Rounding the Clubhouse Turn
Tuesday, 23 March 2021
I teach a couple of different computer security classes. One class includes how to spot fake web sites and scam services. Sadly, some "legitimate" services use these same scam techniques. I'm using quotes around "legitimate" because I'm not quite certain that all of them are really legitimate.
A good example of this came up last week with a group discussing a potentially altered picture. It sounded like fun (says the guy who runs FotoForensics). They said that they were meeting on Clubhouse.
Since I've been living in a cave for the last year (well, a man cave), I didn't hear any of the hoopla around Clubhouse. For those of you as clueless as me, this is a new Silicon Valley startup venture featuring audio-only chatrooms.
My first thought: audio only? Clubhouse sounds like a step backwards in technical advancements. VoIP has existed for years. Party-line chatrooms are common. Between Zoom, Jitsi, Facetime, Skype, Google Chat, etc., video has become the new baseline. Even Jabber and Discord have video chatrooms. Having a new service that provides audio-only chatrooms is like introducing a new text-based service to compete against IRC. (As if every video chatroom didn't also already have text chats and audio-only chat capabilities.) Why would anyone want to go backwards? Moreover, Clubhouse is only for iOS devices (iPhone, iPad, etc.). That keeps it locked up in a walled garden.
As an aside: Clubhouse has mentioned a possible Android version, but there is no release date. Clubhouse also hasn't announced any plans for a desktop application or browser-only option. Having developed a few iOS and Android apps, as well as browser-based media applications, I can attest that it doesn't take six months; they just haven't put any effort into it. One developer (unassociated with Clubhouse) has started work on a Python-based command-line interface for Clubhouse. (As with most things on the Internet: if you don't release an API, then someone else will reverse-engineer the protocol and build it for you as open-source code.)
Anyway, since the talk was on Clubhouse, I decided to take a look at the service before deciding whether to attend the discussion.
The app store says that it was created by "Alpha Exploration Co." From the app store, there are links to the developer's web site, app support, and the privacy policy.
The app support page is a basic FAQ, but it doesn't mention the company's name "Alpha Exploration Co." anywhere. There is no mention about who created, owns, or manages the app. At the bottom of the page are links to their Twitter account, jobs pages, and homepage -- which is also the 'developer website' from the app store.
The home page (aka 'developer website') is much more interesting, from a "lack of information" viewpoint. The site gives their product name and nothing else. Here is a screenshot that shows all of the text on the page:
If you look at their HTML source code, nearly half of the home page's HTML is devoted to user tracking and analytics. The rest is just plain HTML.
There are some links at the bottom of the page: Home, Jobs, Blog, etc.
Keep in mind, it doesn't matter if you can find the CEO, upper management, sponsors, and steering committee mentioned on other web sites (news outlets, LinkedIn, etc.). The question is, why isn't anything mentioned on their own web site?
In addition, they use a lot of third-party services. CloudFlare hosts their web site, notion.so hosts their documentation, Google provides their email, and airtable.com provides their feedback form. Another comment form linked to Zendesk (App Support → My Account & Profile → Contact Us → Zendesk). Given all of these third-party services, what does Alpha Exploration actually provide? All of this is indirection and tells nothing about the company. (Or maybe it tells us plenty...)
Since the terms of service listed the legal jurisdiction as California, I started by doing a California Business search for "Alpha Exploration". This search finds the company: business registration C4563531, ALPHA EXPLORATION CO., registered 02/05/2020. However, it's a foreign registration. In this case, foreign just means that the company is not primarily registered in California. They are listed as being a Delaware corporation.
It's very common for businesses to have a Delaware registration as a legal tax shelter. A Delaware Business search for "Alpha Exploration" turns up 4 results:
Only the first result was filed at the right time -- just before the California filing. Unfortunately, I can't find any other information about them. (Delaware wants $20 for more information, but there's no guarantee that there will be much more information.)
While Delaware provides minimal information, California's registration includes public documents. The initial registration lists the CEO as Paul Davison with a corporate address in Oakland, California. Google Street View shows this as a personal residence. (Given the other redirections, this was probably a screw-up. However, it's in the permanent record now.)
In contrast, the "Corporation - Statement of Information", filed 02/11/2021, lists the business address as 548 Market St., PMB 72878, San Francisco, CA 94103. Google Street View couldn't find this address. What I did find were a bunch of other companies -- some big, some small -- all using that same street address: Bearsumo, Lyft.com, Upward.net, etc. A Google search for "548 market st san francisco" turns up tons of companies using that address. That usually means there is a postbox service where companies can rent something that looks like a street address.
