Feb 15, 2021 11:36:00

Clubhouse security concerns, could be overseen by Chinese government

The voice-based SNS '

Clubhouse ', which has become a hot topic in Japan, allows people gathered in the 'room' opened by the user to enjoy closed conversations. However, according to a report reported by researchers at the Stanford Internet Observatory (SIO) , a Chinese company is providing the Clubhouse's back-end infrastructure and the conversation is being monitored by the Chinese government. It is possible that there is.

FSI | Cyber | Internet Observatory --Clubhouse in China: Is the data safe?
https://cyber.fsi.stanford.edu/io/news/clubhouse-china

Clubhouse says it will improve security after researchers raise China spying concerns --The Verge
https://www.theverge.com/2021/2/14/22282772/clubhouse-improve-security-stanford-researchers-china-security

Although the iOS-only app 'Clubhouse' was not available on the Chinese App Store from the beginning, it was possible for Chinese users to obtain it by circumventing restrictions on countries and regions. For this reason, it became popular as an 'app that is not censored by the Chinese government' and became a valuable place for politically delicate topics to be exchanged . However, on February 9, 2021, it was reported that access to the Clubhouse from China began to be blocked.

China cuts connection to Clubhouse-GIGAZINE

Voice technology services are provided to Clubhouse by a company called Agora , a cloud service provider based in China and the United States. As a result, concerns have been raised for some time that 'Agora may be storing Clubhouse user data.'

So, when SIO researchers investigated Clubhouse's web traffic, it turned out that traffic was being sent from Clubhouse to servers such as 'qos-america.agoralab.co.' Operated by Agora. The packet sent to Agora's server contained a unique Clubhouse ID and chat room ID that could identify the user, and it seems that these metadata were sent in plain text unencrypted. ..

If you have access to metadata, you can see who a particular user is talking to. As a result, users in mainland China could be at risk if the Chinese government could access metadata through Agora's network traffic and servers, SIO points out.

While it has been pointed out that the Chinese government may be able to access the metadata, accessing the raw audio data is difficult as long as the audio data is stored on the US server. Clubhouse stipulates that user voices will be temporarily stored for reliability and safety investigation purposes, but Agora and its affiliates in China will not store the data.

The Chinese government can legally request the transfer of data based on the US-China Mutual Legal Assistance Agreement (MLAA) , but regarding requests for freedom of speech and political discussions that may violate human rights. Can be legally refused by the US government.

'Given our track record of data privacy in China, we have made the difficult decision to make Clubhouse available in all countries except China,' Clubhouse told SIO researchers. However, as Chinese users obtained the app using a method that bypasses the App Store restrictions, it is possible that conversations between mainland Chinese users went through Chinese servers until the Chinese government blocked it. I admit that.

In the future, Clubhouse will hire an external security company to modify the app to prevent metadata from being sent to Chinese servers and to encrypt the data.