This post is also available in: French

Clubhouse Is Exclusive, But Are the Privacy Risks Worth It?

This post is also available in: French

The security risks of the new app that everyone’s talking about—and listening to.

Clubhouse, the popular audio-based social media platform has come under scrutiny for its privacy policies and most recently for its large-scale data…”exposure.” 

Personal data, including social media handles, names, images, and contact information of 1.3 million users were compromised in a recent incident. On their official Twitter account, Clubhouse stated that to call this a data leak, a breach or a hack, would be false and misleading, as this information is already part of the app’s public API. 

And though anyone with the Clubhouse app may be able to access this information of other users, Clubhouse users themselves are not satisfied with their response. Security experts warn that this type of clickwrap-sanctioned “data leak” still opens up users to phishing and social engineering scams.

“We’ve seen situations like this before—Facebook with Cambridge Analytica and even the recent LinkedIn “breach” that was based on scraping public profile data,” explains Dashlane’s Chief Technology Officer, Frédéric Rivain. “Privacy settings are most often too complicated and not set to the most private options by default. Customers aren’t aware enough of what is being shared publicly or not.”

In a recent article, Status called Clubhouse a “privacy catastrophe,” saying the app is behind Facebook when it comes to privacy standards. We break down Clubhouse’s privacy policy and examine just how much users can trust the app with their personal data.

What is Clubhouse?

If you’re not yet acquainted with the app, it’s an invite-only social media platform where users can create digital “rooms” and host live, audio-only lectures, courses, networking groups—you name it. Users create a profile through its tidy, cream-colored interface and can then join and create different “clubs” and rooms within them.

Some of the more compelling aspects of Clubhouse: Once sessions end, the audio disappears—everything you hear is happening in real time. Clubhouse is also frequented by celebrities; listening in on a live TED Talk-like conversation led by Lindsey Lohan in real time through your phone speaker, knowing the only people that will hear it are in this room right now is kind of exhilarating, especially during these isolating times.

Clubhouse has quickly become a major social media platform, with 10 million users to date including celebrities, creatives, and whatever Elon Musk is. The app is currently rolling out a grant program to support creators and launched a creator accelerator program to help aspiring hosts build bigger platforms. And sorry, Android users—Clubhouse is currently only available for iOS. 

Similar to nearly every free internet tool, you may not be paying in dollars for Clubhouse, but you’re paying with your personal data.

What’s in Clubhouse’s privacy policy? 

Now that we’ve made Clubhouse sound so appealing that you’re not going to finish this article before downloading the app, let’s pull back the curtain on some of the security risks. 

Similar to nearly every free internet tool, you may not be paying in dollars for Clubhouse, but you’re paying with your personal data. It’s recommended that whenever you download a new app, you look closely at the terms of service and privacy policies. This can help you make an informed decision about how much of your data you are willing to give away in exchange for use of an app. Here’s a rundown of some the data collected by Clubhouse, according to their privacy policy, that might be worth taking a second look at. 

Your contacts are up for grabs

Users sign up and invite other users through a text message. Clubhouse has access to your phone’s contacts if you allow permission for the app to sync with your device, upload your contacts, or import information from your phone. You may have unknowingly done this when you signed up as the app originally required you to upload your contacts in order to send invitations. When it was first released, you couldn’t send invites to someone who was not in your contact list, nor could you pick and choose which contacts to share with the app. (Sorry for the spam, Mom!)

But as of March 12, 2021, Clubhouse no longer requires you to give the app full access to your contacts in order to invite someone. Even so, there’s a chance someone else with your number in their own contacts has given the app access, meaning your number could still in Clubhouse’s database even if this is the first time you’ve ever heard of it..

Once you upload your contacts, Clubhouse recommends people whom you might want to invite to the app. It also knows how many people have each of your friends’ phone numbers on their phone. For example, it will say: “Invite Sam Smith to Clubhouse (53 friends on Clubhouse).” That means 53 people on Clubhouse have Sam Smith’s phone number in their contacts and have given Clubhouse access to their phone’s address book (Sam sounds popular. Good for Sam.) 

Your usage is being tracked

The app collects usage data, including what kind of content you engage with or simply look at, plus “the features you use, the actions you take, and the time, frequency, and duration of your activities.” This means Clubhouse knows who you interact with on the platform as well as the nature of those interactions, such as how long you interact with a group or another account, person, or club, and the browser or device you use to access it. 

They claim to make a “reasonable and commercial effort” to enable Do Not Track signals, though as recognized by Status, enabling this signal is not possible within the app. 

Privacy settings are most often too complicated and not set to the most private options by default. Customers aren’t aware enough of what is being shared publicly or not.

