How to Use Clubhouse, the Audio-Only, By-Invite App, Without Giving Up All of Your Data
The popular social media platform has sparked concern from privacy and security experts. Here's how to protect yourself.
The buzzy social-networking app Clubhouse has been scrambling in recent weeks to respond to concerns from privacy and security experts about how the service collects and safeguards user data.
And yet, as the company works to fix the problems, it continues to attract new fans. Since launching last April, Clubhouse has exploded in popularity, exceeding 8 million downloads worldwide, according to the mobile analytics firm App Annie.
While some people use the platform to interact with friends, others are drawn to packed virtual conversations led by celebrity users such as Drake, Kevin Hart, Jared Leto, and Oprah Winfrey.
Unlike Facebook, Instagram, and Twitter, Clubhouse is audio-only, allowing anyone with an iPhone (there's no Android app) and an invitation from another user to join discussions on various topics in virtual rooms. The subject matter ranges from political headlines to musicals to bitcoin and beyond. To see what's happening, you simply click on a calendar icon.
What About Others Sharing Your Number?
You can use Clubhouse without providing access to your contact list as long as you don’t plan to invite anybody to the app. But that doesn’t stop other users from uploading your phone number along with their contact lists—and that’s become a sore spot for people who don’t even use the app.
Whitney Merrill, a privacy attorney, says she never offered Clubhouse her phone number, yet the company has it due to a friend. “It’s not possible to consent on behalf of people whose information is being shared,” she says. She is currently trying to get her information removed under the California Consumer Protection Act.
Clubhouse is gathering more contact information than necessary for functionality, Merrill contends. “It doesn't look like it's sharing for the purposes of facilitating the invite,” she says. “It's sharing to create a social network graph . . . that then surfaces to the user how many of your potential invite friends or contacts might be already on the platform.”
Are Clubhouse Discussions Recorded?
By default, Clubhouse rooms are open and public, though you can join or start a social room to talk to people you follow or a closed room to chat with specific people.
But much like public streams on YouTube, Twitch, and other social media platforms, audio from the public and private rooms on the app could potentially be recorded by participants.
In fact, this past weekend a user who has since been banned from Clubhouse streamed audio feeds from multiple rooms into their personal website.
What Information Can Other Users See?
If you don't have an invite to join Clubhouse, you can download the app and put your name on a waitlist. That alerts people who have your phone number on their contact list that you want in.
When you join Clubhouse, your profile is public. It includes your name, the name of the person who invited you in (with a link to their profile), the day you joined, your bio (if you add one), any groups you’re a member of, and, should you choose to add them, links to your Twitter and Instagram accounts.
Clubhouse requires people to use their legal name, but you can make a correction to your name and add a “creator alias,” such as a stage name, alongside your legal name if you’re a public figure. You can make each of those changes only once.
If You Block Someone, What Can They See?
When you block another user, it keeps them from seeing or joining rooms you create, moderate, or elect to speak in. If a blocked user is speaking in a room, Clubhouse hides the room from your feed but lets you know at the bottom of the feed that the room exists. And if a user has been blocked by many people in your network, you’ll find a warning icon on their profile.
But anyone you block can still see your profile, including your bio, your followers, the people you follow, and the groups you’re in—information that could prove useful to someone determined to harass you.
“In theory, an abuser can go and target a survivors’ acquaintances, other people they follow,” says Zadegan. “You should be able to block somebody and have your profile completely disappear.”
Whether a user is blocked or not, moderators can mute or remove speakers. Clubhouse will also let you know if you end up in a room with a person others in your network have blocked.
You can report rule violations to Clubhouse, too. (If you do it during a session, the audio recorded can be used in an investigation.) Clubhouse may respond with a warning, restrictions, or action against the account (temporary or permanent). It may even contact law enforcement.
How Secure Is Clubhouse?
While Clubhouse has resolved some security issues, others remain.
On Feb. 12, the Stanford Internet Observatory said it had determined that Clubhouse was transmitting user IDs and channel IDs in plain text to Agora, a Shanghai-based software service company, allowing eavesdroppers to see which users were talking to one another. In its latest update, Clubhouse issued a fix that halted that practice.
Brian Pak, CEO of the cybersecurity R&D startup Theori, reviewed the code changes and noticed a few other tweaks, too. Clubhouse had turned on geofencing to limit users to servers in specific regions—excluding mainland China, for example. It also took steps to enable encryption that would limit Agora’s access to raw audio data, though the platform will need to take an additional step (assigning encryption keys for each channel) for this to happen.
Those are welcome developments, Pak says. They’re also services offered by Agora all along.
“It seems that Clubhouse did not thoroughly review the Agora documentation, since neither encryption nor geofencing were configured by Clubhouse,” says Pak. While that isn’t necessarily malicious, it does show that security was not a top priority, he adds.
Jack Cable, a researcher at Stanford Internet Observatory, reviewed the network connections and says that while Clubhouse no longer appears to be routing traffic through servers in mainland China, it was still pinging Hong Kong as of Feb. 19.
For the moment, the encryption stops the data from being transmitted in plain text between Clubhouse and Agora servers, and geofencing likely keeps it from passing through networks in mainland China.
"We don't operate in China and no data is transmitted or stored in China," the Clubhouse spokesperson said.
But Agora currently still has access to metadata, raw audio data, and the encryption keys.
“For everyday users who are having intentionally public conversations on Clubhouse, it's not necessarily a huge concern,” says Cable. That said, he doesn’t recommend using Clubhouse for sensitive conversations, particularly if you’re concerned about information landing in the hands of the Chinese government, which has the power to compel Agora to intercept live communications or release data.