Do you still use this? Clubhouse's suspicious security/privacy problems: Clubhouse issues [Part 1]

Clubhouse has gained popularity in China. At one point it operated outside the "Great Firewall", so users were able to freely discuss topics such as China's crackdown on the Uyghur Autonomous Region, Hong Kong's democratization movement, and the independence of Taiwan. However, the Chinese authorities became aware of this, and its use is now prohibited in China.

In addition to a flaw that could expose audio data (since fixed), Clubhouse has many problems that puzzle security observers.

When creating a Clubhouse account, the user agrees to upload the address book on their device. In other words, when an acquaintance registers with Clubhouse, a person's contact details are obtained by Clubhouse via the acquaintance's address book, without that person's own consent. There is also a risk that Clubhouse will then prompt people to connect with one another or to register.

For this reason, it has been reported that many users have been exposed to contacts such as drug traffickers, therapists, and former partners involved in abuse and harassment.

An even greater concern is the location of Clubhouse's back-end infrastructure.

The back-end infrastructure is owned by a company called Agora. According to an investigation conducted by the Stanford Internet Observatory (SIO) in early February 2021, Agora publishes a Silicon Valley address on its website but is a startup that was founded in Shanghai, and it is likely to be able to access the raw audio of Clubhouse users.

Connection with China

SIO has confirmed at least once that room metadata was sent to a server believed to be hosted in China, and that audio data was transferred to servers managed by Chinese organizations. The user's Clubhouse ID number and the chat room ID are sent in plain text, so it is possible to link a Clubhouse ID to a user profile.

In other words, if there is no end-to-end encryption (SIO questions Clubhouse's implementation), voice data may be intercepted, copied, and saved by Agora. Considering Agora's location, it is subject to Chinese surveillance, and the authorities would be able to access the data as part of national security and criminal investigations. Huawei was also banned in Britain on account of the law.

Agora claims that it does not store user audio or metadata, except for network monitoring and billing purposes. If this is the case, Agora does not hold Clubhouse user data, and the authorities cannot make a legal request for that data.

That said, the possibility that Agora's claim is false cannot be excluded. There is also a possibility that Chinese intelligence agencies will access the network on their own. According to the investigators, if metadata really is transmitted to China, the Chinese government will probably be able to collect it without accessing the Agora network.

According to the team, it is almost impossible for China to access the data directly from Clubhouse (other than by hacking into its systems), so the average risk to Clubhouse users is higher than on Twitter.

According to the statement Clubhouse issued after SIO's announcement, it has rolled out changes to the client, covering encryption and additional blocks, to prevent pinging of Chinese servers. It is also receiving outside cyber security support to confirm and verify these changes.

Weak points become clear

Clubhouse found a home among business people who post on LinkedIn about self-improvement, such as early-morning jogging and skin care. Clubhouse is therefore likely to be present on many corporate devices and networks.

Then, within a month, multiple cyber security and privacy issues emerged. To many observers, Clubhouse resembles "Zoom" in the early days of the coronavirus pandemic. In both cases, explosive growth revealed security defects in design and development.

Coalition, a US cyber insurance and risk specialist company, is among the experts who take this view. Its comments are as follows: "Clubhouse's security breach indicates a common problem with technology startups. It is the technical merits that developers and users mainly focus on, and these are often the motivating factor. That is myopic."

"Risk considerations get postponed. Startup companies should move at a speed that allows security and privacy concerns to be considered."

"It is easy to ignore the risk when handing a new technology to early adopters. However, security measures need to be as thoroughly thought through as the new user experience. In the initial stage they seem far removed from development. Their existence is always felt when the risk becomes reality."

ProPrivacy's Ray Walsh (digital privacy expert) also adds: "Clubhouse seems to have serious problems with its privacy and security protection functions. It is essential for all Clubhouse users to recognize the possibility of a conversation."

"Clubhouse has a responsibility to fully address this threat by providing security in the app. Until the app developer can prove it is safe, it is best to think of Clubhouse as a public communication forum that is completely public."

In the second part, I will introduce some problems in Clubhouse.