Privacy and security lessons in Clubhouse, Nurserycam leaks
Audio-conferencing app Clubhouse has taken the Apple universe by storm, with millions of downloads in 2021. iphone users can chat live in Clubhouse “rooms”. When a session ends, it is deleted. Users rave about excellent technical quality but Clubhouse has some problems. Moderation is up to users; there’s no “block” option to stop trolls, and no way to report abuse.
There may also be security and surveillance issues. A user recently recorded feed from many rooms (including closed rooms, which nobody should be able to enter without invites) and streamed chats. This may be embarrassing, given that chats are supposedly private.
Can sensitive personal data or metadata also be picked up in a Clubhouse hack? Maybe. It depends on if the hacker can get into the users’ devices. The app has been banned in China, which doesn’t like the concept of private conversations. But ironically, Clubhouse processes global data in Chinese servers, which raises some more concerns.
Another popular app, Nursery cam, which lets parents keep an eye on their children, has obvious issues. A white hat hacker recently alerted about a loophole that could be exploited to harvest usernames, passwords, names, email addresses, etcetera. This is quite apart from the fact that the app tracks kids by design.
Deep versus dark
Data illegally harvested from such breaches is usually sold in dumps on the “Dark Web”. This is often confused with the “Deep Web”. These are not the same things.
Think of the internet as a very large city. Only about 1 per cent of it is mapped and indexed by search engines like Google and Bing — that’s the “Open Web”. The unindexed 99 per cent is the Deep Web. The Deep Web includes your email and bank account. Google Drive, Onedrive, and other cloud storage are also Deep Web as are government databases of taxpayers, municipal records, etc. These are deliberately unindexed to protect private data. You can access Deep Websites like your email or net-banking, without any problems.
But a tiny unindexed area of that city is like the fictional Diagon Alley in Harry Potter’s London.
This is the Dark Web. Some really unusual, and quite often illegal resources exist here. The Dark Web hosts transactions involving data, drugs, extreme porn, software cracks for pirated programs, virus source codes, and so on. Intelligence agencies also meet there (not on Clubhouse!) to stay in touch with field agents.
Accessing the Dark Web requires some knowhow. Everyone is anonymous. Dark websites don’t have normal urls and can’t be reached by normal
browsers. Any visitor must be very careful to obscure personal information and make sure they can’t be tracked back.
One reason to visit is to check if your digital identity or data is compromised. If your email id, or credit card details have been stolen, they’re likely to be offered for sale here. So tech researchers do track what’s going on.
Typically, Indians don’t take privacy seriously and there are no laws to protect private personal data. India also has a surfer population of above 500 million and is the world’s biggest data consumer. Many services are online and citizens are actively encouraged to do online transactions (which the government can track). The digitisation has increased due to the pandemic.
Realitycheck
Many cyber-security organisations work to plug the big data-leaks and breaches. Europ Assistance for example, offers a solution called Cyberior for antifraud protection and digital ID monitoring. It claims to have 165 million customers in 25 countries. Cyberior creates a unique consumer profile for users, and it monitors personal information, device security, financial transactions, and so on. It will alert you if your data does get hacked. It also offers cyber-insurance and free demos.
Cyble is another cybersecurity solution with a more corporate focus.
Websites such as haveibeenpwned.com and www.avast.com/hackcheck allow surfers to check if their data is showing up on Dark Web databases.
Unfortunately, even if your data doesn’t show up, it could, at some stage, be stolen. Nor will any given cybersecurity solution offer 100 per cent protection. But users with basic knowledge and privacy awareness are a little less likely to be compromised.