Chat app Clubhouse has audio leaked to general public

Clubhouse, the invitation-only audio chat app launched nearly a year ago, has run into a security problem, with one user sharing audio chats outside the user base.

Clubhouse hasn’t offered details of the privacy breach, although it has said that recording or streaming audio without the speaker’s permission is against the app’s terms of service. In late February, “an individual temporarily streamed multiple rooms from their own feed to a website,” a Clubhouse spokeswoman said. “This individual’s account has been permanently banned from the service, and we have added additional safeguards to prevent people from doing this in the future.”

It’s unclear what steps Clubhouse has taken to prevent further sharing of audio chats.

Clubhouse, launched last April as an iPhone app, features audio chats involving topics such as music, technology, fitness, investing, leadership, and sports. Several celebrities host discussions on the app, with Elon Musk interviewing trading app Robinhood’s CEO Vladimir Tenev in late January.

While some Clubhouse chats, such as Musk’s interview of Tenev, appear to be intended to generate wider publicity, in some other cases, it seems that users expected conversations to be private, even though the app encourages them to expand their social networks.

When one user shared audio chats outside Clubhouse, some security and privacy experts called it a cyberbreach, while others suggested it came from a lack of privacy controls in the app.

The incident was “by definition a hack or breach,” said Amir Tarighat, founder and CEO of Achilleion, a cybersecurity startup based in Los Angeles. It appears that a user reverse-engineered the app’s application programming interfaces to record and stream the audio elsewhere, he told the Washington Examiner.

Clubhouse’s privacy policy says the app only records chatrooms temporarily for trust and safety violations. This means that users had a reasonable expectation of privacy, he added.

Tarighat also said that users should be aware that Clubhouse is still in an early beta stage. “I think people have to operate with extra caution when using an early-stage product that is growing in popularity,” he said.

While the shared audio resulted from a breach, the app also has a lack of privacy controls, said David Lynch, a Clubhouse user and content lead at Payette Forward, a tech support and advice website.

When a user tries to record the conversation of a Clubhouse room on the same device he or she is using to participate on the call, a pop-up generally will appear saying that it’s against user policy to record Clubhouse rooms and share them publicly, Lynch told the Washington Examiner.

However, “no matter what privacy controls Clubhouse sets up, there’s always going to be the possibility that someone in the room is recording the conversation with a separate device,” Lynch said. “Someone could put their phone on speaker and record the conversation using their laptop.”

Users need more information, he added. “Clubhouse should be more transparent about the fact that there should be no presumption of privacy, even in closed or private rooms,” Lynch said. “Users should operate under the assumption that they’re always being recorded.”

Early Clubhouse adopter Ivy Astrix, an executive in Canada’s regulated substances industry, suggested the incident wasn’t a typical cyberbreach scenario. Instead, it was a user deploying the Clubhouse API outside of the app. Clubhouse is built on Agora, an audio streaming software package. Users have been able to reverse-engineer it to build their websites and applications or allow the general public to listen to Clubhouse chats, she told the Washington Examiner.

The situation stems from a lack of API controls or a “Clubhouse-certified developer program by which aspiring developers would have to agree to a code of conduct or principles,” she added.

Users should be aware that conversations may not be private, Astrix said. “Users should practice good operational security in assuming that their conversations are very public and not saying anything they wouldn’t want quoted elsewhere,” she added.

Meanwhile, Clubhouse needs a “serious reworking” of its security model, she added. “Currently, it’s trivial for any current user to repeat the recent incident,” she said. “They also should capitalize on the willingness of third parties to add value to the app and introduce a developer program … so that use of the API can be controlled to those who want to add value to the app and are giving users full disclosure of the risks of their products.”
