As invite-only audio chat app Clubhouse becomes popular globally, including in India, researchers at Stanford University in the US have warned that the app may be leaking users’ audio data to the Chinese government.
The Stanford Internet Observatory (SIO) has confirmed that Agora, a Shanghai-based provider of real-time engagement software, supplies back-end infrastructure to the Clubhouse app.
“The SIO has determined that a user’s unique Clubhouse ID number and chatroom ID are transmitted in plaintext, and Agora would likely have access to users’ raw audio, potentially providing access to the Chinese government,” the researchers said in a blog post.
The users’ metadata is sent over the internet in plaintext (not encrypted), meaning that any third party with access to a user’s network traffic can read it.
“In this manner, an eavesdropper might learn whether two users are talking to each other, for instance, by detecting whether those users are joining the same channel,” the researchers warned.
In at least one instance, SIO observed room metadata being relayed to servers it believes to be hosted in the People’s Republic of China (PRC), and audio to servers managed by Chinese entities and distributed around the world via Anycast (a routing method in which a single IP address is served from multiple locations).
“It is also likely possible to connect Clubhouse IDs with user profiles,” the researchers noted.
In response to the Stanford report, Clubhouse said it is deeply committed to data protection and user privacy.
“Given China’s track record on data privacy, we made the difficult decision when we launched Clubhouse on the (Apple) App Store to make it available in every country around the world, with the exception of China,” the company said.
“Some people in China found a workaround to download the app, which meant that — until the app was blocked by China earlier this week — the conversations they were a part of could be transmitted via Chinese servers,” it added.
Last week, the drop-in audio chat app “Clubhouse” enabled rare unfettered Mandarin-language debate for mainland Chinese iPhone users, before being abruptly blocked by the country’s online censors on February 8.
Alongside casual conversations about travel and health, users frankly discussed Uighur concentration camps in Xinjiang, the 1989 Tiananmen Square protests, and personal experiences of being interrogated by police.
The Chinese government restricts open discussion of these topics, maintaining a “Great Firewall” to block domestic audiences from accessing many foreign apps and websites.
“Although last week Clubhouse had not yet been blocked by the Great Firewall, some mainland users worried the government could eavesdrop on the conversation, leading to reprisals,” the researchers noted.
In recent years, the Chinese government under President Xi Jinping has shown an increased willingness to prosecute its citizens for speech critical of the regime, even when that speech is blocked in China.
“Clubhouse app’s audio messages, unlike Twitter posts, leave no public record after speech occurs, potentially complicating Chinese government monitoring efforts,” the Stanford team emphasized.
Clubhouse said that it was rolling out changes to add additional encryption and blocks to prevent its clients from ever transmitting pings to Chinese servers.
“We also plan to engage an external data security firm to review and validate these changes,” the company said.