Clubhouse Security Risk Follow-up: China Is Listening

Last time, I highlighted the privacy and security concerns around Elon’s latest favorite: Clubhouse, the drop-in audio social media app.

Clubhouse And Its Privacy & Security Risk

The Need To Know Before Downloading Clubhouse

Agora Inc., the Shanghai-based infrastructure supplier of Clubhouse, has raised security concerns because it may provide information to the Chinese government to identify and monitor users, especially politically exposed persons. According to Bloomberg's reporting on 11th Feb:
… the potential for surveillance that worries international users. Chinese law requires its companies to hand over information on request and even gather data on behalf of Beijing, if it’s deemed in the interests of national security. That, along with accusations from U.S. lawmakers that Chinese firms can build backdoors into devices and software that the Communist Party can exploit, is at the heart of a growing hostility toward China’s largest tech providers.
This suspicion is confirmed by the latest research from the Stanford Internet Observatory (SIO). They determined that the user’s unique Clubhouse ID and chatroom ID are transmitted in plaintext. Also, Agora would plausibly have access to users’ raw audio, which could conceivably give the Chinese government access to it.

What Is Agora?

Agora is a Shanghai-based start-up with offices worldwide and is dual-headquartered in Santa Clara, CA, USA, and Shanghai, China. According to their website:
Agora is a leading video, voice and live interactive streaming platform, helping developers deliver rich in-app experiences — including embedded voice and video chat, real-time recording, interactive live streaming, and real-time messaging.
In the Clubhouse case, Agora provides the app's foundation so that the Clubhouse team can focus on interface design and user experience.

Agora with Clubhouse

To illustrate the connection between Agora and Clubhouse: a German software engineer, Andreas Lehr, recently tweeted about a traffic analysis experiment on the Clubhouse app. He found several calls out to Agora-owned domains (“agora.io” and “agoraio.cn”).
SIO further confirmed the analysis, highlighting that Clubhouse's outgoing web traffic is directed to Agora servers. The captured packets contained the unique Clubhouse ID of each user who joined the chatroom and the room ID of the chatroom, both in plaintext (unencrypted).
Screenshot of DNS lookup by the author
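
The check behind this kind of traffic analysis, as an added example that is not from the original article or from Andreas Lehr's or SIO's tooling: it scans a DNS query log for names under the two Agora parent domains named above, matching on label boundaries so look-alike names are not counted. The dnsmasq-style log lines, client addresses and the edge-1.agora.io hostname are constructed for illustration.

```python
import re
from collections import defaultdict

# Parent domains named in the article; everything else in this block is constructed.
WATCHED = ("agora.io", "agoraio.cn")

# dnsmasq-style query lines (constructed sample, not real capture data).
SAMPLE_LOG = """\
Feb 12 10:00:01 dnsmasq[411]: query[A] ap.agoraio.cn from 192.168.1.20
Feb 12 10:00:01 dnsmasq[411]: query[A] edge-1.agora.io from 192.168.1.20
Feb 12 10:00:02 dnsmasq[411]: query[AAAA] www.example.org from 192.168.1.20
Feb 12 10:00:03 dnsmasq[411]: query[A] notagora.io from 192.168.1.31
Feb 12 10:00:04 dnsmasq[411]: query[A] agora.io.example.net from 192.168.1.31
Feb 12 10:00:05 dnsmasq[411]: query[A] AP.AgoraIO.cn. from 192.168.1.20
"""

QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def matches_watched(name, watched=WATCHED):
    """Return the watched parent domain that `name` falls under, or None.

    The comparison is on whole labels, so 'notagora.io' and
    'agora.io.example.net' do not match 'agora.io'.
    """
    name = normalize(name)
    for parent in watched:
        if name == parent or name.endswith("." + parent):
            return parent
    return None


def audit(log_text):
    """Map each client address to the watched names it queried, with counts."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_watched(m["name"]):
            hits[m["client"]][normalize(m["name"])] += 1
    return {client: dict(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in audit(SAMPLE_LOG).items():
        print(client, names)
```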
With a little digging, I found that Agora's official documentation requires whitelisting the domain “ap.agoraio.cn,” which is linked to Mainland China and hosted by Alicloud (a Chinese cloud service provider). Moreover, the same official guide indicates that Agora would likely have access to Clubhouse’s raw audio traffic.

Agora provides the raw data function for you to process the audio data according to your scenarios. This function enables you to pre-process the captured audio signal before sending it to the encoder, or to post-process the decoded audio signal.

The Metadata

The metadata matters because Agora Inc., as highlighted in the previous section, is based in both the U.S. and China. As you may already know, all companies in China are subject to the PRC’s cybersecurity law, which gives the government nearly complete access to data handled in the country.

Agora claims not to store user audio or metadata, except to monitor network quality and bill its clients. Assuming this is true, the Chinese government could not request data from them, as nothing is stored.

However, as all metadata is relayed through Agora in an unencrypted format, according to Agora’s documentation, anyone with publicly available packet capture software, such as the most common one, Wireshark, can eavesdrop on the content.
Screenshot of Wireshark with metadata highlighted | edited by the author
As a result, given that all unencrypted data hosted in the PRC could be accessed by the government, and that Clubhouse is evidently transmitting the mentioned metadata to domains hosted in China, it is believed that the Chinese government can collect the metadata without accessing Agora’s infrastructure.
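
One way to check a capture of your own traffic for this kind of exposure (an added example, not code from the article or from SIO): search a captured payload for identifiers you already know, in the encodings that would be readable without a key. The IDs, the payload layout and the function names are constructed and do not reproduce Agora's wire format.

```python
import hashlib
import struct

# Constructed identifiers for a test account and a test room.
KNOWN_IDS = {"user_id": 1234567, "room_id": 7654321}

# Constructed payload: 2 header bytes, user ID as little-endian u32,
# then the room ID as ASCII digits. Not a real protocol layout.
PLAINTEXT_PAYLOAD = (
    b"\x02\x10"
    + struct.pack("<I", KNOWN_IDS["user_id"])
    + b"|room="
    + str(KNOWN_IDS["room_id"]).encode()
    + b"|"
)

# Stand-in for the same message after encryption: a SHA-256 digest is used
# only to get key-less, random-looking bytes without a crypto dependency.
OPAQUE_PAYLOAD = hashlib.sha256(PLAINTEXT_PAYLOAD).digest()


def encodings(value):
    """Byte patterns under which an integer ID is readable without a key."""
    forms = {"ascii": str(value).encode()}
    for width, code in ((4, "I"), (8, "Q")):
        if value < 1 << (8 * width):
            forms[f"u{width * 8}-be"] = struct.pack(">" + code, value)
            forms[f"u{width * 8}-le"] = struct.pack("<" + code, value)
    return forms


def find_exposed(payload, known_ids):
    """Return (id_label, encoding, offset) for every known ID found in payload."""
    findings = []
    for label, value in known_ids.items():
        for enc, pattern in encodings(value).items():
            offset = payload.find(pattern)
            if offset != -1:
                findings.append((label, enc, offset))
    return findings


if __name__ == "__main__":
    print("plaintext:", find_exposed(PLAINTEXT_PAYLOAD, KNOWN_IDS))
    print("opaque:   ", find_exposed(OPAQUE_PAYLOAD, KNOWN_IDS))
```

An empty result does not prove the payload is encrypted, only that the IDs do not appear in these particular encodings.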

Usage of Metadata

The collected metadata alone may not immediately raise a privacy risk. But as more information becomes publicly available on social media and other websites, it is not difficult to identify targets via data mapping and searching.

One immediate use could be assisting the Chinese government in identifying its targets. Let's say someone openly discussed the Tiananmen protests and Xinjiang camps on Clubhouse. According to the national security law, that is already a crime.
The Chinese government can then request the metadata, or may already be tapping the data on its own, and correlate it with personal identifiers such as the phone number and WeChat ID of the Clubhouse guests. This could become a real hazard for users in China.

Another way to use the data is profiling, where the user IDs are used to map the people associated with a target. For example, if one of the guests in a chatroom was identified by the government, other members could be exposed if they repeatedly joined the same chatroom as that person.

The Audio Data

The in-app audio chats are believed to be deleted once everyone has left the room. But Alpha Exploration’s privacy policy says the conversations are only deleted automatically if nobody reported a “Trust and Safety violation” during the chat.

In other words, if there is an incident, Clubhouse retains the audio until “the investigation is complete.” Although they added that the temporary audio recordings are encrypted, they reserve the right to share them with law enforcement if necessary. There is no clear definition of how long “temporary” is in the policy; it could be minutes or years.

With the discovery of Agora's relationship to Clubhouse, even though the app provides encryption for data-at-rest, there is no guarantee that Agora does not have access to the raw audio data.

The only way to prevent a third party from accessing the raw audio is to deploy End-to-End Encryption (E2EE) between the host and the guests, similar to popular messenger apps like Signal, Telegram, and WhatsApp. For now, I cannot see that E2EE is in place in the Clubhouse app. In other words, the encryption key is still in the hands of the infrastructure provider, Agora.

Luckily, there is no evidence to suggest that the parent company of Clubhouse, Alpha Exploration Co., has a partner or data sub-processor based in China, and the raw audio data is stored in the U.S. The raw audio data is not directly accessible by the Chinese government.

Final Words

Thanks to the SIO report, the suspicion is confirmed. Regarding security and privacy concerns, the Clubhouse app has room for improvement relating to metadata and raw audio data.

Agora Inc., the backbone of the Clubhouse app, is evidently collecting users' metadata and storing it in China, which raises the problem of eavesdropping and government surveillance. The user’s initial anonymity could be at risk, as no encryption is used when establishing the chatroom.

The raw audio data, although encrypted, is still accessible by the encryption provider (Agora). Without the implementation of E2EE in a future release, this concern remains valid. It is also worth mentioning that Alpha Exploration’s privacy policy does not clearly define the duration of “temporary recording.”

Whether or not the Chinese government is listening to Clubhouse, the app is not as secure as its repeated claim of being “deeply committed to data protection and user privacy” suggests. Some areas should be taken more seriously, such as GDPR requirements and encryption.

In the meantime, if you want to take back control of your personal data, start with the few steps that I described in the previous article.

How To Be Anonymous Online

It’s Time To Protect Yourself, Even You Have Nothing To Hide

Similar Articles:

Clubhouse says it will improve security after researchers raise China spying concerns

The Same FBI That Wants To Destroy Encryption Is Still Illegally Snooping on Americans

The real risk of downloading Chinese apps on to your phone

China’s electric cars are government spies
