Clubhouse, an American voice-based social networking app, has become a hit among Chinese users.
Clubhouse has been banned in China, but many overseas Chinese users and domestic Internet users are still talking in chat rooms via VPN. Some experts have warned Chinese Internet users that Clubhouse’s encryption may still lead to data transmission being intercepted by third parties, and that they should be cautious about talking about sensitive topics in chat rooms if they are worried about being “convicted for their words”.
Clubhouse Exposed for Using Chinese Servers, Unencrypted Data
Live voice chats with Internet users around the world on specific topics, with no long-term archiving of audio, have made Clubhouse a hit among Chinese Internet users who want to speak freely. However, a study found that data about the chat room had been sent to a Web server managed by a Chinese company before and after the app was blocked in China on Jan. 8. Cybersecurity experts say Clubhouse is not the right place for users to post sensitive comments if they are concerned about eavesdropping by Chinese authorities.
Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook, tweeted Tuesday (Feb. 16) that researchers found servers at Chinese tech companies were used to process Clubhouse users' voice conversation data, which was not limited to Chinese users but also involved U.S. users.
He said, “At this time, I would not recommend Clubhouse for individuals who may be disadvantaged by the security services of the People’s Republic of China to have sensitive conversations.”
The Stanford University Network Watch Platform previously released an investigative report that said Shanghai-based real-time audio and video interactive technology company SoundNet (Agora) provides technical support for Clubhouse. Stamos said SoundNet’s services are fundamental to the functioning of Clubhouse.
He said it was difficult to “establish logical and technical control” between the U.S. and Chinese infrastructures.
The Stanford Network Observatory determined that Clubhouse users and chat room IDs were transmitted in clear text using unencrypted means, and that SoundNet likely had access to raw user voice data and could have transferred that access to government agencies.
Christopher Budd, a cybersecurity and privacy expert and senior director of global threat communications for the U.S. division of computer security technology firm Avast, noted that the Clubhouse feature itself was not designed to emphasize the confidentiality of voice data throughout.
Budd told Voice of America, “Clubhouse doesn’t claim to offer end-to-end encryption, so that means in the first place that data can be intercepted in transit, and even though they say they don’t record or save information, until they implement end-to-end encryption, information interception is always a risk.”
That doesn’t mean Clubhouse’s security is flawed, Budd said. He emphasized that in communication exchanges, “it’s important to do everything with the right tools.” “Clubhouse is a social media tool,” he said. “They’ve done a good job with security, privacy and safety facilities. But it’s still just a social media tool. So if you’re a dissident or if you’re someone who has legitimate concerns about the activities of a national government, it’s not designed to allow you to defend yourself against that potentially hostile intent.”
Budd advises, “Don’t use a tool like Clubhouse to have a very sensitive conversation. If you’re going to have that kind of conversation, what you need is an end-to-end encryption tool, such as Signal.”
Role of China’s SoundNet under scrutiny
But the Stanford investigation found that metadata from the Clubhouse chat rooms was being transferred to the back-end servers of SoundNet in mainland China; at the same time, voice files were being transferred to servers managed by Chinese companies and then distributed worldwide via the Anycast data transfer method.
The Stanford University Network Watch platform said that user IDs and chat room IDs in Clubhouse chat rooms could be transmitted in plain text format and easily intercepted, allowing listeners to easily see who is chatting with whom, which is “disturbing” for users in mainland China.
Hong Kong’s South China Morning Post previously reported that Tony Wang, co-founder and head of Asia Pacific and emerging markets for SoundNet, said that SoundNet is just a relay for Clubhouse’s data transfer process. “We don’t store end-user data, and our clients typically encrypt their user data,” he said.
He said SoundNet only stores data about network quality, data used to improve algorithms, and data related to customer billing.
However, according to a June 2020 filing provided to the U.S. Securities and Exchange Commission by SoundNet, the company acknowledged that it must comply with Chinese law by providing assistance and support for investigations involving national security and crime.
