In little more than a few months, Clubhouse, the audio-based social media app, has emerged in a disruptive way. Its format seems familiar: a little Twitter, a little LinkedIn, a little phone call to Aunt Concetta. You can talk about everyone and with everyone: a chat about inspiration with your favorite singer, a nice conversation with half the radio world, discussions on politics with the most famous pollsters. It is a bar where many differences break down.
The expansion of Clubhouse, however, dramatically shows the security and privacy shortcomings of this app: they will force the company to take action very soon.
Clubhouse is still in beta and only available on iOS, by invitation. Until recently it only had ONE room. Today it lets its users create rooms as they wish: they are essentially group audio chats. They can be interactive, with a moderator who "calls" people to speak and converse from time to time, or one-way. According to reports, Clubhouse has over 10 million users and a valuation that already exceeds one billion dollars. The still relatively elitist character of the app means that several celebrities populate the rooms, creating a curious mix of entertainment and friendly conversation. What could go wrong?
Security, amigo
Clubhouse has an Achilles heel the size of a house: it affects the amount of privacy that its users should expect and, in general, the security of the entire system. When you experience growth like this, everything increases: the level of exposure, the threats, the number of people "probing" the platform to steal data.
One of the researchers who studied Clubhouse's data leaks explains that the app has no anti-scraping mechanisms. That is, Clubhouse does not have a "shield" against those who want to take conversations, even from multiple rooms, and transmit them elsewhere. Or record them and save them for analysis.
Stanford's security analysis of Clubhouse
Recent security issues related to Clubhouse range from general vulnerabilities to infrastructure questions. Just over a week ago, researchers from the Stanford Internet Observatory put the platform in the spotlight when they discovered that the app was transmitting Clubhouse user IDs unencrypted, meaning a third party could potentially track users' actions on the app. The researchers also pointed out that some of Clubhouse's infrastructure is operated by a Shanghai-based company, and it appeared that the app's data was traveling through China for at least some of the time, potentially exposing users to targeted or even widespread Chinese government surveillance.
Then, a week ago, came the confirmation: Bloomberg confirmed that a third-party website was collecting and compiling audio from conversations in Clubhouse. Earlier Monday, further revelations followed that conversations in Clubhouse had been taken by an unaffiliated Android app, allowing users of that operating system to hear what was being said in real time.
More mature social networks like Facebook have more developed mechanisms to lock down their data, both to prevent violations of user privacy and to defend the data they hold as an asset. But even they may still be exposed to creative scraping techniques.
Clubhouse itself has been scrutinized for the way it encourages the sharing of users' address book data. The app requires you to share your contact list to invite other people to the platform, as the system is invitation-based. This helps create a sense of exclusivity and privacy, sure, but many users have pointed out that the app also makes suggestions based on which phone numbers in your contacts are also in the contacts of the largest number of Clubhouse users. In other words, if you and your friends all use the same florist, doctor (or drug dealer), they may very well appear on your list of suggested people to invite.
From Clubhouse comes a No Comment. For how long?
Clubhouse did not respond to requests made by several outlets to comment on its recent security issues. It detailed the specific changes it intends to make, including cutting transit through Chinese servers and tightening its encryption. Beyond that, there are only generic "guarantees" to prevent problems from occurring (or recurring). In short, the feeling remains that Clubhouse has not adequately thought about its security.
And we haven't considered privacy yet
When you start a new Clubhouse room, you can choose between three settings: a room “open” to any user, a “social” room open only to people you follow, and a “closed” room with limited access. Each has its own (implicit) level of privacy, which Clubhouse should make more explicit.
“I think for public rooms, Clubhouse should make it clearer that 'public' means public for all users, since anyone can join and record, take notes, etc.,” says David Thiel, chief technology officer of the Stanford Internet Observatory. “For private rooms, they can communicate that, as with any communication mechanism, an authorized member can record content and identity.”
And the abuses?
Like any major social network, Clubhouse also has to cope with abuse on its platform. The app's terms of service prohibit hate speech, racism, and harassment (as of November) and the platform offers some moderation features. You can block users, or report them, or report an entire room. The biggest problem with Clubhouse, however, is a general one: people can use the platform without the responsibility of having their content saved. In short, apparently (and only apparently), verba volant. This may encourage some users to make offensive or derogatory comments, in the belief that they are not being recorded and therefore will not face consequences.
But is it really so?
Stanford's Thiel says Clubhouse currently temporarily stores recordings of discussions, in case they are needed for reports of abuse. And this is a snake biting its own tail. Why? If it introduces (as required) end-to-end encryption for data security, it will have a harder time recording. If it has trouble recording, it will have a hard time fighting abuse. Abuse, privacy and data security are interconnected: it will not be easy to reconcile them.
Again: even with encryption, the possibility of any Clubhouse user recording conversations on their own is not eliminated. And that's not something Clubhouse can easily fix.
However, and this must be done as soon as possible, Clubhouse can be transparent about these things, informing users about the conduct to follow. Because Clubhouse looks like that friendly bar where you can suddenly meet a celebrity, but obviously it IS NOT a small, intimate place. And it pays to know how to speak and what to say.
Anyway, setting aside these (significant) security problems, it is a social network that really has a lot of charm. And in fact, with all the necessary precautions and education, I jumped into it. If you are there too and want to have a chat with me, look for Gianluca Riccio on Clubhouse.