The Stanford researchers speculated that the regime could potentially punish Clubhouse users in China for their speech on the app, given the regime’s history.
Chinese users took to the platform for discussions considered taboo by the Chinese Communist Party (CCP), such as the suppression of Uyghurs in the Xinjiang region and Hong Kong’s freedoms and democracy.
The Stanford Internet Observatory is a disinformation research group based at Stanford University. The researchers found that Agora Inc., a Shanghai-based software tool provider with a U.S. headquarters in Silicon Valley, provides back-end infrastructure to Clubhouse. Their analysis showed that the app’s outgoing web traffic was directed to servers operated by the Chinese firm.
That infrastructure is a “real-time voice and video engagement” platform that Agora sells to clients, including Clubhouse.
“If an app operates on Agora’s infrastructure, the end-user might have no idea,” the researchers stated.
After analyzing Agora’s technical documents, the researchers concluded that the firm “would likely have access to Clubhouse’s raw audio traffic,” and that the audio could be “intercepted, transcribed, and otherwise stored by Agora.”
The researchers found that the ID numbers of Clubhouse users and chatrooms were being transmitted in plaintext over the internet, meaning that “any third-party with access to a user’s network traffic can access” them. User IDs aren’t usernames but unique serial numbers.
“If the Chinese government determined that an audio message jeopardized national security, Agora would be legally required to assist the government in locating and storing,” according to the Stanford researchers.
But Beijing might not need to go through Agora at all. Stanford researchers saw Clubhouse chatroom metadata “being relayed to servers” they believed to be hosted in China. Thus, the Chinese regime could collect data without accessing Agora’s networks, the researchers said. Moreover, audio data were also being relayed to “servers managed by Chinese entities and distributed around the world.”
“Any unencrypted data that is transmitted via servers in the PRC [People’s Republic of China] would likely be accessible to the Chinese government,” the researchers stated in their analysis.
The report contained a statement from Clubhouse, which acknowledged that conversations by Chinese users “could be transmitted via Chinese servers” prior to the app being blocked by Chinese authorities.
The app said it would make changes to strengthen its data protection. “Over the next 72 hours, we are rolling out changes to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers,” Clubhouse said in the statement.
“We also plan to engage an external data security firm to review and validate these changes.”