Friday, February 26, 2021

Clubhouse Wants to Upload Your Contacts’ Phone Numbers

Will Oremus:

When you join the fast-growing, invite-only social media app Clubhouse — lucky you! — one of the first things the app will ask you to do is grant it access to your iPhone’s contacts. A finger icon points to the “OK” button, which is also in a bolder font and more enticing than the adjacent “Don’t Allow” option. You don’t have to do it, but if you don’t, you lose the ability to invite anyone else to Clubhouse.

Via Nick Heer:

The permission dialog iOS presents users before an app is able to access their contacts is, in a sense, being presented to the wrong person: can you really consent on behalf of hundreds of friends, family members, and acquaintances? From a purely ethical perspective, the request ought to be pushed to every contact in the directory for approval, but that would obviously be a nightmare for everyone.

There are clearly legitimate uses for doing this. Allowing people to find contacts already using a service, as Clubhouse is doing, is a reasonable feature. It does not seem like something that can be done on-device, so the best solution that we have is, apparently, to grant apps permission to collect every contact on our phones. But that is a ludicrous tradeoff.

Guilherme Rambo:

Just had a poke at the Clubhouse app with a proxy, given the recent concerns about contacts usage. The bad part is that it uploads all of your contacts’ phone numbers (surprise!). The good part is that that’s the ‘only’ thing it uploads about them.

[…]

Another problem is that the API used to upload the phone numbers doesn’t seem to be using SSL pinning.

Dave Verwer:

I saw some suggestions that Apple should solve this with a Photos.app style “select which contacts can be accessed” permission, but is anyone going to go through their contacts manually, picking and choosing? I have just under a thousand records in mine from many years of personal+work life, and I bet that’s nothing compared to some people. It’s not practical. Maybe a solution would be to let the permission be on groups rather than individual contacts, but whose contact database is that well organised? Mine isn’t.

The other popular theory on how to solve this is that Apple should provide an API to hash contact information, allowing apps to match people without getting access to personal information. That’s one of those ideas that feels better and solves one aspect of the problem, but bad situations are inevitable when you match a full contacts database.


Update (2021-03-15): Jane Manchun Wong:

Clubhouse no longer requires contacts access for sending invites in the latest update!

You can now directly enter the number, or use the iOS contact picker (which doesn’t require contacts access) to send invites.


For me the biggest issue with Clubhouse privacy-wise is the lack of a private profile option. Anyone with your phone number can see your profile, name, who you follow, who follows you. This is a privacy bomb waiting to explode.

The real solution here is regulation. Make it illegal for companies to retain or use for marketing any non-user's (people who haven't voluntarily signed up for a service) information that is taken from their users. It can only be used for a single immediate purpose and then discarded. That would allow users to hit a "find my friends who are already on this service" or "invite these people" button, without the company keeping this information to use for other purposes.

Worf: Because we all know that if there's one thing big tech loves to do, it's comply with both the letter and spirit of regulation!

After all, it was EU regulations that solved cookie tracking, and the phone charger problem, once and for all. And commerce in the US since 1975 has been metric as far as the eye can see, thanks to 15 USC 205(b).

I don’t get the desire for SSL pinning.

If they did that, users would not be able to verify which data leaves their device the way Rambo has done. A secret channel between my device and their servers seems like more of a problem than whatever attack it might prevent.

(Also, I think there are no one-way hashes for phone numbers. There are too few possible numbers, so can always brute force it.)

@Peter You can’t just hash the phone number on device, but perhaps Apple could do something like App Attest where they have a server that takes a phone number and processes it on the server in a way that can’t be reversed or brute-forced? Or perhaps Apple even tells the app which opaque identifiers match?

Sam: I knew someone was going to pull that old canard that boils down to: "Laws aren't perfect, enforcement isn't perfect, and people don't follow them perfectly, so why bother at all?" I, for once, like living in a society where murder is illegal versus one where it isn't, even if the system isn't flawless and the occasional murder still occurs.

Regulation may not solve privacy problems perfectly, but in cases where strict technical solutions are infeasible, they're better than nothing. But if you have a better solution I'd sure love to hear it.

Wes Campaigne:

I think @Peter is right about hashing phone numbers not really helping at all. The input domain is small enough that making a rainbow table would be pretty trivial.

For the hashing to be functional (from a social graph perspective), the output needs to be stable/consistent across time and across devices. Even if Apple runs it on a server that adds some salt to the hashes, or returns an entirely opaque identifier, I don't think there's a way they could balance "quickly hash all the phone numbers in my address book for upload" against "don't let a determined adversary gradually hash all possible phone numbers".

And Apple performing the equality comparison themselves doesn't scale — if the goal is to match my contacts with any existing member of a social network, you'd need to make n*m calls to Apple's service to find matches for each new user. (i.e. say I have 1k contacts and the service has 10M users, that's 10B calls just to find my matches.)
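Peter’s and Wes’s comments above make two claims: a plain hash of a phone number is recoverable because the input space is tiny, and a keyed server-side hash only moves the problem to how many hashing queries the server will answer. The following is an added example (not code from the post, Clubhouse, Apple, or any commenter) that makes both points measurable; the number prefix, the server key, and the `HashingOracle` class are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Set

# Constructed candidate space: a fixed prefix plus a 4-digit suffix (10,000
# numbers) so the run finishes instantly. A full national numbering plan is
# larger only by a constant factor; it does not change the conclusion.
PREFIX = "+1555555"        # constructed prefix, not a real number block
SUFFIX_DIGITS = 4

def number_hash(number: str, key: Optional[bytes] = None) -> str:
    """Unkeyed SHA-256 (what 'just hash the number' means), or with a key
    HMAC-SHA256, which only the key holder can compute."""
    if key is None:
        return hashlib.sha256(number.encode()).hexdigest()
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()

def recover_numbers(digests: Set[str], key: Optional[bytes] = None) -> Dict[str, str]:
    """Map each digest back to its number by enumerating the candidate space,
    the 'rainbow table' point from the thread. Without the key this works
    offline against plain hashes; with the key it is what the server can do."""
    found: Dict[str, str] = {}
    for suffix in range(10 ** SUFFIX_DIGITS):
        candidate = f"{PREFIX}{suffix:0{SUFFIX_DIGITS}d}"
        digest = number_hash(candidate, key)
        if digest in digests:
            found[digest] = candidate
            if len(found) == len(digests):
                break
    return found

class HashingOracle:
    """Constructed model of the proposed server-side keyed hashing: the key
    never leaves the server, but every caller can still ask it to hash any
    number. `queries` counts the work a rate limit would have to bound."""
    def __init__(self, key: bytes):
        self._key = key
        self.queries = 0

    def hash_contacts(self, numbers: List[str]) -> List[str]:
        self.queries += len(numbers)
        return [number_hash(n, self._key) for n in numbers]

def enumerate_via_oracle(oracle: HashingOracle, targets: Set[str]) -> Dict[str, str]:
    """Rebuild the digest-to-number map using only oracle queries, one per
    candidate, to quantify Wes's 'gradually hash all possible numbers' cost."""
    found: Dict[str, str] = {}
    for suffix in range(10 ** SUFFIX_DIGITS):
        candidate = f"{PREFIX}{suffix:0{SUFFIX_DIGITS}d}"
        (digest,) = oracle.hash_contacts([candidate])
        if digest in targets:
            found[digest] = candidate
    return found
```

The legitimate upload of a 1,000-entry address book and the exhaustive enumeration both look like batches of `hash_contacts` calls to the server, which is the balance Wes says is hard to strike.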

@Wes I see what you’re saying, but there’s got to be a way to do this. Another way of looking at it is that Apple already has everyone’s (iCloud) Contacts, so it’s only really being asked to store a boolean for whether a given contact is in Clubhouse, and then filter a given user’s contacts by that.
