The security risks of the new app that everyone’s talking about—and listening to.
Clubhouse, the popular audio-based social media platform has come under scrutiny for its privacy policies and most recently for its large-scale data…”exposure.”
Personal data, including social media handles, names, images, and contact information of 1.3 million users were compromised in a recent incident. On their official Twitter account, Clubhouse stated that to call this a data leak, a breach or a hack, would be false and misleading, as this information is already part of the app’s public API.
And though anyone with the Clubhouse app may be able to access this information of other users, Clubhouse users themselves are not satisfied with their response. Security experts warn that this type of clickwrap-sanctioned “data leak” still opens up users to phishing and social engineering scams.
“We’ve seen situations like this before—Facebook with Cambridge Analytica and even the recent LinkedIn “breach” that was based on scraping public profile data,” explains Dashlane’s Chief Technology Officer, Frédéric Rivain. “Privacy settings are most often too complicated and not set to the most private options by default. Customers aren’t aware enough of what is being shared publicly or not.”
If you’re not yet acquainted with the app, it’s an invite-only social media platform where users can create digital “rooms” and host live, audio-only lectures, courses, networking groups—you name it. Users create a profile through its tidy, cream-colored interface and can then join and create different “clubs” and rooms within them.
Some of the more compelling aspects of Clubhouse: Once sessions end, the audio disappears—everything you hear is happening in real time. Clubhouse is also frequented by celebrities; listening in on a live TED Talk-like conversation led by Lindsey Lohan in real time through your phone speaker, knowing the only people that will hear it are in this room right now is kind of exhilarating, especially during these isolating times.
Clubhouse has quickly become a major social media platform, with 10 million users to date including celebrities, creatives, and whatever Elon Musk is. The app is currently rolling out a grant program to support creators and launched a creator accelerator program to help aspiring hosts build bigger platforms. And sorry, Android users—Clubhouse is currently only available for iOS.
Similar to nearly every free internet tool, you may not be paying in dollars for Clubhouse, but you’re paying with your personal data.
Now that we’ve made Clubhouse sound so appealing that you’re not going to finish this article before downloading the app, let’s pull back the curtain on some of the security risks.
Your contacts are up for grabs
Users sign up and invite other users through a text message. Clubhouse has access to your phone’s contacts if you allow permission for the app to sync with your device, upload your contacts, or import information from your phone. You may have unknowingly done this when you signed up as the app originally required you to upload your contacts in order to send invitations. When it was first released, you couldn’t send invites to someone who was not in your contact list, nor could you pick and choose which contacts to share with the app. (Sorry for the spam, Mom!)
But as of March 12, 2021, Clubhouse no longer requires you to give the app full access to your contacts in order to invite someone. Even so, there’s a chance someone else with your number in their own contacts has given the app access, meaning your number could still in Clubhouse’s database even if this is the first time you’ve ever heard of it..
Once you upload your contacts, Clubhouse recommends people whom you might want to invite to the app. It also knows how many people have each of your friends’ phone numbers on their phone. For example, it will say: “Invite Sam Smith to Clubhouse (53 friends on Clubhouse).” That means 53 people on Clubhouse have Sam Smith’s phone number in their contacts and have given Clubhouse access to their phone’s address book (Sam sounds popular. Good for Sam.)
Your usage is being tracked
The app collects usage data, including what kind of content you engage with or simply look at, plus “the features you use, the actions you take, and the time, frequency, and duration of your activities.” This means Clubhouse knows who you interact with on the platform as well as the nature of those interactions, such as how long you interact with a group or another account, person, or club, and the browser or device you use to access it.
Privacy settings are most often too complicated and not set to the most private options by default. Customers aren’t aware enough of what is being shared publicly or not.Frédéric Rivain, CTO at Dashlane
Third-party apps create additional holes
If you authenticate another app like Twitter through Clubhouse, Clubhouse may “collect, store, and periodically update information associated with that third-party account, such as your lists of friends or followers.” Essentially, whatever Twitter knows about you, Clubhouse will also know about you if you give it permission.
Your audio isn’t totally ephemeral
You: Wait, but you said the audio ~*disappears*~ after a session is over!
Us: Ah, yes, it disappears for us mortals, but it still exists as far as developers are concerned. And, maybe…China?
Audio recorded on Clubhouse passes through third-party apps, which do not have an obligation to delete your personal data.
But even more alarming is the lack of secure infrastructure in the app, as discovered by the Stanford Internet Observatory, and reported by Bloomberg. Shanghai-based startup Agora Inc. provides backend infrastructure to Clubhouse. As a Chinese company (though they have offices in Silicon Valley), Agora Inc. is required by law to “assist the government in locating and storing” audio messages that have been deemed by authorities to compromise China’s national security. As Clubhouse gains popularity in China, privacy concerns by mainland Chinese users have rightly been raised. Clubhouse user IDs, which are a sequence of numbers (not a username) are transmitted in plain text over the internet. SIO explains in this Twitter thread that these number sequences can be easily intercepted by anyone monitoring internet traffic to identify who users are talking to.
Agora told Bloomberg that it “does not have access to share or store personally identifiable end-user data. Voice or video traffic from non-China based users—including U.S. users—is never routed through China.” Yet if unencrypted metadata is transmitted through servers in the People’s Republic of China, the Chinese government would theoretically be able to access that data with or without Agora.
Also according to Bloomberg, a senior researcher at Trend Micro, Frederico Macci, discovered that the Agora software library used by Clubhouses is outdated, which not only means its encryption is compromised, but also that this version sends data to China through several hardcoded IP addresses. Clubhouse is technically banned in China due to government efforts to censor certain topics discussed within the app, but mainland Chinese users can still access it via VPN.
So what’s all this data for?
According to Clubhouse, there are various ways they use your data, for example:
Clubhouse claims to not sell the data it collects. So then how does Clubhouse make money?
Short answer? It doesn’t. For now.
Clubhouse is currently free to join and it doesn’t even display ads in the app. But the company, valued at $4 billion, recently launched a paid subscription service similar to Patreon, where users can charge subscribers for exclusive content. As of now, Clubhouse does not take a cut from these payments—content creators get 100% of funds from subscribers through direct payments, though users will have to pay a small processing fee that goes to Stripe, a partner of Clubhouse. As of now, only a small group of users can accept payments in the initial rollout of this new feature.
The validity of the company’s claim not to sell user data is under scrutiny. An investigation into claims that Clubhouse sells a “secret database” of users’ contacts to third parties is currently underway.
If you’d like to take more control over your privacy settings with Clubhouse, there are two quick fixes: