Clubhouse And Its Privacy & Security Risk
The Need To Know Before Downloading Clubhouse
The Shanghai-based infrastructure supplier of Clubhouse, Agora Inc., has raised security concerns that it may provide information to the Chinese government to identify and monitor users, especially politically exposed persons. According to Bloomberg's reporting on 11th Feb:
… the potential for surveillance that worries international users. Chinese law requires its companies to hand over information on request and even gather data on behalf of Beijing, if it’s deemed in the interests of national security. That, along with accusations from U.S. lawmakers that Chinese firms can build backdoors into devices and software for the Communist Party can exploit, is at the heart of a growing hostility toward China’s largest tech providers.
This suspicion is confirmed by the latest research from the Stanford Internet Observatory (SIO). They determined that users’ unique Clubhouse IDs and chatroom IDs are transferred in plaintext. Also, Agora would plausibly have access to users’ raw audio, which could conceivably give the Chinese government access to it.
What Is Agora?
Agora is a Shanghai-based start-up with offices worldwide and is dual-headquartered in Santa Clara, CA, USA, and Shanghai, China. According to their website:
Agora is a leading video, voice and live interactive streaming platform, helping developers deliver rich in-app experiences — including embedded voice and video chat, real-time recording, interactive live streaming, and real-time messaging.
In Clubhouse’s case, Agora provides the app’s foundation so that the Clubhouse team can focus on interface design and user experience.
Agora with Clubhouse
To illustrate the connection between Agora and Clubhouse: recently, German software engineer Andreas Lehr tweeted about a traffic analysis experiment on the Clubhouse app. He found several calls out to Agora-owned domains (“agora.io” and “agoraio.cn”).
SIO further confirmed the analysis, highlighting that Clubhouse’s outgoing web traffic is directed to Agora servers. The captured packets contained the unique Clubhouse ID of each user who joined the chatroom and the room ID of the chatroom, both in plaintext (unencrypted).
Digging a little further, I found that Agora’s official documentation requires whitelisting the domain “ap.agoraio.cn,” which is linked to Mainland China and hosted by Alicloud (a Chinese cloud service provider). Moreover, the same official guide indicates that Agora would likely have access to Clubhouse’s raw audio traffic.
Agora provides the raw data function for you to process the audio data according to your scenarios. This function enables you to pre-process the captured audio signal before sending it to the encoder, or to post-process the decoded audio signal.
The Metadata
This matters because Agora Inc., as highlighted above, is based in both the U.S. and China. As you may already know, all companies in China are subject to the PRC’s cybersecurity law, which gives the government access to nearly all data operated in the country.
Agora claims not to store user audio or metadata, except to monitor network quality and bill its clients. Assuming this is true, the Chinese government could not request the data from them, as nothing is stored.
However, as all metadata is relayed through Agora in an unencrypted format, according to Agora’s documentation, anyone with publicly available packet capture software, such as the widely used Wireshark, can eavesdrop on the content.
As a result, given that all unencrypted data hosted in the PRC could be accessed by the government, and that Clubhouse is evidently transmitting the mentioned metadata to domains hosted in China, it is believed that the Chinese government can collect the metadata without accessing Agora’s infrastructure.
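The traffic observation above (calls out to “agora.io” and “agoraio.cn”) can be checked on your own network from DNS query logs. The following is an added example, not part of the original article or of any Agora or Clubhouse code; the log layout, client addresses, hostnames other than “ap.agoraio.cn” and function names are constructed for illustration.

```python
from collections import defaultdict

# Domains named in the article as Agora-owned.
AGORA_DOMAINS = ("agora.io", "agoraio.cn")

# Constructed sample log: "<time> <client-ip> <queried-name>" (assumed layout).
SAMPLE_LOG = """\
2021-02-14T09:00:01 192.0.2.10 ap.agoraio.cn.
2021-02-14T09:00:02 192.0.2.10 www.example.com
2021-02-14T09:00:05 192.0.2.11 TEST-host.Agora.io
2021-02-14T09:00:07 192.0.2.12 notagora.io
2021-02-14T09:00:09 192.0.2.12 agora.io.example.net
malformed line
2021-02-14T09:01:00 192.0.2.10 ap.agoraio.cn
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def matched_domain(name, domains=AGORA_DOMAINS):
    """Return the watched domain that `name` equals or is a subdomain of.

    Matching is done on label boundaries, so 'notagora.io' and
    'agora.io.example.net' do not match 'agora.io'. Returns None otherwise.
    """
    host = normalize(name)
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def audit(log_text):
    """Map client IP -> {queried name: count} for queries to watched domains."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip lines that do not fit the assumed layout
        _, client, name = fields
        if matched_domain(name):
            hits[client][normalize(name)] += 1
    return {client: dict(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in audit(SAMPLE_LOG).items():
        for name, count in sorted(names.items()):
            print(f"{client} queried {name} x{count}")
```

A DNS hit only shows that a device resolved the name; confirming what was sent still requires a packet capture of that device's traffic.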
Usage of Metadata
The collected metadata alone may not immediately raise a privacy risk. But as more information becomes publicly available on social media and other websites, it is not difficult to identify targets via data mapping and searching.
One immediate use could be assisting the Chinese government in identifying its targets. Let’s say someone openly discussed the Tiananmen protests and the Xinjiang camps on Clubhouse. According to the national security law, that is already a crime.
The Chinese government can then request the metadata, or it may already be tapping the data on its own, and correlate it with personal identifiers such as the phone numbers and WeChat IDs of the Clubhouse guests. This could become a real hazard for users in China.
Another way to use the data is profiling, where the user IDs are used to map out the parties connected with the targets. For example, if one of the guests in a chatroom was identified by the government, other members could be exposed if they repeatedly joined the same chatroom as that person.
In other words, if there is an incident, Clubhouse retains the audio until “the investigation is complete.” Although they added that the temporary audio recordings are encrypted, they reserve the right to share them with law enforcement if necessary. There is no clear definition in the policy of how long “temporary” is; it could be minutes or years.
With the discovery of Agora's relationship to Clubhouse, even though the app provides encryption for data-at-rest, there is no guarantee that Agora does not have access to the raw audio data.
The only way to prevent a 3rd party from accessing the raw audio is to deploy End-to-End Encryption (E2EE) between the host and the guests, similar to popular messenger apps like Signal, Telegram, and WhatsApp. For now, I cannot see that E2EE is in place in the Clubhouse app. In other words, the encryption key is still in the hands of the infrastructure provider, Agora.
Luckily, there is no evidence to suggest that the parent company of Clubhouse, Alpha Exploration Co., has a partner or data sub-processor based in China, and the raw audio data is stored in the U.S. The raw audio data is not directly accessible by the Chinese government.
Thanks to the SIO report, the suspicion is confirmed. Regarding security and privacy concerns, the Clubhouse app has room for improvement relating to metadata and raw audio data.
In the meantime, if you want to take back control of your personal data, start with the few steps that I described in the previous article.
How To Be Anonymous Online
It’s Time To Protect Yourself, Even You Have Nothing To Hide