The hugely popular audio chat app Clubhouse, which was recently blocked by the ruling Chinese Communist Party (CCP), could pose a security threat to users, particularly those based in China, according to U.S.-based security researchers.
The app opened a rare window of opportunity for users in China to speak freely in Clubhouse’s moderated audio forums, in Mandarin, and beyond the Great Firewall of government censorship.
Users reported unprecedented conversations on normally banned topics between China-based users, who are fed the CCP’s official narrative on most topics for much of the time, and activists in less censored countries, as well as those in democratic Taiwan, Hong Kong, and Xinjiang, according to user accounts posted to social media.
But according to the Stanford Internet Observatory (SIO), concerns were also raised about how much user data could reach the Chinese authorities.
“The Stanford Internet Observatory has confirmed that Agora, a Shanghai-based provider of real-time engagement software, supplies back-end infrastructure to the Clubhouse App,” the SIO said in a report published on its blog.
“This relationship had previously been widely suspected but not publicly confirmed.”
The report said users’ Clubhouse ID numbers and chatroom ID numbers were transmitted to Agora unencrypted, and that the company could also access raw audio generated by users, “potentially providing access to the Chinese government.”
“It is also likely possible to connect Clubhouse IDs with user profiles,” the report said, adding that the findings suggest “immediate security risks to Clubhouse’s millions of users, particularly those in China.”
SIO said it had discovered other security vulnerabilities that it had informed Clubhouse about privately, choosing to wait to report on them until after they had been patched.
Agora is a Shanghai-based start-up, with U.S. headquarters in Silicon Valley, that sells a “real-time voice and video engagement” platform for other software companies to build upon, the SIO report said.
“It provides the nuts-and-bolts infrastructure so that other apps, like Clubhouse, can focus on interface design, specific functionalities, and the overall user experience,” it said.
However, Agora would be unlikely to have access to audio stored by Clubhouse, as long as it remained in the United States.
Required to cooperate
Chinese companies are required by China’s National Security Law to cooperate with any government requests made in the name of “national security,” an umbrella concept that the CCP already liberally applies to any form of public dissent or rights activism, as well as to targeted criticism of the CCP or political opposition.
Clubhouse states that audio records of conversations are held “temporarily,” without specifying how long they are held for, the SIO said.
It said the Chinese goverment could legally demand audio or other user data stored in China, if the app’s creator had any partner or subsidiary in China with access to that data.
It is possible that the Chinese government can access mainland users’ data by eavesdropping on web traffic, as well as through in-person spying from within chatrooms, the report said.
Clubhouse said in a statement that it is deeply committed to data protection and user privacy.
“Over the next 72 hours, we are rolling out changes to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers,” it said.
“We also plan to engage an external data security firm to review and validate these changes.”
Shen Po-yang, an infosec expert on the democratic island of Tiwan, said more measures may be needed to prevent the authorities from identifying users via voiceprints.
“This voiceprint data is on the Agora platform,” Shen told RFA. “It may not wind up being stored there, but it has to pass through there, so they could intercept it.”
“And if it’s unencrypted, they’ll be able to open it up and take a look.”
Building a database
Lee Kin-kwan, information security and technology commentator for RFA’s Cantonese Service, agreed.
“Now, there is voiceprint technology that can detect differences in people’s vocal cords and in the sounds they make … using computer analysis … that may not be detectable to the ears alone,” Lee said in a recent analysis of the risks of using Clubhouse in China.
“Voiceprints are one of the biometric authentication methods adopted by banks and other institutions,” Lee said. “Customers who pass voiceprint authentication can just call up the customer service hotline without a password or even a bank account number, as soon as they start talking with bank staff.”
“If voiceprints … are used to identify Clubhouse users, that’s pretty scary,” he said, adding that the authorities are able to build a database of voiceprints without phone users knowing that their voices were sampled.
Given that phone service users require real names and ID to register an account, the voiceprints can be easily matched to personal details, Lee said.
Taiwan-based rights activist Lin Hsin-yi said the level of risk was still hard to gauge for people in China, and that she would be watching closely for further updates on Clubhouse’s security vulnerabilities.
‘Drinking tea’
Another Taiwan-based user nicknamed Hsiao Y said he had been in a room hosted by Australia-based political cartoonist Badiucao, titled “Did anyone get invited to drink tea because of Clubhouse?” in a reference to being interviewed by China’s feared state security police.
“A lot of people in China dropped in to talk, and talked a lot about their experiences of being invited to drink tea in the past, but not because of Clubhouse,” Hsiao Y said.
He said most social media had some form of user monitoring in place.
“I believe that Facebook also monitors my voice so as to send targeted advertisements,” he said. “So I think all software carries risks.”
“As for whether my data will be sent to China, I don’t know right now, but I won’t be using [Clubhouse] any more because of this issue,” he said.
Reported by Hsia Hsiao-hwa for RFA’s Mandarin Service, and by Lee Kin-kwan for the Cantonese Service. Translated and edited by Luisetta Mudie.