A group of researchers at the Stanford Internet Observatory (SIO) has established that Clubhouse’s data protection practices could allow the Chinese government to access its users’ data, including raw audio.
In a new report, SIO researchers reveal that Clubhouse uses the Chinese company Agora, which offers a real-time voice and video engagement platform, to provide its back-end infrastructure. In other words, Clubhouse relies on Agora’s platform for the underlying infrastructure of its application.
Here’s where it starts to become alarming: SIO researchers found that when users join a channel on Clubhouse, a packet containing metadata about each user is sent to Agora’s back-end infrastructure. That metadata includes each user’s unique Clubhouse ID and the ID of the room they join. It is not encrypted, “which means that any third party with access to a user’s network traffic can access it.”
“In this way, a listener could find out if two users are talking to each other, for example, by detecting whether those users are joining the same channel,” the researchers wrote.
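To make the finding concrete, here is an added example that is not part of the SIO report and not Clubhouse or Agora code. It models a join-announcement packet as a constructed JSON payload (the real packet layout is not described on this page and is assumed here), shows what a passive observer of the network path can reconstruct from plaintext metadata, and includes the wire-leak check a team can run against captured test traffic to confirm that encryption removed the identifiers from the wire. The ciphertext packet is a fixed byte string standing in for real AEAD output, not real encryption.

```python
"""Added example (not from the SIO report or Clubhouse/Agora code): what a passive
on-path observer learns from unencrypted join metadata, and a wire-leak check a
team can run on captured test traffic before shipping. Packet layout and all
values are constructed for illustration."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured datagram as an on-path observer would see it."""
    src: str
    dst: str
    payload: bytes


def plaintext_join(user_id: str, room_id: str) -> bytes:
    """Constructed stand-in for the unencrypted join metadata described in the report."""
    return json.dumps({"type": "join", "user_id": user_id, "room_id": room_id}).encode("utf-8")


# Constructed capture: two plaintext joins and one opaque (encrypted) payload.
# The ciphertext bytes are a fixed stand-in for real AEAD output, not real encryption.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "203.0.113.10", plaintext_join("u-1042", "room-77")),
    Packet("10.0.0.9", "203.0.113.10", plaintext_join("u-2281", "room-77")),
    Packet("10.0.0.5", "203.0.113.10", bytes.fromhex("9f03c41a7be2d8055fa6e0cc1b4d9a37e1")),
]
SENSITIVE_IDS = ("u-1042", "u-2281", "room-77")


def observer_room_view(packets):
    """Reconstruct room -> set(user_id) from whatever parses as a plaintext join.
    Opaque payloads contribute nothing, which is exactly what encryption buys."""
    rooms = {}
    for pkt in packets:
        try:
            msg = json.loads(pkt.payload.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue  # not readable: the observer learns nothing from this packet
        if isinstance(msg, dict) and msg.get("type") == "join":
            rooms.setdefault(msg["room_id"], set()).add(msg["user_id"])
    return rooms


def shared_rooms(rooms, user_a, user_b):
    """Rooms in which the observer saw both users: the co-presence inference the report describes."""
    return sorted(r for r, members in rooms.items() if user_a in members and user_b in members)


def find_plaintext_identifiers(packets, identifiers):
    """Wire-leak check: report (packet index, identifier) for each sensitive value found
    verbatim in a payload, in UTF-8 or UTF-16-LE. Should return [] once metadata is encrypted."""
    hits = []
    for i, pkt in enumerate(packets):
        for ident in identifiers:
            if any(ident.encode(enc) in pkt.payload for enc in ("utf-8", "utf-16-le")):
                hits.append((i, ident))
    return hits


if __name__ == "__main__":
    view = observer_room_view(SAMPLE_PACKETS)
    print("observer sees:", {r: sorted(m) for r, m in view.items()})
    print("u-1042 and u-2281 share:", shared_rooms(view, "u-1042", "u-2281"))
    print("plaintext identifier hits:", find_plaintext_identifiers(SAMPLE_PACKETS, SENSITIVE_IDS))
```

The check is deliberately dumb: it searches captured payloads for the literal identifiers in the two encodings a mobile client is likely to emit, so it catches the case the report describes (IDs sent in the clear) without having to understand the protocol. Run it against a packet capture of a test session whose user and room IDs you control; a non-empty result means an on-path observer can still link users to rooms.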
In addition, the researchers found that Agora would likely have access to Clubhouse’s raw audio traffic. This means that unless the audio is encrypted end-to-end, which SIO says is “extremely unlikely”, Agora could intercept, transcribe and store it.
Some of you may be wondering why it matters that Clubhouse has a Chinese supplier that also has offices in Silicon Valley. It matters a great deal, because it means that Agora must comply with China’s cybersecurity law. The researchers pointed out that Agora itself has acknowledged that it would be obliged to provide assistance and support to the Chinese government in matters related to national security and criminal investigations. In other words:
“If the Chinese government established that an audio message endangered national security, Agora would be legally obliged to assist the government in locating and storing it,” they wrote.
According to the report, Agora claims that it does not store user audio or metadata, except for network-quality monitoring and billing purposes. However, the researchers note that it is still theoretically possible for the Chinese government to reach into Agora’s networks and record user data.
Agora told Reuters on Saturday that it would not comment on any relationship with Clubhouse. A spokesperson said the company does not have access to or store personal data, and does not route voice and video traffic generated outside China, including traffic from US users, through China.
Gizmodo contacted Agora for comments on the researchers’ findings. We will update this blog if we hear.
SIO highlighted the risk faced by mainland Chinese users of Clubhouse if the government could identify users of the application, especially given the app’s recent activity in the country. Before the government blocked it earlier this week, Chinese users of the application openly discussed the Uighur concentration camps in Xinjiang and the Tiananmen Square protests, among other subjects that are restricted in China.
Identification of users by the government could lead to retaliation and punishment, or even threats.
“Talks about the Tiananmen protests, the Xinjiang camps or the Hong Kong protests could be described as criminal activity. They have qualified before,” said the researchers.
The researchers decided to disclose these security issues because the flaws were easy to find. In addition, they said the problems posed immediate security risks for millions of Clubhouse users, especially those in China. The SIO team also discovered other security flaws, which it reported privately to Clubhouse and said it would disclose once they were fixed or after a set period of time.
Clubhouse responded to the SIO report and said it was “deeply committed to data protection and user privacy”. The company said that although it never launched Clubhouse in China, some users found a workaround to download the application, and that “the conversations they were part of could be transmitted via Chinese servers”.
In its response, which the researchers published in full, Clubhouse said the researchers had helped it identify areas where it could strengthen its data protection.
“For example, for a small percentage of our traffic, network pings containing the user ID are sent to servers around the world – which may include servers in China – to determine the fastest route to the client,” Clubhouse said. “Over the next 72 hours, we’re launching changes to add encryption and additional blocks to prevent Clubhouse clients from ever pinging Chinese servers.”
Gizmodo contacted Clubhouse for a comment on the SIO report. We will make sure we update this blog if we hear back.