Joining an audio-only session seems harmless, but Clubhouse’s approach to security makes the platform risky for users. Security experts say that users need to understand the real risks and then build up personal security defenses when using the app.
Brian Kime, a senior analyst of security and risk at Forrester, said that any app that becomes popular quickly is less likely to be built with security in mind.
“We saw this with Parler, where it was pretty easy for people to scrape the entire site’s messages and content,” he said. “And an app that has as much celebrity use as Clubhouse is likely attracting a range of threat actors that would love to get their hands on Clubhouse’s user data.”
“With GDPR, consent has to be freely given, it has to be specific and has to be affirmative,” Henein said. “Clubhouse is on pretty shaky ground and I expect them to have to modernize their privacy language sooner or later.”
Brian Gant, an assistant professor of cybersecurity at Maryville University, said that Clubhouse takes a very aggressive approach to collect user data. Instead of accessing a user’s contact list when the app is in use, Clubhouse proactively uploads an individual’s contact list to its servers when he or she starts using the app.
“At the end of the day, leadership will have to decide how to straddle the line of convenience and making the app well-known as opposed to putting in safeguards for security,” Gant said.
Clubhouse did not respond to emailed requests for comment on these possible security risks. The app’s terms of service were updated on April 5, 2021. References to sharing contact lists are described in terms of “if you chose to share” this information. The terms of service also state that in certain circumstances providing personal data is optional, but if a user chooses not to provide that data, some features of the service will be unavailable.
Jerry Ray, COO of enterprise data security and encryption company SecureAge, said that he sees two types of security risks for people using Clubhouse: The threat of exposure of recorded voice content and the threat of exposure of customer or account ID and associated personally identifiable information.
“In either case, that threat could have come from an exploit of a technical vulnerability within the Clubhouse app or infrastructure, or it could have come from the humans behind the voices, who can record anything their ears can hear by countless analog means, regardless of the Clubhouse feature of preventing recordings within the app or devices running it.”
Nader said the same basic rule about all social media platforms applies to Clubhouse: Be wary of free services.
“It’s one thing to say that you’re giving access to your address book, it’s another thing entirely for an app to siphon that information off into their cloud,” he said.
Here’s why Clubhouse represents a security risk and what you can do to limit your personal attack surface.
Why you should worry about your privacy on Clubhouse
Gant said one red flag is that Clubhouse doesn’t use end-to-end encryption.
“Basically the attack surface has increased tenfold with third-party individuals having the ability to intercept these communications or conduct malicious behavior,” he said.
Gant said the app also has national security risks in the form of intelligence gathering.
“You could potentially have people tracking your actions in the app and that’s a concern, even if it’s just some of the time,” he said.
Even if the company isn’t interested in espionage, Clubhouse sessions could be used to develop user profiles and associated marketing messages. Gartner’s Henein said that audio files of freeform conversations may seem to have little value on the surface, but the data could be used for sentiment analysis.
“As we saw with Cambridge Analytica, innocuous information can be used to influence your decision making,” he said.
Henein said that this information can be used to design spear phishing attacks.
“Most individuals will use the same password on many accounts, so if one of those providers has an issue, you’ve been compromised across the whole thing,” he said.
According to an article on Inc., the Clubhouse terms of service specifies that recordings of the sessions are kept for a short period of time to deal with harassment. If a user reports bad behavior during a session, Clubhouse reviews the session to address the claim.
According to the app’s terms of service, if no incident is reported in a room during a session, Clubhouse deletes the temporary audio recording when the room ends. Also, audio from muted speakers and audience members is never captured, and all temporary audio recordings are encrypted.
Ray said that recordings must be available internally for content review or evidence for actions taken against bad actors to support Clubhouse’s policy of limiting hateful or abusive speech.
“Anything saved on their servers, from content to user info, is potentially vulnerable to data breach,” he said.
Even though the chances are low that audio could be leaked from Clubhouse, the negative impact is real, Ray said.
“Any regret from errant words in email, chat messages, social media commentary, ephemeral message services, Tweets or similar will be amplified to roaring levels through voice,” he said. “We speak more quickly than we can think, and voices are infinitely and indelibly more attributable to people and personalities than typed words.”
Ironically, Clubhouse’s policy of not recording the sessions could make it harder to prove that a manipulated audio clip is fake.
“A fake voice recording made from fragments of recorded content can’t easily be disputed when there’s no evidence of the original,” he said.
Five tips for boosting your security on Clubhouse
Kime said that people who decide that joining a new social media platform is important for their business or their brand should take a few steps to lower the related security risk.
First, don’t log in to an app with a Google, Microsoft, or social media account.
“Sure, it’s easy, but you give access to some of the information associated with that account to the other app and you can’t control how long the app retains that data,” Kime said.
Second, always use a unique password and ensure the app is receiving automatic updates.
Third, Clubhouse invites are sent via text and associated with a particular phone number, and Kime recommends against using your primary phone number to access the service.
“Consider using a secondary phone number, whether via a separate SIM card or a VOIP number like Google Voice, rather than your primary number for apps like this since the app downloads all of your contacts at this moment,” he said.
Fourth, when you’re using Clubhouse, use a headset or earbuds to reduce the chance of the app picking up audio from family and coworkers.
“Since there is no way to go back and edit out background noise, you don’t want your children’s privacy affected,” he said. “While Clubhouse may not be monetizing user data yet, they likely will in the future.”
Finally, assume that everything said to anyone, regardless of the Clubhouse room type they might be in, will be available to the public, according to Ray of SecureAge.
“They should also avoid using the app as a secure communications tool, however tempting that may become as its popularity and feature set grows,” he said. “Leverage the public outreach, targeted audience potential, and real-time thrills for building business, but don’t run business on it.”