The regime in Beijing might have access to raw audio data from mainland Chinese users of the U.S.-based audio app Clubhouse, according to a recent analysis by researchers at the Stanford Internet Observatory.
The Stanford researchers speculated that the regime could potentially punish Clubhouse users in China for their speech on the app, given the regime’s history.
Many inside China began using the invite-only app for uncensored discussions, before Beijing blocked it last week. The app says that it doesn’t record conversations, thus giving users a certain degree of privacy.
Chinese users took to the platform for discussions considered taboo by the Chinese Communist Party (CCP), such as the suppression of Uyghurs in the Xinjiang region and Hong Kong’s freedoms and democracy.
The Stanford Internet Observatory is a disinformation research group based at Stanford University. The researchers found that Agora Inc., a Shanghai-based software tool provider with a U.S. headquarters in Silicon Valley, provides back-end infrastructure to Clubhouse. Their analysis showed that the app’s outgoing web traffic was directed to servers operated by the Chinese firm.
That infrastructure is a “real-time voice and video engagement” platform that Agora sells to clients, including Clubhouse.
“If an app operates on Agora’s infrastructure, the end-user might have no idea,” the researchers stated.
After analyzing Agora’s technical documents, the researchers concluded that the firm “would likely have access to Clubhouse’s raw audio traffic,” and that the audio could be “intercepted, transcribed, and otherwise stored by Agora.”
The researchers found that the ID numbers of Clubhouse users and chatrooms were being transmitted in plaintext over the internet, meaning that “any third-party with access to a user’s network traffic can access” them. User IDs aren’t usernames but unique serial numbers.
“Any observer of internet traffic could easily match IDs on shared chatrooms to see who is talking to whom. For mainland Chinese users, this is troubling,” the researchers wrote on Twitter about their findings.
In June 2017, China implemented a new cybersecurity law, sparking concern about data protection and privacy violations. Under the law, network operators and technology companies operating in China must store data within Chinese borders. Also, they must submit their data to Beijing for security checks if called upon.
Agora’s filing to the U.S. Securities and Exchange Commission in 2020 stated that it would be required to “provide assistance and support in accordance” to the Chinese authorities under the cybersecurity law.
“If the Chinese government determined that an audio message jeopardized national security, Agora would be legally required to assist the government in locating and storing,” according to the Stanford researchers.
But Beijing might not need to go through Agora at all. Stanford researchers saw Clubhouse chatroom metadata “being relayed to servers” they believed to be hosted in China. Thus, the Chinese regime could collect data without accessing Agora’s networks, the researchers said. Moreover, audio data were also being relayed to “servers managed by Chinese entities and distributed around the world.”
“Any unencrypted data that is transmitted via servers in the PRC [People’s Republic of China] would likely be accessible to the Chinese government,” the researchers stated in their analysis.
The report contained a statement from Clubhouse, which acknowledged that conversations by Chinese users “could be transmitted via Chinese servers” prior to the app being blocked by Chinese authorities.
The app said it would make changes to strengthen its data protection. “Over the next 72 hours, we are rolling out changes to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers,” Clubhouse said in the statement.
“We also plan to engage an external data security firm to review and validate these changes.”
In an email to Reuters, an Agora spokesman said the company had no comment on any relationship with Clubhouse. The spokesman added that the company doesn’t have access to or store users’ personal data, and does not route voice or video traffic generated from users outside China, including U.S. users, through China.