
Clubhouse will strengthen the security of the application

A group of researchers at the Stanford Internet Observatory (SIO) determined that Clubhouse’s data protection practices allowed the Chinese government to access its users’ data, possibly including their raw audio.

In a new report, SIO researchers show that Clubhouse uses the Chinese company Agora, which provides a real-time voice and video platform, to power its internal infrastructure. This means Clubhouse is using the Agora platform as the backbone of its application infrastructure.

Here’s where the worry begins: SIO researchers found that when users join a channel in Clubhouse, a packet containing metadata about each user is sent to Agora’s internal infrastructure. The metadata includes the user’s unique Clubhouse ID and the ID of the room they are joining. It is not encrypted, “which means that it can be accessed by any third party that has access to the user’s network traffic.”

“Thus, the interceptor can find out if two users are talking to each other, for example, by detecting if these users are joining the same channel,” the researchers write.

The researchers also found that Agora is likely to have access to Clubhouse’s raw audio traffic. This means that unless the audio is end-to-end encrypted, which the SIO says is “doubtful”, Agora can intercept, decrypt and store it.

Some of you may be wondering why it matters if Clubhouse has a Chinese provider that also has offices in Silicon Valley. This is extremely important because it means Agora must comply with China’s cyber security law. The researchers note that Agora itself has acknowledged that it will be obliged to provide China with assistance and support in matters related to national security and criminal investigations. In other words:

“If the Chinese government determines that the audio message threatens national security, Agora will be legally required to assist the government in locating and storing it,” they wrote.

According to the report, Agora claims it does not store user audio or metadata, other than to monitor network quality and bill its customers. However, the researchers note that the Chinese government can still theoretically connect to Agora networks and record user data.

The researchers decided to disclose these security issues because the flaws were easy to find. They also stated that these issues pose an immediate threat to the safety of millions of Clubhouse users, especially in China. The SIO team also discovered other security flaws, which it privately reported to Clubhouse, and said it would disclose them when they are fixed or after a specific time frame.

Clubhouse reacted to the SIO report and stated that it is “deeply committed to protecting user data and privacy.” The company says that while it did not launch Clubhouse in China, some people found a workaround to download the app and that “the conversations they participated in could be streamed through Chinese servers.”

In a response that the researchers published in full, Clubhouse said the researchers helped them identify areas to strengthen data protection.
