Audio chat service Clubhouse is working to bolster its security and ease concerns from critics, after it was determined the Chinese government had the potential to monitor conversations made in the iOS app.
The currently popular social media app Clubhouse is an audio-only affair, making it extremely useful for people to communicate with others in a group. However, security-minded researchers have found elements of the service concerning.
The Stanford Internet Observatory determined that the infrastructure of Clubhouse is provided by Agora, a Shanghai-based company that provides “real-time engagement software.” It was also discovered that a user’s unique Clubhouse ID number and their chatroom ID were transmitted in plaintext, which potentially makes users traceable.
It was also suggested that Agora was potentially able to access a user’s raw audio. Monitoring of the app uncovered instances where room metadata was relayed to servers seemingly hosted in China, while audio was routed through servers managed by Chinese entities.
SIO disclosed the security issues as they are both “relatively easy to uncover and because they pose immediate security risks to Clubhouse’s millions of users, particularly those in China,” a blog post reads. Other security flaws were privately disclosed to Clubhouse.
To SIO, Agora’s link to China means it has to comply with existing Chinese cybersecurity laws, and so comply with the government’s data requests. While Agora claims not to store audio or data, it is still plausible for the government to tap Agora’s networks and record data from the traffic.
While the app’s developer, Alpha Exploration Co., is relatively isolated from Chinese demands for data, the connection with Agora opens up the possibility for government surveillance based on data passing through.
In response, Clubhouse says it is “deeply committed to data protection and user privacy.” Initially, the app wasn’t available in China “given China’s track record on data privacy,” but some users found workarounds to download the app until it was blocked.
“Over the next 72 hours, we are rolling out changes to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers,” writes Alpha Exploration Co. “We also plan to engage an external data security firm to review and validate these changes.”
China’s attempts to manage the online activities of its citizens have led to many attempts by authorities to censor or curtail access to unauthorized apps it cannot easily control. This has previously included pulling media outlet apps, as well as VPNs that could be used to bypass restrictions.