Clubhouse moves to prevent China from gaining access to user data

Illustration for the article: Clubhouse will strengthen security after researchers find that the Chinese government could gain access to user data.

Photo: Mark Schiefelbein (AP)

A group of researchers from the Stanford Internet Observatory (SIO) has determined that Clubhouse's data protection practices could allow the Chinese government to access users' data, possibly including their raw audio.

In a new report, the SIO researchers reveal that Clubhouse relies on Agora, a Chinese company that sells a real-time voice and video engagement platform, for its back-end infrastructure. In other words, Clubhouse uses Agora's platform for the "nuts-and-bolts" plumbing of its app.

This is where it starts to get worrisome: the SIO researchers found that when a user joins a channel in Clubhouse, a packet of metadata about that user is sent to Agora's back-end infrastructure. The metadata contains the user's unique Clubhouse ID and the ID of the room they are joining, and it is sent in plaintext, "which means that any third party with access to a user's network traffic has access to it." In practice that includes the user's ISP, the operator of the Wi-Fi network they are on, and any state-level interception point along the route.

"In this way, an observer can tell whether two users are talking to each other, for example by determining whether the users are joining the same channel," the researchers wrote.
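The inference the researchers describe is ordinary traffic analysis: an observer on the network path does not need the audio at all, only the plaintext user and room IDs and the time at which each packet was seen. The following is an added example, not code from the SIO report or from Clubhouse or Agora, showing how a passive observer would correlate such captured metadata into "who was in a room with whom, and for how long". The wire format is not published in the report, so the JSON framing and the field names (event, user_id, room_id, ts) are assumptions for illustration, and the captured lines are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample: lines a passive observer might log from unencrypted
# channel-join/leave metadata. Field names and JSON framing are assumed for
# illustration; the real wire format is not described in the SIO report.
CAPTURED_PACKETS = [
    '{"event": "join",  "user_id": "u1001", "room_id": "r42", "ts": 100}',
    '{"event": "join",  "user_id": "u1002", "room_id": "r42", "ts": 130}',
    '{"event": "join",  "user_id": "u1003", "room_id": "r77", "ts": 140}',
    '{"event": "leave", "user_id": "u1001", "room_id": "r42", "ts": 200}',
    '{"event": "join",  "user_id": "u1003", "room_id": "r42", "ts": 250}',
    '{"event": "leave", "user_id": "u1002", "room_id": "r42", "ts": 300}',
    '{"event": "leave", "user_id": "u1003", "room_id": "r42", "ts": 320}',
    'not a json line - a real capture has noise the parser must skip',
]


def parse_packets(lines):
    """Parse captured lines into (ts, event, user_id, room_id) tuples,
    sorted by time; malformed lines are skipped rather than aborting."""
    records = []
    for line in lines:
        try:
            p = json.loads(line)
            records.append((int(p["ts"]), p["event"], p["user_id"], p["room_id"]))
        except (ValueError, KeyError, TypeError):
            continue
    return sorted(records)


def presence_intervals(records, end_ts=None):
    """Map (user_id, room_id) -> list of (join_ts, leave_ts).
    A join with no matching leave is closed at end_ts (default: the
    last timestamp seen), i.e. the user was still present at capture end."""
    if end_ts is None:
        end_ts = max(r[0] for r in records) if records else 0
    open_joins = {}
    intervals = defaultdict(list)
    for ts, event, uid, rid in records:
        key = (uid, rid)
        if event == "join":
            open_joins[key] = ts
        elif event == "leave" and key in open_joins:
            intervals[key].append((open_joins.pop(key), ts))
    for key, start in open_joins.items():
        intervals[key].append((start, end_ts))
    return intervals


def co_presence(records):
    """Return {((user_a, user_b), room_id): overlap_seconds} for every pair
    of distinct users whose presence in the same room overlapped in time."""
    by_room = defaultdict(list)
    for (uid, rid), ivs in presence_intervals(records).items():
        for iv in ivs:
            by_room[rid].append((uid, iv))
    result = defaultdict(int)
    for rid, entries in by_room.items():
        for i in range(len(entries)):
            for j in range(i + 1, len(entries)):
                (ua, (sa, ea)), (ub, (sb, eb)) = entries[i], entries[j]
                if ua == ub:
                    continue
                overlap = min(ea, eb) - max(sa, sb)
                if overlap > 0:
                    result[(tuple(sorted((ua, ub))), rid)] += overlap
    return dict(result)


if __name__ == "__main__":
    for (pair, room), seconds in sorted(co_presence(parse_packets(CAPTURED_PACKETS)).items()):
        print(f"{pair[0]} and {pair[1]} shared room {room} for {seconds}s")
```

On the constructed capture this reports that u1001 and u1002 shared room r42 for 70 seconds and u1002 and u1003 for 50 seconds, while u1001 and u1003 never overlapped even though both visited r42. Nothing here depends on the audio; encrypting the join metadata (or replacing the stable user ID with a per-session pseudonym) is what removes the observer's ability to build this table.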

In addition, the researchers found that Agora likely has access to Clubhouse's raw audio traffic. That means Agora could intercept, transcribe and store the audio unless it is end-to-end encrypted between users, something the SIO considers "extremely unlikely" to be the case.

Some readers may wonder why it matters that Clubhouse has a Chinese supplier, particularly one that also has offices in Silicon Valley. It matters because Agora must comply with Chinese cybersecurity legislation. The researchers point out that Agora itself has conceded it would be obliged to provide the Chinese government with assistance and support in matters related to national security and criminal investigations. In other words:

"Should the Chinese government decide that an audio message endangers national security, Agora would be legally obliged to assist the government in locating and storing it," they wrote.

According to the report, Agora says it does not store users' audio or metadata except to monitor network quality and bill its customers. The researchers note, however, that it remains theoretically possible for the Chinese government to tap Agora's networks and record user data regardless of Agora's own retention policy.

Agora told Reuters on Saturday that it would not comment on any relationship with Clubhouse. A spokesperson said the company does not have access to, and does not store, personal information, and that it does not route voice or video traffic generated outside China, including traffic from US users, through China.

Gizmodo contacted Agora for comment on the researchers' findings. We will update this post if we hear back.

The SIO emphasizes the risk faced by Clubhouse users in mainland China if the government can identify who is using the app, especially given recent activity there. Before the government blocked the app earlier this week, Chinese users openly discussed topics including the Uighur concentration camps in Xinjiang and Tiananmen Square.

If the government can identify those users, it could lead to retaliation and punishment, or even covert threats.

"Talks about the Tiananmen protesters, the Xinjiang camps or the protests in Hong Kong may qualify as criminal activities. They have qualified before," the researchers said.

The researchers chose to disclose these issues publicly because the flaws were easy to discover, and because they pose an immediate security risk to Clubhouse's millions of users, especially those in China. The SIO team also found other security flaws, which it reported privately to Clubhouse and says it will disclose once they are fixed or after a set deadline, the usual shape of a coordinated disclosure.

Clubhouse responded to the SIO report, saying it is "deeply committed to data protection and user privacy." The company said that although the app has not launched in China, some people there found ways to download it, and that "the conversations they participated in could be transmitted via Chinese servers."

In its response, which the researchers published in full, Clubhouse said the researchers had helped it identify areas where it could strengthen data protection.

"For example, for a small percentage of our traffic, network pings containing the user ID are sent to servers around the world, which may include servers in China, to determine the fastest route to the client," Clubhouse said. "Over the next 72 hours, we will roll out changes to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers."

Gizmodo reached out to Clubhouse for comment on the SIO report. We will update this post if we hear back.
