Clubhouse to fix security vulnerability due to China snooping concerns

Clubhouse, the popular audio chat room app, said it is reviewing its data protection practices. This follows a report from Stanford Internet Observatory (SIO) that found security vulnerabilities in Clubhouse’ infrastructure that left its user’s data vulnerable to be accessed by the Chinese government.

The SIO confirmed that Agora, a Shanghai-based startup, provided the back-end infrastructure to Clubhouse. The researchers also determined that both a user’s Clubhouse ID number and chatroom ID are transmitted in plaintext over the internet, making it “trivial to intercept”. This would likely give Agora access to raw Clubhouse audio files. 

Potentially this would allow anyone observing internet traffic to match the IDs shared in the chatrooms and see who is talking to one another. SIO said it chose to disclose the security issues as they posed an immediate security risk to Clubhouse’s millions of users, particularly those residing in China.

Many new users from mainland China joined the Clubhouse app where they engaged in discussions on topics that were considered to be taboo including the Xinjiang province detention camps and Hong Kong’s National Security Law. However, their access to the app was eventually blocked on 8 February.

Clubhouse said in a response to SIO that it opted not to make its app available in China. However, some users in China managed to find a workaround to download the app. This means that the conversations they were a part of could be transmitted via Chinese servers.

Even though Agora is jointly headquartered in both the US and China, the company is still subjected to China’s restrictive cybersecurity laws. This means they may be required to assist the Chinese government in any criminal or national security investigation.

Agora, however, claimed it does not store any audio or metadata other than to monitor its network quality and bill its clients. It added that if an audio file is stored on servers in the US, it is highly unlikely the Chinese government would be able to access the data.

A spokesperson from Agora said, “voice or video traffic from non-China based users — including US users — is never routed through China.”

Clubhouse told SIO that it was going to add additional encryption and blocks to prevent its clients from transmitting pings to Chinese servers. It also plans to hire an external security firm to review and validate its updates. 

The app was launched in early 2020 but it only recently saw its user base soar. This started in early February 2021 when Tesla chief executive officer Elon Musk and Robinhood CEO Vlad Tenev held a discussion on the GameStop stock surge incident that shook Wall Street.

That discussion maxed out the platform’s 5,000 person-per-room limit. According to data analytics firm Sensor Tower, this led to over a million Clubhouse downloads in the subsequent 10 days.

Clubhouse is currently free to use and does not run any ads. The company said it plans to add a subscription model in the future. It is currently only available for iPhone users but an Android version of the app is in development.

[SOURCE, 2]

Related reading