I found a company called Earthclass Mail that provides this type of mail service redirection with the physical address of 548 Market St. This kind of false physical address is really common with scams and fake services. Although some legitimate companies do it too, it's usually a glowing red flag that there's a problem. (The only thing worse is when fake companies list an address that doesn't exist or doesn't belong to them.)
Most of the news reports are product promotions and advertorials (ads disguised as news). However, there were a few news reports that raise concerns:
The media coverage around Clubhouse seems to come in waves. First there were the initial press releases promoting it for investors and using celebrities to bring in traffic. However, each time there is bad news (e.g., a security breach or questions about privacy), there are additional waves of promotional news coverage. To me, this looks like a conscious effort to bury any bad news under a flood of celebrity endorsements.
Beyond the mass media coverage, I didn't find many regular people talking about Clubhouse. It appears to be just another chatroom, competing against other well-established text, audio, and video chat software. It seems to be popular for the sake of being new and popular.
But I still have a Clubhouse question... The app is free. And they say they don't sell personal information. I also see nothing that says that they have ads. In contrast, I see $99 for an Apple Store developer license, lots of third-party services that are not free (CloudFlare, notion.so, lever.co, etc.), as well as operational and legal costs for their business registrations, privacy policy, and terms of service (which reads like a lawyer's template). I see the outgoing expenses, but I see no incoming revenue. If this is correct, then how does Clubhouse generate money?
I asked this to a friend of mine who specializes in business workflows. His reply: "I don't think it generates money." He described a common startup scheme, where the first step is the build an audience. Then you either attract investors or go public. Meanwhile, those investors try to figure out how to make money from the slush pile that is created. He added, "I have not seen ads, but it's a hucksters dream. Many will pay for a stage to present a book or class that can be purchased." Basically, Clubhouse seems to be a company with the end goal of making money fast from investors and then selling out. While they are currently collecting personal information, they don't have to worry about how to monetize it until later. (Or ever; if they sell quickly enough then it becomes someone else's problem.)
Perhaps this is why some outlets are reporting how, after raising $100 million in investor capital, Clubhouse is dying and the momentum has stalled. To me, this doesn't look like an app with future grown potential; it looks like a tech-based pump-and-dump.
Given all of this, I decided to not join Clubhouse for the photo discussion. I don't think joining a sketchy free platform that collects personal information for unknown reasons is worth the cost to attend.
A good example of this came up last week with a group discussing a potentially altered picture. It sounded like fun (says the guy who runs FotoForensics). They said that they were meeting on Clubhouse.
Since I've been living in a cave for the last year (well, a man cave), I didn't hear any of the hoopla around Clubhouse. For those of you as clueless as me, this is a new Silicon Valley startup venture featuring audio-only chatrooms.
My first thought: audio only? Clubhouse sounds like a step backwards in technical advancements. VoIP has existed for years. Party-line chatrooms are common. Between Zoom, Jitsi, Facetime, Skype, Google Chat, etc., video has become the new baseline. Even Jabber and Discord have video chatrooms. Having a new service that provides audio-only chatrooms is like introducing a new text-based service to compete against IRC. (As if every video chatroom didn't also already have text chats and audio-only chat capabilities.) Why would anyone want to go backwards? Moreover, Clubhouse is only for iOS devices (iPhone, iPad, etc.). That keeps it locked up in a walled garden.
As an aside: Clubhouse has mentioned a possible Android version, but there is no release date. Clubhouse also hasn't announced any plans for a desktop application or browser-only option. Having developed a few iOS and Android apps, as well as browser-based media applications, I can attest that it doesn't take six months; they just haven't put any effort into it. One developer (unassociated with Clubhouse) has started work on a Python-based command-line interface for Clubhouse. (As with most things on the Internet: if you don't release an API, then someone else will reverse-engineer the protocol and build it for you as open-source code.)
Anyway, since the talk was on Clubhouse, I decided to take a look at the service before deciding whether to attend the discussion.
Application
As I mentioned, Clubhouse is only available at the Apple app store: "Clubhouse: Drop-in audio chat". When looking at any new app, there are a few things I always check:- How many people are using it? The Apple app store doesn't tell you how many people have downloaded it, but they do tell you how many people have reviewed it. As I write this blog entry, there are over 428,000 reviews. (That's huge.) The number of users is often a good first heuristic for determining whether something is legitimate; scam apps usually don't have massively large numbers of users. ("Usually" is the key word here; not "always".)
