Clubhouse works to prevent data from being accessed by China


A group of researchers at the Stanford Internet Observatory (SIO) determined that Clubhouse’s data protection practices allowed its users’ data, possibly including raw audio, to be potentially accessed by the Chinese government.

In a new report, SIO researchers reveal that Clubhouse uses the Chinese company Agora, which provides a real-time voice and video engagement platform, to provide its back-end infrastructure. This means that Clubhouse relies on the Agora platform for its application’s “nuts and bolts” infrastructure.

This is where it starts to get alarming: SIO researchers found that when users join a channel in Clubhouse, a packet containing metadata about each user is sent to Agora’s back-end infrastructure. The metadata includes the user’s unique Clubhouse ID and the ID of the room they are joining. It is not encrypted, “which means that any third party with access to a user’s network traffic can access it”.

“That way, a snooper can find out if two users are talking to each other, for example, detecting whether those users are joining the same channel,” wrote the researchers.

In addition, the researchers found that Agora would likely have access to Clubhouse’s raw audio traffic. This means that unless the audio is encrypted end to end, which the SIO says is “extremely unlikely”, Agora can intercept, transcribe and store the audio.

Some of you may be wondering why it matters that Clubhouse has a Chinese provider, one which also has offices in Silicon Valley. It is extremely important because it means that Agora must comply with China’s cybersecurity law. The researchers note that Agora itself has acknowledged that it would be obliged to provide assistance and support to China in matters related to national security and criminal investigations. In other words:

“If the Chinese government determined that an audio message threatened national security, Agora would be legally required to assist the government in locating and storing it,” they wrote.

According to the report, Agora states that it does not store audio or user metadata, except to monitor the quality of the network and bill its customers. However, the researchers note that it is still theoretically possible for the Chinese government to access Agora’s networks and record user data.

Agora told Reuters on Saturday that it had no comment on any relationship with Clubhouse. A spokesman said the company does not have access to or store personal data and that it does not route voice and video traffic generated outside of China, including traffic from US users, through China.

Gizmodo contacted Agora to comment on the researchers’ findings. We will update this blog if we receive a response.

The SIO highlighted the potential risk faced by Chinese Clubhouse users if the government is able to identify users of the application, especially given the application’s recent activity in the country. Before the government blocked it earlier this week, Chinese users on the app openly discussed the Uighur concentration camps in Xinjiang and the Tiananmen Square protests, among other topics restricted in China.

This identification of users by the government can lead to reprisals and punishments, or even to veiled threats.

“Conversations about the Tiananmen protests, Xinjiang camps or Hong Kong protests can qualify as criminal activity. They’ve qualified before,” said the researchers.

The researchers decided to reveal these security problems because the flaws were easy to find. In addition, they said the problems pose immediate security risks for millions of Clubhouse users, especially those in China. The SIO team also discovered other security flaws that it reported privately to Clubhouse, and said it would reveal them once they were fixed or after a certain time.

Clubhouse responded to SIO’s report and said it was “deeply committed to data protection and user privacy”. The company stated that, although it had not launched Clubhouse in China, some people found a workaround to download the application and that “the conversations of which they were part could be transmitted by Chinese servers”.

In the response, which the researchers published in full, Clubhouse said the researchers had helped it identify areas where it could strengthen its data protection.

“For example, for a small percentage of our traffic, network pings containing the user ID are sent to servers worldwide – which may include servers in China – to determine the fastest route for the customer,” said Clubhouse. “In the next 72 hours, we will implement changes to add additional encryption and locks to prevent Clubhouse customers from transmitting pings to Chinese servers.”

Gizmodo contacted Clubhouse to comment on the SIO report. We will make sure to update this blog if we receive a response.
