Skip to main content

Clubhouse: Are users in the Middle East safe from digital authoritarianism?

Citizens and activists across the Middle East have flocked to the new social network. But it is not the safe haven many crave
Clubhouse appears to be unsafe. (Reuters)
In countries throughout the region, where digital authoritarianism has conditioned many to live in fear of constant surveillance, people have flocked to the app (Reuters)

Full of emancipatory promise, Clubhouse seems to have tapped into the yearning of many across the Middle East for an outlet for stifled political and personal expression.

The audio-only app, which allows users to set up or attend discussion rooms on topics of their choosing, hit 10 million users worldwide in February - a fivefold increase on the previous month, having only launched in April 2020.

In countries throughout the region, where digital authoritarianism has conditioned many to live in fear of constant surveillance, people have flocked to the iOS-only app, which has been at the top of many national download lists.

From Egypt to Oman, Turkey to Saudi Arabia, users have been gathering to discuss politics, identity, sexuality, patriarchy, religion and racism - even to coordinate protests.

Clubhouse: A new avenue of free speech, or yet another tool of repression?
Marc Owen Jones
Read More »

The app has been hailed as a free-speech haven. “It’s even possible that Clubhouse may finally help fulfil the promise of the ‘Arab Spring’ demonstrations from a decade ago,” one Bloomberg columnist recently wrote.

But Clubhouse appears to be unsafe. The app collects reams of data on users, who are easily identifiable, while there's little stopping others - including pro-government informants or secret police - from surveilling or doxxing users talking about taboo or sensitive topics. Worse, the company may even be forced to share the information it collects with law enforcement.

“I think people in the region need to be very cautious when using the app,” Joe Westby, a researcher for Amnesty Tech, told Middle East Eye. “The early promise of platforms to connect people and enable greater freedom of expression can quickly turn sour.”

Endless data

Clubhouse retains an awful lot of information about its users. Besides name and number, data collected include information about device, location, and IP address; what users listen to, when they log in and for how long; and “the actions you take”, according to the app’s privacy policy. This in practice means the company can collect data about anything users do on Clubhouse.

It also records all the audio. This is only kept in case a user reports an incident, they say, and is otherwise deleted. But, according to a recent Stanford Internet Observatory (SIO) blog, it is “exceedingly unlikely” that audio on Clubhouse is end-to-end encrypted, making it potentially accessible to others outside the conversation.

What’s more, if someone logs into the app using a service such as Twitter or Facebook, Clubhouse “may collect, store, and periodically update information associated with that… account”, according to SIO.

It is unclear exactly what the app does - or might do in future - with all this data, as its owners haven’t yet said how they plan to make money. The platform reportedly wants to earn revenue through tips, subscriptions and tickets for events, rather than ads, but the privacy policy says it may share data with a long list of third-party companies, including advertisers - “without further notice to you”.

Clubhouse also uses cookies and other technology to track activity elsewhere on the internet - even when the app is closed - to send ads.

Little anonymity

Any one company holding that amount of information about users is a major concern. A data breach on Clubhouse or any of the third parties it shares user information with could be disastrous.

"We take commercially reasonable steps to ensure our service providers adhere to the security standards we apply to your personal data," Clubhouse writes in its privacy policy.

While Clubhouse has a bug bounty program, whereby hackers are rewarded for disclosing security flaws, even without an Ashley Madison-style data breach, users can easily be identified, because the app requires users to give a real name and identity.

Clubhouse may even “require users to provide identity verification” if one person reports another for using a fake name.

This lack of anonymity makes for fewer bots and trolls, but means users will likely censor themselves from saying anything that might be deemed a challenge to social norms.

It also makes users vulnerable to surveillance by agents of the state.

“It is very common for governments to monitor social media and listen to people's conversations,” Marwa Fatafta, Middle East and North Africa (MENA) policy manager at Access Now, told MEE. “I would suspect that the governments and their agents are already on the app, and listening.”

“In my opinion, it's really a matter of time until we hear someone has been arrested because of their speech on the platform,” she added.

“As soon as tech platforms gain in popularity they can be victims of their own success,” said Westby, “insofar as the authorities quickly cotton on to what is perceived to be a new, hidden channel for communications.”

Another risk is doxxing by rogue users.

'It's really a matter of time until we hear someone has been arrested because of their speech on the platform'

- Marwa Fatafta, Access Now

There have also been instances, in Saudi Arabia for example, of sensitive conversations being screen-recorded and posted online.

In Egypt, a pro-government TV show claimed it had uncovered - and recorded - a “terrorist” network on Clubhouse.

Clubhouse doesn’t allow users to screen-record, and added “safeguards” to prevent such incidents from happening again after one user in China was caught streaming conversations elsewhere online. But, it admits, "we cannot control the actions of users on the platform who may seek to use third-party apps or devices to record, store, or share content or communication without other users' prior consent".

The SIO blog detailed other ways in which app users were identifiable, including how individual audio tracks correspond to specific user IDs. Clubhouse responded to the report by saying it was reviewing security practices and is “deeply committed to data protection and user privacy”.

Contacts

Family and friends of Clubhouse users could be at risk of identification, too.

