Clubhouse, an exclusive – yet quite popular – audio chat room app launched less than a year ago has been under fire due to security issues discovered by the Stanford University Internet Observatory (SIO).
Unlike Facebook, Twitter, etc., Clubhouse is an invitation-only app popular among Silicon Valley leaders (including Elon Musk) and various celebrities. While it is technically a social networking app, Clubhouse members can join “rooms” hosting various audio-only conversations. The app’s algorithm suggests different rooms for users based on interests. Conversations take place in real-time and are then deleted.
Recent research from Stanford University’s Internet Observatory (SIO) suggests several vulnerabilities in Clubhouse’s infrastructure. A user found a way to stream audio chats from the app to another website. This, of course, is not supposed to happen. The premise of Clubhouse, is unlike other social media platforms, where posted content remains until removed by the users. On Clubhouse, after the audio is recorded it is supposed to disappear.
David Thiel, Chief Technology Officer of the SIO, said the leak shows a vulnerability in the app, but was not necessarily a security breach. He thinks a user violated the app’s terms of service, also known as data spillage. However, he is not letting Clubhouse off the hook. Even if the leak was not malicious, it still shows flaws in the app’s infrastructure.
On February 21, Theil tweeted, “the expectation of privacy on Clubhouse is debatable, but for the moment, given these issues, you should a) consider chats to be semi-public and attributable and b) not use it if you’re someone that might be considered a dissident, particularly by the PRC.” In other words, users should consider their chats public, not private, and those in China should be especially careful.
The Chinese Security Threat
Thiel’s tweets and warnings include many references to the PRC because the SIO also found security concerns regarding Clubhouse’s real-time engagement software, manufactured by the Shanghai-based company, Agora Inc. As a Chinese company, Agora is legally obligated to disclose information to the Chinese government if it determines messages on the app pose a national security threat.
For Chinese users, this can pose a real risk, especially since the platform had been used to discuss topics not allowed for discussion in the country, like the massacre at Tiananmen Square and Uighur concentration camps in Xinjiang. The SIO also confirmed that Clubhouse user ID numbers and chat room IDs are transmitted in plain text, which means Agora can access Clubhouse audio chats and match IDs with user profiles.
When Clubhouse was initially launched, it was not intended for the Chinese market, specifically because of these security concerns. However, some people in China found a way to get around the restrictions and download the app, and it went completely viral. After a brief time, the Chinese government caught wind and blocked it.
While the app is currently blocked in China, it does not solve issues facing worldwide users: If Agora is a Chinese company, is it passing on user audio chats to the government?
Proceed with Caution
Responding to the SIO’s discoveries, Agora said it does not store audio or metadata except for monitoring the network and billing clients. Moreover, its servers are stored in the United States, which means the Chinese government cannot access them.
Thiel tends to agree that the vulnerabilities are not malicious, but recommends proceeding with caution. “The app was apparently running on Azure infra in HK, but also wasn’t doing anything that a motivated state actor couldn’t already do,” he tweeted. “So once again, consider Clubhouse chats to be semi-public, given issues with Agora & the fact we all have microphones.”