Concerns have been raised about the security of audio data on the popular new social media app Clubhouse, according to reports from the Stanford Internet Observatory and McAfee’s Advanced Threat Research team.
Stanford’s Cyber Policy Center confirmed on Feb. 12 that tools from Shanghai-based company Agora were serving as the backbone of Clubhouse, which has gained thousands of new users in recent months thanks to celebrity speakers like Elon Musk, Oprah, Ashton Kutcher and other business leaders.
Additionally, the observatory found that “a user’s unique Clubhouse ID number and chatroom ID are transmitted in plaintext, and Agora would likely have access to users’ raw audio, potentially providing access to the Chinese government.”
“In at least one instance, SIO observed room metadata being relayed to servers we believe to be hosted in the [People’s Republic of China], and audio to servers managed by Chinese entities and distributed around the world via Anycast,” the report said, adding that the revelations were particularly concerning for users in China who may face consequences from the government for what they say on the app.
Clubhouse did not respond to requests for comment from TechRepublic but previously told the Stanford Internet Observatory that due to concerns about data privacy breaches, the company initially banned the app from Chinese users. But people in China found a workaround and were using the app to discuss issues considered sensitive by the Chinese government like Uighur concentration camps in Xinjiang, the 1989 Tiananmen Square protests as well as protests in Taiwan and Hong Kong.
China officially banned the app on Feb. 8 and Clubhouse said it is making changes to the app that add “additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers.” They also vowed to do external data security audits.
But before Clubhouse users could settle in, other potential breaches of the app’s data were revealed in subsequent days. McAfee’s Advanced Threat Research team found more vulnerabilities in Agora that the company eventually patched.
Clubhouse spokeswoman Reema Bahnasy acknowledged to Bloomberg News on Feb. 21 that someone found a way to access and stream audio from Clubhouse on another site last weekend, raising further questions about the app’s recent security updates.
The user was banned and Bahnasy said the app made even more security updates, but Alex Stamos, director of the Stanford Internet Observatory, told Bloomberg News that Clubhouse “cannot provide any privacy promises for conversations held anywhere around the world.”
According to the Stanford Internet Observatory report, Agora “provides the nuts-and-bolts infrastructure so that other apps, like Clubhouse, can focus on interface design, specific functionalities, and the overall user experience.” Other apps that use Agora include eHarmony, Plenty of Fish and more.
“An SIO analysis of Agora’s platform documentation also reveals that Agora would likely have access to Clubhouse’s raw audio traffic. Barring end-to-end encryption (E2EE), that audio could be intercepted, transcribed, and otherwise stored by Agora,” the report said.
“If the Chinese government determined that an audio message jeopardized national security, Agora would be legally required to assist the government in locating and storing it. Conversations about the Tiananmen protests, Xinjiang camps, or Hong Kong protests could qualify as criminal activity. They have qualified before.”
But the report said it was also possible for the Chinese government to tap the network and record any audio itself, adding that any unencrypted data that makes its way through servers in China “would likely be accessible to the Chinese government.”
“Given that SIO observed room metadata being transmitted to servers we believe to be hosted in the PRC, the Chinese government can likely collect metadata without even accessing Agora’s networks,” the report said.
Steve Povolny, head of advanced threat research at McAfee, said Clubhouse had patched the vulnerability they discovered and added that companies needed to leverage the power of community by embracing researchers and being proactive in encouraging and even acquiring vulnerabilities through responsible disclosure.
“Additionally, they should have a solid end-to-end secure development lifecycle, 3rd party testing and validation, and frequent code audits and internal security reviews,” Povolny said.
Cybersecurity experts disagree on impact of revelations
Cybersecurity experts gave a wide variety of responses when asked about Clubhouse and whether it was safe for users.
Some said the things found by the Stanford Internet Observatory and others were serious and should concern anyone using the app for sensitive conversations.
But others said the reports were filled with hypotheticals and would only represent significant problems for people in China, who can no longer use the app now anyway.
