The audio chat room app Clubhouse recently amplified the security for its app following concerns of China spying on its users.
On February 12, the Stanford Internet Observatory (SIO) released a blog post determining that the app’s infrastructure was vulnerable to access by the Chinese government. In response, the app’s developers announced that they would make backend changes to strengthen the service’s encryption and prevent user ID pings from being routed through servers in China.
“With the help of researchers at the Stanford Internet Observatory, we have identified a few areas where we can further strengthen our data protection,” said Clubhouse in a statement. “We also plan to engage an external data security firm to review and validate these changes.”
What Did The SIO Find Exactly?
The SIO found that Clubhouse’s back-end infrastructure is supplied by a Shanghai-based company called Agora, which sells “real-time engagement software” for other companies to build on. The researchers observed the app’s network traffic with tools such as Wireshark and saw that servers operated by Agora handled part of its outgoing traffic.
For instance, when a Clubhouse user joins a room, their unique Clubhouse ID number and the room’s ID are sent in plaintext, that is, without encryption, so any third party observing the traffic can read that data.
The SIO’s additional analysis showed that Agora could likely access Clubhouse’s raw audio traffic: because the app likely does not use end-to-end encryption, Agora would be in a position to intercept, transcribe or store any audio.
Andreas Grant, a network security engineer and founder of Networks Hardware, said that although Clubhouse now encrypts its voice chats in transit, end-to-end encryption is still necessary, because with it, “it becomes impossible for Agora, or any government for that matter, to access the data.”
“The problem that Stanford Internet Observatory found with this is that Clubhouse needs to distribute public keys to all users,” he said. “That doesn’t exist yet. Similar things can theoretically happen to any app that doesn’t use end-to-end encryption and have any type of connection to CCP.”
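The point above, that transport encryption terminating at the relay leaves the provider able to read audio while end-to-end encryption (which needs public-key distribution between users) does not, can be shown with a toy model. This is an added example, not code from Clubhouse, Agora or the SIO; the relay, the `room-42`/`user-1001` identifiers, the Diffie-Hellman group and the XOR stream cipher are constructed stand-ins for the real systems and are not production cryptography. Note that the relay still sees the user and room IDs in both modes, which is the separate metadata finding described earlier.

```python
import hashlib, secrets

P, G = 2**127 - 1, 2          # toy DH group (a Mersenne prime); NOT a production parameter
AUDIO = b"audio frame: discussion in the room"   # constructed sample payload

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 keystream. Models encryption only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Client:
    def __init__(self, user_id: str):
        self.user_id, self.priv = user_id, secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)              # what a key directory would publish
    def shared_key(self, peer_pub: int) -> bytes:   # DH: both peers derive the same key
        return hashlib.sha256(str(pow(peer_pub, self.priv, P)).encode()).digest()

def relay_session(end_to_end: bool) -> dict:
    """Alice sends one frame to Bob through a relay; report what each party could see."""
    relay_log = []                                   # everything the provider could record
    transport_key = secrets.token_bytes(32)          # TLS-like key that the relay itself holds
    alice, bob = Client("user-1001"), Client("user-1002")
    directory = {c.user_id: c.pub for c in (alice, bob)}  # the public-key distribution step
    if end_to_end:
        payload = xor_stream(alice.shared_key(directory[bob.user_id]), AUDIO)
    else:
        payload = AUDIO                              # content protected only hop by hop
    wire = xor_stream(transport_key, payload)        # client -> relay hop
    seen = xor_stream(transport_key, wire)           # relay terminates the transport layer
    relay_log.append({"user": alice.user_id, "room": "room-42", "payload": seen})
    to_bob = xor_stream(transport_key, seen)         # relay -> recipient hop
    delivered = xor_stream(transport_key, to_bob)    # Bob strips the transport layer
    heard = (xor_stream(bob.shared_key(directory[alice.user_id]), delivered)
             if end_to_end else delivered)
    return {"relay_saw_audio": any(e["payload"] == AUDIO for e in relay_log),
            "relay_saw_ids": (relay_log[0]["user"], relay_log[0]["room"]) == ("user-1001", "room-42"),
            "bob_heard": heard == AUDIO}

if __name__ == "__main__":
    print("transport-only:", relay_session(False))
    print("end-to-end:    ", relay_session(True))
```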
In a statement to Reuters, an Agora spokesperson said that the company does not have access to or store personal data, and does not route voice or video traffic generated by users outside China through China.
The Clubhouse Ban In China
Days before the SIO released its report, the Chinese government banned Clubhouse throughout the country. Chinese users had found that they were free to discuss topics otherwise banned in China, such as the persecution of Uighurs and the Tiananmen Square massacre.
The SIO said that if the government were to pursue punishment of those users, officials would first have to want to do so, and would then need to know which users took part in the chatrooms. They added that the government could obtain that information manually or through the back end, by legally demanding the data from Agora.
As for why the Chinese government banned Clubhouse only now, the SIO pointed to timing.
Clubhouse went viral in China over a weekend when censors were not in the office, and that week also marked the start of Lunar New Year. The group added that the government may have spent the interval gathering the information it wanted on citizens using the app, or that the ban simply took time to work through the system.