Researchers have discovered a vulnerability inside Clubhouse, an audio-only social media platform that has recently surged in popularity, which can make it possible for China to gain access to user data.
The Stanford Internet Observatory (SIO) in the United States investigated the data protection practices of the Clubhouse social network and identified a potential risk to mainland Chinese users. Experts suspect that the Chinese authorities can use this vulnerability to gain access to user data.
Clubhouse is an app released in April 2020. It is currently only available for iOS users. Clubhouse is an audio social network: users can participate in chat rooms and listen to what is being discussed in other chats, but one can only join Clubhouse by invitation.
As of January 2021, Clubhouse had over two million active users. Users began to actively pay attention to the new app after Elon Musk joined it to participate in one of the chat rooms to talk about his Neuralink startup.
Since the content of Clubhouse audio conversations is not stored anywhere, it became the go-to app for uncensored conversations on sensitive topics banned on other platforms in some countries. It got to the point that Clubhouse was banned in China altogether due to talks about Taiwan and Hong Kong.
The SIO says that a Shanghai-based startup Agora Inc. provides the back-end infrastructure for Clubhouse. At the same time, user and chat IDs are transmitted in the form of plaintext via the Internet, which simplifies their interception by intruders:
"Any observer of internet traffic could easily match IDs on shared chatrooms to see who is talking to whom. For mainland Chinese users, this is troubling," the SIO says.
Most likely, Agora has access to users' raw audio files, the researchers said. In case servers are stored in China, this poses the potential danger of giving Chinese authorities access to data. According to the country's cybersecurity laws, the company will be obliged to help the government detect audio messages that threaten national security.
But Agora has assured the SIO that user audio and metadata are only used to "monitor network quality and bill its customers," and therefore do not contain any user information useful to Beijing. The company also said the audio is stored in the US, making it unlikely that the Chinese government will be able to access it.
Meanwhile, Clubhouse has promised to add "additional encryption" and improve security within 72 hours to prevent pings and users' audio from being sent to Chinese servers. Besides, Clubhouse will also hire an external security firm to validate and review the updates.