DevOps Teams can learn from Clubhouse compliance woes Cloud Advocate

Cyberattacks are on the rise, which means the security of cloud-native application development is being aggressively scrutinized. As a result, there’s been an influx of stricter regulations and public awareness of security concerns as well as increased fines. All this to say, making sure your application infrastructure configurations are aligned to industry best practice before deployment can not only save you reconfiguration time and headaches, but can spare your organization from large data breaches or malware and subsequent compliance fines.

Buzz-worthy social media giant Clubhouse is the latest example of why incorporating security early in the development cycle is so important. Let’s take a deeper look.

Inside the Clubhouse

We’re sure you’ve heard of Clubhouse—the latest and greatest audio- and invite-only, social media app that was recently valued at $4 billion a mere year after its release. The app has accumulated approximately 14 million global downloads and boasts some pretty well-known members such as Elon Musk, Kevin Hart, and others who hosted “rooms” that nearly broke the internet. Clubhouse has gone in the way of OnlyFans, launching Clubhouse Payments, which allows users to send money to their favourite creators or speakers on the platform.

But as Clubhouse continues to launch new features and gain popularity, protecting sensitive data and adhering to compliance should be on everyone’s mind, from developers to executives.

And as we will explore, securing your business and its customers’ data is more critical and challenging than ever.

Exclusive access doesn’t mean more privacy

Personal privacy has been a hot topic, especially in the wake of the latest Facebook breach that led to personal data of 533 million users being leaked and potentially a multi-billion dollar fine from the GDPR.  LinkedIn followed suit just a week later by confirming that 500 million users had their personal data scraped and listed for sale on a popular hacker forum.  

Clubhouse touts itself as being an exclusive invite-only app, but does that mean your personal data is invite-only for hackers as well? The start-up has been surprisingly mute at addressing security concerns, so to find out more, we took a look at Clubhouse’s privacy policy. Here’s the breakdown:

  • Personal data collected: information “you” provide, audio, networks and connections, usage, communication data, social media data, and payment data (processed by Stripe, Inc.).
  • Personal data collected from third parties/available sources: If you create and/or authenticate with a third-party service such as Twitter, they may collect, store, and update information associated with that service, but they won’t publish anything without your permission.
  • How Clubhouse shares/discloses personal data: They can share the collected personal data without notice to the user (unless required by law) with vendors and services, during business transfers, or due to legal obligations.
  • Security: Without mincing words, Clubhouse says: “You use the Service at your own risk.” They mention the use of “commercially reasonable technical, administrative, and organizational measures” to protect personal data, but do not provide any further insight on what those measures are.
  • International users: Here is where Clubhouse has run into problems. Their policy states that by using the app, “you understand and acknowledge that your Personal Data will be transferred from your location to our facilities and servers in the United States, and where applicable, to the servers of the technology partners we use to provide our Service.” Those “technology partners” would be Agora.io, an audio tech start-up in Shanghai.

You may have noticed a couple of red flags yourself—regardless, others have certainly taken notice.

We took a deeper look at Clubhouse’s lurking compliance issues and here’s what we found:

  • Stanford University’s Internet Observatory (SIO) investigated in Feb. 2021 and found that room metadata was being relayed to servers it believed were hosted in China, and audio data to servers managed by Chinese entities.
  • January 24, 2021: A user managed to stream content from the app on their website (it was not a malicious or a “hack” according to SIO chief technology officer David Thiel).
  • March 2021: Under investigation by the National Commission for Computer and Liberties (CNIL), a French privacy watchdog group for potentially violating the General Data Protection Regulation (GDPR). CNIL found that Clubhouse isn’t established in the European Union (EU), meaning it can be investigated by any EU data protection authority.
  • Clubhouse’s privacy policy is only in English, which exposes the company to sanctions, according to Klaus Muller, executive director of The Federation of German Consumer Organizations (VZBV).
  • Recording voice chats for incident reporting causes concerns that audio messages are not end-to-end encrypted. This is a problem in the EU under the ePrivacy Directive (2002/58/EC) that states confidentiality of conversations is required, and any interception can only occur with legal consent of all involved parties.
  • April 2021: Reports surfaced of 1.3 million user records leaked from Clubhouse, but the tech-giant quashed the rumors quickly, saying that the data posted on the hacker forum was public profile information from the app. However, one may find it concerning that anyone with a token can query the entire body of public Clubhouse user information in one sweep.

