Clubhouse audio, metadata could be accessible to Chinese government
The app boasts famous users, velvet rope exclusivity and a billion-dollar valuation, but a ‘creepy’ flaw is prompting concerns.
Viral start-up Clubhouse is the hottest new thing in social media, boasting millions of users and millions more who want to join.
The exclusive, invite-only app has been a sensation in Silicon Valley, attracting the “unicorn” $US1 billion ($A1.27 billion) valuation from venture capitalists and counting the world’s richest man Elon Musk and the Prime Minister of South Korea Chung Sye-kyun among its users.
Already, as many expected would happen, it has been barred by China’s “Great Firewall”, after discussions focusing on taboo topics like the Tiananmen Square massacre and Xinjiang “re-education camps”.
But China is actually a key player in the success of Clubhouse; the company that makes the app possible is Shanghai-based.
That’s stoking fears that the app could be used as a tool for mass surveillance, as examples of those feared tools begin to crop up online.
A recent report from the Stanford Internet Observatory’s Cyber Policy Centre revealed that a Shanghai-based start-up selling “real-time voice and video management” software is providing the infrastructure that makes Clubhouse’s audio-only “rooms” possible.
The company, Agora, also has a headquarters in Silicon Valley, and according to Stanford, users might have no idea that they’re even using the company’s technology when they log into an app built on it.
The Centre’s analysts looked at publicly available web traffic data and observed Clubhouse traffic going through Agora servers, including unencrypted metadata about users, such as their unique ID number as well as the ID of the “room” they’re joining.
“Any third-party with access to a user’s network traffic can access it,” Stanford warns.
This could make it possible to see which users were in what room and when.
Combine it with the actual audio of what’s being said, as some scary new tools aim to collect, and Clubhouse could be used to track down people saying things governments of certain countries don’t like.
Researcher Jane Manchun Wong reported the vulnerability on Twitter earlier this month.
“It’s possible to automatically record any accessible Clubhouse room,” Ms Wong said, adding that she was not going to turn it into an app because “it’s f***ing creepy and can be turned into mass surveillance”.
She said she’d been concerned about the capability for quite some time, but shared it publicly after noticing products exploiting it popping up online.
There are indeed a number of these tools circulating, including one that’s already been shut down by Clubhouse.
The creator of that tool claims they were just trying to bring Clubhouse to other devices, enabling the iPhone-only app to be used on Android and PC, as well as provide a way for people to skip the invite queue.
“While the account is blocked and the website is over, the open source will live forever,” the author wrote, linking to a code repository on the software development site GitHub.
But the tools might not even be necessary for some seeking to listen in on Clubhouse.
Stanford analysts said it was “exceedingly unlikely” that Clubhouse had implemented end-to-end encryption on the platform, and without that encryption “audio could be intercepted, transcribed, and otherwise stored by Agora,” the Shanghai-based start-up.
Agora has previously and publicly acknowledged that China’s cybersecurity law poses a risk for the company, as it can “require network operators, which may include us … to provide assistance and support in accordance with the law for public security and national security authorities to protect national security or assist with criminal investigations,” the company said in a filing with the US Securities and Exchange Commission.
A similar concern arose about TikTok as it began to rise to prominence last year – the fear is that China can compel companies based there to hand over data, or access it without even asking them first.
Stanford said the Chinese government can “probably not” access any data stored outside of China, but if the Clubhouse developer Alpha Exploration Co had a partner or subsidiary in the country with access to data, the Chinese government could access it under its own laws.
Clubhouse claims user audio is “temporarily recorded” for trust and safety investigations (like if someone was making terrorist threats or grooming minors), but if no such report is filed the data is deleted after an unspecified amount of time.
“Depending on just how ‘temporary’ Clubhouse’s storage is, Clubhouse might not have data to hand over through legal processes in any event. However, if the Chinese government could obtain audio directly from Clubhouse’s back-end infrastructure on Agora, it might not resort to using international legal channels to seek the data,” Stanford warns.
Discussions on Clubhouse, including the Tiananmen and Xinjiang talks prior to the ban, could violate China’s laws and the metadata said to be collected by Agora could be used to identify those speaking out against the government.
Other countries, while not banning Clubhouse, have given their citizens warnings about speaking out on the app, especially against the government.
According to Reuters, Thailand’s Ministry of Digital Economy and Society recently warned Clubhouse users that authorities were monitoring the platform.
That came after Japan-based Thai monarchy critic Pavin Chachavalpongpun hosted a discussion on the monarchy in a Clubhouse room that “a large number of Thai users joined”.
Thailand has previously used its cybercrime laws to prosecute critics on the grounds of “national security”, including on Facebook, Twitter and YouTube.