Thursday Thoughts - 11 February 2021
The app that everyone is talking about so far in 2021 is Clubhouse. Of course, the fact you have to be “invited” to join lends a certain cachet, but there are some real privacy concerns, from sharing your address book to recording your conversations, so check out my summary. Everyone seems to be on it and recommending that we check it out, but I reserved judgement and waited for a few privacy professionals to start looking into it. My piece below looks at what is so special about Clubhouse and considers if it is better than LinkedIn as a business networking site.
A database that compiles all previous breaches has just appeared on the dark web. So if you have a habit of recycling user names and passwords across different services, you know what to do. Also this week: another Google Chrome bug, the Facebook data protection class action, and guidance on pseudonymisation for personal data protection.
Finally, I include an article by Jill Bottomley on the changes to furlough rules and redundancy.
Blogs and Videos of the Week
Alexander Hanff – Clubhouse - the next privacy nightmare you've never heard of
Debbie Reynolds – WhatsApp and Data Privacy
Sara Kay - Do Schools Need More Laughter?
Clubhouse – What is it and What are the Concerns
Do you love it or hate it? Or are you suffering FOMO because you aren’t on it yet and nobody has sent you an “invite”? Of the users I have spoken to, some love it, others admit to having “lost” great chunks of time on it and others can’t see what the attraction is. What is so special about Clubhouse, and is it better than WhatsApp and LinkedIn as a business networking social media site?
Clubhouse users engage with each other via voice only (which is attractive to those who don’t want to be on camera) and can be in private or public chat rooms.
How many people have clicked straight through the consents and privacy thinking that because everyone is doing it the platform must be OK? Well, here are a few things you may not know:
Clubhouse only works on Apple at the moment.
You can only be “live” in a room so there is no opportunity to listen at your convenience.
There is a way to back track who recommended a person and who recommended that person and backwards to the first person on the app.
Clubhouse collects LOADS of information, not just account details. It knows what you create and share, and your messages or communications with others. It will also track the people, accounts, and groups you are connected to and how you interact with them.
If you use their "Single Sign On" feature they take your contact details, content and account information from those other sites too.
In order to “invite” friends onto the platform Clubhouse REQUIRES you to share your address book. If you have a contact number of someone and you sync your contacts list, it will show you who among them is on Clubhouse.
Unless you send a message to your whole contacts list asking permission to share their numbers, or use a burner phone that only has the numbers of people who are happy with this, it will not fall under the “Household Activity exception”.
This means that as a private user Clubhouse are asking you to break the law by giving them access to your address book in order to send the invitation.
It is more concerning for a company as it is likely to be considered as a breach of GDPR and under the most recent Facebook precedent this means you are as liable as Clubhouse for the breach.
Clubhouse records the audio in a room while the room is live so that they can check if there is a “Trust and Safety” violation. Clubhouse makes this a condition of use.
In the UK and EU, mobile communications are meant to be kept confidential, so any recording of conversations requires the consent of all parties.
If you close the app while you are in a “room”, you stay there and your mic stays active if you left it on. That means you could still be “using” the app when you think you’ve closed it, because the room is still open.
My own analysis is that I’ll pass on this particular brand and stick with the Social Media I am comfortable with (LinkedIn, Twitter and Facebook). I have no doubt the Data Protection Authorities across UK and Europe will soon have something to say about it in due course.
Clubhouse – Links to China and Ability to Track Backwards
On a separate note, there is speculation that Clubhouse is under the control of the Chinese Military. This means that if the conversation you are having could be seen as dissent, DO NOT use Clubhouse. There is a way to back track who recommended a person and who recommended that person and backwards to the first person on the app. It is frightening to think what an oppressive government or threat actor could do with this type of data. You can read more here: https://www.taiwannews.com.tw/en/news/4123186
The Massive Database of Previous Breaches
Worrying news that a “Compilation of Many Breaches” has been posted online. It may be the biggest-ever list of hacked user details and contains the data from a 2012 data breach at LinkedIn (117 million accounts) as well as Netflix login data. If you have a habit of recycling user names and passwords across different services, you know what to do:
1. Change passwords now, use 3 random words or a password manager, and add two-factor authentication.
2. Check on haveibeenpwned.com to see if you appear on the list and change the passwords or logins for the accounts that have been compromised, and on any accounts using the same password.
