Clubhouse, a new social media app revolving around interest-based audio chats, has been all over the news lately. The number of users is constantly growing, and famous CEOs, music producers, and other celebrities keep joining the platform. Despite the overwhelming popularity of the service, there have been some reasons for concern: recently a group of Stanford researchers pointed out certain vulnerabilities in the app.
The issue has to do with the fact that Clubhouse was built on technical solutions provided by Agora, a Chinese company. It is thanks to their servers that so many users can have a comfortable experience during limitless conversations on the platform. The thing is, every Clubhouse user has a unique ID (which is not the same as their username), and Agora, apparently, has access to it. The IDs of users and the chats they participate in are transferred to the company in plaintext, which implies that it can access the actual audio content of any conversation. Considering that one of the appeals of the app is its semi-private nature, this is not great news.
The discussions are supposed to happen live and then be gone forever, but this might not be the case. According to the researchers at the Stanford Internet Observatory, audio from the app is transferred to servers located in China. Hypothetically, the Chinese government could request access to this data, and Agora would have no choice but to comply. Obviously, this creates a lot of concerns regarding security, and even potential geopolitical repercussions. What if the ID of a Chinese user gets traced back to them, and the government gets ahold of their credentials? What about all the others who participated in a discussion in that particular room?
According to Agora’s management, the company doesn’t actually store the data, and only uses the ID information to evaluate the quality of the service. However, this is rather difficult to confirm. The developers of Clubhouse decided against making their app available in China, specifically because of the country’s track record when it comes to surveillance. In the end, however, plenty of Chinese users were able to join using various workarounds, including VPNs. As a result, all the rooms that those users participate in could be vulnerable, since at least part of the data goes through servers located in China. To make things worse, none of this data is encrypted, and it can potentially be traced back to the actual usernames.
Thankfully, Clubhouse has already addressed the issue in a public statement. Reportedly, the company is working on improving its encryption methods to prevent the possibility of sensitive information falling into the wrong hands. In addition to that, the management plans on hiring or outsourcing more security professionals to spot potential issues after every update. Millions of people are using the app daily, and their number is only going to grow. It would be a shame if anyone got into trouble with the Chinese government after a particularly free-spirited or open-minded discussion. Hopefully, after the company takes the necessary steps to improve security and minimize potential privacy issues, there will be a lot fewer reasons for concern.