Clubhouse(1): Security and Privacy Issues

In this Page:

In March 2020, Clubhouse was launched as one of the startup social media applications, it depends on direct audio communication only. The application acquired wide attention in many countries and communities, especially after Elon Musk joined it in last January. Now, around half a million rooms are created on the application every day.

As other social media means, Clubhouse faces basic issues concerning security and privacy. This issue is justified when it comes to Clubhouse for the importance of topics presented and discussed through it, which never lacks political, religious, gender, and sexual conversations which are taboos in many countries and societies.

Before talking about security and privacy issues in Clubhouse, it is important to point out the positive step taken by the application in last July, when it canceled its invitations system. Clubhouse has concluded its beta stage, that lasted since it was launched in March 2020 till July 2021, where joining the application required receiving an invitation from one of the application’s accounts, requiring sharing all the contacts on a phone with Clubhouse to be able to send an invitation. Such contacts may include name, phone number, and additional information like work, e-mail, and even home address. Now, as the application became open and the invitations system is canceled, it is no longer necessary to share contacts with the application.

Invitation to join the application

Before launching the latest release of the application, where the invitations system was canceled, the application acquired more than 30 million users. All these accounts publicly included the name/account that made the invitation for someone in the “Nominated by” field. This may cause security, social or cultural problems for either party, due to the stances or statements of the other party within the application, whose location conditions may allow more freedom of expression, especially considering the security and social mentality prevailing in some countries and societies. This led many persons to communicate with the company asking for the link to those who invited them to be removed after some of them were subjected to harassment because of opinions voiced by those who invited them to the application. The company was responsive to some of the requests but not to the others.

Who do we follow, and who follows us

The application needs a number of factors to determine which rooms should be visible for users when they sign in, most importantly are the persons, accounts, or clubs one follows. This procedure is similar to Twitter.

The lists of accounts and clubs users follow are public in Clubhouse, anyone can see them, and the application does not allow hiding the lists or controlling access to them, which may expose the account owner to social or security harassment, as happened before with Soha (fake name), an activist who was questioned by a security agency in Syria because of her following of Facebook accounts and pages which are critical of the regime.

Who listens to what

One of the publicity means Clubhouse uses for promoting available or active rooms is sending notifications to accounts following users when they join a room. Additionally, the application has a page that lists all active accounts and the rooms their owners are in at the time. This information is available for everyone mutually following the account.

This is completely different from browsing Facebook for example, as one may access any page or public group and read posts and conversations without his/her friends knowing about this activity. It is also the same with Twitter and Instagram.

This prevents many from joining rooms with controversial titles, whether political, religious, or sexual, as the general idea is that joining a room means approving its title and whatever is said in it, or at least being interested in the topic or the title. This actually is not necessarily the case however, many thus are led to create accounts with fake names so that they can join any room without being embarrassed, ashamed, or questioned.

Weak account protection

Creating a Clubhouse account depends on phone number, as activating an account and verifying its ownership is done by sending a code in an SMS to the phone number. This is also the case when trying to sign-in to the account from a new device. The fact that the application is satisfied with a code sent through SMS for signing-in into an account, is not a good policy at all. It may cause accounts to be easily pirated, as there are many ways for obtaining the code sent to the phone number by hackers. It is also possible to obtain a line sim chip with the same number (SIM swapping), depending on social engineering and other methods like involving a phone company employee. Something similar did happen to Jack Dorsey, Twitter CEO, whose Twitter account was hacked in 2019.

Texting within the application

In mid-July, Clubhouse added the option of texting within the application, which had a wide popularity. The company has mentioned that more than 90 million text messages were sent in the first week after activating the feature.

This feature, while important, is considered as an unsafe communication mean, for several reasons:

  • All exchanges are stored on the company’s servers.

  • Communication system does not use End-to-End encryption, which means the company can access and read exchanged contents.

  • So far the application does not offer the possibility of deleting any of the in or out messages.

  • The application only requires SMS for verifying account identity when signing-in. As mentioned above, this leads to issues concerning securing devices whether in case of hacking or successful activation of the same phone number on a different device.

Recording sessions conversations

There are two kinds of session recording in Clubhouse:

  1. Recording by participants: The application requires the approval of all speakers in a room before recording part or all of the session’s content. However, hundreds, even thousands of records of Clubhouse sessions are everywhere on social media. Technically, however, Clubhouse can’t prevent recording rooms or sessions contents.

  1. Recording by the company: The company records all sessions, including private ones, and keeps this till the end of the session. According to the company, this is for inspecting the contents in case one attendant filed a complaint about a violation committed within a room, otherwise, the record is discarded.

The company however did not explain if it might use records for any other purpose, like voice recognition technologies, or if it will share records with third parties. The company’s policy does not mention how long a record is kept in case of a complaint.

Fake copies

Since Clubhouse was launched in March 2020, and till May 2021, the application was only available for iOS devices, and wasn’t available for Android ones. The lack of an Android version, while Clubhouse made its API available, made it possible to develop unofficial versions of the application for Android devices, as well as the PC. Many users who do not have iPhone devices used unofficial versions of the application making their devices, data, and conversations vulnerable to hacking.

What steps Clubhouse should take to enhance security and privacy?

Although Clubhouse is a startup application and the company responsible for it is a small one considering human resources, as the number of its employees is about 58 persons, but as the application is widely popular, which can’t be separated from the nature of topics and conversations made through it; the company is required to focus more on security and privacy aspects of the application which should include:

Ceasing to activate accounts by phone number

With the beta version over, and making the application public by canceling the invitations system, the company should stop linking accounts to phone numbers, and allow registration with an e-mail address, while keeping registration with phone number optional, as is the case with Wire for example, which will facilitate not revealing the identity of accounts, especially in case company’s data is leaked.

Increasing privacy

This is by adding settings within the account allowing users to control:

  • Showing/hiding who invited them to the application.

  • Showing/hiding the accounts they follow, and those following them.

  • Controlling sending/not sending notifications about the room they join.

  • Controlling showing/not showing the rooms they join.

Protecting accounts from hacking

Clubhouse should increase the security of the sign-in process by adding or making Multi-Factor Authentication available so that the account owner can add a password, secret code or additional verification means besides the code sent by SMS. Such system is available in messaging applications like Signal and Whatsapp.

Making texting within the application more secure

Texting within the application is undoubtedly a very important and necessary feature, but Clubhouse should use a more secure messaging system through an Open Source encryption protocol that encrypts messages end-to-end, with allowing messages deletion.

Handling technical problems

The company should work on getting rid of unofficial copies of the application, whether they work on phones, PCs, or 3rd party platforms, as they allow access to rooms and accounts data from outside the application. It already happened last April that data of 1.3 million accounts were collected and published.

At last, it should be noted that Clubhouse is a social media platform, it is not a safe communication tool. It is not designed for this purpose in the first place. It also does not satisfy the minimum requirements of security and privacy, as the company is able to access the contents of public and private audio conversations, as well as textual messages. Additionally, any attending person can record and publish a session with no knowledge or approval of the speakers.

One more aspect that has nothing to do with the company, the nature of Clubhouse operation depending on audio rooms and chat, is considered a very important source for companies and individuals for collecting a large number of voices, which easily allow Machine Learning for voice recognition, which in turn can easily be used in Deep Fake operations for a person, and can be abused or cause security and social problems, especially with rapid technical evolution, that uncovering such forgery would become so difficult.