Using WhatsApp in Schools and Businesses
WhatsApp is a great communication tool for individuals, and we have seen it used by health professions during the pandemic, but only where there was no alternative and it would save lives. There are, however, great risks in using WhatsApp to share personal data in business, particularly in Trusts and Schools, not least the privacy issues of sharing personal phone numbers with everyone in the chat, or the very real temptation to cross post from one chat to another. There is also the fact that WhatsApp is on your personal phone, and this has safeguarding implications for those in schools and those working with vulnerable adults. The ICO says it may be used in limited circumstances but in my opinion it is not suitable for ‘business as usual’ communication at all.
Google Chrome Bug
There is another new Google Chrome bug which targets Windows, Mac, and Linux users. Make sure you update your software to the latest available version immediately, because criminals can exploit the loophole if the targeted device is running an older version of the apps or OS. Take this as an excuse to check you have high-end antivirus software installed on all your connected devices.
Facebook Data Protection Class Action
A class action has been launched against Facebook by journalist and writer Peter Jukes on behalf of himself and around one million other Facebook users in England and Wales. The claim alleges that Facebook allowed a third-party app, “This Is Your Digital Life”, to access the personal data of users without their knowledge or consent between November 2013 and May 2015. The app harvested the personal data of both app users and their Facebook friends.
Pseudonymisation For Personal Data Protection
The European Union Agency for Cybersecurity has published a report which explores advanced pseudonymisation techniques and specific use cases. This will be useful for those in healthcare and those involved in cybersecurity and cybersecurity information sharing, and is intended to support data controllers and processors in implementing these techniques. More details can be found here: https://www.linkedin.com/company/dpoinnovation/
Amendments to GDPR
Following a review of GDPR, a number of amendments have been tabled for resolution by the European Parliament. Some of these may make their way into UK legislation. You can see the proposed changes here: https://www.europarl.europa.eu/doceo/document/LIBE-AM-663032_EN.pdf
Data Breach Notifications
The European Data Protection Board is inviting comments on its Data Breach Guidelines 01/2021. These list when you should provide a Data Breach Notification and when you don’t need to (e.g. when both parties are trusted).
UK Data Sharing Code of Practice
The Privacy Connect Manchester online workshop to discuss the new ICO Data Sharing Code of Practice will take place on 18 Feb 2021. You can find details here: https://www.privacyconnect.com/workshops/privacyconnect-manchester-2/
Change to the Furlough Scheme and Redundancies
If your business needs to make redundancies, did you know that, unlike last year, you can’t use the furlough grant towards the notice pay? Many employers with limited cash reserves are holding back from starting redundancy processes, even though they know they’ll have to make some redundancies. The reason is that they cannot afford to take their staff off furlough and cover the cost of both notice pay and redundancy pay at the end of furlough. You can read more from Jill Bottomley here: https://smallbusiness.co.uk/this-change-to-the-furlough-scheme-could-lead-to-more-costly-redundancies-2552105/
Videos and Blogs of the Week
Alexander Hanff – Clubhouse - the next privacy nightmare you've never heard of
Alexander is not a big fan of Clubhouse. Having read his blog this week I can understand why. If you have the time and your interest was piqued by my brief summary then you will be wanting to read this blog in full: https://www.linkedin.com/pulse/clubhouse-next-privacy-nightmare-youve-never-heard-alexander-hanff/
Debbie Reynolds – WhatsApp in depth from a Data Privacy and Cybersecurity perspective
Sara Kay – Do Schools need More Laughter
With children spending a significant amount of time behind their computer screens with little social interaction and even less opportunity to “let off steam”, Sara discusses the “pressure cooker full of worries, concern, anxiety and insecurities” which is building up in children as well as their teachers and parents. In this blog Sara suggests using laughter as a perfect antidote for the challenges of a school day. You can read her blog here: https://www.linkedin.com/pulse/do-schools-need-more-laughter-sara-kay/