Is the Clubhouse app safe? Apparently, not

SIO's report says Clubhouse uses a Chinese platform called Agora as its backbone. Agora provides real-time voice and video engagement.

When users join a channel on Clubhouse, researchers claim that a packet of metadata is sent to Agora's back-end systems. The unencrypted packet includes the user's unique Clubhouse ID and the ID of the room they are joining on the app.

The cause for concern is that any third party can intercept the metadata being transmitted if they have access to a user's network traffic.

These data packets can allow the interceptor to determine if two users are communicating on the platform by sniffing the metadata for channel information.

As Agora is a Chinese provider, it must comply with the country's cybersecurity laws.

Agora would be bound to comply with the Chinese authorities if the latter determines an audio message on the platform jeopardizes national security.

Agora claims it doesn't store user audio and metadata, except to monitor network quality and bill its clients. However, data is still transmitted unencrypted and the problem remains unresolved.

Agora told Reuters it had no comment on any relations with Clubhouse.

China took steps to block the Clubhouse app after Chinese users openly discussed topics deemed criminal in the authoritarian country, such as Uighur concentration camps and the Tiananmen Square protests.

The SIO report explains that the Chinese government could leverage the unencrypted metadata packets to identify and punish Clubhouse users in the country without ever requesting the developers to comply.

SIO also informed Clubhouse of other security flaws which will be made public after they are resolved or after a deadline.

Responding to the SIO report, Clubhouse said it is "deeply committed" to user privacy and data protection.

The app will roll out changes including additional encryption over the next 72 hours. It will also prevent metadata packets from pinging Chinese servers.