Enlarge /. The clubhouse still has a long way to go to reassure its users that its privacy and security policies are fully followed.
Carsten Koall | Getty Images
In the past few months, the audio-based social media app Clubhouse has become Silicon Valley's newest disruptive darling. The format looks familiar to me: Part Twitter, part Facebook Live, part Telephoning. However, as Clubhouse continues to expand, its security and privacy flaws have been increasingly scrutinized – and the company has struggled to fix issues and live up to expectations.
Clubhouse, which is still in beta and only available for iOS, offers its users "rooms" which are essentially group audio chats. They can also be set as public addresses or panel discussions, with some users “speakers” and the rest being spectators. The platform reportedly has over 10 million users and is valued at $ 1 billion. As of last year, it's been an invite-only paradise for the Silicon Valley elite and celebrities, including an appearance by Elon Musk earlier this month. However, the company is grappling with both specific security issues and short-lived questions about how much privacy its users should expect.
"With smaller, newer social media platforms, we should pay attention to our data, especially when it goes through a tremendous growth, a lot of controls are tested," says security researcher Robert Potter. "Things you might have gotten away with with just 100,000 people on the platform – you increase those numbers tenfold and the exposure increases, the threat increases, the number of people examining your platform increases."
Recent security concerns regarding Clubhouse range from security vulnerabilities to questions about the underlying infrastructure of the app. Just over a week ago, researchers at the Stanford Internet Observatory put the platform in the spotlight when they found that the app was transmitting users' clubhouse IDs and chat room identification numbers in clear, meaning that a third party may be tracking your actions online could have app. The researchers also indicated that some of Clubhouse's infrastructure is operated by a Shanghai-based company and that the app's data has been transmitted through China at least intermittently, potentially exposing users to targeted or even widespread surveillance by the Chinese government were. Then, on Sunday, Bloomberg confirmed that a third-party website was scraping and compiling audio from clubhouse discussions. Further revelations followed early Monday that clubhouse discussions for a disconnected Android app had been scraped off so that users of that operating system could overhear in real time.
Potter, one of the researchers who studied the various clubhouse data scraping projects, explains that these apps and websites did not appear malicious. They just wanted to make clubhouse content accessible to more people. However, the developers were only able to do this because Clubhouse had no anti-scraping mechanisms that could have prevented it. For example, the clubhouse did not limit how many rooms a single account can stream at the same time, so anyone can create an application programming interface to stream each public channel at the same time.
More sophisticated social networks like Facebook have more sophisticated mechanisms for locking their data in place, both to prevent violations of user privacy and to defend the data they store as an asset. But even they can have potential exposure from creative scraping techniques.
The clubhouse has also been scrutinized for its aggressive collection of user contact lists. The app urges all users to share their address book details so Clubhouse can help you connect with people you know who are already on the platform. You will also need to share your contact list in order to invite other people to the platform as the clubhouse is still available by invitation only, which gives a feeling of exclusivity and privacy. However, numerous users have pointed out that when inviting others, the app also makes suggestions based on which phone numbers in your contacts are also in the contacts of most clubhouse users. In other words, if you and your local friends use the same florist, doctor, or drug dealer, they might very well appear on your list of suggested people to invite.
The clubhouse did not respond to a request from WIRED for comment at press time on the recent security incidents. In a statement to researchers at the Stanford Internet Observatory, Clubhouse outlined specific changes that were planned to increase security, including cutting off pings to servers in China and strengthening encryption. The company also announced that it is working with a third-party data security firm to help address the changes. In response to the rogue website that re-streamed clubhouse discussions, the company announced to the media that it had permanently banned the user behind it and added additional "safeguards" to prevent the situation from happening again occurs.
While Clubhouse seems to be taking feedback from researchers seriously, the company wasn't fully aware of all of the security enhancements it implemented or plans to add. Given that the app does not appear to offer end-to-end encryption to its users, the researchers still feel that Clubhouse has not adequately considered the security situation. And do so before you even get to grips with some of the basic privacy issues the app raises.
When opening a new clubhouse room, you can choose from three settings: an "open" room is accessible to everyone on the platform, a "social" room only allows people you follow, and a "closed" room restricts that Access to invited people. Each has its own implicit level of privacy that clubhouse could make more explicit.
"I think for public spaces, the clubhouse should give users the expectation that public means public for all users, since anyone can join and record, take notes, and so on." says David Thiel, Stanford Internet Observatory's chief technology officer. "In private rooms, they can convey that an authorized member can record content and identities as with any communication mechanism. So make sure you both set expectations and trust the participants."
According to Stanford's Thiel, Clubhouse is currently temporarily storing records of discussions for review in the event of abuse claims. If the company were to implement end-to-end encryption for security reasons, it would be even more difficult to keep an eye on the abuse as it would not be able to easily create these records. Every social media platform faces some version of that tension. However, security experts agree that the benefits of end-to-end encryption are worth the additional challenge of developing more nuanced and creative anti-abuse solutions when needed.
Even end-to-end encryption does not rule out the additional possibility that a clubhouse user externally records the conversation he is in. Clubhouse cannot simply solve this. But it can at least set expectations accordingly, no matter how friendly and confidential the conversation feels. "The clubhouse should only be clear about what it will add to your privacy," says Potter, "so that you can choose what to talk about accordingly."
This story originally appeared on wired.com.