Clubhouse really likes your phone book
This article is also available in German.
tl;dr: Every time you open the invite tab, Clubhouse uploads all the phone numbers from your address book.
Clubhouse is currently invite-only, which is probably part of the current hype. To invite someone you have to give Clubhouse access to your address book. This has been criticized several times, and there has been a lot of discussion about how Clubhouse uses this address book data. We took a look and document how Clubhouse currently uses the data from your address book and how it could be done better.
Invites to Clubhouse
After registering, the Clubhouse app asks for access to your address book. This must be granted if you want to invite friends.
After clicking the Invite button, the app uploads all phone numbers in your address book to its servers to find out which of your contacts can be invited and which are already registered with Clubhouse.
No names or further information are transferred, only the phone numbers. However, Clubhouse has access to this data and could decide to upload it as well in a future version without users noticing.
As a response, the server delivers a list of all phone numbers that can be invited or that are already on Clubhouse.
The upload happens not only the first time the invite tab is accessed, but is repeated every time you open the tab. This means that Clubhouse could create a complete history of your contacts from the time you registered with the app, and theoretically also knows which people you probably met only recently.
Alternatives
This procedure is highly questionable from a privacy point of view, especially since Clubhouse grants itself extensive usage rights to the uploaded contact data [1]. In addition, a hidden social graph can be created that also includes contacts who are not registered with Clubhouse and have never agreed to the terms of use.
There are other ways to find contacts. For example, Signal uses a complicated contact discovery protocol to make sure that the servers do not have permanent access to your contact data.
It would also be possible to perform the comparison using only the hash values of the phone numbers, as suggested by the Saarland data protection authority. While this would mean that the plain phone numbers are no longer known to the servers, a social graph could still be created, including for contacts who are not using Clubhouse. The Signal article linked above describes in further detail why hashing is not always an adequate solution.
Update 1: Hashing
Since we already got feedback (thank you, Matthias): hashing is not sufficient protection [2, 3]. Because there are relatively few possible phone numbers, they can simply be brute-forced. We didn't want to leave this option unmentioned, because the Saarland data protection authority suggested this method.
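To make the two points above concrete (plain hashes can be reversed because the number space is small, and a server can still link users' uploads into a social graph without reversing anything), here is an added demonstration. It is not code from the original article, from Clubhouse or from Signal; the number prefix and the four-digit subscriber space are constructed for the demo so it enumerates only 10,000 numbers, but the same loop scales to a full national numbering plan.

```python
import hashlib

# Constructed toy number space (assumption for the demo): one mobile
# prefix with a 4-digit subscriber part, i.e. 10,000 possible numbers.
# Real plans have more digits, but the space stays enumerable.
PREFIX = "+4915112"
SUFFIX_DIGITS = 4


def hash_number(number: str) -> str:
    """Hash a phone number the way a naive 'upload only hashes' client would."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def build_lookup_table(prefix: str = PREFIX, digits: int = SUFFIX_DIGITS) -> dict:
    """Precompute hash -> number for every number in the space.

    This is all a server (or anyone holding a database dump) needs to turn
    uploaded hashes back into phone numbers; there is no secret to guess.
    """
    table = {}
    for i in range(10 ** digits):
        number = f"{prefix}{i:0{digits}d}"
        table[hash_number(number)] = number
    return table


def recover_numbers(uploaded_hashes, table: dict) -> list:
    """Map each uploaded hash back to its number (None if outside the space)."""
    return [table.get(h) for h in uploaded_hashes]


def shared_contacts(upload_a, upload_b) -> set:
    """Graph edges the server learns from two users' uploads without reversing
    a single hash: identical hashes mean identical numbers."""
    return set(upload_a) & set(upload_b)


if __name__ == "__main__":
    # Constructed address books of two users; the numbers are made up.
    alice_book = ["+49151120042", "+49151121234", "+49151129999"]
    bob_book = ["+49151121234", "+49151129999", "+49151120001"]
    alice_upload = [hash_number(n) for n in alice_book]
    bob_upload = [hash_number(n) for n in bob_book]

    table = build_lookup_table()
    print("recovered:", recover_numbers(alice_upload, table))
    print("shared by alice and bob:", len(shared_contacts(alice_upload, bob_upload)))
```

Building the table takes a fraction of a second here; the server can keep it around and recover every upload instantly, and the set intersection shows that even unreversed hashes are enough to record that two users know the same people.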
Update 2: How to do it better
Privacy-preserving contact discovery is hard. However, Clubhouse does not use the phone numbers for contact discovery. There is no way to find your contacts in the app via their phone number. While you can see which of your contacts are already on Clubhouse in the invite tab, there is no way to directly access their profile.
So instead of uploading the address book, Clubhouse could:
- show all contacts in the address book without sending them to its server. Only after pressing "invite" would the server be asked whether an invitation can be sent to this specific phone number.
- switch to another invite system. Like many other apps, Clubhouse could generate invite tokens or invite links that you have to provide when signing up. After inviting someone, you are already prompted to send them a message. This message could contain a short invite code that they can then use to register a new account. This way no access to the phone book would be needed.
- not use phone numbers at all. They are only used for logging in to Clubhouse, but nowhere else in the app. Instead, only user names and passwords could be used.
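The second alternative, invite codes instead of address-book uploads, is simple enough to sketch end to end. The following is an added example, not Clubhouse's code; the `InviteServer` class, its per-user quota and the one-week validity are assumptions made for the illustration. The server never learns a phone number: the inviter gets a code, passes it on by whatever channel they like, and the code is only presented back at sign-up.

```python
import hashlib
import secrets
import time

# Alphabet without 0/O and 1/I so codes survive being typed from a message.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 10                      # 32^10 ~ 1e15 codes; not guessable online
INVITE_TTL_SECONDS = 7 * 24 * 3600    # assumed validity window


def _fingerprint(code: str) -> str:
    # Only a hash of the code is stored, so a leaked invite table does not
    # hand out usable invites.
    return hashlib.sha256(code.encode("ascii")).hexdigest()


class InviteServer:
    """Hypothetical server-side invite store (assumption, not Clubhouse's design)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._invites = {}       # fingerprint -> {"inviter", "expires", "used_by"}
        self._quota = {}         # user_id -> invites left to hand out

    def grant_invites(self, user_id: str, count: int) -> None:
        self._quota[user_id] = self._quota.get(user_id, 0) + count

    def invites_left(self, user_id: str) -> int:
        return self._quota.get(user_id, 0)

    def issue_invite(self, inviter_id: str) -> str:
        """Consume one invite from the inviter's quota and return a fresh code.

        The code is shown to the inviter once; the server keeps only its hash.
        No contact data is involved at any point.
        """
        if self.invites_left(inviter_id) <= 0:
            raise PermissionError("no invites left")
        self._quota[inviter_id] -= 1
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._invites[_fingerprint(code)] = {
            "inviter": inviter_id,
            "expires": self._now() + INVITE_TTL_SECONDS,
            "used_by": None,
        }
        return code

    def redeem(self, code: str, new_user_id: str):
        """Called at sign-up. Returns the inviter's id on success, else None.

        A code is rejected if unknown, already used, or expired; each code
        can create exactly one account.
        """
        record = self._invites.get(_fingerprint(code.strip().upper()))
        if record is None or record["used_by"] is not None:
            return None
        if record["expires"] < self._now():
            return None
        record["used_by"] = new_user_id
        return record["inviter"]


if __name__ == "__main__":
    server = InviteServer()
    server.grant_invites("alice", 2)
    code = server.issue_invite("alice")
    print("send this code to your friend:", code)
    print("sign-up with code ->", server.redeem(code, "bob"))
    print("reuse of the same code ->", server.redeem(code, "carol"))
```

The inviter's message ("join with code XXXX") replaces the phone-number lookup entirely, and the single-use and expiry checks keep a leaked or forwarded code from becoming a permanent back door into the invite system.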