Dubbi sulla sicurezza e la privacy di Clubhouse

Clubhouse è il social del momento. Si tratta di un social che basa la totalità delle interazioni grazie all’utilizzo della voce. Secondo lo Stanford Internet Observatory Cyber Policy Center, la piattaforma ha vulnerabilità relative alla sicurezza informatica e soprattutto sulla privacy. Secondo gli esperti di Stanford la maggior parte del flusso di dati generati vengono gestiti da Agora una società cinese con sede a  Shangai e quindi accessibili al governo cinese che la scorsa settimana ha interdetto l’uso di Clubhouse agli utenti del paese.

Alpha Exploration  la società che ha sviluppato Clubhouse ha dichiarato che sta rafforzando le misure di sicurezza, prevedendo blocchi che impediscono all’app di trasmettere ai server cinesi.

Last week, the drop-in audio chat app “Clubhouse” enabled rare unfettered Mandarin-language debate for mainland Chinese iPhone users, before being abruptly blocked by the country’s online censors on Monday February 8, 2021.

Alongside casual conversations about travel and health, users frankly discussed Uighur concentration camps in Xinjiang, the 1989 Tiananmen Square protests, and personal experiences of being interrogated by police. The Chinese government restricts open discussion of these topics, maintaining a “Great Firewall” to block domestic audiences from accessing many foreign apps and websites. Although last week Clubhouse had not yet been blocked by the Great Firewall, some mainland users worried the government could eavesdrop on the conversation, leading to reprisals.

In recent years, the Chinese government under President Xi Jinping has shown an increased willingness to prosecute its citizens for speech critical of the regime, even when that speech is blocked in China. Clubhouse app’s audio messages, unlike Twitter posts, leave no public record after speech occurs, potentially complicating Chinese government monitoring efforts.

The Stanford Internet Observatory has confirmed that Agora, a Shanghai-based provider of real-time engagement software, supplies back-end infrastructure to the Clubhouse App (see Appendix). This relationship had previously been widely suspected but not publicly confirmed. Further, SIO has determined that a user’s unique Clubhouse ID number and chatroom ID are transmitted in plaintext, and Agora would likely have access to users’ raw audio, potentially providing access to the Chinese government. In at least one instance, SIO observed room metadata being relayed to servers we believe to be hosted in the PRC, and audio to servers managed by Chinese entities and distributed around the world via Anycast. It is also likely possible to connect Clubhouse IDs with user profiles.

SIO chose to disclose these security issues because they are both relatively easy to uncover and because they pose immediate security risks to Clubhouse’s millions of users, particularly those in China. SIO has discovered other security flaws that we have privately disclosed to Clubhouse and will publicly disclose when they are fixed or after a set deadline.

Agora is a Shanghai-based start-up, with U.S. headquarters in Silicon Valley, that sells a “real-time voice and video engagement” platform for other software companies to build upon. In other words, it provides the nuts-and-bolts infrastructure so that other apps, like Clubhouse, can focus on interface design, specific functionalities, and the overall user experience. If an app operates on Agora’s infrastructure, the end-user might have no idea.

SIO analysts observed Clubhouse’s web traffic using publicly available network analysis tools, such as Wireshark. Our analysis revealed that outgoing web traffic is directed to servers operated by Agora, including “qos-america.agoralab.co.” Joining a channel, for instance, generates a packet directed to Agora’s back-end infrastructure. That packet contains metadata about each user, including their unique Clubhouse ID number and the room ID they are joining. That metadata is sent over the internet in plaintext (not encrypted), meaning that any third-party with access to a user’s network traffic can access it. In this manner, an eavesdropper might learn whether two users are talking to each other, for instance, by detecting whether those users are joining the same channel.

An SIO analysis of Agora’s platform documentation also reveals that Agora would likely have access to Clubhouse’s raw audio traffic. Barring end-to-end encryption (E2EE), that audio could be intercepted, transcribed, and otherwise stored by Agora. It is exceedingly unlikely that Clubhouse has implemented E2EE encryption.

We expand on the technical details of these findings in the technical analysis appendix at the end of this post.

Because Agora is based jointly in the U.S. and China, it is subject to People’s Republic of China (PRC) cybersecurity law. In a filing to the U.S. Securities and Exchange Commission, the company acknowledged that it would be required to “provide assistance and support in accordance with [PRC] law,” including protecting national security and criminal investigations. If the Chinese government determined that an audio message jeopardized national security, Agora would be legally required to assist the government in locating and storing it.

Conversations about the Tiananmen protests, Xinjiang camps, or Hong Kong protests could qualify as criminal activity. They have qualified before.

Agora claims not to store user audio or metadata, except to monitor network quality and bill its clients. If that is true, the Chinese government wouldn’t be able to legally request user data from Agora — Agora would not have any records of user data. However, the Chinese government could still theoretically tap Agora’s networks and record it themselves. Or Agora could be misrepresenting its data storage practices. (Huawei, a large Chinese software company with close links to the country’s military, also claims not to hand data to the government. Many experts are doubtful.)

Further, any unencrypted data that is transmitted via servers in the PRC would likely be accessible to the Chinese government. Given that SIO observed room metadata being transmitted to servers we believe to be hosted in the PRC, the Chinese government can likely collect metadata without even accessing Agora’s networks.

In summary, if the Chinese government can access user data via Agora, mainland Chinese users of Clubhouse could be at risk. It is important to keep in mind, however, that having the potential to access user data is not the same as actually accessing it. The Chinese government is a large and sometimes unwieldy bureaucracy, just like the U.S. government. It is easy to overstate the Chinese government’s internal unanimity and organizational coherence.

