SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy-to-follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 223: Visiting Clubhouse and Revisiting App Privacy Labels

Posted on March 21, 2021

If you spend any time on the socials, you’ve heard people talk about Clubhouse. It’s been around for close to a year, though it’s really taken off over the past few months. We’ll look at its safety, then look at Privacy Labels with Clubhouse as a sort of yardstick.

Trouble in the Clubhouse?

Clubhouse is a new social media platform that’s drawing all kinds of attention. At the moment, it’s still in beta testing, and is only available as an iOS app.

So what does Clubhouse do? It’s actually pretty simple. The app helps organizers set up audio-only conversations in public or private chat-rooms. But the chat-rooms can be big — like, really big: a Clubhouse chat can accommodate up to 5000 people. It’s been described by some as “SXSW on your phone”.

So far, so cool. But as with any new, fast-growing tech, there’s one basic question that has to be asked. Is it actually safe to use?

It depends who you ask.

The folks at the Stanford Internet Observatory have already uncovered some issues. For one thing, Clubhouse was sending user IDs and chat-room IDs in an unencrypted format, which is a potential privacy worry. The app’s API also had a flaw that let people take Clubhouse chat-room audio and broadcast it over a third-party website … not exactly what the app developers had in mind!

In a way, that sort of thing is only to be expected from any new app. It’s a pretty uncontroversial point to say that new apps are going to have flaws. Some of those flaws will impact security and privacy. 

In addition to this, though, some folks are worried about Clubhouse’s privacy policies. From the looks of it, the app collects a good amount of user data, including contacts data, user information, usage data, and more. The app also records private chats by default — though the developers say they only use this to handle unusual incidents, and that they delete any audio that they don’t end up using to address an issue.

There have also been some concerns over Clubhouse’s moderation policies. Again, unsurprising to anyone who’s actually spent more than five minutes on the Internet, but some people can be jerks online! Clubhouse forbids hate speech, abusive language, and other types of harassing behavior in its terms of service. But like any social media platform, figuring out content moderation is hard, and is always going to be an ongoing process. At the moment, Clubhouse hasn’t quite solved the issue of how to deal with ToS violations on its platform.

So what happens if you decide to use Clubhouse despite these concerns? Is there a way to do it a little more safely? Sure! Here are four tips:

  1. Be aware that Clubhouse has had — and probably still has — some security and privacy issues. Don’t assume that you’re really anonymous, and keep in mind that you’re being recorded … even in “private” chats.

  2. Keep your software up to date. As Clubhouse discovers security flaws, they will release patches. But you can’t get those patches if you don’t update your apps. If you’re a manual updater, make sure you check for newer versions of the app regularly. Or, if you want to keep things simple, make sure you’re set up for automatic updates.

  3. At the moment, the only way to get an active Clubhouse account is to be invited to the app by an existing user (though anyone can download the actual app). When you join, know that you don’t have to give the app access to your contacts. You can opt out of that, at least for the time being. It’s just that if you do, Clubhouse won’t allow you to invite any of your friends to the network yourself. If that’s OK with you, and you want to protect your privacy a bit, consider not sharing your contacts info with the app.

  4. Clubhouse’s privacy policy says that it can collect data about your contacts on other social platforms if you link your Clubhouse account to those platforms or if you use them as a sign-in option. If you’re concerned about your privacy, and Clubhouse asks you to, e.g., link your Twitter to the app, or to sign in with Facebook, you may want to avoid that. If you’re looking for a safe sign-in option, Sign in with Apple is about as good as it gets.

Privacy Labels revisited

Last week, an iMore story highlighted a report from a company called pCloud, which bills itself as “experts in online privacy …”. pCloud put together an analysis of various apps using the Privacy Labels in the App Store (something we’ve discussed on The Checklist before).

As you may have expected, lots of apps out there are collecting and sharing data. The biggest “over-sharers” were, perhaps unsurprisingly, Instagram and Facebook. Also not great: LinkedIn and Uber Eats!

But here’s the interesting thing. pCloud rated Clubhouse as one of the safest apps in the App Store. Given all that we’ve just talked about, that should come as a bit of a surprise!

So what’s going on? Are the “online privacy experts” at pCloud not all they’re cracked up to be? We wouldn’t go as far as to say that. More than anything, we think it’s a case of a methodology that doesn’t account for the way that apps (and app developers) behave in the real world.

pCloud, you see, was only going by the Privacy Labels in the App Store. But of course, those labels are self-reported by the apps’ developers! If there is a privacy issue that the developers themselves don’t know about — in other words, something that’s the result of a bug or security flaw — then it’s not going to be reflected in those labels. And as one Washington Post reporter discovered a few weeks ago, there are clear cases of developers who appear to be providing inaccurate information for their apps’ Privacy Labels. Whether that’s the result of mistakes, carelessness, or outright dishonesty is an open question. But in a way, the motivation is beside the point, because the end result is the same: The Privacy Labels in the App Store don’t always tell the full story. 

So by all means, make use of Privacy Labels … but take them with a grain of salt. And as always, do the hard work of researching new apps and new developers for yourself. Check out their reputation. Read past customer reviews. Do a web search to see if they’ve had previous issues. And then keep your ear to the ground by listening to podcasts like this one or following news outlets that cover digital privacy.

Do you have a security or privacy question you’d like to see answered on The Checklist? Write to us and let us know! To take a look at past show topics, and to get full audio and notes for those episodes, visit the Checklist archives.
