Questions about Clubhouse security, privacy just keep adding up
For an invite-only social media app, Clubhouse sure seems to be dealing with a lot of data protection issues.
The app, where users congregate in “rooms” for audio-only conversations, has attracted more than 10 million reported downloads, with a range of big names signing up. With that sudden prominence, though, researchers and frustrated users have articulated concerns about a number of security issues in the app, catapulting Clubhouse into a club of startups that dealt with an influx of interest before ironing out major security issues, a group that includes Zoom and established social media companies.
Former Clubhouse users complained on Twitter and to Mashable on Tuesday about the difficulty of deleting their account, an issue that contributed to safety concerns for people who would be at risk if they mixed their personal and professional lives.
Sex workers, for instance, have historically encountered abuse, harassment and employment discrimination in instances when aspects of their private lives are made public. The issue is particularly acute on Clubhouse, where users must agree to share their list of contacts with the app in order to invite a friend. Even users who declined to share their contacts with the app could have identifying information exposed in the event that one of their contacts authorizes Clubhouse to access their information.
The result has been to inadvertently out sex workers and then make it difficult for affected parties to delete their accounts, and thus protect themselves, as Mashable reported.
Clubhouse did not immediately respond to a request for comment on this story.
Revelations about difficulties in the account deletion process surfaced weeks after researchers from Stanford University discovered that Agora Inc., a Shanghai-based provider of engagement software, transmitted Clubhouse users’ ID numbers and chatroom ID details, though not their usernames, in plaintext. The discovery meant that Agora would have had access to some raw Clubhouse audio files and, as a China-based company, could be required to provide that information to the communist government.
As a result of the findings, the firm told Stanford researchers it would build in “additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers.”
The episode is reminiscent of the way the video-conferencing provider Zoom routed free calls through servers in China, providing Beijing with an avenue to gather information about the conversations and participants.
While Zoom later apologized and changed its procedures, that company also came under intense scrutiny for security shortcomings at the onset of the COVID-19 pandemic, when adoption skyrocketed by roughly 470%, according to the company. Zoom adoption grew by more than 800% over the past three years, according to an external analysis from Okta.
Security researchers also noticed a software flaw that allowed users to stream content from the Clubhouse app to their website, an issue the app later told Bloomberg it would address with additional “safeguards.”
Update, March 4, 5:15pm ET: This story has been updated to include more specific figures about Zoom’s adoption rates in 2020, and mention that the company also changed its procedures regarding the transfer of data through Chinese servers.