The developers of audio chat room app Clubhouse plan to add additional encryption to prevent it from transmitting pings to servers in China, after Stanford researchers said they found vulnerabilities in its infrastructure.
In a new report, the Stanford Internet Observatory (SIO) said it confirmed that Shanghai-based company Agora Inc., which makes real-time engagement software, “supplies back-end infrastructure to the Clubhouse App.” The SIO further discovered that users’ unique Clubhouse ID numbers —not usernames— and chatroom IDs are transmitted in plaintext, which would likely give Agora access to raw Clubhouse audio. So anyone observing internet traffic could match the IDs on shared chatrooms to see who’s talking to each other, the SIO tweeted, noting “For mainland Chinese users, this is troubling.”
The SIO researchers said they found metadata from a Clubhouse room “being relayed to servers we believe to be hosted in” the People’s Republic of China, and found that audio was being sent to “to servers managed by Chinese entities and distributed around the world.” Since Agora is a Chinese company, it would be legally required to assist the Chinese government locate and store audio messages if authorities there said the messages posed a national security threat, the researchers surmised.
Agora told the SIO it does not store user audio or metadata other than to monitor network quality and bill its clients, and as long as audio is stored on servers in the US, the Chinese government would not be able to access the data.
An Agora spokesperson declined to comment on the company’s relationship with Clubhouse, but said it was very clear about “how we deal with user data,” in a statement emailed to The Verge. The company “does not have access to, share, or store personally identifiable end-user data,” the spokesperson said, adding that “voice or video traffic from non-China based users — including US users — is never routed through China.”
Clubhouse told the SIO researchers in a statement that when the app launched, developers decided not to make it available in China “given China’s track record on privacy.” However, some users in China found a workaround to download the app, the company said, “which meant that—until the app was blocked by China earlier this week— the conversations they were a part of could be transmitted via Chinese servers.”
The company told SIO that it was going to roll out changes “to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers” and said it would hire an external security firm to review and validate the updates. Clubhouse did not immediately reply to a request for comment on Sunday.
Clubhouse is an invite-only, iOS-only live-audio app that has become popular among many in Silicon Valley, including Tesla CEO Elon Musk, whose Clubhouse debut earlier this month drew thousands of concurrent listeners. The company was recently valued at a reported $1 billion.
Update February 14th 1:31PM ET: Adds statement from Agora spokesperson
https://www.theverge.com/2021/2/14/22282772/clubhouse-improve-security-stanford-researchers-china-security