- When were the reviews created? Look at the dates for the reviews. Scam apps often have a burst of reviews and then nothing. Real apps usually have a steady flow of new reviews. Clubhouse seems to have started with a burst of comments, but there are still new comments trickling in.
- What were the reviews? Generic "best app ever" reviews are probably bots or paid reviews. Look for people who actually give details and list pros and cons. Also, look at the low reviews: 5-stars could be fanboys, while 1-star and 2-star reviews are often either people who had the wrong expectations or who are pointing out legitimate problems. With Clubhouse, there are 5-star reviews that include wish lists and things that could be made better. There are also 1- and 2-star reviews that mention how some people are charging for joining rooms, bad audio quality, difficulty with the user interface, etc. There may also be privacy issues. As one person wrote, "I dont like that anyone who has my number can find me on the app without my consent."
- What are the permissions? This determines what the application can collect. Clubhouse currently requires access to usage data, diagnostics (in case of a crash), contact information (email, name, and phone number), your contact list, usage data, user content for audio data, and unique identifiers (both user and device). Some of this is understandable, like needing audio access for an audio chatroom. However, the contact list and personal contact information seems over-reaching for a chatroom application. Also, the crash information often includes extreme details related to the device; if it crashes, then you give up any privacy you might have had.
- How often is it updated? Some apps are released once and never changed. Others have detailed descriptions about what has been changed. With Clubhouse, the version history on the app page shows frequent updates. However, they all have the same description:
Hey there! We're constantly adding new features, improving the product and fixing bugs. For full details, please see the release notes in the app. Thank you!
Making changes without describing what changes are being made is suspicious. And requiring someone to install the app in order to see the changes to the app is a red flag. (If the only way to learn what changes were made to the app is to first install the app, then that's a 100% scam move.)
After browsing their web pages, I did eventually stumble upon their release notes -- you don't have to install the app to see it. Go to their app support page and then to their release notes. Then you can see what is new in each release. Finding out what is new in an application shouldn't be a scavanger hunt. - What is the cost? Clubhouse is listed as "free". Moreover, the app currently does not have ads and the privacy policy says that they don't sell your personal information. So how do they make money? Remember: Apple charges developers $99 per year to have an app in the app store. Running servers for handling the chatrooms isn't free, and neither is the bandwidth. They have plenty of out-going revenue, but I'm not seeing where the funds to keep it going are coming from. To me, this is a red flag.
Tracking Ownership
The next big thing to look at is the developer: who created the app?The app store says that it was created by "Alpha Exploration Co." From the app store, there are links to the developer's web site, app support, and the privacy policy.
The app support page is a basic FAQ, but it doesn't mention the company's name "Alpha Exploration Co." anywhere. There is no mention about who created, owns, or manages the app. At the bottom of the page are links to their Twitter account, jobs pages, and homepage -- which is also the 'developer website' from the app store.
The home page (aka 'developer website') is much more interesting, from a "lack of information" viewpoint. The site gives their product name and nothing else. Here is a screenshot that shows all of the text on the page:
If you look at their HTML source code, nearly half of the home page's HTML is devoted to user tracking and analytics. The rest is just plain HTML.
There are some links at the bottom of the page: Home, Jobs, Blog, etc.
- Home: Takes you back to the same page.
- Jobs: Goes to lever.co, a job placement site. The current openings include "General application", HR, "Trust & Safety Specialist", and "Trust & Safety Senior Specialist".
- The opening for General application says "This is our general application form. We understand we may not have an opening that is a match right now. However, we are growing quickly and if you think you might be a good fit for our team, we’d love to hear from you!" In other words, this is a placeholder.
- The HR position provides more details about the product than you'll find anywhere the product's web pages -- and it only contains 31 words:
Clubhouse is a new type of social product based on voice. It allows people everywhere to talk, tell stories, develop ideas, deepen friendships, and meet interesting new people around the world.
The job description goes on to say that they are looking for someone to help promote their service to candidates. - The two Trust & Safety openings are almost identical (I think there are a dozen words that differ), and both explicitly mention promoting the platform: "You’ll be a voice for Clubhouse users and communities."
Although they have a few job positions listed, the emphasis seems to be more on promoting the platform than actually doing the task listed in the job titles. - Blog: There are a lot of self congratulations and a little description of the service. But mostly there is talk about their investors and funding. To me, this reads like a company who's only purpose is to generate investment capital.
