Tag Archives: Clubhouse

Clubhouse Chats have been Breached and Streamed Online

A Clubhouse user was able to find a way to share Clubhouse chats outside of the iOS app. According to Bloomberg, Clubhouse “permanently banned” that user, and has installed new “safeguards”. It is unclear what those safeguards are, or how effective they will be, given what is known about Clubhouse.

Stanford Internet Observatory reported that Agora, a Shanghai-based startup, with U.S. headquarters in Silicon Valley, created a platform for other software companies to build upon. Clubhouse is one of the apps using Agora’s platform. According to the Stanford Internet Observatory, “If an app operates on Agora’s infrastructure, the end-user might have no idea.” In short, Agora hosts Clubhouse’s traffic.

Stanford Internet Observatory’s analysts observed Clubhouse’s web traffic using publicly available network analysis tools, such as Wireshark. Their analysis revealed that outgoing web traffic is directed to servers operated by Agora. Joining a channel generates a packet directed to Agora’s back-end infrastructure.

The packet contains metadata about each user, including their unique Clubhouse ID number and the room ID they are joining. That metadata is sent over the internet in plaintext (not encrypted), meaning that any third party with access to a user’s network traffic can access it. In this manner, an eavesdropper might learn whether two users are talking to each other, for instance, by detecting whether those users are joining the same channel.
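A check an auditor could run on traffic captured from their own test account, to see whether known identifiers cross the wire unencrypted. This is an added example, not code from Stanford Internet Observatory or Clubhouse; the ID values, field names and payloads are constructed, because the page does not describe the real packet layout.

```python
import struct

def encodings(identifier: int) -> dict:
    """Byte forms in which a numeric ID commonly appears on the wire."""
    forms = {"ascii-decimal": str(identifier).encode()}
    if identifier < 2**32:
        forms["uint32-be"] = struct.pack(">I", identifier)
        forms["uint32-le"] = struct.pack("<I", identifier)
    forms["uint64-be"] = struct.pack(">Q", identifier)
    forms["uint64-le"] = struct.pack("<Q", identifier)
    return forms

def find_cleartext_ids(payload: bytes, known_ids: dict) -> list:
    """Return (id name, encoding, offset) for every known ID visible in payload."""
    hits = []
    for name, value in known_ids.items():
        for form, needle in encodings(value).items():
            offset = payload.find(needle)
            if offset != -1:
                hits.append((name, form, offset))
    return hits

def audit(payloads: dict, known_ids: dict) -> dict:
    """Map each captured payload's label to the identifiers it exposes."""
    return {label: find_cleartext_ids(data, known_ids) for label, data in payloads.items()}

# Constructed values for the auditor's own test account and test room.
KNOWN_IDS = {"user_id": 1234567, "room_id": 987654321}

# Constructed payloads; the real join-packet layout is not given on the page.
SAMPLE_PAYLOADS = {
    "text join": b'{"action":"join","uid":1234567,"channel":987654321}',
    "binary join": b"\x01\x00" + struct.pack(">II", 1234567, 987654321),
    "opaque": bytes(range(0x80, 0xC0)),  # stand-in for an encrypted body
}

if __name__ == "__main__":
    for label, hits in audit(SAMPLE_PAYLOADS, KNOWN_IDS).items():
        print(f"{label}: {'EXPOSED ' + str(hits) if hits else 'no known IDs visible'}")
```

An empty result means only that these encodings were not found in the payload, not that the traffic is encrypted.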

Stanford Internet Observatory made it clear why Agora’s hosting of Clubhouse matters:

Because Agora is based jointly in the U.S. and China, it is subject to People’s Republic of China (PRC) cybersecurity law. In a filing to the U.S. Securities and Exchange Commission, the company acknowledged that it would be required to “provide assistance and support in accordance with [PRC] law,” including protecting national security and criminal investigations. If the Chinese government determined that an audio message jeopardized national security, Agora would be legally required to assist the government in locating and storing it.

Chief Executive Officer of Internet 2.0, Robert Potter, posted an interesting thread about the Clubhouse situation on Twitter. He points out that it was not a “hack”. “A user set up a way to remotely share his login with the rest of the world. The real problem was that folks thought these conversations were ever private.”

In that thread, Robert Potter tweeted: “The end result of this whole clubhouse experience is that folks have put a lot of data online without considering the privacy implications. I’d strongly recommend people to build more encryption fenced communities for these sorts of conversations in the future.”

The more I learn about Clubhouse the more I think it is a bad idea. I am aware that there are people who enjoy checking out the newest apps, especially if there is a social aspect to them. In my opinion, joining this Clubhouse comes at too high a cost to people’s privacy.

Clubhouse Does Not Respect Your Privacy

Those of you who have started using Clubhouse may want to reconsider that decision. It turns out that Clubhouse does not respect your privacy at all. It also appears to be grabbing up people’s contact lists, which is not only an intrusion on a person’s privacy but could also put some people in danger.

The Guardian reported that the live audio chats held in conversation rooms disappear. That said, Clubhouse doesn’t have any features that would prevent someone from live-blogging the conversation or recording it and uploading it to YouTube.

Will Oremus posted on Medium about his experience with Clubhouse: “When I granted the app access to my contacts, within hours it was nudging me to invite my former pediatrician, barber, and a health worker who once cared for my dying father to join Clubhouse – and sending me push notifications every time someone from my contacts signed up so I could welcome them via a private chat and ‘walk them in’.”

He pointed out that the contact list in your phone can include “old acquaintances, business associates, doctors, bosses, and people you went on a bad date with”:

“…When you upload those numbers, not only are you telling the app developer that you are connected to those people, but you’re also telling it that those people are connected to you – which they might or might not have wanted the app to know. For example, say you have an ex or even a harasser you’ve tried to block from your life, but they still have your number in their phone; if they upload their contacts, Clubhouse will know you’re connected to them and make recommendations on that basis…”

Mashable reported that it is difficult to delete a Clubhouse account. To do it, you have to send Clubhouse an email requesting deletion. It is unclear how long Clubhouse takes to process account deletion requests. Mashable also reported that Clubhouse requires access to your entire contact list for the purpose of sending invites.

Personally, I’m going to stay far away from Clubhouse. To me, it feels very sketchy to push users to give Clubhouse access to the contact list on their phone. I find it impossible to trust an app that demands to use the information on something that, for many, is extremely personal.