Currently, the only way to get on to the app is by receiving an invite. But for a user to have the privilege of inviting others along, Clubhouse asks for access to their entire address book - a major risk.

Saudis check their phones in front of a poster of Saudi Crown Prince Mohammed bin Salman in Riyadh on 15 November 2017 (Fayez Nureldine/AFP)
Saudis check their phones in front of a poster of Saudi Crown Prince Mohammed bin Salman in Riyadh on 15 November 2017 (Fayez Nureldine/AFP)

“It's very common for governments to surveil the relatives and friends of activists,” said Fatafta. “Whatever data they can get their hands on, they'll take it.”

In many countries in the region, she added, people need to provide an ID number or copy of a passport when buying a SIM card. So having names linked to numbers on the app makes it even easier for authorities to track someone down.

This contacts-for-invites exchange also means that if one person downloads Clubhouse and allows it to access their address book, the app has all of those contact details, unbeknownst to those people - who may never have even heard of the app.

The practice may be a violation of the EU’s General Data Protection Regulation, but the legislation doesn’t apply in the Middle East.

“Unfortunately, data protection is the least priority for [many of the region’s governments],” said Fatafta. “If you are actively monitoring and surveilling your citizens, you are not interested in data protection.”

“In whatever MENA country you take, you have no clue as a citizen who has access to your data and who's sharing it,” she added. “So even if you want to remedy that and say no - well, good luck.”

Law enforcement

One of the most concerning parts of the Clubhouse privacy policy is the fact that the app may share user information with authorities, “if required to do so by law… including to meet national security or law-enforcement requirements”. This, too, may happen without users knowing.

'You use the service at your own risk… no internet or email transmission is ever fully secure'

- Clubhouse privacy policy

"Recognising the global nature of the internet,” the policy reads, “you agree to comply with all local rules and laws regarding your use of the service, including as it concerns online conduct and acceptable content."

The problem with this, said Fatafta, is that “laws in the region are repressive, vague and broadly worded in a way that governments can - and do - interpret any sort of online speech and activity to prosecute activists, journalists, human rights defenders, or any ordinary citizen that has an unfavourable view of the regime.”

In a particularly egregious case last year, Egypt sentenced five TikTok influencers to prison time and fines for "violating public morals" in videos involving singing and dancing. Their sentences were overturned in January.

Many companies have clauses agreeing to share information with authorities in certain circumstances. In 2019, Netflix removed an episode of a US comedy show after Saudi Arabia complained about its criticism of the war in Yemen and the Khashoggi killing.

What isn’t clear is whether, if at all, Clubhouse would challenge law-enforcement requests.

“What would Clubhouse do if the government of Saudi Arabia, or the government of Egypt, according to its own laws and regulations, required tech companies to hand in personal information of individuals who are implicated in so-called cyber crimes?” asked Fatafta.

Control to delete

Often activists in the Middle East run the risk of security forces confiscating their devices and trawling through their social media accounts, said Fatfta, “grabbing what they consider as evidence against you”. So it’s crucial to be able to delete an account, and quickly.

But there’s no option to delete an account in the Clubhouse app. Instead, users have to send an email, and how long it takes Clubhouse to respond is not stated.

"Please note that we will need to verify that you have the authority to delete the account," reads the app's privacy policy, which also states, alarming, that even if you do manage to delete, "certain activity generated prior to deletion may remain stored by us and may be shared with third parties".

Clubhouse says it keeps personal data post-deletion “for as long as reasonably necessary” and “while we have a business need to do so”, among other reasons. This in practice means they can keep user personal data for as long as they want.

In the security section of its privacy policy, Clubhouse writes that it implements “commercially reasonable” measures to protect users’ personal data, but that “you use the service at your own risk… no internet or email transmission is ever fully secure”.

"We are not responsible for circumvention of any privacy settings or security measures contained on the service, or third-party websites," it adds.

“We would expect the company to be taking steps to identify the risks to users' freedom of expression and association, or potential human rights abuses that could be linked to its operations, and then taking appropriate mitigating action to prevent those harms, including through the use of encryption,” Westby, of Amnesty Tech, said.

Clubhouse didn’t reply to a request for comment on the findings set out in this article.

Clubhouse conversations have been recorded and posted online as an intimidation tactic (Illustration by Hossam Sarhan/MEE)
Clubhouse conversations have been recorded and posted online as an intimidation tactic (Illustration by Hossam Sarhan/MEE)

After a year of coronavirus restrictions, Clubhouse has provided a space for people craving interactions outside of their immediate bubble.

But it has also fulfilled another need, Fatafta said, “for people to express their minds, to find connections along ideological, political and social lines”.

“For the LGBT community, for example, you can't express yourself, be it visually, verbally or physically in a public space - or even sometimes in private circles - in the region,” she added. “It’s an unfortunate and sad reality.”

Many, therefore, seem to be enjoying a newfound sense of freedom on Clubhouse, she said, “but I don’t see that freedom staying for long".

“Governments in the region see the internet as a threat… they're extremely innovative in finding ways to control it. Clubhouse is not an exception.”