In just a few months, Clubhouse, the audio-based social media app, has emerged in a disruptive fashion. Its format seems familiar: a bit Twitter, a bit LinkedIn, a bit phone call to Aunt Concetta. You can talk about, and with, everyone: a chat about inspiration with your favorite singer? A nice conversation with half the radio world, comparisons on politics with the most famous pollsters? A bar where many differences break down.
The expansion of Clubhouse, however, dramatically shows the security and privacy deficiencies of this app: they will force the company to run for cover very soon.
Clubhouse is still in beta and only available on iOS, by invitation. Until recently it had only ONE room. Today it offers its users the possibility of creating them at will: these are essentially group audio chats. They can be interactive, with a moderator who from time to time "calls" on people to talk and converse, or one-way. According to reports, Clubhouse has over 10 million users and a valuation that already exceeds a billion dollars. The still relatively elitist character of the app draws several celebrities to the rooms, creating a curious mix of entertainment and friendly conversation. What could go wrong?
Clubhouse has an Achilles heel as big as a house: it affects the amount of privacy that its users should expect, and in general the security of the entire system. When you experience such growth, everything increases: the level of exposure, the threats, the number of people "probing" the platform to steal data.
One of the researchers who studied Clubhouse's possible data leaks explains that the app doesn't have anti-scraping mechanisms. That is, Clubhouse does not have a "shield" against those who want to take conversations, even from multiple rooms, and transmit them elsewhere. Or record and save them for analysis.
Stanford's Clubhouse Security Analysis
Recent Clubhouse-related security issues range from general vulnerabilities to infrastructure questions. Just over a week ago, researchers from the Stanford Internet Observatory put the platform in the spotlight when they found that the app was transmitting Clubhouse user IDs unencrypted, meaning a third party could potentially track users' actions in the app. The researchers further pointed out that part of the Clubhouse infrastructure is managed by a Shanghai-based company and it appeared that the app's data had been traveling across China for at least some time, potentially exposing users to targeted or even widespread Chinese government surveillance.
Then, a week ago, came the confirmation: Bloomberg confirmed that a third-party website was collecting and compiling audio from Clubhouse conversations. Earlier on Monday, further revelations followed that conversations on Clubhouse had been tapped from an unaffiliated Android app, allowing users of that operating system to hear what was being said in real time.
More mature social networks like Facebook have more developed mechanisms to lock down their data, both to prevent violations of user privacy and to defend the data they hold as an asset. But even they may still have potential exposures to creative scraping techniques.
Clubhouse itself has been scrutinized for its tendency to encourage users to share their address-book data. The app requires you to share your contact list to invite other people to the platform, since it is an invitation-based system. This helps create a sense of exclusivity and privacy, sure, but many users have pointed out that the app also provides suggestions based on which phone numbers in your contacts are also in the contacts of the most Clubhouse users. In other words, if you and your friends all use the same florist, doctor (or drug dealer), they could very well show up on your recommended invite list.
From Clubhouse comes a No Comment. For how long?
Clubhouse did not respond to requests made by several outlets to comment on its recent security issues. It detailed the specific changes it intends to make, including cutting routing through Chinese servers and tightening its encryption. Beyond that, little more than generic "guarantees" to prevent problems from occurring (or recurring). In short, there is still a feeling that Clubhouse hasn't thought properly about its security.
And we haven't considered privacy yet
When starting a new Clubhouse room, you can choose between three settings: a room "open" to any user, a "social" room open only to the people you follow and a "closed" room with limited access. Each has its own (implicit) level of privacy, which Clubhouse could make more explicit.
"I think for public rooms, Clubhouse should better understand that 'public' means public for all users, since anyone can participate and register, take notes, etc.," says David Thiel, chief technology officer of the Stanford Internet Observatory. "For private rooms, they can communicate that, as with any communication mechanism, an authorized member can record content and identity."
And the abuses?
Like any major social network, Clubhouse also has to cope with abuse on its platform. The app's terms of service prohibit hate speech, racism and harassment (starting from November) and the platform offers some moderation features. You can block users, or report them, or report an entire room. The biggest problem with Clubhouse, however, is general: people can use the platform without the accountability that comes from their content being saved. In short, (apparently) verba volant. This may encourage some users to make offensive or derogatory comments, in the belief that they are not being recorded and therefore will not face consequences.
But is it really so?
Stanford's Thiel says Clubhouse currently stores recordings of discussions temporarily, in case they are needed for reports of abuse. And this is a snake biting its own tail. Why? If it introduces (as required) end-to-end encryption for data security, it will have a harder time recording. If it has trouble recording, it will have a hard time fighting abuse. Abuse, privacy and data security are interconnected: it will not be easy to reconcile them.
Again: even with encryption, the possibility of any Clubhouse user recording conversations on their own is not eliminated. And that's not something Clubhouse can easily fix.
However, Clubhouse can, and must as soon as possible, be transparent about these things, informing users of how they should conduct themselves. Because Clubhouse looks like that friendly bar where you can suddenly meet a celebrity, but of course it is NOT an intimate and confined place. And it pays to know how to speak and what to say.