- Clubhouse said it would review its data policies after Stanford researchers found security issues.
- Stanford Internet Observatory researchers said user data was sent as plaintext.
- Some users have “found a workaround” to download Clubhouse in China, the company said.
As Chinese-language users flocked to the Clubhouse audio chat app, internet researchers at Stanford warned that their information may be accessible to China’s government.
Clubhouse responded on Friday by saying it planned to review its policies and roll out added encryption in the next “72 hours.”
“With the help of researchers at the Stanford Internet Observatory, we have identified a few areas where we can further strengthen our data protection,” Clubhouse said in a statement published as part of a report from the Stanford Internet Observatory (SIO).
SIO researchers said they found some of Clubhouse’s back-end infrastructure had been provided by Agora, a Shanghai-based startup with an office in Silicon Valley.
“This relationship had previously been widely suspected but not publicly confirmed,” according to the report’s authors: Jack Cable, Matt DeButts, Renee DiResta, Riana Pfefferkorn, Alex Stamos, and David Thiel.
The researchers cited an SEC filing in which Agora said it was required to help the Chinese government in national security and criminal investigations.
Clubhouse is available only on Apple devices. The invite-only app has grown quickly. Tesla's CEO has popped up on the app, and is reportedly planning an appearance with Kanye West. Facebook is reportedly working on a competitor.
Clubhouse’s developers released their app in every country but China. But some users in China have “found a workaround” to download it, Clubhouse said in its statement. Because those users were in China, the “conversations they were a part of could be transmitted via Chinese servers,” the company said.
Clubhouse said: “For example, for a small percentage of our traffic, network pings containing the user ID are sent to servers around the globe — which can include servers in China — to determine the fastest route to the client.”
SIO researchers reported that they saw data from Clubhouse users being transmitted without encryption.
The researchers said: “Further, SIO has determined that a user’s unique Clubhouse ID number and chatroom ID are transmitted in plaintext, and Agora would likely have access to users’ raw audio, potentially providing access to the Chinese government.”
SIO researchers said they had seen metadata from one Clubhouse room “being relayed to servers we believe to be hosted” in China. Some Clubhouse IDs could be matched with user profiles, they wrote. Clubhouse asks users to sign up with their real names.
In its statement, Clubhouse said it planned to ask an external data security firm to review its security updates.
Stanford’s researchers said they had published their report on the Clubhouse security issues because “they are both relatively easy to uncover and because they pose immediate security risks to Clubhouse’s millions of users, particularly those in China.”
They said they had discovered additional security issues, too. “SIO has discovered other security flaws that we have privately disclosed to Clubhouse and will publicly disclose when they are fixed or after a set deadline,” the researchers said.