Social networks or services that are new, or that have not yet seen large-scale use, tend to have security issues the developers did not take into account. During the quarantine, the case of Zoom was notorious: every few days new vulnerabilities and shortcomings were discovered, alongside obvious gaps such as the lack of end-to-end encryption.
Now, after an investigation by the Stanford Internet Observatory (SIO), the Clubhouse audio social network is in the spotlight because, according to that institution, it has security problems that may have given the Chinese government access to user data. Specifically, the Stanford researchers state that it is even possible that the raw data from the conversations was accessed, along with metadata that includes the application ID and the meeting or room ID. This data was transmitted unencrypted, in plain text.
Clubhouse says it will make changes to prevent data leaks
The Clubhouse case is odd because, by the time the investigation was published, the platform had already been blocked in the country over the conversations that were taking place, or could take place, about controversial parts of the country's present and past, such as the events in Tiananmen Square in 1989. Although the service was officially not available there, some users had found a way to use it. Thus, before the government blockade, those talks could have been intercepted.
The root of the problem lies with the company Agora Inc., which provides infrastructure services to Clubhouse and is based in Shanghai. According to the SIO, anyone observing the traffic could establish a relationship between user IDs and shared rooms. Even though usernames were not transmitted, the researchers assert that identifying people would not be difficult.
"In at least one case, SIO observed that room metadata was transmitted to servers that we believe are hosted in the People's Republic of China, and audio to servers managed by Chinese entities and distributed around the world through Anycast. Also, Clubhouse IDs can be linked to user profiles."
Agora has told the SIO that it does not store audio files or metadata, that what it does is monitor network quality, and that, since the servers are located in the United States, the Chinese government cannot access the data. Clubhouse's response has been diplomatic but positive towards the investigation, stating that it will implement changes "to add encryption and blocks to prevent Clubhouse clients from transmitting pings to Chinese servers". The company also says it will hire an external security firm to review and validate the application updates.
Via | The Verge
More information | Stanford Internet Observatory