- Contact: I kid you not, there is nothing listed. The only thing on this page is a link to their Support page that is hosted on a different web service: notion.so.
At the bottom of the page is a link to airtable.com, which hosts their feedback and feature request form. However, that form doesn't mention the product anywhere. If you didn't know that this was for Clubhouse, then you'd never figure that out from their contact page or feedback request form. - Guidelines: This page does mention the service's name. (Whew.) It talks about roles and expected behavior from members. Nothing stands out as odd, except that the contact says to email them rather than use their feedback form.
- Press: I had expected a long list of the media outlets that reviewed Clubhouse. But that's not there at all. There is only a contact email address and a PDF that contains the product's name. The PDF was created on 2021-02-18 23:52:38 -0800 using Adobe Illustrator 25.2 for the Mac. The artist seems to be someone named "aaron".
- Privacy: The privacy policy is disheartening. It is one of the only places on the web site that lists the company's name (Alpha Exploration Co.), but it doesn't list the company's address, owners, etc. The privacy policy says that they collect a lot of personal information and they may share it with other companies. Although they explicitly say that they do not sell your data, they also say that they will provide it to vendors and service providers.
At the end of the privacy policy, they list an email address at alphaexplorationco.com. As far as I can tell, this domain is only mentioned on the privacy policy and terms of service pages; it's not mentioned anywhere else on the Clubhouse web site. A quick DNS check finds that the email is handled by Google's mail service and the domain has no web page. Beyond 'we run Clubhouse', there is literally nothing about this company on any of these web pages. - Terms of Service: Nowhere do they mention where the company is located, an address for the company, etc. (The address at the end of the form is for the "Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs" and not for Clubhouse or Alpha Exploration.) At best, they mention that the legal jurisdiction is Northern California and San Francisco County.
- Who owns it?
- Who runs it?
- Where are they located? Even something like "what country?" is unanswered. (The legal jurisdiction is not necessarily where the company is located.)
Keep in mind, it doesn't matter if you can find the CEO, upper management, sponsors, and steering committee mentioned on other web sites (news outlets, LinkedIn, etc.). The question is, why isn't anything mentioned on their own web site?
In addition, they use a lot of third-party services. CloudFlare hosts their web site, notion.so hosts their documentation, Google provides their email, and airtable.com provides their feedback form. Another comment form linked to Zendesk (App Support → My Account & Profile → Contact Us → Zendesk). Given all of these third-party services, what does Alpha Exploration actually provide? All of this is indirection and tells nothing about the company. (Or maybe it tells us plenty...)
Business Registrations
The only thing that does appear in the Privacy Policy, Terms of Serivce, and app page is the company name: Alpha Exploration Co. If they are a company, then they should be registered somewhere.Since the terms of service listed the legal jurisdiction as California, I started by doing a California Business search for "Alpha Exploration". This search finds the company: business registration C4563531, ALPHA EXPLORATION CO., registered 02/05/2020. However, it's a foreign registration. In this case, foreign just means that the company is not primarily registered in California. They are listed as being a Delaware corporation.
It's very common for businesses to have a Delaware registration as a legal tax shelter. A Delaware Business search for "Alpha Exploration" turns up 4 results:
FILED | FILE NUMBER | ENTITY NAME |
---|---|---|
1/29/2020 | 7824787 | ALPHA EXPLORATION CO. |
6/23/2020 | 3114603 | ALPHA EXPLORATION CO SPV LLC |
11/10/2014 | 5636268 | ALPHA EXPLORATION GROUP, LLC |
5/29/2019 | 7441857 | ALPHA EXPLORATION TECHNOLOGIES CORP |
Only the first result was filed at the right time -- just before the California filing. Unfortunately, I can't find any other information about them. (Delaware wants $20 for more information, but there's no guarantee that there will be much more information.)
While Delaware provides minimal information, California's registration includes public documents. The initial registration lists the CEO as Paul Davison with a corporate address in Oakland, California. Google Street View shows this as a personal residence. (Given the other redirections, this was probably a screw-up. However, it's in the permanent record now.)
In contrast, the "Corporation - Statement of Information", filed 02/11/2021, lists the business address as 548 Market St., PMB 72878, San Francisco, CA 94103. Google Street View couldn't find this address. What I did find were a bunch of other companies -- some big, some small -- all using that same street address: Bearsumo, Lyft.com, Upward.net, etc. A Google search for "548 market st san francisco" turns up tons of companies using that address. That usually means there is a postbox service where companies can rent something that looks like a street address.
