and participate in audio-based conversations. Considering its growing popularity, there is a need to survey its human rights due diligence. With over a million users from India alone regularly participating in Clubhouse discussion rooms, it is necessary that Clubhouse streamlines data protection and data processing practices and ensures the digital security of its users. In this post, we unfurl some of the key considerations the platform must include while fostering a robust human rights framework.

Background

As India battled a vicious second wave of the COVID-19 pandemic, forcing its population to be burrowed indoors, Indian netizens found themselves an alternative to the roadside ‘addas’ in the form of Clubhouse, a social media platform that facilitates audio-only conversations between large groups of people without the hassle of meeting links or passwords. With the launch of its Android version in May 2021, India emerged as its top market, adding about 2.6 million users since its launch.

Considering the rise of Clubhouse, reports suggest that law enforcement agencies of the Indian Government, such as the National Investigative Agency, Enforcement Directorate and Central Bureau of Investigation, are monitoring conversations on the platform. We have filed a Right to Information application with the Government of India to determine the veracity of these reports.

Concerns Emerge

Independent of our efforts to seek transparency regarding the Government's monitoring of Clubhouse, we are also concerned with the functioning of Clubhouse itself. For one, there is a rise in hate speech, disinformation and discriminatory commentary on the platform, against which the platform does not provide sufficient safeguards. There are also concerns with how respectful the platform is of user privacy. We believe that a social media platform rolled out in 2020 should have accounted for these concerns. This is because such platforms have observed how practices of organisations such as Facebook, have adversely impacted the digital rights of users. Thus, in this post, we express concerns with practices of Clubhouse and urge the platform to respect privacy, provide redressal against hate speech, and ensure due process and transparency when it censors content.

  1. Everything is not rosy at Clubhouse: When Clubhouse was initially rolled out, it did not have a privacy policy and even manipulated algorithmic discoverability tactics to access users’ personal data through invasive tracking mechanisms like cookies and pixel tags. As an aftermath of pushback from digital rights advocates, Clubhouse has come up with a privacy policy that delineates the gamut of information that they collect, use and share. However, concerns with its ability to secure users' data remain as recent reports indicate that scraped data of more than 1.3 million Clubhouse users was posted on a popular hacker forum.
  2. Data collection practices: A deeper dive into the privacy policy and data processing practices is necessary to assess how safe users’ data is with Clubhouse. The platform collects a wide array of information. This includes your name, email address, contact details, phone number, IP address, device name, operating system, the people you interact with and the time, frequency and duration of your use. Furthermore, Clubhouse facilitates easy one-step sign-on by allowing the users to synchronise their social media accounts to the platform. Thus, Clubhouse also accesses any personal information shared by the users on these platforms. Such excessive collection of data is against the principle of data minimisation which requires that Clubhouse only collects such personal information as is necessary to provide its services. Moreover, based on the specific authorisation, Clubhouse also collects phone numbers in your contact list even if those individuals are not on the platform. This undermines the right to informational privacy of those persons whose phone numbers get exposed to Clubhouse without their knowledge, let alone consent.
  3. Data Sharing practices: Clubhouse’s data sharing policies remain just as nebulous. It shares user data with vendors and service providers, business transferees as well as law enforcement agencies, if the need arises. Here again, the scope of consent and clarity on what data is being shared and for how long is lacking. This contravenes the principles of data minimisation and purpose limitation practises endorsed in global privacy law legislations. Moreover, while Clubhouse doesn’t sell information yet, there is no framework in place to prevent monetisation of data in the future. It recently also launched a pay for exclusive content feature which required users to subscribe to avail of exclusive content. Whether the rollout of this feature is in compliance with the application’s policy of not selling data is under scrutiny currently.
  4. Ambiguity over incident reporting, investigation and grievance redressal: Clubhouse temporarily records every conversation on its platform and purportedly retains them for the purposes of investigations, if a trust and safety complaint is raised during the live session. In case no complaints are made, recordings are deleted as soon as the session ends. However, the Community Guidelines does not clarify the constitution of the investigating team, the standard operating procedure the investigative team follows to address complaints and whether the recordings are removed entirely from every source once the investigation ends. There is further ambiguity around which part of the recording is retained for trust and safety concerns and if irrelevant information gets parsed from the same. For instance, if a non-muted participant forgets to leave the room, shall the recording capture even the non-related conversations of the said participant? Moreover, if complaints are raised post the session, it is unclear how Clubhouse will investigate them since recordings are deleted as soon as the session ends.
  5. Possibility of data spillage: While the conversations retained for investigations are protected by server-side encryption, regular conversations remain unprotected. Consequently, threats of plausible data leaks through vendors and back-end service providers persists. Concerns over Clubhouse’s data sharing practices were aggravated by a Stanford Internet Observatory report about alleged data spillage to a China based company which provides back-end support to Clubhouse. This augments the threat of state surveillance. While streamlined data protection legislations like the California Consumer Privacy Act, 2018 or the General Data Protection Regulation pertaining to EU countries enable due safeguards against any plausible misuse of data, in the absence of a data protection legislation in India, fear of the overreach of state interventions and subsequent persecution looms large.

Clubhouse should provide a Human Rights Policy and volunteer for a Civil Rights Audit

As a platform that buttresses free and open conversations, Clubhouse is posited as an application that empowers many and facilitates democratic interactions between people across diverse socio-cultural milieu. At present, the Community Guidelines of Clubhouse reflect the intent to adhere to the Santa Clara Principles on Transparency and Accountability of Content Moderation, 2018. But, as incidents of breaches grow, Clubhouse’s content moderation tactics would have to be evaluated according to these principles. Independent assessment of hate speech and disinformation needs to include systemic fixes in a way that trust and credibility is ensured in the review process.

We urge Clubhouse to provide a human rights policy. The United Nations Guiding Principles on Businesses and Human Rights require ‘business enterprises’ to maintain a minimum standard of human rights across jurisdictions. The policy will guide Clubhouse towards ensuring that it is respectful of digital rights as it grows and enable users to understand how the platform accounts for human rights in its governance of the platform. The policy should provide for an independent civil rights audit similar to the one Facebook volunteered for in the United States of America. The periodic audit will examine Clubhouse’s efforts to respect and defend human rights on its platform, evaluate how Clubhouse complies with its community guidelines and privacy policy, and provide its recommendations.

We believe that civil rights audits of social media entities are extremely important. In this day and age, these entities hold immense power in regulating speech and it is important that there is an independent evaluation of how such regulation takes place. A comprehensive human rights audit is the only way to mitigate the dual threat of hate & disinformation on the one hand and state/corporate surveillance on the other. As a new age social media platform, a robust and human rights compliant privacy policy is the first step towards making Clubhouse a more democratic and transparent space.

Important Documents

  1. Privacy Policy of Clubhouse, May 9, 2021 (link)
  2. Community Guidelines of Clubhouse, April 5, 2021 (link)
  3. Previous blog post titled ‘Examining Facebook’s Human Rights Policy ’, March 30, 2021 (link)
  4. Terms of Services of Clubhouse, May 5, 2021 (link)
  5. Boom Report titled Inside Clubhouse India: Is it the new ground for polarisation, June 18, 2021 (link)
  6. Quint Report titled Govt Prying on Clubhouse Rooms, Violating App’s Terms of Services, June 14, 2021 (link)
  7. Santa Clara Principles, February 2018 (link)
  8. United Nations Guiding Principles on Business and Human Rights (link)