Clubhouse is working to prevent data from being accessed by China


Photo: Mark Schiefelbein (AP)

A group of researchers from the Stanford Internet Observatory (SIO) found that Clubhouse’s data protection practices left its users’ data, including their raw audio, accessible to the Chinese government.

In a new report, SIO researchers reveal that Clubhouse relies on Agora, a Chinese company that sells a real-time voice and video engagement platform, for its back-end infrastructure. In other words, Agora’s platform provides the “nuts and bolts” on which the app runs.

This is where it gets alarming: the SIO researchers found that when a user joins a channel on Clubhouse, a packet of metadata about that user is sent to Agora’s back-end infrastructure. The metadata includes the user’s unique Clubhouse ID and the ID of the room they join. It is not encrypted, “meaning any third party with access to a user’s network traffic can access it.”

“In this way, an eavesdropper can learn whether two users are talking to each other, for example by detecting whether those users are joining the same channel,” the researchers wrote.

In addition, the researchers found that Agora would likely be able to access Clubhouse’s raw audio traffic. If the audio is not end-to-end encrypted (and the SIO says it is “extremely unlikely” that it is), Agora could intercept, transcribe and store it.

Some of you may be wondering why it matters that Clubhouse uses a Chinese provider, one that also has offices in Silicon Valley. It matters because Agora must comply with China’s cybersecurity law. The researchers point out that Agora itself has acknowledged that it would be required to provide the Chinese government with assistance and support in matters related to national security and criminal investigations. In other words:

“If the Chinese government determined that an audio message would endanger national security, Agora would be legally obliged to assist the government in locating and storing it,” they wrote.

According to the report, Agora claims it does not store any user audio or metadata except to monitor network quality and bill its customers. However, the researchers note that it is still theoretically possible for the Chinese government to leverage Agora’s networks and capture user data.

Agora told Reuters on Saturday that it had no comment on any relationship with Clubhouse. A spokesperson said the company does not have access to personal data and that it does not route voice and video traffic generated outside China, including traffic from US users, through China.

Gizmodo reached out to Agora for comment on the researchers’ findings. We will update this post if we hear anything.

The SIO highlighted the potential risk to Clubhouse users in mainland China if the government were able to identify users of the app, especially given recent activity on the app in the country. Before the government blocked it earlier this week, Chinese users had been using the app to discuss openly the Uyghur concentration camps in Xinjiang and the Tiananmen Square protests, among other topics that are restricted in China.

Identification of those users by the government could lead to retaliation and punishment, or at the very least to veiled threats.

“Talks about the Tiananmen protests, the Xinjiang camps or the Hong Kong protests can be classified as criminal activity. They have qualified before,” said the researchers.

The researchers decided to disclose these security vulnerabilities because the flaws were easy to find. In addition, they said the issues pose immediate security risks to Clubhouse’s millions of users, particularly those in China. The SIO team also discovered other security flaws that it reported privately to Clubhouse, and said it would disclose them once they were fixed or after a set deadline.

Clubhouse responded to the SIO report, saying it was “deeply committed to data protection and user privacy.” The app stated that although Clubhouse had not launched in China, some people had found a workaround to download the app, and that “the conversations they were part of could be sent through Chinese servers.”

In the response, which the researchers published in full, Clubhouse said the researchers had helped it identify areas where it could strengthen data protection.

“For example, for a small percentage of our traffic, network pings containing the user ID are sent to servers around the world – including servers in China – to determine the fastest route to the customer,” said Clubhouse. “Over the next 72 hours, we will be making changes to add additional encryption and blocks to prevent Clubhouse clients from ever sending pings to Chinese servers.”
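The two mechanics in this story, a client that puts the user ID and room ID on the wire in cleartext, and a fix that “adds blocks” so that latency pings never reach certain servers, can be made concrete in code. The following is an added example written for this article; it is not code from the SIO report, from Agora or from Clubhouse, and the hostnames, region tags, blocked-region list and probe wire format are all constructed assumptions. It shows a latency probe that carries only a random per-probe token (the client keeps the token-to-user mapping locally), a region filter applied before any probe is sent, and an audit function a security team could run over its own client’s outbound payloads to confirm that no user or room identifier appears in cleartext, or as an unkeyed hash of one, which an on-path observer could link just as easily.

```python
"""Added example (not from the SIO report, Agora or Clubhouse): a client-side
latency probe that keeps identities off the wire, plus an audit that checks
outbound bytes for cleartext identifiers. All endpoints, region tags and the
probe format are constructed for illustration."""
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    host: str
    region: str  # assumed jurisdiction tag for the server (ISO country code)


# Constructed sample of candidate relay servers the client might ping.
CANDIDATES = [
    Endpoint("relay-us-west.example", "US"),
    Endpoint("relay-eu-central.example", "DE"),
    Endpoint("relay-cn-east.example", "CN"),
]

# Regions the client must never send pings to (the "blocks" in the fix).
BLOCKED_REGIONS = frozenset({"CN"})


def select_probe_targets(candidates: Iterable[Endpoint],
                         blocked: frozenset = BLOCKED_REGIONS) -> List[Endpoint]:
    """Drop every endpoint in a blocked region before any probe is built."""
    return [e for e in candidates if e.region not in blocked]


def build_legacy_probe(user_id: str, room_id: str) -> bytes:
    """The pattern the report describes (constructed format): identifiers in
    cleartext, readable by anyone on the network path."""
    return json.dumps({"user_id": user_id, "room_id": room_id}).encode()


def build_probe() -> Tuple[bytes, str]:
    """Hardened probe: a fresh random token per probe and nothing else.
    The client remembers which token it sent to which server; the user ID
    and room ID never leave the device for latency measurement."""
    token = secrets.token_hex(16)
    payload = json.dumps({"v": 1, "probe": token}).encode()
    return payload, token


def audit_cleartext(wire: bytes, identifiers: Iterable[str]) -> List[str]:
    """Return the identifiers that appear in the wire bytes, either verbatim
    (case-insensitive) or as an unkeyed SHA-256 hex digest. An unkeyed hash
    of a known ID is still a stable, linkable identifier for an observer."""
    low = wire.lower()
    hits = []
    for ident in identifiers:
        digest = hashlib.sha256(ident.encode()).hexdigest().encode()
        if ident.lower().encode() in low or digest in low:
            hits.append(ident)
    return hits


def plan_probes(user_id: str, room_id: str,
                candidates: Iterable[Endpoint] = CANDIDATES) -> dict:
    """Build the probe plan: filtered targets, payload, the local token,
    and the audit result for the identifiers we must not leak."""
    targets = select_probe_targets(candidates)
    payload, token = build_probe()
    return {
        "targets": [t.host for t in targets],
        "payload": payload,
        "token": token,  # kept locally, matched against the server reply
        "leaks": audit_cleartext(payload, [user_id, room_id]),
    }


if __name__ == "__main__":
    legacy = build_legacy_probe("user-12345", "room-777")
    print("legacy probe leaks:", audit_cleartext(legacy, ["user-12345", "room-777"]))
    plan = plan_probes("user-12345", "room-777")
    print("targets:", plan["targets"], "leaks:", plan["leaks"])
```

The audit deliberately checks for unkeyed hashes as well as raw values: replacing the user ID with `sha256(user_id)` looks like a fix but gives an observer the same stable identifier under a different name. The token approach avoids that because each probe value is random and the mapping to the user exists only on the client.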

Gizmodo reached out to Clubhouse for comment on the SIO report. We will update this post if we hear back.
