In a previous article, we discussed “Clubhouse: Security and Privacy Issues“.
Clubhouse offers a tool for audio communication that can be used to participate in discussing points of view about different topics and to interact with them. The application also allows much freedom and ease for creating rooms and discussing political, religious, sexuality, and sexual topics, which are taboos in many societies and countries, and that led many users to anonymity and concealing their true identity, by using symbolic pictures instead of personal photos, and fake names in place of their real ones. The question still however is, are hiding personal photos and using fake names guarantee that individuals on Clubhouse are not recognized and their identities are not revealed? Generally, not using personal data and photos in Clubhouse -as well as in other social media platforms- helps people not to be immediately recognized. However, when it comes to how effective it is in protecting the secrecy of accounts owners’ identities, we should talk about the means through which information and data are capable of revealing a Clubhouse -or other social media means- account identity.
Accounts identities pitfalls
As it is the case with other applications and services used by individuals for communication and public space activities, Clubhouse users may expose their data that are stored within their accounts to leaks if they neglected protecting their digital privacy and security. This is true even in the case of using an anonymous or fake account. In the following we mention some pitfalls:
Determining account geographic location: even if some users depend on fake information for creating their Clubhouse accounts; their geographic location may be determined through their device’s IP address, which can be obtained by many methods. By obtaining the IP address, the geographic area from which a device accesses the Internet can be determined. If a government was the targeting party or the ISP was involved, a detailed address can be extracted.
Malicious links, can have different forms and tactics for obtaining users’ data and information, e.g. by sending a malicious link to the targeted account, thus when the victim clicks or interacts with the link the attacking entity can obtain personal data. Malicious links can use fake web pages or use social engineering tactics, and they can also include malware. In other cases, some malicious links can cause leakage of data stored within a browser, like the data used to auto-fill forms in websites.
In advanced espionage, the attacking entity can access all the contents of a device (a phone or a PC) by hacking into it with any of the spying software widely used by governments (e.g. NSO products). This kind of software can lead to remote control of a device, including access to files, photos, GPS, and controlling the device’s camera and microphone.
Accounts and individuals’ identities can be determined by using voice analysis, and voice-print recognition programs and tools. Voice-prints can be compared to ones stored in large databases collected in many ways, especially with the wide spread of audio and video clips on the Internet in general and social media means in particular.
Some entities and governments use their power and relations to access accounts data through tech and social media companies’ employees. As an example, Twitter employees provided the Saudi government with accounts data including those of Saudi dissidents.
On the other hand, some governments communicate with tech companies, like social media ones, to request data and details of many accounts. The cooperation of companies with such requests is subject to each company’s policy in addition to their conviction of the legality of the request.
Can we protect our privacy and anonymity?
Generally speaking, there is no full security on the Internet. All systems and services can be hacked, and the full security of any device or software is unobtainable. We however recommend some tools and behaviors that can help increase privacy and prevent surveillance on the Internet:
- Choosing a password: You should use a strong password that contains symbols, digits, and capital and small letters. We also recommend using one of the password management programs like KeepPassXC.
- Do not register your Clubhouse account by using your accounts in other social networks or services. Create your account yourself.
- Using a phone number other than your basic one can lead to more anonymity, especially if local laws do not require providing personal information to get a SIM card.
- Never interact with any link, compressed file, photo, or video in an SMS or a message received in an illogical context, as a message can arrive from a hacked account of a friend, family member, or public figures.
- Use Internet browser add-ons that help protect against surveillance, like ublock origin – Privacy Badger.
- Use incognito browsing.
- Use TOR browser.
- Activate Two Factor Authentication, on all accounts and platforms that offer it.
- Do not store an account’s sign-in data (user name and password), and personal data within the browser.
- Use VPN on all PCs, phones, and tablets, and on all operating systems (Windows, Mac, Linux, Android, and iOS), with activating Kill Switch feature that disconnects the device from the Internet in case connection to VPN failed or it was not working. The following are some VPN companies whose services can be used:
- Proton VPN – offers free and paid subscriptions.
- TunnelBear – offers free (limited bandwidth) and paid subscriptions.
- Mulvad – paid subscription only.
- NordVPN – paid subscription.
Before using VPN
- Review local laws where you live to make sure it is legal to use VPN.
- In some countries, it is recommended to select a VPN server manually.
We have discussed above some methods and techniques that can be used for revealing accounts and individuals identities on social media networks, either by governments or individuals, the most serious danger however resides in any hacking or data leakage operation which social media companies themselves can be targeted with, especially if the company collects accounts data in one place including account name, phone number, and e-mail address. This is what happened in the last few months when a database containing more than half a billion Facebook accounts data were leaked. The leaked data contained names, phone numbers, and e-mails for the accounts. A few years ago, as well, LinkedIn was subject to a leakage operation where e-mail addresses and passwords of 164 millions accounts were published. Additionally hundreds of hacking and leakage operations occurred, you can find out about them via Have I Been Pwned site.