While Clubhouse has resolved some security issues, others remain.
On Feb. 12, the Stanford Internet Observatory said it had determined that Clubhouse was transmitting user IDs and channel IDs in plain text to Agora, a Shanghai-based software service company, allowing eavesdroppers to see which users were talking to one another. In its latest update, Clubhouse issued a fix that halted that practice.
Brian Pak, CEO of the cybersecurity R&D startup Theori, reviewed the code changes and noticed a few other tweaks, too. Clubhouse had turned on geofencing to limit users to servers in specific regions—excluding mainland China, for example. It also took steps to enable encryption that would limit Agora’s access to raw audio data, though the platform will need to take an additional step (assigning encryption keys for each channel) for this to happen.
Those are welcome developments, Pak says. They’re also services offered by Agora all along.
“It seems that Clubhouse did not thoroughly review the Agora documentation, since neither encryption nor geofencing were configured by Clubhouse,” says Pak. While that isn’t necessarily malicious, it does show that security was not a top priority, he adds.
Jack Cable, a researcher at Stanford Internet Observatory, reviewed the network connections and says that while Clubhouse no longer appears to be routing traffic through servers in mainland China, it was still pinging Hong Kong as of Feb. 19.
For the moment, the encryption stops the data from being transmitted in plain text between Clubhouse and Agora servers, and geofencing likely keeps it from passing through networks in mainland China.
“We don’t operate in China and no data is transmitted or stored in China,” the Clubhouse spokesperson said.
But Agora currently still has access to metadata, raw audio data, and the encryption keys.
“For everyday users who are having intentionally public conversations on Clubhouse, it’s not necessarily a huge concern,” says Cable. That said, he doesn’t recommend using Clubhouse for sensitive conversations, particularly if you’re concerned about information landing in the hands of the Chinese government, which has the power to compel Agora to intercept live communications or release data.