Clubhouse: After researchers found vulnerabilities in its infrastructure, invite-only audio chat social media platform Clubhouse is planning to add additional encryption. Researchers from the Stanford Internet Observatory (SIO) flagged the vulnerabilities, after which the developers of Clubhouse revealed their plans to make their infrastructure more robust so that it does not transmit pings to China-based servers. SIO had said that real-time engagement software company Agora Inc, which is based in Shanghai, provided back-end infrastructure to the audio app. Moreover, the unique Clubhouse IDs of users, along with chat room IDs, were being transmitted in plaintext, and this would allow Agora to access raw audio from Clubhouse.
SIO also stated that anyone observing the internet traffic would be able to match the IDs on shared chat rooms and figure out the people who were interacting with each other. The information was shared by SIO in a thread of posts on microblogging site Twitter, and it further stated that this would be an issue for Clubhouse users in mainland China. SIO also stated that they found the audio from Clubhouse being sent to servers based in China and being distributed worldwide.
The matter is grave because Agora, being a China-based company, would legally have to assist the government in China in locating and storing audio messages, in case the authorities flagged any messages as posing a threat to national security.
However, in its defence, Agora informed SIO that as long as the audio was stored on US-based servers, it would not be accessible to authorities in China. Moreover, it stated that no metadata or audio was stored by the company other than to look at audio quality or to bill the clients.
Meanwhile, Clubhouse told SIO that the app had not been made available to China-based users by its developers when it was initially launched, because of the concerns surrounding China’s history regarding user privacy. However, some people in China found a workaround, downloaded the app, and used it. This meant that before it was banned in China last week, the conversations that Chinese users were a part of could be transmitted via servers in China. But now, it said it would work to add additional encryption to its infrastructure and hire an external security firm to review as well as validate the updates.