Techrecipe

Clubhouse data being sent to Chinese companies?

As Clubhouse gained popularity, it was reported that the stock price of the Chinese company Agora had doubled compared with last month. Meanwhile, a recent study by the Stanford Internet Observatory (SIO) found that packets containing metadata for each user entering Clubhouse were sent to Agora in plain text, without end-to-end encryption.

Agora is a video, voice and live interactive delivery platform with offices in Santa Clara in Silicon Valley and in Shanghai, China. Its API is provided to companies around the world, including Clubhouse, but its relationship with Clubhouse has never been officially announced.

When Agora listed on the NASDAQ in June of last year at $20 per share, the CEO made no mention of Clubhouse in an interview. The IPO came at the same time as the Clubhouse launch, but given that the US administration is pursuing the removal of Chinese apps, disclosing the business relationship may not have been desirable.

However, it was known relatively early that Agora is in charge of the Clubhouse backend. When asked on Twitter, the week after the Agora IPO, where the Clubhouse social voice platform was developed, an angel investor replied that Clubhouse was developed in about a week on top of a company called Agora.

This information then surfaced on January 25th on the Reddit investment forum that caused GameStop stock to surge. The post said that, although it is not well known, Clubhouse is an app developed in a week using the Agora API, that Agora's stock ticker is also API, and that because Agora uses a pay-as-you-go model rather than a subscription, the price will rise as usage time increases.

What Clubhouse itself has developed is therefore the UI, and it is Agora, located in Shanghai, that runs the Clubhouse voice platform. Agora is said to both host the voice data and deliver it over the Internet.

The concern here is the location of Agora's servers. Because they are spread across the U.S. and China, if Clubhouse voice data passes through a Chinese server, there is a burdensome legal obligation to comply with requests from the Chinese government to hand over conversation data for investigative or security purposes. This is stated in the F-1 filing for its IPO that Agora submitted to the Securities and Exchange Commission (SEC).

In China this is a matter-of-course obligation that also applies to foreigners, but Clubhouse is said to let people all over the world chat in real time, and recording, saving, and disclosing audio are prohibited. What is worrisome is that when Stanford examined the traffic with network analysis tools such as Wireshark, the data was processed through Agora, and metadata containing the user's unique ID and the room ID was transmitted in plain text, without encryption.

In other words, third parties with access to your network can easily read what you send. Anyone in the same channel can see what a user is talking about and can link different speaker IDs to profiles. Other security vulnerabilities were also discovered, but the university said they need to be fixed or corrected by contacting Clubhouse directly.

There are reports that if the Chinese government determines that something is a threat to national security, Agora must support verification or storage of the audio in question. If the server is in the US, there is no need to respond to the Chinese government's request. Both Clubhouse and Agora explain that, because evidence of threats and lies is needed, the audio is temporarily saved but deleted when the session ends. In any case, because the data is plain text rather than encrypted, it is theoretically possible to access and record it without resorting to any legal means.

Clubhouse made it clear that, in cooperation with Stanford University, it would take measures to strengthen encryption and prevent information from being transmitted to servers in China. Related information can be found here.