Clubhouse: Are users in the Middle East safe from digital authoritarianism?
Full of emancipatory promise, Clubhouse seems to have tapped into the yearning of many across the Middle East for an outlet for stifled political and personal expression.
The audio-only app, which allows users to set up or attend discussion rooms on topics of their choosing, hit 10 million users worldwide in February - a fivefold increase on the previous month, having only launched in April 2020.
In countries throughout the region, where digital authoritarianism has conditioned many to live in fear of constant surveillance, people have flocked to the iOS-only app, which has been at the top of many national download lists.
The app has been hailed as a free-speech haven. “It’s even possible that Clubhouse may finally help fulfil the promise of the ‘Arab Spring’ demonstrations from a decade ago,” one Bloomberg columnist recently wrote.
But in spite of the enthusiasm, Clubhouse appears to be unsafe. The app collects reams of data on users, who are easily identifiable, while there's little stopping others - including pro-government informants or secret police - from surveilling or doxxing users talking about taboo or sensitive topics. Worse, the company may even be forced to share the information it collects with law enforcement.
“I think people in the region need to be very cautious when using the app,” Joe Westby, a researcher for Amnesty Tech, told Middle East Eye. “The early promise of platforms to connect people and enable greater freedom of expression can quickly turn sour.”
It also records all the audio. This is only kept in case a user reports an incident, they say, and is otherwise deleted. But, according to a recent Stanford Internet Observatory (SIO) blog, it is “exceedingly unlikely” that audio on Clubhouse is end-to-end encrypted, making it potentially accessible to others outside the conversation.
What’s more, if someone logs into the app using a service such as Twitter or Facebook, Clubhouse “may collect, store, and periodically update information associated with that… account”, according to SIO.
Any one company holding that amount of information about users is a major concern. A data breach on Clubhouse or any of the third parties it shares user information with could be disastrous.
While Clubhouse has a bug bounty program, whereby hackers are rewarded for disclosing security flaws, even without an Ashley Madison-style data breach, users can easily be identified, because the app requires users to give a real name and identity.
Clubhouse may even “require users to provide identity verification” if one person reports another for using a fake name.
This lack of anonymity makes for fewer bots and trolls, but means users will likely censor themselves from saying anything that might be deemed a challenge to social norms.
It also makes users vulnerable to surveillance by agents of the state.
“It is very common for governments to monitor social media and listen to people's conversations,” Marwa Fatafta, Middle East and North Africa (MENA) policy manager at Access Now, told MEE. “I would suspect that the governments and their agents are already on the app, and listening.”
“In my opinion, it's really a matter of time until we hear someone has been arrested because of their speech on the platform,” she added.
“As soon as tech platforms gain in popularity they can be victims of their own success,” said Westby, “insofar as the authorities quickly cotton on to what is perceived to be a new, hidden channel for communications.”
Another risk is doxxing by rogue users.
'It's really a matter of time until we hear someone has been arrested because of their speech on the platform'
- Marwa Fatafta, Access Now
There have also been instances, in Saudi Arabia for example, of sensitive conversations being screen-recorded and posted online.
In Egypt, a pro-government TV show claimed it had uncovered - and recorded - a “terrorist” network on Clubhouse.
Clubhouse doesn’t allow users to screen-record, and added “safeguards” to prevent such incidents from happening again after one user in China was caught streaming conversations elsewhere online. But, it admits, "we cannot control the actions of users on the platform who may seek to use third-party apps or devices to record, store, or share content or communication without other users' prior consent".
The SIO blog detailed other ways in which app users were identifiable, including how individual audio tracks correspond to specific user IDs. Clubhouse responded to the report by saying it was reviewing security practices and is “deeply committed to data protection and user privacy”.
Family and friends of Clubhouse users could be at risk of identification, too.
Currently, the only way to get on to the app is by receiving an invite. But for a user to have the privilege of inviting others along, Clubhouse asks for access to their entire address book - a major risk.
“It's very common for governments to surveil the relatives and friends of activists,” said Fatafta. “Whatever data they can get their hands on, they'll take it.”
In many countries in the region, she added, people need to provide an ID number or copy of a passport when buying a SIM card. So having names linked to numbers on the app makes it even easier for authorities to track someone down.
This contacts-for-invites exchange also means that if one person downloads Clubhouse and allows it to access their address book, the app has all of those contact details, unbeknownst to those people - who may never have even heard of the app.
The practice may be a violation of the EU’s General Data Protection Regulation, but the legislation doesn’t apply in the Middle East.
“Unfortunately, data protection is the least priority for [many of the region’s governments],” said Fatafta. “If you are actively monitoring and surveilling your citizens, you are not interested in data protection.”
“In whatever MENA country you take, you have no clue as a citizen who has access to your data and who's sharing it,” she added. “So even if you want to remedy that and say no - well, good luck.”
'You use the service at your own risk… no internet or email transmission is ever fully secure'
"Recognising the global nature of the internet,” the policy reads, “you agree to comply with all local rules and laws regarding your use of the service, including as it concerns online conduct and acceptable content."
The problem with this, said Fatafta, is that “laws in the region are repressive, vague and broadly worded in a way that governments can - and do - interpret any sort of online speech and activity to prosecute activists, journalists, human rights defenders, or any ordinary citizen that has an unfavourable view of the regime.”
In a particularly egregious case last year, Egypt sentenced five TikTok influencers to prison time and fines for "violating public morals" in videos involving singing and dancing. Their sentences were overturned in January.
Many companies have clauses agreeing to share information with authorities in certain circumstances. In 2019, Netflix removed an episode of a US comedy show after Saudi Arabia complained about its criticism of the war in Yemen and the Khashoggi killing.
What isn’t clear is whether, if at all, Clubhouse would challenge law-enforcement requests.
“What would Clubhouse do if the government of Saudi Arabia, or the government of Egypt, according to its own laws and regulations, required tech companies to hand in personal information of individuals who are implicated in so-called cyber crimes?” asked Fatafta.
Control to delete
Often activists in the Middle East run the risk of security forces confiscating their devices and trawling through their social media accounts, said Fatfta, “grabbing what they consider as evidence against you”. So it’s crucial to be able to delete an account, and quickly.
But there’s no option to delete an account in the Clubhouse app. Instead, users have to send an email, and how long it takes Clubhouse to respond is not stated.
Clubhouse says it keeps personal data post-deletion “for as long as reasonably necessary” and “while we have a business need to do so”, among other reasons. This in practice means they can keep user personal data for as long as they want.
"We are not responsible for circumvention of any privacy settings or security measures contained on the service, or third-party websites," it adds.
“We would expect the company to be taking steps to identify the risks to users' freedom of expression and association, or potential human rights abuses that could be linked to its operations, and then taking appropriate mitigating action to prevent those harms, including through the use of encryption,” Westby, of Amnesty Tech, said.
Clubhouse didn’t reply to a request for comment on the findings set out in this article.
After a year of coronavirus restrictions, Clubhouse has provided a space for people craving interactions outside of their immediate bubble.
But it has also fulfilled another need, Fatafta said, “for people to express their minds, to find connections along ideological, political and social lines”.
“For the LGBT community, for example, you can't express yourself, be it visually, verbally or physically in a public space - or even sometimes in private circles - in the region,” she added. “It’s an unfortunate and sad reality.”
Many, therefore, seem to be enjoying a newfound sense of freedom on Clubhouse, she said, “but I don’t see that freedom staying for long".
“Governments in the region see the internet as a threat… they're extremely innovative in finding ways to control it. Clubhouse is not an exception.”