Clubhouse works to prevent China from accessing the data

Photo: Mark Schiefelbein (AP)

A group of researchers at the Stanford Internet Observatory has determined that Clubhouse’s data protection practices allowed the Chinese government to access its users’ data, possibly their raw audio.

In a new report, SIO researchers reveal that Clubhouse uses the Chinese company Agora, which provides a real-time voice and video engagement platform, to supply its back-end infrastructure. This means that Clubhouse relies on the Agora platform for its application’s “nuts-and-bolts” infrastructure.

This is where it starts to get alarming: SIO researchers found that when users join a Clubhouse channel, a packet containing metadata about each user is sent to Agora’s back-end infrastructure. The metadata includes the user’s unique Clubhouse ID and the ID of the room they are joining. This metadata is not encrypted, “which means that any third party with access to a user’s network traffic can access it.”

“This way, a listener can know if two users are talking to each other, for example, by detecting whether those users are joining the same channel,” the researchers wrote.

In addition, investigators found that Agora would likely have access to Clubhouse’s raw audio traffic. This means that if the audio is not encrypted from end to end (something the SIO says is “extremely unlikely”), Agora could intercept, transcribe, and store the audio.

Some of you may be wondering why it matters if Clubhouse has a Chinese vendor, which also has offices in Silicon Valley. This is extremely important because it means Agora must comply with China’s cybersecurity law. The researchers noted that Agora itself acknowledged that it would be obliged to provide China with assistance and support on issues related to national security and criminal investigations. In other words:

“If the Chinese government determined that an audio message endangered national security, Agora would be legally obliged to help the government locate and store it,” they wrote.

According to the report, Agora claims that it does not store user audio or metadata except to monitor network quality and bill its customers. However, the researchers point out that it is still theoretically possible for the Chinese government to tap Agora’s networks and record user data.

Agora told Reuters on Saturday that it had no comment on any relationship with Clubhouse. A spokesman said the company does not access or store personal data and does not route voice and video traffic generated outside of China, including U.S. user traffic, through China.

Gizmodo contacted Agora for comment on the researchers’ findings. We will update this blog if we hear back.

The SIO highlighted the potential risk faced by Clubhouse users in mainland China if the government could identify users of the app, especially given the recent activity on the app in the country. Before the government blocked it earlier this week, Chinese users of the app openly discussed the Uyghur concentration camps in Xinjiang and the Tiananmen Square protests, among other topics that are restricted in China.

This identification of users by the government can lead to retaliation and punishment, or even hidden threats.

“Talks about the Tiananmen protests, the Xinjiang camps and the Hong Kong protests could be described as criminal activity. They have qualified before,” said the researchers.

The researchers decided to reveal these security issues because the flaws were easy to find. In addition, they said the problems pose immediate security risks for millions of Clubhouse users, especially those in China. The SIO team also discovered other security flaws, which they communicated to Clubhouse privately, and said they would disclose them once they were fixed or after a certain period of time.

Clubhouse responded to the SIO report and said it was “deeply committed to data protection and user privacy.” The company said that while it had not launched Clubhouse in China, some people had found a workaround to download it and that “the conversations they were part of could be streamed via Chinese servers.”

In its response, which the researchers published in full, Clubhouse said the researchers had helped it identify areas where it could strengthen its data protection.

“For example, for a small percentage of our traffic, network pings containing the user ID are sent to servers around the world (which may include servers in China) to determine the fastest route to the customer,” Clubhouse said. “Over the next 72 hours, we will implement changes to add encryption and additional blocks to prevent Clubhouse customers from transmitting pings to Chinese servers.”

Gizmodo contacted Clubhouse for comment on the SIO report. We will make sure to update this blog if we hear back.