[HN Gopher] Clubhouse uploads all your contacts
___________________________________________________________________
Clubhouse uploads all your contacts
Author : sleepyhead
Score : 105 points
Date : 2021-01-08 15:15 UTC (7 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| finger wrote:
| I imagine this is not Clubhouse.io?
|
| Confusing when different products have the same name.
| larsnystrom wrote:
| I absolutely thought this was clubhouse.io until I had a closer
| look at the screenshots. I have no idea what this other
| clubhouse app is. Confusing indeed.
| lights0123 wrote:
| And so does every other social media platform. Signal does so
| with hashes
| (https://support.signal.org/hc/en-us/articles/360007061452-Do...),
| but there are so few phone numbers that it would be trivial to
| brute force or rainbow table all the possible values.
| AlexandrB wrote:
| I wish Signal didn't use phone numbers as identifiers. That's
| the original sin of all these apps and the convenient excuse
| for uploading contacts.
| beaudin wrote:
| Public, the stock trading app, does this as well. Same interface
| (your contact has x friends) but it seems this is a growing
| and worrisome trend.
| rio517 wrote:
| I'm assuming Signal is following best practice. How else could
| one match contacts without uploading some contact data?
| saagarjha wrote:
| Signal's "best practice" for a while was to use special
| hardware that relied on trusting Intel in the best case but in
| practice was also perpetually being broken into...
| sleepyhead wrote:
| There is no need to upload or match contacts in this case. It
| is a required step for inviting a new user. The invite SMS is
| even sent from the device, not by Clubhouse.
| ljlolel wrote:
| One of the recent versions sends it from Clubhouse servers,
| not the device.
| rio517 wrote:
| Oh! I see. I was thinking of matching users in your list
| with those already on the platform. In this case, that
| means N number of users already sent their contact lists to
| Clubhouse and Clubhouse is keeping and using that data.
| neom wrote:
| I was extremely annoyed last week when my friend messaged me and
| asked me if I was going to use Clubhouse, I said no I don't think
| anyone I know would be using it. She said, well.. you have 63
| friends using it, I said... I don't have 63 friends! She then
| proceeded to send me a screenshot with a list of her contacts not
| on Clubhouse that shows how many of their contacts are on it. I
| don't know why this bothered me so much, but for whatever reason
| it did.
| cmroanirgo wrote:
| This is precisely why iOS and Android should never have allowed
| an app direct access to our Contacts. Rather, everything from
| the API should be anonymous hashes AND be different per
| application. The OS should also have supplied a "Contact list
| UI" that gave apps a unified way of displaying contacts without
| giving away the keys to the kingdom.
|
| Otherwise, once your contact list is uploaded, everyone's
| privacy is violated.
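
Added example (not part of the thread, and not Signal's, Apple's or Google's code): the two hashing points raised above, lights0123's remark that plain phone-number hashes can be enumerated and cmroanirgo's proposal of per-application hashes, sketched in Python. The phone number, OS key and app ids are constructed, and `per_app_token` is a hypothetical OS-side scheme.

```python
import hashlib
import hmac


def plain_token(number: str) -> str:
    """Unkeyed SHA-256 of a phone number: the naive 'upload only hashes' scheme."""
    return hashlib.sha256(number.encode()).hexdigest()


def per_app_token(os_key: bytes, app_id: str, number: str) -> str:
    """Hypothetical OS-side scheme: derive a key per app, then HMAC the number.

    The app only ever sees the token; os_key never leaves the OS.
    """
    app_key = hmac.new(os_key, app_id.encode(), hashlib.sha256).digest()
    return hmac.new(app_key, number.encode(), hashlib.sha256).hexdigest()


def enumerate_preimage(token: str, prefix: str, digits: int):
    """Walk every number in one block and compare unkeyed hashes.

    Returns the matching number, or None if nothing in the block matches.
    """
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hmac.compare_digest(plain_token(candidate), token):
            return candidate
    return None


# Constructed sample data (555-01xx is a fictional-use range).
SAMPLE_NUMBER = "+12025550142"
OS_KEY = b"constructed-device-secret"

if __name__ == "__main__":
    # The unkeyed hash is reversed by walking a 10,000-number block.
    print(enumerate_preimage(plain_token(SAMPLE_NUMBER), "+1202555", 4))

    # Per-app tokens differ between apps, so they cannot be joined across services.
    a = per_app_token(OS_KEY, "app.one", SAMPLE_NUMBER)
    b = per_app_token(OS_KEY, "app.two", SAMPLE_NUMBER)
    print(a != b)

    # Without the OS-held key, the same enumeration finds nothing.
    print(enumerate_preimage(a, "+1202555", 4))
```

The keyed variant only holds up while the key stays out of the app's reach; an app that can read the key can enumerate exactly as before.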
| hundchenkatze wrote:
| The terseness of their permission request does not meet Apple's
| review guidelines. It's almost identical to one of Apple's
| unacceptable examples.
|
| https://developer.apple.com/design/human-interface-guideline...
|
| https://developer.apple.com/app-store/review/guidelines/#5.1...
|
| Is there a way to report the app to bring it to Apple's
| attention?
| saagarjha wrote:
| Sadly, it doesn't seem so. The fact that there is no clear
| place to do this is honestly quite ironic given that Apple
| requires all third-party apps to have an easy way to report
| rulebreaking content...
| edualm wrote:
| There is actually! I was told about it over the phone with an
| App Review rep a few weeks ago. I didn't write it down
| unfortunately, but I think it was appreview@apple.com -
| googling for that e-mail address returns some results, so I
| am pretty positive that was it.
| hundchenkatze wrote:
| Awesome! It seems that most of the references in search
| results are around interactions between Apple and
| developers. But it definitely looks like the best place to
| send violations as well. Thank you!
| nowherebeen wrote:
| I just sent them an email. Other developers should too
| because everyone should play by the same rules.
| Nextgrid wrote:
| A little-known fact is that Uber also does this, or at least used
| to. On iOS when you try to copy a link to follow your trip it
| first asks for contacts permissions with a bullshit reason -
| declining doesn't have any ill effects but obviously it's
| designed to try and catch users off-guard or make them think it's
| mandatory and I guess a lot of people do submit.
| m463 wrote:
| I think there should be dark patterns and ... darkest patterns.
| protomyth wrote:
| It would actually be a neat UI to show the person's contacts
| letting the person pick which one to try with a "match the hash"
| function that shows the one way hash generated and does a "ping"
| on the service to see if someone matches.
|
| Won't happen, but would be a fun UI to do.
| meekmockmook wrote:
| Lol Big Tech spying on their own. Beautiful.
| archibaldJ wrote:
| This is not Clubhouse.io but joinClubhouse.com, an invite-only
| Zoom/gather.town alternative for organising events. I have a few
| friends in San Francisco using it but doesn't look like it's
| well-known outside the circle.
|
| Think they've been growing a lot in the recent months and getting
| more popular.
|
| Curious what is the legal implication from a privacy perspective
| if they are only uploading the hashes.
| mtnygard wrote:
| Thanks for clarifying that. I've got a generally good opinion
| of clubhouse.io and was concerned.
| sdfhbdf wrote:
| Why is it against GDPR if somebody agreed to it and agreed to
| their Privacy Policy [1]? I don't understand the claim in this
| tweet exactly. I think some context is missing.
|
| [1]: https://www.notion.so/Privacy-Policy-cd4b415950204a46819478b...
| tauntz wrote:
| AFAIK the issue is that the service is pulling in PI of other
| people without their consent.
|
| You cannot store my name/phone number etc without my consent -
| even if you got that data from one of your users' contact lists.
|
| Please correct me if I'm wrong. IANAL.
| secondcoming wrote:
| If my number is in your phonebook, you cannot give consent to
| Clubhouse to get that info on my behalf.
| theodorton wrote:
| I believe the "We need contacts permission" message is key
| here. The message should include the purpose the contact data
| will be used for when asking for consent.
|
| > Specific - consent must relate to specific actions relating
| to the data rather than for any purpose the business wants it.
| For example, if the data is for a newsletter subscription, it
| must say exactly that.
|
| https://www.gdpreu.org/the-regulation/key-concepts/consent/
___________________________________________________________________
(page generated 2021-01-08 23:02 UTC)