Stanford Researchers Find Security and Privacy Issues in Clubhouse App

Last Updated: June 1, 2021

Social media platforms keep springing up by the day. As a result of this proliferation, the threats netizens face keep increasing. One such entrant into the space is Clubhouse. Although less than a year in the industry, it also has evoked litigation from users concerned about its seeming privacy concerns. We will analyze these concerns below.

What is Clubhouse?

Clubhouse (CH) is an audio-only, iPhone-only social media platform for engaging in a variety of discussions. Mobile device users that aren’t using iPhones are restricted from using the app, even after downloading it. Furthermore, it works using an invite-only process. Users have to be invited by friends already part of the network. Alternatively, they have to get to the top of a ranking system Clubhouse employs.

To know what topic is being discussed, you just click on the calendar icon. Conversations revolve around a lot of things — from fashion to politics and even cryptocurrencies. Clubhouse gives the appearance of exclusivity and has played host to several celebrities, including Elon Musk.

Privacy Concerns Regarding Clubhouse

Some of the privacy concerns users have noted regarding Clubhouse include:

1. Infiltration of Users’ Contact List

When signing up for Clubhouse, a prompt requests access to the user’s contact list. The idea is to help you identify people on your contact list who are on CH. You can then connect with them from there. This is quite similar to what various other social media platforms do. Thus, ordinarily, there should be no concerns there. 

However, Clubhouse goes a step further. CH rifles through your contacts, locating persons who have friends on the platform. It then cross-references this with the persons who are already on CH. It even does this for people who have no intention of signing up. By granting this simple access, CH knows the number of everyone on your contact list, and how many of their friends are on the network.

2. Recording of Voice Notes

Clubhouse routinely records the voice conversations on the platform. Throughout the period when the room is live, all voice communications are recorded. The exceptions are the audio from muted users. 

These recordings, they claim, aid investigations. Thus, when a user complains about any room, the recordings are then referred to. Upon completion of the inquiry, these voice recordings are deleted. Also, the voice conversations are also deleted if there is no complaint from the session. 

However, there have been concerns about the propriety of the voice recordings in the first place, its use notwithstanding. More so, it is also disconcerting the amount of power the company wields over these recordings. It is the sole determiner of whether abuse occurred or not, giving it the license to either delete the recordings or retain them. Questions have also been raised regarding the claim that the recordings are end-to-end encrypted as Clubhouse claims.

Apart from Clubhouse, other participants may decide to record the sessions. If such a person does not obtain the permission of all the members of that room, that is a violation of the site’s terms. However, Clubhouse makes it clear that it is not responsible for third-party recordings. 

3. English-only Privacy Policy

Clubhouse has also come under fire because its privacy policy is written only in English. This automatically shuts out users who are unfamiliar with the language. This move is strange because Clubhouse’s only requirement is that prospective users have an iOS device. 

Privacy Concerns Noticed by the Stanford University Internet Observatory Team

Early in March 2021, researchers from Stanford University (under the aegis of the Stanford Internet Observatory) discovered some serious privacy breaches on the platform. Unlike the speculative/hypothetical scenarios painted above, these breaches are current and have already exposed users to nefarious elements.

Firstly, the researchers found out that Clubhouse was not encrypting its users’ identifiers before transmission. This loophole makes the person vulnerable, basically, to everyone on the internet. Anyone with the means can track the activities of users on the platform without any restrictions. 

Furthermore, the researchers discovered that a company working with Clubhouse has its office in Shanghai. This is greatly troubling because it ostensibly suggests that users’ data get transmitted to China at some point. Although there is currently no concrete evidence to back up the speculation, this suggests that Chinese authorities can access and monitor users’ data. 

Finally, just like the prediction above, Bloomberg recently gathered that some third party was gathering Clubhouse audio recordings. The recordings are then made available to users outside Clubhouse.

How to Keep Safe While on Clubhouse

To remain safe while using Clubhouse, do the following:

1. Do Not Allow Clubhouse Access to Your Contact List

When the popup shows up requesting access to your contact list, simply decline. Clubhouse cannot force you to accept this feature. Also, it cannot ignore your wish to access your list. 

Do understand that you will not know who on your contact list is on the app when you deny Clubhouse access. You will also be unable to invite people to join you (and follow a conversation). If this isn’t a big deal for you, deny the app access when it requests it. 

2. Revoke Access

If you have already downloaded the app and previously allowed access to your contact list, you can revoke it. Go to your iPhone settings and disable access for that specific app. Also, you can reach out to Clubhouse to wipe all of your data from its storage. This deletes all the information the site has on you.

Conclusion

It is a valid argument to posit that Clubhouse gathers more data than necessary. This raises privacy concerns for its users. Also, you could run into security threats from other users. However, do your best to make sure you are safe the whole time. Clubhouse is fairly new; hence a lot of regulations do not exist for it now. Nonetheless, the expectation is that its level of privacy will be upgraded with time.