15 Feb 2021: Is the Clubhouse app safe? Apparently not
Researchers at the Stanford Internet Observatory (SIO) have identified weaknesses in how Clubhouse transmits user data, which could potentially allow the Chinese government to access that data.
Clubhouse is an audio-based social media platform exclusive to iOS users. Clubhouse's developers responded to the SIO's findings saying they are working to resolve the highlighted issues. Notably, the app remains unavailable to users in China.
Major lapse: Stanford researchers warn against unencrypted user and room ID transmission
SIO's report says Clubhouse uses Agora, a Chinese provider of real-time voice and video engagement infrastructure, as its backbone.
Researchers claim that when a user joins a channel on Clubhouse, a packet of metadata is sent to Agora's back-end systems. The packet is transmitted in plaintext and includes the user's unique Clubhouse ID and the ID of the room they are joining.
Bugged rooms: Intercepted unencrypted data could allow conversations to be tracked
Because the packet is unencrypted, any third party with access to a user's network traffic can read the metadata it carries.
By correlating the room IDs seen in these packets, an interceptor can determine whether two users are in the same room, and therefore whether they are talking to each other on the platform, without any cooperation from Clubhouse or Agora.
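To make concrete what a passive observer gains from plaintext user and room IDs, here is an added example that is not code from the SIO report, Clubhouse or Agora. It assumes the observer has already extracted the two IDs from captured join packets and logged them; the log line format, field names and all IDs below are constructed for illustration, since the article does not document the real packet layout, only that it carries the user's Clubhouse ID and the room ID unencrypted.

```python
"""Passive correlation of plaintext join metadata (illustrative example).

An observer who can see a user's traffic learns (user_id, room_id) pairs.
Aggregated over time and over several network vantage points, those pairs
reveal who attended which room and which users were in a room together.
Nothing here needs a request to Clubhouse or Agora.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample log: what a passive observer might record after parsing
# plaintext join packets seen at three network vantage points. The format and
# every identifier are assumptions for this example, not the real wire format.
CAPTURED_JOINS = """\
2021-02-12T13:01:05Z vantage=isp-A user_id=u1001 room_id=r777
2021-02-12T13:01:09Z vantage=isp-B user_id=u2002 room_id=r777
2021-02-12T13:02:41Z vantage=isp-A user_id=u1001 room_id=r888
2021-02-12T13:03:00Z vantage=isp-C user_id=u3003 room_id=r777
2021-02-12T13:05:17Z vantage=isp-B user_id=u2002 room_id=r999
2021-02-12T13:05:30Z vantage=isp-C user_id=u3003 room_id=r999
garbage line that a robust parser must skip rather than crash on
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vantage=(?P<vantage>\S+) user_id=(?P<user>\S+) room_id=(?P<room>\S+)$"
)

Join = Tuple[str, str, str, str]  # (timestamp, vantage, user_id, room_id)


def parse_joins(text: str) -> List[Join]:
    """Parse captured log lines; malformed lines are skipped, not fatal."""
    joins: List[Join] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        joins.append((m["ts"], m["vantage"], m["user"], m["room"]))
    return joins


def room_membership(joins: List[Join]) -> Dict[str, Set[str]]:
    """Map each room ID to the set of user IDs observed joining it."""
    rooms: Dict[str, Set[str]] = defaultdict(set)
    for _ts, _vantage, user, room in joins:
        rooms[room].add(user)
    return dict(rooms)


def shared_rooms(rooms: Dict[str, Set[str]], user_a: str, user_b: str) -> List[str]:
    """Rooms in which both users were seen: evidence they were talking together."""
    return sorted(r for r, members in rooms.items() if user_a in members and user_b in members)


def contacts_of(rooms: Dict[str, Set[str]], user: str) -> Set[str]:
    """Every other user observed in any room this user joined."""
    contacts: Set[str] = set()
    for members in rooms.values():
        if user in members:
            contacts |= members - {user}
    return contacts


if __name__ == "__main__":
    rooms = room_membership(parse_joins(CAPTURED_JOINS))
    print("attendees of r777:", sorted(rooms["r777"]))
    print("u2002 and u3003 shared:", shared_rooms(rooms, "u2002", "u3003"))
    print("contacts of u1001:", sorted(contacts_of(rooms, "u1001")))
```

Two things the sample makes visible. First, the user ID is a stable identifier, so one vantage point alone (isp-A) already follows u1001 from room to room over time. Second, the observer never needs to be on both users' networks at once: joins logged separately at isp-B and isp-C still place u2002 and u3003 in the same two rooms. Encrypting the join metadata end to end between the client and Agora would leave such an observer with only the destination of the packets, not the pairs that make this correlation possible.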
As Agora is a Chinese provider, it must comply with the country's cybersecurity laws.
Details: Agora will have to comply with the Chinese government upon request
Agora would be legally bound to assist the Chinese authorities if they determined that an audio message on the platform jeopardized national security.
Agora claims it does not store user audio or metadata, except to monitor network quality and bill its clients. Whether or not Agora retains the data, however, the metadata is still transmitted unencrypted and can be read by anyone on the network path, so the problem remains unresolved.
Agora told Reuters it had no comment on any relations with Clubhouse.
Back door access: China could identify users without contacting Clubhouse developers for compliance
China took steps to block the Clubhouse app after Chinese users openly discussed topics that are censored in the country, such as the Uighur concentration camps and the Tiananmen Square protests.
The SIO report explains that the Chinese government could use the unencrypted metadata packets to identify and punish Clubhouse users in the country without ever making a request to the app's developers.
72 hours: Clubhouse reiterates commitment to user privacy in response to SIO
SIO also informed Clubhouse of other security flaws, which will be made public once they are fixed or once a disclosure deadline passes.
Responding to the SIO report, Clubhouse said it is "deeply committed" to user privacy and data protection.
Clubhouse said it would roll out changes, including additional encryption, over the next 72 hours, and would stop its clients from sending the metadata packets to servers in China.