China has access to user data on the by-invitation-only social networking app Clubhouse and may be able to snoop on American users’ private conversations, according to Stanford Internet Observatory researchers.
Clubhouse is an audio-based app where users gather in chat rooms and may listen or talk similar to a conference call. Many of the discussions facilitated on the platform give users access to personalities unavailable elsewhere. For example, billionaire Elon Musk tweeted on Saturday an invitation for Russian President Vladimir Putin to talk with him on Clubhouse.
The Kremlin replied Monday that it was interested in Mr. Musk’s invitation but the two men haven’t met up in Clubhouse yet, according to reports.
Russia isn’t the only one with an interest in Clubhouse conversations.
The Stanford Internet Observatory published a report saying that Clubhouse uses Agora, a China-based software provider, and Agora has access to unencrypted Clubhouse user identification numbers and chat room IDs.
Such information could be used by the Chinese Communist Party to monitor users. The Stanford researchers also noted that an Agora filing with the U.S. Securities and Exchange Commission in 2020 said that it was required to provide data to Beijing for investigations.
“In at least one instance, SIO observed room metadata being relayed to servers we believe to be hosted in the PRC, and audio to servers managed by Chinese entities and distributed around the world via Anycast,” wrote the Stanford researchers in the report published Friday.
“It is also likely possible to connect Clubhouse IDs with user profiles. SIO chose to disclose these security issues because they are both relatively easy to uncover and because they pose immediate security risks to Clubhouse’s millions of users, particularly those in China,” they wrote.
The Stanford researchers said they made other private disclosures to Clubhouse, which the researchers intend to make public after the problems are resolved or at a later date.
Clubhouse did not immediately respond to a request for comment on the claims of security vulnerabilities on its platform. In a statement shared by the Stanford Internet Observatory, Clubhouse said it was working on additional encryption and blocks to prevent Clubhouse clients from pinging Chinese servers.
The data privacy concerns on Clubhouse are part of a larger threat some cybersecurity experts see from China’s scouring Americans’ social media accounts and gathering information on private citizens.
Australian cybersecurity firm Internet 2.0 and American researcher Christopher Balding told The Washington Times last year that the Shenzhen Zhenhua Data Technology company’s Overseas Key Information Database has collected data on more than 100,000 American residents via social-media surveillance.
While Mr. Balding and Internet 2.0 have said the Chinese technology company supported the Chinese regime, the Chinese government disputes having anything to do with Shenzhen Zhenhua.
Clubhouse is also far from the only social networking or tech platform with data privacy concerns relating to Chinese surveillance. The Trump administration pursued a ban of the China-owned social media app TikTok over fears that the Chinese may collect Americans’ data via the app, though court filings suggest that the new administration of President Biden is reconsidering that.
Other companies, such as Alibaba and Tencent, have helped the government hunt suspected criminals and dissidents, according to reports.
Chinese requests to the U.S. government for access to such audio would fail, the Stanford researchers assessed. But the researchers noted that the Chinese would not need to ask the U.S. if it can get to the audio directly through the digital infrastructure of Agora.
Agora functions like an old phone network operator with the Clubhouse app serving as a user’s telephone, according to the Stanford researchers’ technical analysis.