Curated from FSI - Freeman Spogli Institute for International Studies — Here’s what matters right now:
Clubhouse in China: Is the data safe? Elena Cryst Thu, 02/11/2021 - 14:24 Authors Renee DiResta Riana Pfefferkorn Alex Stamos David Thiel News Type Blogs Date Fri, 02/12/2021 - 12:00 Paragraphs Last week, the drop-in audio chat app “Clubhouse” enabled rare unfettered Mandarin-language debate for mainland Chinese iPhone users, before being abruptly blocked by the country’s online censors on Monday February 8, 2021. Alongside casual conversations about travel and health, users frankly discussed Uighur concentration camps in Xinjiang, the 1989 Tiananmen Square protests, and personal experiences of being interrogated by police. The Chinese government restricts open discussion of these topics, maintaining a “Great Firewall” to block domestic audiences from accessing many foreign apps and websites. Although last week Clubhouse had not yet been blocked by the Great Firewall, some mainland users worried the government could eavesdrop on the conversation, leading to reprisals. In recent years, the Chinese government under President Xi Jinping has shown an increased willingness to prosecute its citizens for speech critical of the regime, even when that speech is blocked in China. Clubhouse app’s audio messages, unlike Twitter posts, leave no public record after speech occurs, potentially complicating Chinese government monitoring efforts. The Stanford Internet Observatory has confirmed that Agora, a Shanghai-based provider of real-time engagement software, supplies back-end infrastructure to the Clubhouse App (see Appendix). This relationship had previously been widely suspected but not publicly confirmed. Further, SIO has determined that a user’s unique Clubhouse ID number and chatroom ID are transmitted in plaintext, and Agora would likely have access to users’ raw audio, potentially providing access to the Chinese government. In at least one instance, SIO observed room metadata being relayed to servers we believe to be hosted in the PRC, and audio to servers managed by Chinese entities and distributed around the world via Anycast. It is also likely possible to connect Clubhouse IDs with user profiles. SIO chose to disclose these security issues because they are both relatively easy to uncover and because they pose immediate security risks to Clubhouse’s millions of users, particularly those in China. SIO has discovered other security flaws that we have privately disclosed to Clubhouse and will publicly disclose when they are fixed or after a set deadline. In this blog post, we investigate the possibility of Chinese government access to Clubhouse audio, both via Agora and Clubhouse app itself. We also explore why that might matter. We will address these key issues: What is Agora, how do we know it provides back-end support to Clubhouse, and why does that matter? Can the Chinese government access audio stored by Clubhouse? Are mainland Chinese users likely to face reprisals for speech on the app? Why did the Chinese government ban the app? What is Agora,
Next step: Want similar protection in your daily life? Explore our anti-surveillance devices designed to detect and deter threats.
Original reporting: FSI - Freeman Spogli Institute for International Studies