Clubhouse’s privacy problem: your data may be going to China

Clubhouse is now the app of the moment. In the midst of the pandemic, with restrictions and social isolation, its success was immediate because it introduced a new form of virtual contact. 

In countries like Brazil, even companies have joined the trend, offering lectures with personalities in exchange for visibility. Politicians, artists, and celebrities joined the social network, causing many users to fiercely compete for invitations to the network that is exclusive to the iOS operating system.

But just like with Zoom, whose popularity also exploded during the pandemic, serious security and privacy issues soon emerged. It seems that success has not kept up with concerns about the security of  users' data.

Clubhouse depends on a Chinese company, Agora Inc., for back-end operations. This means that Agora is responsible for processing the app's data traffic and audio production.

In the end, it seems that Clubhouse is only responsible for its user experience. 

Your data is going to China 

Christian Perrone, coordinator of the Rights and Technology sphere of the Institute of Technology and Society of Rio de Janeiro (ITS Rio) said that “the closest analogy we can make is what happened to Zoom at the beginning of the pandemic, that with too much traffic, the company passed data through servers in China.”

It is unlikely that the role of Agora Inc. would spark the same controversy as Tik Tok, yet it is still worrisome to know that all audio goes through Chinese servers. 

Nathan Freitas, programmer, security expert and director of the Guardian Project, says that “there are a few fundamental issues with Clubhouse.”

First, he explains that “the basic protocol doesn't seem to utilize encryption even at the transport layer in all of the places”. This means that “your audio or participation [data] move throughout the Internet and it's not always protected.”

Second, possibly one of the most pressing issues surrounding the app is that, says Freitas, “the company that Clubhouse relies upon for many of its audio features and infrastructure is based in China, so even if you are a global user of Clubhouse, your communications are moving in and out of China through some government-regulated censorship and surveillance system.”

Clubhouse is not as private as you might think

Finally, “the protocol interface itself seems to be fairly easy to reverse engineer and there already has been a number of third-party utilities and apps and people exporting streams of so-called private audio to external websites.”

This means that any and all conversations you have at Clubhouse “should be considered fully public as if they were was on a podcast,” sentences Freitas

Recently, a hacker attack demonstrated that it was possible to relay live audio from chat rooms within the app with some ease.

“With the explosion of rooms for more private conversations, even involving confidential content, it will be important that users understand that conversations are not end-to-end encrypted as in some messaging apps, explains Carlos Affonso, Professor at the Law School of the Rio de Janeiro State University (UERJ).

Not like Tik Tok, but still worrisome

Clubhouse promised they would improve their security, but experts doubt that they are able to do so – and China can have free access to all conversations. In fact, several audios were leaked and posted on a Chinese website by a now-banned user who built his own system around the JavaScript toolkit used to compile the Clubhouse application. It is unknown whether this was the action of a sole user or if the Chinese government was somehow behind the exploit.

The geopolitical repercussions could be enormous, although, as Perrone explains, Clubhouse is quite different from Tik Tok. 

“In the Tik Tok case there is the issue of the company itself being related to a Chinese company, but in the case of Clubhouse, it is a secondary company,” he says, adding that “it changes a bit the geopolitical issue and also the kind of access to data that companies can have.” 

“In the case of TikTok, the parent company, ByteDance, was the primary data controller, it could influence the subsidiary in the US to give access to the data stored on US servers. In the case of Agora Inc., it is not a data controller, it provides services, it is a data provider and does not necessarily have access to the same amount of data or control over that data,” Perrone further explained.

When you sign up, you share your friends’ data

Yet another issue is the so-called “shadow profile.” Shadow profiles are created every time a company, through an activity of its user or customer, starts processing data of other people who do not have an account or any relationship with it. Perrone notes that even “a person like you or me, who has never joined Clubhouse,” will have our data stored in the company’s servers. 

“The company has information about us, has access to people's agenda and contact information. That is a big data protection problem because you are not aware of what is going on,” he explains.

In other words, once someone subscribes to Clubhouse, they are giving permission for the app to access their contact list and the ability to map all of your network – who are your friends, who are their friends, etc.

Clubhouse, then, “transforms your friends who have logged into the app and opened their contacts list into real "leakers" of other people's personal data.

And with each new user the network of contacts increases, since access to the address book is a requirement for sending an invitation,” stresses Affonso, adding that “the company's privacy policy is quite general about how data is collected and what can be done with it.”

And all experts agree that it is quite worrisome that Clubhouse has such unrestricted access to third-party internet users without them being aware of it. 

“A company you have never contacted, never communicated with, never gave any consent to access your data, has personal data about you. It starts to be a problem, especially when we think about personal data legislation that presupposes control and transparency about how and what data companies have about you,” worries Perrone.

In the end, it is unknown if Clubhouse will be able to go through the same process as Zoom and solve a significant part of its privacy problems, but issues such as information traffic going through China will remain. Choosing to join the Clubhouse is a decision that affects not only the security of the data of those who have received and accepted an invitation, but also of all their friends and extended network.

About the author: Raphael Tsavkko Garcia is a Brazilian freelance journalist published by Al Jazeera, Foreign Policy, Undark, The Washington Post, among other news outlets. He also holds a PhD in Human Rights from the University of Deusto.