Clubhouse says it will improve security after researchers raise concerns about spying in China

The developers of the Clubhouse audio chat room app plan to add additional encryption to prevent it from transmitting pings to servers in China after Stanford researchers said they found vulnerabilities in its infrastructure.

In a new report, the Stanford Internet Observatory (SIO) said it has confirmed that Shanghai-based Agora Inc., which makes real-time engagement software, “provides back-end infrastructure for the Clubhouse application.” SIO also found that Clubhouse’s unique ID numbers – not usernames – and chat room IDs are transmitted in plain text, which would likely give Agora access to the original Clubhouse audio. So anyone looking at Internet traffic can compare IDs in shared chat rooms to see who’s talking to each other, SIO tweeted, noting “For mainland China users, this is worrying.”

SIO researchers said they found metadata from a Clubhouse room “being relayed to servers that we believe are hosted in” the People’s Republic of China, and found that the audio was being sent to “servers managed by Chinese entities and distributed around the world.” As Agora is a Chinese company, it would be legally obliged to help the Chinese government locate and store audio messages if local officials say the messages pose a threat to national security, the researchers assumed.

Agora told SIO that it does not store audio or user metadata except to monitor network quality and charge its customers, and as long as the audio is stored on servers in the United States, the Chinese government will not be able to access the data.

Agora did not immediately respond to a request for comment on Sunday, but told Bloomberg in a statement that it does “not have access to share or store personally identifiable end user data. Voice or video traffic from users outside of China – including users in the U.S. – is never routed through China.” The company declined to comment on its relationship with Clubhouse.

Clubhouse told researchers in a statement that when the app was launched, developers decided not to make it available in China “due to China’s privacy history”. However, some users in China found a workaround to download the application, the company said, “which meant that – until the application was blocked by China earlier this week – the conversations in which they participated could be transmitted by Chinese servers.”

The company told SIO it would implement changes “to add encryption and locks to prevent Clubhouse customers from transmitting pings to Chinese servers” and said it would hire an outside security company to review and validate the updates. Clubhouse did not immediately respond to a request for comment on Sunday.

Clubhouse is an invite-only live audio app for iOS that has become popular with many in Silicon Valley, including Tesla CEO Elon Musk, whose debut on Clubhouse earlier this month drew thousands of simultaneous listeners. The company was recently valued at $1 billion.
