Clubhouse Security and Privacy | Avast

Seemingly overnight, a new social network — Clubhouse — is popping up everywhere. On January 31, Elon Musk tweeted that he would be on Clubhouse. On February 10, The New York Times reported that Facebook is already looking to build a Clubhouse competitor. Even The Economist has taken notice of Clubhouse.

At the time of writing, it was already the number six free social networking app in the App Store. For a bit of context, Facebook Messenger comes in at number two, WhatsApp at number three, and Telegram at number seven.

Clubhouse is an audio-only social media app that lets users join in rooms, either with friends or strangers. Rooms are often themed by a specific topic.

Any new social media app can raise concerns about security and privacy. This post is meant to give you a quick, meaningful overview of Clubhouse’s safety, security, and privacy, so you can better understand its key features and make an informed decision on whether or not to join.

In a nutshell, Clubhouse asks for and gathers less information than other popular social media apps and has a number of safety features. Additionally, it has a seemingly robust response framework for moderating and dealing with disruptive, harassing members. To use Clubhouse effectively and more safely, you should understand the importance of who you follow and the role of moderators in rooms, as explained below.

First, something for parents: It’s important to understand that, at the time of this writing, Clubhouse is not intended for anyone under 18, period. Clubhouse is very explicit about this in their documentation. That being said, there is no age checking nor content or topic filters present in the app. That’s important to note because there are a number of adult topic rooms, and because you’re talking with rooms full of strangers. With these things in mind, no matter how much your kid may want to join because it’s trending, you should not let them.

Getting started with Clubhouse

Clubhouse is currently an invitation-only platform. In order for new members to join, existing members need to send invitations in the form of an SMS message from the app. When you join, you’ll enter your phone number, be asked if you want to import your Twitter profile, choose a username, and choose a photo. During this process, the app will also ask you to allow notifications and grant it access to your contacts.

Finally, you’re asked to pick some interests which will be used to help Clubhouse suggest “rooms” relevant to your selections. 

How Clubhouse works

Once you’ve started up the app, you’ll find yourself on the home screen, which is also referred to as the “feed,” “hallway,” “all rooms screen,” or “lobby” (more details can be found in the New User Guide). The home screen displays a number of interest-themed “rooms” that are currently active. It also gives you the option to start a room.

As mentioned, Clubhouse’s central concept revolves around these “rooms.” People in rooms are divided into “moderators” (who control the room), “speakers” (who can talk in the room) and “listeners” (who can only hear). There are three types of rooms: “open” (open to anyone), “social” (limited to those the moderators follow), and “closed” (limited only to explicitly added members). Open, themed rooms can display their topics as a way of allowing others to find them.

An important thing to note is how Clubhouse uses a “circle of trust” model for their social rooms, meaning that trust is transitive: If Alice trusts Bob and Bob trusts Carol, then Alice trusts Carol as well. This means that it’s very important to pay attention to who you follow (and thus trust) if you’re going to use social rooms.

When you join a room for the first time, Clubhouse will ask you to enable your microphone. You can enter rooms with a disabled mic but not start them. Once you enter a room, you’re categorized as a listener and aren’t able to speak. To speak, you have to first be made a speaker by one of the room’s moderators. You can do this by clicking the “raise hand” icon in the room to attract the moderators’ attention and ask them to make you a speaker. Once you become a speaker, you can talk and interact with others (until you or a moderator returns you to a listener role). This controlled speaker model helps prevent people from disrupting the room by controlling the ability to speak and giving moderators the ability to quickly shut down (and even eject) disruptive speakers.

The moderator plays a key role in rooms. Each room starts with a single moderator, and he or she can then additionally grant the moderator role to anyone in the room. Any moderator can speak, add, mute, and remove other speakers as well as block, remove, and report others in the room. 

Essentially, moderators run their respective rooms, and any and all moderators have equal power, including the ability to make new moderators. This means that if you start a room, you want to think carefully about who you make a moderator. 
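The social-room and moderator rules described above, as a small added model (not Clubhouse's code and not part of the original post). It assumes a social room admits exactly its moderators and the people they follow, and treats everyone admitted as present; the follow graph, names, and class are constructed for illustration.

```python
# Simplified model of a "social" room, built only from the rules in the text.
# Assumption: admitted == moderators plus everyone any moderator follows.

FOLLOWS = {  # who each member follows (constructed sample data)
    "alice": {"bob"},
    "bob": {"carol"},
    "carol": {"dave"},
    "dave": set(),
}


class SocialRoom:
    def __init__(self, creator, follows):
        self.follows = follows
        self.moderators = {creator}  # each room starts with a single moderator

    def admitted(self):
        """Members allowed in: the moderators plus everyone any moderator follows."""
        allowed = set(self.moderators)
        for mod in self.moderators:
            allowed |= self.follows.get(mod, set())
        return allowed

    def promote(self, by, member):
        """Any moderator may grant the moderator role to someone in the room."""
        if by not in self.moderators:
            raise PermissionError(f"{by} is not a moderator")
        if member not in self.admitted():
            raise PermissionError(f"{member} is not in the room")
        self.moderators.add(member)


def worst_case_reach(creator, follows):
    """Everyone admitted if each admitted member is promoted in turn."""
    room = SocialRoom(creator, follows)
    while True:
        candidates = room.admitted() - room.moderators
        if not candidates:
            return room.admitted()
        for member in sorted(candidates):
            # All moderators have equal power, so any of them can promote.
            room.promote(sorted(room.moderators)[0], member)
```

In this model Alice's room initially admits only Bob, but one promotion of Bob admits Carol, whom Alice never followed; `worst_case_reach` shows how far repeated promotions can extend the room.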

Moderators also have the ability to limit “hand raising” in the room to those followed by speakers only, or turn it off entirely.

Clubhouse rooms are like an audio-only Zoom call, but with more moderator control than most Zoom calls. This means that some smaller rooms are more like group calls, and very large rooms, especially the topic-themed ones, are almost like a podcast and talk radio show hybrid.

The Clubhouse profile

Your Clubhouse profile provides single-stop shopping for the information that you choose to share about yourself with others, as well as the information you can get on other members. All profiles are fully visible to all Clubhouse users; there are no controls to hide your profile or specific data in the profile from others.

Notably, Clubhouse profiles don’t advertise location. There’s your display name, your username, the number of people you follow and the number of followers you have, a short bio, and links to your Twitter and Instagram channels (although it’s not sharing content with or from either network). Your profile also displays your join date as well as who invited you to the platform.

If you’d like to check out another member’s shortened profile, you can do so by clicking on their icon within a room.

Is Clubhouse safe?

In its documentation, Clubhouse often talks about the importance of safety. This is borne out by the fact that they have a separate safety guide which details their features for blocking users and reporting incidents.

Any Clubhouse user can block or report another user. You can click on anyone’s profile in a room and the options below will be displayed.

In addition, even if someone has left the room, you can still report a recent speaker when you click the three dots in the upper right of the room.

Clubhouse also says in their documentation that you can report an incident after a room has ended using the gear icon in your user profile.

As noted earlier, moderators for rooms have a number of safety tools at their disposal. Most importantly, Clubhouse makes clear in their documentation their expectations that moderators will be active and responsible for the quality and safety of the rooms they host.

What about Clubhouse’s privacy?

An important point about Clubhouse’s privacy that also relates to safety is the recording of audio in rooms. Clubhouse says in their privacy policy:

“Solely for the purpose of supporting incident investigations, we temporarily record the audio in a room while the room is live. If a user reports a Trust and Safety violation while the room is active, we retain the audio for the purposes of investigating the incident, and then delete it when the investigation is complete. If no incident is reported in a room, we delete the temporary audio recording when the room ends. Audio from (i) muted speakers and (ii) audience members is never captured, and all temporary audio recordings are encrypted.”

In plain terms: The audio content of rooms is deleted as soon as the room ends, unless there is an incident investigation.

It’s also notable that, unlike other social media apps, Clubhouse does not utilize iPhone’s location services. The only location information they obtain, as their privacy policy says, is “a rough estimate of your location from your IP address”.

Clubhouse does not request permission to access your camera or photos. Since it’s an audio app, this should be expected, but because many social media apps ask for these permissions anyway, it’s notable.

As noted earlier, Clubhouse does request permissions for your microphone so you can speak. It will also request permission to access your calendar if you choose to use the feature to create reminders for upcoming rooms you’re interested in.

Finally, it requests permission to access your contacts if you want to share invitations. When you send an invitation, the app looks through all of your contacts and displays people your non-member contacts may know who are using Clubhouse. This is likely done by cross-referencing other Clubhouse members’ shared address books and meant to encourage you to share with those who would already know people on Clubhouse. This can certainly be seen as an unsettling “feature”.

There is no specific provision in their privacy policy for questions that European users may have surrounding GDPR. In the “International Users” section of their policy, it states: 

“By using our Service, you understand and acknowledge that your Personal Data will be transferred from your location to our facilities and servers in the United States, and where applicable, to the servers of the technology partners we use to provide our Service.”

In other words: by using their service, United States privacy laws apply.

Clubhouse doesn’t explicitly state where it stores user data, but the above would imply the United States.

They do include provisions to comply with the California Consumer Privacy Act (CCPA) with guidance for how California residents can exercise their rights under the act.

They clearly state that the company “does not sell your Personal Data.” They indicate that they use data to improve the service and will share it with vendors and third parties that “assist us in meeting business operations needs.” In practical terms, it appears they use data for their needs but don’t use it in conjunction with other sites and services.

Clubhouse’s security

Because Clubhouse has limited access to your phone, the security risks it poses to the data on your device are somewhat decreased. Clubhouse has no access to your location information, camera, or photos. This means that what could happen with a security problem is limited to your contacts, calendar, and microphone.

That said, there was a report in Turkish media of a security issue that enabled people to join rooms without showing themselves and bypass the moderator controls, enabling the intruder to potentially disrupt the rooms akin to “Zoombombing.” This appears to have been the result of manipulating the Clubhouse services directly. There is no official information about this from Clubhouse, but the article indicates that they’re aware and working on the issue. This highlights the potential types of security issues that Clubhouse may face moving forward.

In conclusion

Clubhouse is a new app that’s taking off, likely due to the fact that it has identified a social gap: voice-only gatherings. In a world where people are tired of Zoom video meetings, this can be appealing. Clubhouse rooms are also similar to the radio or podcasts, in that you can listen to them while doing other things. In fact, Clubhouse’s community standards guide encourages people to “Enjoy multitasking…people are often doing other things while they Clubhouse!”

Compared to other social media apps, Clubhouse is notable for strictly adhering to the idea of “least privilege” in terms of the permissions it requests and how user data is handled. The app has made safety, moderation, and incident response key principles and features from the outset, which significantly sets it apart from other social media apps and platforms.

Most importantly, Clubhouse is simple to use and embodies some key, simple safety, security and privacy concepts for safer use.

*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: