The buzzy social-networking app Clubhouse has been scrambling in recent weeks to respond to concerns from privacy and security experts about how the service collects and safeguards user data.

And yet, as the company works to fix the problems, it continues to attract new fans. Since launching last April, Clubhouse has exploded in popularity, exceeding 8 million downloads worldwide, according to the mobile analytics firm App Annie.

While some people use the platform to interact with friends, others are drawn to packed virtual conversations led by celebrity users such as Drake, Kevin Hart, Jared Leto, and Oprah Winfrey.

Unlike Facebook, Instagram, and Twitter, Clubhouse is audio-only, allowing anyone with an iPhone (there's no Android app) and an invitation from another user to join discussions on various topics in virtual rooms. The subject matter ranges from political headlines to musicals to bitcoin and beyond. To see what's happening, you simply click on a calendar icon.

“You can drop into a conversation about some specific medical news and potentially talk to a professor who is one of the leading minds in that field,” says Bryant Zadegan, a Clubhouse user who also moderates Reddit’s relationship-advice subreddit.

In the end, Clubhouse has a lot to offer, but is it worth the potential privacy and security trade-offs?  

Privacy advocates have raised questions about the contact data the app gathers from users’ smartphones and the difficulty in concealing their biographical information from public view. It's also important to note that none of the discussions on the platform are really private; other users might be listening and could also be recording them.

And not long ago researchers from the Stanford Internet Observatory unearthed troubling weak spots in Clubhouse's security protocols, particularly during data transmission.

"At Clubhouse, we care deeply about protecting our community," a company spokesperson said via email. "User privacy and security is a top priority at Clubhouse and we continue to invest in security resources, operate a bug bounty program in collaboration with HackerOne, and collaborate with the broader security and privacy community."

Clubhouse has addressed some concerns, but others remain. Here’s a closer look at what you need to know before joining the platform.

Do You Have to Share Your Contact List?

You don’t have to give Clubhouse access to every single contact in your phone to use the app, but doing so is the only way you can invite other users to Clubhouse.

Once you agree, the app shows you which of your contacts are using the app and how many friends they each have on the platform. Contacts who have the highest number of friends not on Clubhouse are listed first.

Sharing your contact list with Clubhouse also lets the company nudge you to welcome people you know when they join the platform by creating an audio room for the occasion. Be careful: It’s easy to accidentally click to join the room, which might be a problem if your contact list includes mere acquaintances, frenemies, and people whose numbers are in your phone because you’ve chosen to block them.

If you've already shared your contacts, the Clubhouse spokesperson says you can revoke access to the list using the settings app on your iPhone and contact Clubhouse support to delete all previous data. (You can also contact Clubhouse at support@joinclubhouse.com to delete an account, a feature the company says will be available directly within the app in the future.) 

What About Others Sharing Your Number?

You can use Clubhouse without providing access to your contact list as long as you don’t plan to invite anybody to the app. But that doesn’t stop other users from uploading your phone number along with their contact lists—and that’s become a sore spot for people who don’t even use the app.

Whitney Merrill, a privacy attorney, says she never offered Clubhouse her phone number, yet the company has it due to a friend. “It’s not possible to consent on behalf of people whose information is being shared,” she says. She is currently trying to get her information removed under the California Consumer Protection Act.

Clubhouse is gathering more contact information than necessary for functionality, Merrill contends. “It doesn't look like it's sharing for the purposes of facilitating the invite,” she says. “It's sharing to create a social network graph . . . that then surfaces to the user how many of your potential invite friends or contacts might be already on the platform.” 

Are Clubhouse Discussions Recorded?

By default, Clubhouse rooms are open and public, though you can join or start a social room to talk to people you follow or a closed room to chat with specific people.

But much like public streams on YouTube, Twitch, and other social media platforms, audio from the public and private rooms on the app could potentially be recorded by participants.

Doing so without the consent of Clubhouse and all speakers does violate the company’s terms of service. But Clubhouse’s privacy policy states that it “cannot control the actions of users on the platform, who may seek to use third party apps or devices to record, store, or share content or communication without other users' prior consent.”

In fact, this past weekend a user who has since been banned from Clubhouse streamed audio feeds from multiple rooms to their personal website.

Clubhouse records audio, too. In its privacy policy, it states that users consent to having audio temporarily recorded in case the company has to look into reports of a community standards violation. Clubhouse says the audio is deleted immediately after a session if there is no incident reported or immediately after an investigation is completed.

What Information Can Other Users See?

If you don't have an invite to join Clubhouse, you can download the app and put your name on a waitlist. That alerts people who have your phone number on their contact list that you want in.

When you join Clubhouse, your profile is public. It includes your name, the name of the person who invited you in (with a link to their profile), the day you joined, your bio (if you add one), any groups you’re a member of, and, should you choose to add them, links to your Twitter and Instagram accounts.

Clubhouse requires people to use their legal name, but you can make a correction to your name and add a “creator alias,” such as a stage name, alongside your legal name if you’re a public figure. You can make each of those changes only once. 

If You Block Someone, What Can They See?

When you block another user, it keeps them from seeing or joining rooms you create, moderate, or elect to speak in. If a blocked user is speaking in a room, Clubhouse hides the room from your feed but lets you know at the bottom of the feed that the room exists. And if a user has been blocked by many people in your network, you’ll find a warning icon on their profile.

But anyone you block can still see your profile, including your bio, your followers, the people you follow, and the groups you’re in—information that could prove useful to someone determined to harass you.

“In theory, an abuser can go and target a survivor’s acquaintances, other people they follow,” says Zadegan. “You should be able to block somebody and have your profile completely disappear.”

Whether a user is blocked or not, moderators can mute or remove speakers. Clubhouse will also let you know if you end up in a room with a person others in your network have blocked.

You can report rule violations to Clubhouse, too. (If you do it during a session, the audio recorded can be used in an investigation.) Clubhouse may respond with a warning, restrictions, or action against the account (temporary or permanent). It may even contact law enforcement. 

How Secure Is Clubhouse?

While Clubhouse has resolved some security issues, others remain.

On Feb. 12, the Stanford Internet Observatory said it had determined that Clubhouse was transmitting user IDs and channel IDs in plain text to Agora, a Shanghai-based software service company, allowing eavesdroppers to see which users were talking to one another. In its latest update, Clubhouse issued a fix that halted that practice.

Brian Pak, CEO of the cybersecurity R&D startup Theori, reviewed the code changes and noticed a few other tweaks, too. Clubhouse had turned on geofencing to limit users to servers in specific regions—excluding mainland China, for example. It also took steps to enable encryption that would limit Agora’s access to raw audio data, though the platform will need to take an additional step (assigning encryption keys for each channel) for this to happen.

Those are welcome developments, Pak says. They’re also services offered by Agora all along.

“It seems that Clubhouse did not thoroughly review the Agora documentation, since neither encryption nor geofencing were configured by Clubhouse,” says Pak. While that isn’t necessarily malicious, it does show that security was not a top priority, he adds.

Jack Cable, a researcher at Stanford Internet Observatory, reviewed the network connections and says that while Clubhouse no longer appears to be routing traffic through servers in mainland China, it was still pinging Hong Kong as of Feb. 19.

For the moment, the encryption stops the data from being transmitted in plain text between Clubhouse and Agora servers, and geofencing likely keeps it from passing through networks in mainland China.

"We don't operate in China and no data is transmitted or stored in China," the Clubhouse spokesperson said.

But Agora currently still has access to metadata, raw audio data, and the encryption keys.

“For everyday users who are having intentionally public conversations on Clubhouse, it's not necessarily a huge concern,” says Cable. That said, he doesn’t recommend using Clubhouse for sensitive conversations, particularly if you’re concerned about information landing in the hands of the Chinese government, which has the power to compel Agora to intercept live communications or release data.