Researchers from the Stanford Internet Observatory (SIO) in the United States confirmed that the infrastructure of the voice community platform Clubhouse may have security concerns due to the involvement of Agora technology. To this end, Clubhouse developers responded by planning to update the App to add additional encryption mechanisms to prevent ping from being transmitted to servers in China.
The latest report issued by SIO confirms that Agora Inc., headquartered in Shanghai, provides the back-end infrastructure of the system for Clubhouse. It is further discovered that each user's unique Clubhouse ID and chat room ID will be transmitted in plain text, which may enable Agora to access the original sound signal of the Clubhouse; this way, anyone who observes network traffic can compare ID in the chat room to see who is talking to each other.
SIO researchers even discovered that metadata from Clubhouse chat rooms are relayed to servers hosted in China, and voice signals have been sent to servers that are actually managed by the Chinese company and distributed around the world. Since Agora is a Chinese company, SIO researchers speculate that if the Chinese government believes that certain news may constitute a national security threat, according to the requirements of the laws of the People's Republic of China, it needs to assist the Chinese government to find or save Clubhouse voice messages.
SIO chose to disclose these security issues because they are easy to find and directly pose a security risk to millions of Clubhouse users, especially those who live in China.
However, Agora told SIO that it will not store users' voice messages or metadata other than monitoring network transmission quality or charging customers; and as long as the voice signals are stored on servers in the United States, the Chinese government cannot obtain the data.
An Agora spokesperson declined to comment on the company’s relationship with Clubhouse. However, in a statement to the foreign media, The Verge pointed out that Agora has no right to access, share or store personally identifiable data of users, and that it includes users in the United States. For non-Chinese users in China, their video and audio traffic will never pass through China.
On the other hand, Clubhouse explained to SIO researchers through a statement that given China's past privacy records, the development team decided not to provide this app to Chinese users. A few Chinese users recently found a way to download the app, which also means that the voice conversations that users participated in were transmitted through Chinese servers before the app was banned by the Chinese government on February 8.
The clubhouse also stated to SIO that it will add other encryption mechanisms to prevent Clubhouse users from being forced to transmit pings to servers located in China, and will hire external security companies for review and verification.