I found a company called Earthclass Mail that provides this type of mail service redirection with the physical address of 548 Market St. This kind of false physical address is really common with scams and fake services. Although some legitimate companies do it too, it's usually a glowing red flag that there's a problem. (The only thing worse is when fake companies list an address that doesn't exist or doesn't belong to them.)
Look who's talking
Finally, I looked for who is talking about this service. The first result on Google is their homepage (which is funny since the web page doesn't describe the app at all.) Then comes a bunch of news reports. When a startup has venture capital, they usually put out press releases that get picked up by media outlets. What you end up with are articles that all seem similar because none of the reporters actually used the product -- they just reword the press releases. However, this is really good at drawing attention toward a new product. (In the scam world, we'd call this the "pump" part of "pump and dump".)Most of the news reports are product promotions and advertorials (ads disguised as news). However, there were a few news reports that raise concerns:
- One Business Insider report mentions that "Clubhouse is being investigated by a French internet watchdog, following a complaint over data privacy". This same issue was reported by Complance Week. It seems that I'm not the only person to show concern about the data that Clubhouse is collecting.
- Another Business Insider report discusses the spread of misinformation over Clubhouse.
- And Security Magazine reported last month on a recent security breach at Clubhouse. This compromised user's personal information that was collected by the service. The article notes, "Security leaders have criticized the app for launching without much regard for privacy." It also quotes one security engineer as saying, "The trouble is that the audio data is built on a Chinese-based platform, which means some of that data is sent back to China." (Great, the same problem Zoom has.)
The media coverage around Clubhouse seems to come in waves. First there were the initial press releases promoting it for investors and using celebrities to bring in traffic. However, each time there is bad news (e.g., a security breach or questions about privacy), there are additional waves of promotional news coverage. To me, this looks like a conscious effort to bury any bad news under a flood of celebrity endorsements.
Beyond the mass media coverage, I didn't find many regular people talking about Clubhouse. It appears to be just another chatroom, competing against other well-established text, audio, and video chat software. It seems to be popular for the sake of being new and popular.
SHOW ME THE... money?
At this point, we have a new product competing against old technology that is receiving unexpectedly high media coverage. They are missing a corporate web site and have almost nothing about their own product on their own web site. The product's homepage seems to be nothing more than a façade or a placeholder, and their blog seems aimed more toward investors than customers.But I still have a Clubhouse question... The app is free. And they say they don't sell personal information. I also see nothing that says that they have ads. In contrast, I see $99 for an Apple Store developer license, lots of third-party services that are not free (CloudFlare, notion.so, lever.co, etc.), as well as operational and legal costs for their business registrations, privacy policy, and terms of service (which reads like a lawyer's template). I see the outgoing expenses, but I see no incoming revenue. If this is correct, then how does Clubhouse generate money?
I asked this to a friend of mine who specializes in business workflows. His reply: "I don't think it generates money." He described a common startup scheme, where the first step is the build an audience. Then you either attract investors or go public. Meanwhile, those investors try to figure out how to make money from the slush pile that is created. He added, "I have not seen ads, but it's a hucksters dream. Many will pay for a stage to present a book or class that can be purchased." Basically, Clubhouse seems to be a company with the end goal of making money fast from investors and then selling out. While they are currently collecting personal information, they don't have to worry about how to monetize it until later. (Or ever; if they sell quickly enough then it becomes someone else's problem.)
Perhaps this is why some outlets are reporting how, after raising $100 million in investor capital, Clubhouse is dying and the momentum has stalled. To me, this doesn't look like an app with future grown potential; it looks like a tech-based pump-and-dump.
Given all of this, I decided to not join Clubhouse for the photo discussion. I don't think joining a sketchy free platform that collects personal information for unknown reasons is worth the cost to attend.
Honestly, that's the average app update these days. 'Optimized the experience. Bug fixes and performance enhancements. Please leave us a review!'
And you get that from companies with plenty of money, including those founded by Sam Walton and Bill Gates.
It's as irritating to me as error messages that just say "oops! Something went wrong!"... grr.
There is a video on Twitter where (Paul D.) talks about the app.
But after more than 18 months, I still agree with you, many things are not correct about this app : it is toxic with no moderation, no safety for kids, full of bullies and suspicious users, and only God knows who detain our personal data.
Thanks for the blog.