Now, you could look at the issues raised and think: “Haters gonna hate.” But whether it’s a malicious witch-hunt to poke holes in Clubhouse’s seemingly invincible armour or not, the concerns are still very much real.

According to Alexander Hann, privacy advocate and co-founder of SynData AB, Clubhouse is in violation of GDPR “and does not fall under the Household Activity exception.”

Since Clubhouse requires a user to upload their device address books when creating an account, this means that a friend of yours with an account may have already shared your data without your consent.

“As a company, you cannot use personal data provided by a third party unless that data has been provided lawfully and… unless there is consent, disclosure of that personal data in this way is not lawful,” stated Hann in his LinkedIn post.

Why compliance matters

Whether you’re building the next big thing called Treehouse or not, you’re still building rapidly in the cloud, which means compliance still applies.

“When developers push new technology into the hands of early adopters, the risks are easy to ignore or think of as a problem of tomorrow,” said Jeremy Turner, head of intelligence at Coalition, in an article regarding Clubhouse’s recent security woes. “When in reality, they should develop data security measures as thoroughly as you develop next user experiences. Early-stage development risks always seem to be over the horizon—until they’re not.”

For Clubhouse, being at odds with GDPR is far from ideal. Despite being implemented merely three years ago, it had an immediate effect on the industry. GDPR requires organizations to report all breaches within 72 hours of being discovered, and those who fail to comply with its rules can face significant penalties up to 20 million euros or 4% of their worldwide annual revenue for the prior financial year, whichever is greater.

In January 2019, Google was hit with a steep 50 million euros GDPR fine. Yep, even businesses based outside of the EU are subject to GDPR regulations. Article 3 states that businesses based in the EU, those based outside the EU but are offering goods and services to people in the EU, and organizations that monitor online behaviour of those in the EU are subject to GDPR provisions.  

Evidently, meeting compliance is tricky business because of its ever-changing nature, the complexity of the regulations, and the fact it can vary significantly throughout different regions. That’s why building security into your application and infrastructure development pipeline as early as possible and implementing continuous checks is critical.

What you can do about it

Ensuring your applications meet compliance doesn’t necessarily mean more work for you or your organization. Automation is key to making sure you’re aligned with compliance best practices without disrupting your workflow.

Need more reasons to automate? How about these:

  • Improves architecture and application quality
  • Automatic malware detection on the files in cloud storage
  • Bridges the gap between DevOps and SecOps teams with assurance that security is properly taken care of

There’s lots of tools out there to help you meet compliance and protect sensitive data, and using a platform approach will further simplify security for the entire organization. Trend Micro Cloud One™ is a purpose-built security services platform for cloud builders that will help you achieve just that.

Welcome to club Trend Micro Cloud One

Let’s cut to the chase—our complete file storage security and cloud security posture management services only take minutes to set up so you can immediately gain visibility into the risk posture of your cloud service configurations and detect whether your cloud storage contains malware.

As we’ve discussed, automation is key. Trend Micro Cloud One™ – Conformity auto-checks against over 750 cloud configuration and compliance best practices and provides step-by-step instructions on how to remediate. Receive even more value by shifting security and compliance to the earliest phase of your CI/CD pipeline where you can leverage the CloudFormation Template Scanner. Instantly run infrastructure-as-code templates through the API before infrastructure is deployed, so you have peace of mind that your cloud infrastructure is fully compliant.

Customers have assurance that for the cases where they must have their Amazon Simple Storage Service (S3) buckets open for a business purpose, or it is left open by human error, their business is safe from receiving malicious files into their file-storage repository. It also prevents malicious files from being distributed to customers or negatively affect other areas of our business.

By providing instant visibility into your cloud service misconfigurations to improve your security posture, as well as continuous assurance against malicious content, you’ll have confidence that your business’s critical data will be safe.

Read More HERE