“An analysis of the Stanford article indicates a lot of ‘ifs’ need to exist for a perfect storm of data security and privacy issues to occur. The interesting part of the story is really at the bottom. Clubhouse’s official statement is that they chose, because of privacy issues, not to make Clubhouse available in China, but users found a workaround,” said Karen Walsh, CEO at Allegro Solutions.
“In a lot of ways, this is similar to how users will ‘jailbreak’ a smartphone to get full access to the root of the operating system and access additional capabilities. This process, while it gives the user additional functionalities, also compromises the device’s security controls. This desire for people to ‘jailbreak’ the app, or find a way around the company’s app distribution controls, shows how end-users can impact their own security and privacy. Whether these users realized it or not, they actually ended up undermining the controls intended to prevent the Chinese government from eavesdropping.”
While the issues specific to Clubhouse seem to have been dealt with, other security experts questioned whether this would be a larger problem going forward as battles between countries increasingly move to the internet.
The potential risk of the service provider being forced to give up access to its customers’ data is a real one, according to Sotero CEO Purandar Das.
Whether the pressure to do so is from a government or another party, this is a real risk associated with service providers and platform operators, Das added, comparing the Clubhouse/China situation to the one faced by the European Union with the GDPR.
The EU was forced to suspend the Privacy Shield agreement with the U.S. due to concerns that U.S. providers could be forced to turn over EU consumer data to the U.S. government.
“From a service provider’s perspective, very often, the opportunity to monetize the data is what enables them to provide a free service. Ignoring the commercial use of such data, violation of a consumer’s privacy is a serious issue,” Das said.
“A dual approach of service providers not being able to use or view the data without the consumer’s explicit approval, coupled with regulation, that enables the ownership of the collected data to be retained by the consumer is a way forward. I believe that most service providers would eventually agree that an enabled process, where they can still commercialize the data but not be in a situation of compromising their customers’ trust is a good one.”
It is alarming that platforms like Clubhouse are built on coarse data transfer practices that users accept when they install these apps, according to Burak Agca, an engineer at cybersecurity company Lookout.
Agca drew parallels to the controversy that surrounded TikTok last year when former President Donald Trump threatened to ban the app because its parent company, ByteDance, is based in China.
Like Clubhouse, ByteDance denied ever sharing any information with the Chinese government, but some experts question whether permission or notification would even be needed if government officials wanted data from the platforms, given how China’s internet is set up.
“In the case of both TikTok and Clubhouse, we all know that if the Chinese government really wants something, they’ll get it. In this case, the developers have disabled App Transport Security by default for this app, which means unsecured traffic and weak encryption standards may be used. The network diagram of the analysis of the app clearly shows hardcoded communication with Chinese servers,” Agca said.
“This falls far outside of data best practices when user data is then being sent to biometric, voice and data analytics companies based in China. IT and security teams need a way to understand the data handling and transfer practices of any app on an employee device. Some app permissions that seem innocuous to the individual end-user may be malicious in the corporate sense and violate compliance policies.”
Too much, too soon
Clubhouse’s repeated stumbles when it comes to protecting user information are a common occurrence among apps that gain significant traction and large user bases quickly.
The audio chat app was created in May 2020 and by January had reached a valuation of more than $1 billion. It has become one of the most downloaded apps in Apple’s App Store but is already drawing scrutiny from regulators in Germany over data collection practices and certain features, including requirements that users upload their address books.
Jeremy Turner, head of threat intelligence at Coalition, said Clubhouse quickly gained funding and popularity over the past several months but in that short time has also proved that it lacks data security and transparency with consumers. He added that developers are too often focused on the benefits of the technology and not potential holes.
“When a technology’s value is so significant and adoption so swift, the risks come as an afterthought. Startups should be cautious of moving faster than they can keep up with security and privacy considerations,” Turner said.
“When developers push new technology into the hands of early adopters, the risks are easy to ignore or think of as a problem for tomorrow, when in reality they should develop data security measures as thoroughly as you develop new user experiences. Early-stage development risks always seem to be over the horizon, until they’re not.”