Clubhouse pledges to stop transmitting data to Chinese servers
Budd, an expert on cybersecurity and privacy issues, said Clubhouse can be trusted to store voice data in the United States based on the publicly available information they provided. The Stanford University study said Clubhouse’s user privacy agreement states that users’ audio is “briefly” stored for possible trust and security investigations (e.g., terrorist threats, hate speech, sale of minors’ personal information, etc.). If no trust and security investigation is reported, Clubhouse claims that the audio data will be deleted, but does not specify whether the “temporary” storage will last for a few minutes or a few years.
After receiving the findings of the Stanford University study, Alpha Exploration, the developer of the Clubhouse app, admitted that “a small portion of the traffic” from the program may have been sent to servers in China, including “pings” (packets used for network testing) containing user IDs.
Clubhouse said that although the developers decided not to open the service to the Apple App Store in China from the beginning, users in mainland China still found a way to download and use Clubhouse, bypassing this restriction, meaning that conversations involving Chinese users could be transmitted through Chinese servers before Clubhouse was officially blocked by authorities.
Clubhouse has promised additional encryption and blocking methods for 72 hours to prevent Clubhouse clients from transmitting pings to servers in China.
Cybersecurity firm Trend Micro told Bloomberg that they noticed Clubhouse was using an outdated version of the SoundNet software library that used a less-than-ideal encryption feature.
Information from the Apple App Store shows that Clubhouse’s most recent update was dated Feb. 16. The security department of the program’s developer did not respond to inquiries from Voice of America regarding improvements to Clubhouse’s data encryption.
Not only one Chinese company behind it
In addition to SoundNet, Stamos, director of Stanford University’s Network Observation Platform, tweeted that his research also revealed that Clubhouse may have used a server called “GUANGZHOU ENJOY_VC COMMUNICATION TECHNOLOGY CO. LTD.”, which points to Guangzhou Longbridge Vision Communications Technology Co.
The company’s official website says that it was founded in 2013 and provides real-time audio and video interactive services based on Web RTC communication technology as its core. The company’s Hong Kong website also says it provides distributed Internet data center (IDC) services globally, with Guangzhou as the core node in China and Hong Kong as the core node outside, and IDC and interconnection lines in Korea, Southeast Asia, Europe and the Americas.
In an email response to the U.S., Longbridge Vision’s Guangzhou headquarters did not confirm or deny the company’s partnership with Clubhouse, stating that it was unable to comment because of its strict confidentiality of customer-related information.
In addition, The Washington Post previously reported that Clubhouse also uses technology services from China-based Zenlayer. The report said that Zenlayer, like SoundNet, may be forced to provide data to the Chinese government.
Zenlayer Networks USA did not respond to an emailed inquiry from Voice of America.
Chinese censors may have joined Clubhouse chat room
Stanford University researchers say Clubhouse users in mainland China could face trouble if the Chinese government gets access to user data through SoundNet. But they also point out that the Chinese government likely could access data or metadata of mainland users without the help of Clubhouse or SoundNet, and that having potential access to data is not the same as the Chinese government actually having access to it.
Censorship was a concern for many during the conversation in Clubhouse’s Chinese chat room. The New York Times reported that in a Clubhouse chat room on the afternoon of Jan. 8, an employee claiming to be in charge of censorship at a major Chinese social media platform told chat room participants that no one should think they could escape government wiretap surveillance.
On Twitter, a user named “pandakiller” said he witnessed a Clubhouse chat room where Chinese security officials were already practicing how to use Clubhouse.
Nicholas Eftimiades, a former senior U.S. intelligence official and expert on Chinese intelligence affairs, told Voice of America that while it is sometimes difficult to determine the actual links between Chinese technology companies and the Chinese government, the real problem is that no Chinese company can refuse to hand over valuable data if it is wanted by the Chinese government, as is explicitly stated in the Cybersecurity Law, which came into effect in 2017.
“Especially if they are operating in China, they have no choice. So the actual interrelationship here is what data these companies are collecting and whether that data is useful to the Chinese Communist Party.” Eftimiades said, “We’ve seen this expand to involve many different types of data, from medical data, personnel information, financial information, to interpersonal network connections and personal contacts and so on, and that’s a pretty broad batch of data that the Chinese government wants to collect.”