Frédéric Rivain, CTO at Dashlane

Third-party apps create additional holes

If you authenticate another app like Twitter through Clubhouse, Clubhouse may “collect, store, and periodically update information associated with that third-party account, such as your lists of friends or followers.” Essentially, whatever Twitter knows about you, Clubhouse will also know about you if you give it permission.

Your audio isn’t totally ephemeral

You: Wait, but you said the audio ~*disappears*~ after a session is over! 

Us: Ah, yes, it disappears for us mortals, but it still exists as far as developers are concerned. And, maybe…China? 

According to their privacy policy, Clubhouse records and temporarily retains audio from live sessions, “solely for the purpose supporting incident investigations.” The audio is used if a user reports an incident falls under a violation of “trust and safety,” and is deleted after the investigation is complete. Temporary audio is encrypted, and according to the policy, audio from users with muted speakers is not recorded or retained. 

As pointed out in a recent article by Status, audio recorded on Clubhouse passes through third-party apps, which do not have an obligation to delete your personal data. The article also mentions that Clubhouse audio uses “server-side encryption,” meaning that they are able to decrypt data. According to their privacy policy, these third-party vendors could include “providers of hosting services, audio applications and infrastructure, [and] cloud services.”

Audio recorded on Clubhouse passes through third-party apps, which do not have an obligation to delete your personal data.

But even more alarming is the lack of secure infrastructure in the app, as discovered by the Stanford Internet Observatory, and reported by Bloomberg. Shanghai-based startup Agora Inc. provides backend infrastructure to Clubhouse. As a Chinese company (though they have offices in Silicon Valley), Agora Inc. is required by law to “assist the government in locating and storing” audio messages that have been deemed by authorities to compromise China’s national security. As Clubhouse gains popularity in China, privacy concerns by mainland Chinese users have rightly been raised. Clubhouse user IDs, which are a sequence of numbers (not a username) are transmitted in plain text over the internet. SIO explains in this Twitter thread that these number sequences can be easily intercepted by anyone monitoring internet traffic to identify who users are talking to. 

Agora told Bloomberg that it “does not have access to share or store personally identifiable end-user data. Voice or video traffic from non-China based users—including U.S. users—is never routed through China.” Yet if unencrypted metadata is transmitted through servers in the People’s Republic of China, the Chinese government would theoretically be able to access that data with or without Agora. 

Also according to Bloomberg, a senior researcher at Trend Micro, Frederico Macci, discovered that the Agora software library used by Clubhouses is outdated, which not only means its encryption is compromised, but also that this version sends data to China through several hardcoded IP addresses. Clubhouse is technically banned in China due to government efforts to censor certain topics discussed within the app, but mainland Chinese users can still access it via VPN. 

So what’s all this data for?

According to Clubhouse, there are various ways they use your data, for example:

  • To facilitate network connections, recommend content, and further personalize the service for you
  • To develop new products and services
  • Sharing it for the purposes of targeted advertisements

Clubhouse claims to not sell the data it collects. So then how does Clubhouse make money? 

Short answer? It doesn’t. For now.

Clubhouse is currently free to join and it doesn’t even display ads in the app. But the company, valued at $4 billion, recently launched a paid subscription service similar to Patreon, where users can charge subscribers for exclusive content. As of now, Clubhouse does not take a cut from these payments—content creators get 100% of funds from subscribers through direct payments, though users will have to pay a small processing fee that goes to Stripe, a partner of Clubhouse. As of now, only a small group of users can accept payments in the initial rollout of this new feature. 

But the validity of the company’s claim not to sell user data is under scrutiny. A number of regulators in Europe have launched an investigation into Alpha Exploration Co., Clubhouse’s parent company, to determine whether the app is in noncompliance with the GDPR. The investigations are in response to a petition that raised concerns surrounding Clubhouse’s privacy policy, claiming that Clubhouse sells a “secret database” of users’ contacts to third parties.

The validity of the company’s claim not to sell user data is under scrutiny. An investigation into claims that Clubhouse sells a “secret database” of users’ contacts to third parties is currently underway.

What you can do

If you’d like to take more control over your privacy settings with Clubhouse, there are two quick fixes:

  1. Go into your iPhone settings, scroll down to Clubhouse. Under Allow Clubhouse to Access switch off Contacts
  2. In the Clubhouse app, tap Settings, the gear symbol in the upper righthand corner. Click Account, then tap to disconnect Twitter and Instagram

It’s likely that the app’s privacy policy will continue to change over time, and that the app will eventually monetize. Stay up to date as their policies—and their business model—continue to develop. 

    Dashlane

    Dashlane is a web and mobile app that simplifies password management for people and businesses. We empower organizations to protect company and employee data, while helping everyone easily log in to the accounts they need—anytime, anywhere.

    Read More