Clubhouse says reviewing data protection practices after report points to flaws (updated)
13/02/2021 17:27
(Adds comment from Agora spokesman)
SHANGHAI, Feb 13 (Reuters) - U.S. audio app Clubhouse said
it is reviewing its data protection practices, after a report by
the Stanford Internet Observatory said it contained security
flaws that left users' data vulnerable to access by the Chinese
government.
The app said in a response to the study, published by the
research group at Stanford University, that while it had opted
not to make the app available in China, some people had found a
workaround to download the app which meant the conversations
they were a part of could be transmitted via Chinese servers.
"With the help of researchers at the Stanford Internet
Observatory, we have identified a few areas where we can further
strengthen our data protection," the company said in a statement
published https://cyber.fsi.stanford.edu/io/news/clubhouse-china
by the research group on Friday.
"Over the next 72 hours, we are rolling out changes to add
additional encryption and blocks to prevent Clubhouse clients
from ever transmitting pings to Chinese servers. We also plan to
engage an external data security firm to review and validate
these changes."
Clubhouse did not immediately respond to a request from
Reuters for further comment on Saturday.
Launched in early 2020, the app saw global user numbers soar
earlier this month after Tesla TSLA.O CEO Elon Musk and
Robinhood CEO Vlad Tenev held a surprise discussion on the
platform.
Masses of new users joined from mainland China, taking part
in discussions on topics that included sensitive issues such as
Xinjiang detention camps and Hong Kong's National Security Law.
But their access to the app was blocked last week, triggering
frustration and fears of government surveillance. urn:newsml:reuters.com:*:nL4N2KF151
The Stanford Internet Observatory said that it had confirmed
that Chinese tech firm Agora Inc API.O supplied back-end
infrastructure to Clubhouse, and that Agora would likely have
access to users' raw audio, potentially providing access to the
Chinese government.
It also said it observed room metadata relayed to servers it
believed were hosted in China and audio to servers managed by
Chinese entities. It added, however, that it believed the
Chinese government would not be able to access the data if the
audio was stored in the United States.
An Agora spokesman said the company had no comment on any
relationship with Clubhouse, but that Agora does not have access
to or store personal data, and does not route through China
voice or video traffic generated from users outside China,
including U.S. users. Agora provides software that allows
customers "to build their security and privacy infrastructure in
a way that is both compliant and relevant to their end-users,"
the spokesman wrote in an e-mail.
The Cyberspace Administration of China, which regulates the
country's internet, did not respond to calls for comment made
during China's Lunar New Year holiday.
"SIO chose to disclose these security issues because they
are both relatively easy to uncover and because they pose
immediate security risks to Clubhouse's millions of users,
particularly those in China," the report said.
Data analytics firm Sensor Tower said the app, which is only
available on Apple's iPhone, had about 3.6 million users
worldwide as of Feb.2, with 1.1 million registered in the prior
six days. urn:newsml:reuters.com:*:nL1N2K837R
(Reporting by Brenda Goh
Editing by Clelia Oziel and Diane Craft)
((brenda.goh@thomsonreuters.com; +86 (0) 21 2083 0088; Reuters
Messaging: brenda.goh.thomsonreuters.com@reuters.net))