Clubhouse’s Privacy Policy states that user audio will be “temporarily” recorded for the purpose of trust and safety investigations (e.g. terrorist threats, hate speech, soliciting personal information from minors, etc.). If no trust and safety report is filed, Clubhouse claims that the stored audio is deleted. The policy does not specify the duration of “temporary” storage. Temporary could mean a few minutes or a few years. The Clubhouse privacy policy does not list Agora or any other Chinese entities as data sub-processors.

If Clubhouse stores that audio in the U.S., the Chinese government could ask the U.S. government to make Clubhouse transfer the data under the U.S.-China Mutual Legal Assistance Agreement (MLAA). That request would likely fail, however, due to the MLAA’s provisions allowing the United States to reject requests that would infringe on users’ free speech or human rights — such as requests involving politically sensitive speech on Clubhouse (Tiananmen, Hong Kong, Xinjiang, etc.). (The Chinese government could not demand audio clips directly from Clubhouse, as U.S. federal law prohibits such disclosures.)

The Chinese government could, however, legally demand audio (or other user data) stored in China if the app’s creator, Alpha Exploration Co., has a partner or subsidiary in China with access to the data. Besides Agora, there is no known evidence to suggest that Alpha Exploration Co. has a Chinese partner or stores user data within China.

In sum: assuming the app maker doesn’t have a Chinese partner or store data in China, then the Chinese government probably could not use legal processes to obtain Clubhouse audio data. Depending on just how “temporary” Clubhouse’s storage is, Clubhouse might not have data to hand over through legal processes in any event. However, if the Chinese government could obtain audio directly from Clubhouse’s backend infrastructure on Agora, it might not resort to using international legal channels to seek the data.

For the Chinese government to punish Clubhouse users who visited or spoke in sensitive chatrooms, at least two conditions would need to be met.

First, the Chinese government would need to know which users were present in which chatrooms. It could gain this information manually, through reporting from other users present in the room, or from the back-end, via Agora, as discussed above.

For manual data gathering, someone in the room would need to manually record other users’ profiles. Their public profiles sometimes display identifying information, such as photos, phone numbers or WeChat accounts. (Phone numbers and WeChat accounts are real-name registered in China. Photos could be identified through facial recognition algorithms.) However, most Clubhouse profiles do not display identifying information. In that case, the government would need to access identifying information through its own surveillance mechanisms, or via Agora.

Chinese domestic surveillance capabilities are opaque, but assumed to be significant. It is possible that the Chinese government can access mainland users’ data or metadata without recourse to either Clubhouse or Agora, similar to how the U.S. government eavesdropped on web traffic, as revealed by Edward Snowden. As detailed above, the Chinese government could easily intercept plaintext metadata, such as room IDs and user IDs, sent from users’ devices. If the government doesn’t have independent access to user data, it would need to request and receive data from either Agora or Clubhouse. As stated above, it is not clear that the government could easily do so. Agora claims not to store user data, and Clubhouse is highly unlikely to provide it.

Second, the Chinese government must want to punish users of the app. Whether they would is unclear. Research has shown that the Chinese government can sometimes be tolerant of public criticism when that criticism doesn’t gain a wide following and doesn’t promote collective action. On these dimensions, Clubhouse is a grey area. Because the app is invite-only and only available on comparatively-expensive iPhones (less than 10% of all Chinese users), the app was probably not widely used beyond China’s urban elite. In addition, each Clubhouse chat room can host a maximum of five thousand users — a large number, but perhaps not threateningly large. All of these factors might mitigate Clubhouse’s severity from a government perspective.

On the other hand, the Chinese government has proven highly sensitive to apps that coordinate action in the real world, like the short-lived humor app Neihan Duanzi. Clubhouse is thus a unique space: it is a “meet-up” of sorts (which the Chinese government doesn’t like) but it is also semi-private and not yet widely distributed (which might lead to greater government toleration). Ultimately, we can only speculate.

If the government did want to punish domestic users of the app, the public might not know about it — nor might the users themselves. In recent years the Chinese government has fostered the growth of surreptitious censorship mechanisms for black-listed citizens, such as escalating users’ sensitivity indices on WeChat, an all-purpose domestic social media app. Black-listed users might send messages to their friends, only to realize that the message appeared on their screen but not their friends’. The government could also engage in threatening but not outright punishing behavior, such as inviting users to “tea.” Even if that happened, we might never know whether activity on Clubhouse triggered the invitation.

Vuoi saperne di più su Massa Critica ? Ecco la nostra presentazione.
Ti  è piaciuto Massa Critica ? Bene! Iscriviti alla nostra newsletter. e al nostro canale Telegram.
Se ti piace il nostro lavoro vai alla nostra pagina su Facebook e clicca su "Like".
Se preferisci puoi anche seguirci via Twitter , via Instagram e via Youtube.

Massa Critica è una piattaforma di informazione, partecipazione e attivazione dei cittadini diversa dalle altre, che non vuole solo fornire contenuti importanti su sostenibilità , tecnologia , innovazione , startup , cibo , social innovation. Massa Critica vuole favorire l'attivazione ei quanti condividono aspirazioni nuove e innovative.

Per sostenerci abbiamo bisogno del vostro contributo, per questo vi chiediamo di supportarci in questo momento straordinario. Grazie per il vostro contributo e per la vostra fiducia!

Donazione con Paypal o carta di credito

Donazione con Satispay