Clubhouse says it will improve security after researchers raise China spying concerns

Posted by
Check your BMI
In this photo illustration, the Clubhouse logo seen displayed on a smartphone screen in front of the Chinese national flag
Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images
toonsbymoonlight

The developers of audio chat room app Clubhouse plan to add additional encryption to prevent it from transmitting pings to servers in China, after Stanford researchers said they found vulnerabilities in its infrastructure.

In a new report, the Stanford Internet Observatory (SIO) said it confirmed that Shanghai-based company Agora Inc., which makes real-time engagement software, “supplies back-end infrastructure to the Clubhouse App.” The SIO further discovered that users’ unique Clubhouse ID numbers —not usernames— and chatroom IDs are transmitted in plaintext, which would likely give Agora access to raw Clubhouse audio. So anyone observing internet traffic could match the IDs on shared chatrooms to see who’s talking to each other, the SIO tweeted, noting “For mainland Chinese users, this is troubling.”

The SIO researchers said they found metadata from a Clubhouse room “being relayed to servers we believe to be hosted in” the People’s Republic of China, and found that audio was being sent to “to servers managed by Chinese entities and distributed around the world.” Since Agora is a Chinese company, it would be legally required to assist the Chinese government locate and store audio messages if authorities there said the messages posed a national security threat, the researchers surmised.

Agora told the SIO it does not store user audio or metadata other than to monitor network quality and bill its clients, and as long as audio is stored on servers in the US, the Chinese government would not be able to access the data.

Agora did not immediately reply to a request for comment on Sunday, but told Bloomberg in a statement that it “does not have access to share or store personally identifiable end-user data. Voice or video traffic from non-China based users — including US users — is never routed through China.” The company declined to comment on its relationship with Clubhouse.

Clubhouse told the researchers in a statement that when the app launched, developers decided not to make it available in China “given China’s track record on privacy.” However, some users in China found a workaround to download the app, the company said, “which meant that—until the app was blocked by China earlier this week— the conversations they were a part of could be transmitted via Chinese servers.”

The company told SIO that it was going to roll out changes “to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers” and said it would hire an external security firm to review and validate the updates. Clubhouse did not immediately reply to a request for comment on Sunday.

Clubhouse is an invite-only, iOS-only live-audio app that has become popular among many in Silicon Valley, including Tesla CEO Elon Musk, whose Clubhouse debut earlier this month drew thousands of concurrent listeners. The company was recently valued at a reported $1 billion.