A Proposed Clubhouse Blueprint for Leveraging Privacy to Achieve Growth, Instead of Growing At Privacy’s Expense
Preceding posts in this blog series covered Clubhouse’s privacy failures and how its app rollout signals to consumers that it doesn’t care about them or their privacy. This post provides a blueprint for how Clubhouse can begin to fix its weak privacy foundation.
Last week, Clubhouse reportedly had a data leak involving 1.3 million Clubhouse users, whose user IDs, names, photo URLs, usernames, social media handles, and other profile and account information were scraped and posted on a hacker site.
As a result of Clubhouse’s privacy failures, privacy advocates and regulators all over the world are scrutinizing the new audio-based social media platform. Here in the United States, privacy advocates have notified both the Federal Trade Commission and California Attorney General of Clubhouse’s privacy failures. Overseas, French and German regulators are investigating Clubhouse’s privacy practices, and UK privacy watchdogs are paying close attention.
To be fair, Clubhouse ended up changing its policy of requiring access to users’ contacts to invite people, which was highly criticized for violating data protection laws like the European Union’s General Data Protection Regulation. Clubhouse also came out to say it’s building features from within its app to enable users to delete previously uploaded contacts. While these moves are necessary to comply with data protection laws, they are hardly enough to address Clubhouse’s privacy failures, or prove that Clubhouse is taking user privacy seriously.
Moreover, instead of taking accountability over its privacy failures, including the recent data leak involving 1.3 million Clubhouse users, Clubhouse’s response betrays a lack of understanding of privacy or, worse, a complete disregard for its users’ privacy:
In its tweet, Clubhouse denies any breach or hack relating to the recent data leak, arguing that the user data was public information that is accessible to anyone, and implying that it never intended to protect such information from getting accessed by third parties. But this communications spin lures us to argue over semantics, distracting us from the real issue of Clubhouse’s privacy failures.
Clubhouse could’ve taken a page from Zoom, which was in privacy hot waters last year. Zoom responded by prioritizing privacy and security for a period of 90 days and hired a team of privacy and security experts to help address its shortcomings in those areas.
It’s not too late for Clubhouse to get its privacy house in order. Should Clubhouse decide to go back to the drawing board with its privacy practices, below is a high-level blueprint for how it could leverage privacy to achieve growth, instead of continuing to grow at privacy’s expense.
Define a Privacy Strategy. Clubhouse should take a step back and decide what type of company it wants to be when it comes to privacy. It should have a defined privacy strategy coming from the top: its founders, investors, and Board members. The Clubhouse Board should be asking governance questions about Clubhouse’s privacy strategy. Its founders should be thinking hard about what that high-level privacy strategy is, how to execute on it, and how to reflect it in its business model. And its investors should be protecting their LPs’ investments by advising Clubhouse to pursue a fiscally responsible approach to scaling.
Adopt a Privacy-Protective Business Model. Social media companies are notorious for their privacy-invasive business models, with user privacy often sacrificed for the sake of growth. As Clubhouse defines its business model, it should assess the privacy implications of such a model and avoid revenue incentives that are pitted against user privacy. Being thoughtful about its business model and related privacy impact will help Clubhouse build with intention before it turns into a monstrous structure that is too difficult to tear down and rebuild.
Implement Privacy & Security by Design and Engineering. Clubhouse should incorporate privacy and security into its product development life cycle. This means honoring user preferences when it comes to personal data and not deploying dark patterns to manipulate users to give up control over such data. It must build safe products that secures — through end-to-end encryption or other appropriate security measures— any personal information it processes, particularly sensitive information, such as audio recordings and location data.
Put Users First. Clubhouse should put its users first and avoid the tired growth-at-all-costs social media strategy. It could promise a duty of loyalty to its users when it comes to their personal data. At the end of the day, its users will determine its future. Losing user trust inevitably means losing users.
Assign Privacy Ownership, Equipped With Resources. Clubhouse needs to establish an expert team to own its internal privacy and security functions, with proper authority and resources to do their jobs. This could mean hiring a Chief Privacy Officer and a Chief Information Security Officer, with appropriate teams and budgets.
Transparency & Communications. Lastly, Clubhouse needs to be transparent about its privacy practices. This point goes beyond privacy policies written in legalese and fine print. It extends to building just-in-time notifications about data collection and other privacy features into its products. It also means engaging in strategic privacy communications with users, stakeholders, and regulators, instead of misleading or gaslighting them.
As Clubhouse continues to build, it needs to lay a solid privacy foundation, the building blocks of which are a defined privacy strategy and a privacy-protective business model. Such a foundation will need to be reinforced by privacy design and engineering and a users-first approach, and further cemented by privacy ownership and transparency. Without such a solid privacy foundation, Clubhouse could collapse under the pressures of global regulatory scrutiny over privacy, the developing consumer sentiment and marketplace demand for privacy, and the mounting need for privacy innovation. It’s better to rebuild an unstable structure early on than to keep building an unsafe one that will only become uninhabitable or collapse years later.
