-
Is the Clubhouse app safe? Apparently, not
Last updated on Feb 15, 2021, 07:41 pm
-
Researchers at the Stanford Internet Observatory (SIO) have identified loopholes in Clubhouse's data security protocol, which could potentially allow the Chinese government to access user data.
Clubhouse is an audio-based social media platform exclusive to iOS users. Clubhouse's developers responded to the SIO's findings saying they are working to resolve the highlighted issues. Notably, the app remains unavailable to users in China.
-
Major lapse
Stanford researchers warn against unencrypted user and room ID transmission
-
SIO's report says Clubhouse uses a Chinese platform called Agora as its backbone. Agora provides real-time voice and video engagement.
When users join a channel on Clubhouse, researchers claim that a packet of metadata is sent to Agora's back-end systems. The unencrypted packet includes the user's unique Clubhouse ID and the ID of the room they are joining on the app.
-
Bugged rooms
Intercepted unencrypted data could allow conversations to be tracked
-
The cause for concern is that any third party can intercept the metadata being transmitted if they have access to a user's network traffic.
By sniffing the metadata for channel information, the interceptor can determine whether two users are communicating on the platform.
As Agora is a Chinese provider, it must comply with the country's cybersecurity laws.
-
Details
Agora will have to comply with Chinese government upon request
-
Agora would be bound to comply with the Chinese authorities if they determine that an audio message on the platform jeopardizes national security.
Agora claims it doesn't store user audio and metadata, except to monitor network quality and bill its clients. However, data is still transmitted unencrypted and the problem remains unresolved.
Agora told Reuters it had no comment on any relations with Clubhouse.
-
Back door access
China could identify users without contacting Clubhouse developers for compliance
-
China took steps to block the Clubhouse app after Chinese users openly discussed topics deemed criminal in the authoritarian country, such as Uighur concentration camps and the Tiananmen Square protests.
The SIO report explains that the Chinese government could leverage the unencrypted metadata packets to identify and punish Clubhouse users in the country without ever requesting the developers to comply.
-
72 hours
Clubhouse reiterates commitment to user privacy in response to SIO
-
SIO also informed Clubhouse of other security flaws, which will be made public after they are resolved or after a deadline.
Responding to the SIO report, Clubhouse said it is "deeply committed" to user privacy and data protection.
The app will roll out changes including additional encryption over the next 72 hours. It will also prevent metadata packets from pinging Chinese servers.