After Researchers Raise Spying Concerns, Clubhouse Promises Blocks on Transmitting to Chinese Servers

"The developers of audio chat room app Clubhouse plan to add additional encryption to prevent it from transmitting pings to servers in China," reports The Verge, "after Stanford researchers said they found vulnerabilities in its infrastructure." In a new report, the Stanford Internet Observatory (SIO) said it confirmed that Shanghai-based company Agora Inc., which makes real-time engagement software, "supplies back-end infrastructure to the Clubhouse App." The SIO further discovered that users' unique Clubhouse ID numbers — not usernames — and chatroom IDs are transmitted in plaintext, which would likely give Agora access to raw Clubhouse audio. So anyone observing internet traffic could match the IDs on shared chatrooms to see who's talking to each other, the SIO tweeted, noting "For mainland Chinese users, this is troubling."

The SIO researchers said they found metadata from a Clubhouse room "being relayed to servers we believe to be hosted in" the People's Republic of China, and found that audio was being sent to "to servers managed by Chinese entities and distributed around the world." Since Agora is a Chinese company, it would be legally required to assist the Chinese government locate and store audio messages if authorities there said the messages posed a national security threat, the researchers surmised...

The company told SIO that it was going to roll out changes "to add additional encryption and blocks to prevent Clubhouse clients from ever transmitting pings to Chinese servers" and said it would hire an external security firm to review and validate the updates.

Re: Anyone think the poor encryption is unintentio

[dwater]

So, you hate the CPC?

communism and socialism

[Geoffrey.landis]

Not millennials, they love the ideas of communism and socialism.

The word means different things to millennials than it does to old farts. For fifty years or more, libertarians had been criticizing just about every action by the government as "socialism". As a result, millennials have learned "socialist" as a word that means "any action the government takes that benefits the people".

I detest that redefinition of the word, but it's far too late to do anything about it.

As for the word "communism"-- no. Millennials don't "love the idea of communism"-- to millennials, "c

Re:

[WindBourne]

worse yet, we have so many trolls/shills/etc here claiming that CHina is NOT communist, that young idiots actually buy off on this crap. It is only when you see what is REALLY going on, that you come to realize that CHina, Russia, N. Korea, Iran, etc are far far more messed up than the west is.,

Not communism [Re:communism and socialism]

[Geoffrey.landis]

worse yet, we have so many trolls/shills/etc here claiming that CHina is NOT communist,

China is definitely authoritarian, but it's not clear to me that it's actually communist. In fact, their system of private corporations which are in the service of a central government looks a lot more like a different economic system, fascism.

Fascism is a word that is even more mis-defined than socialism-- it tends to be used to mean 'any strong government we don't like'-- and it's not really even studied as an economic theory any more. But this is the communist economic model, not communism.

"Where social

Re:

[Shaitan]

All that. And no it has nothing to do with healthcare and feeding children and everything to do with authoritarian powers (including corporate).

what does it mean?

[Geoffrey.landis]

All that. And no it has nothing to do with healthcare and feeding children

That's the problem right there. To millennials (and younger), the word "socialism" does mean "healthcare and feeding children".

and everything to do with authoritarian powers (including corporate).

... and to people who studied classical economics, it means "worker ownership and control of the means of production" (which later mutated to "government ownership of the means of production", where the "government" purported to be operating on behalf of the worker.)

Musk invites Putin

[spinitch]

Chinese servers ? Does Russia have an equivalent, like open windows? Pick your poison? Accidents happen? Plausible denial?

Re:

[Geoffrey.landis]

The Russians and the Chinese seem to have different approaches to spying.

The Russians surreptitiously insert malware into servers.

The Chinese say "here's a cool app, why don't you load it? Oh, by the way, it spies on you, that's no prob, right?"

US Company?

[vlad30]

Why would a US company route data through Chinese servers?

Re:

[NateFromMich]

Why would a US company route data through Chinese servers?

Where did you see a US company mentioned? It says "Shanghai-based company Agora Inc" in the article.

Agora told the SIO it does not store user audio or metadata other than to monitor network quality and bill its clients, and as long as audio is stored on servers in the US, the Chinese government would not be able to access the data.

Oh, that's reassuring. The servers in the US would magically be totally inaccessible to the Chinese government even though the Shanghai-based company operates them.

Re:

[NateFromMich]

Nevermind, I get it now. Clubhouse is supposedly a US company, but their entire backend is written by Agora.
That means nothing. The entirety of the code could have been written by the Chinese company for all we know.

An Attempt at Constructive Feedback

[ytene]

AC, This post, one one very similar to it, is being posted to slashdot by an anonymous user on a pretty regular basis. Every time I see it, I note that it has been modded down to -1, which renders it invisible to pretty much all but moderators and the insatiably curious.

The fact that you keep coming back and keep posting more-or-less the same thing suggests that either you’re trolling slashdot or you care enough about this to try and make your point.

I’ll gladly give you the benefit of the

Re:

[NateFromMich]

I've been occasionally responding to this guy for at least a year now. It's pointless. He won't answer you.
Probably a script that just posts these on every new article.

Re:

[ytene]

I suspected as much.

But if that is the case, then it is long past time for the Slashdot Admins to amend the software that "publishes" these posts.

I don't advocate the outright ban of "AC" posting... but the publishing subroutine needs to have some form of basic pattern-matching logic that identifies and catches this crap.

The admins are getting an awful lot of support from moderators "for free", but they're not holding up their end of this bargain. It's bad enough that the process they are using to

Re:

[NateFromMich]

I suspected as much. But if that is the case, then it is long past time for the Slashdot Admins to amend the software that "publishes" these posts. I don't advocate the outright ban of "AC" posting... but the publishing subroutine needs to have some form of basic pattern-matching logic that identifies and catches this crap. The admins are getting an awful lot of support from moderators "for free", but they're not holding up their end of this bargain. It's bad enough that the process they are using to select articles for publication appears to be circling the drain, but crap like this and Naxi [sic, replace a z] symbols should be caught at source. Before slashdot was sold, it really felt like the owners cared about the quality of articles posted and the overall discourse. These days it feels like the current owners will shovel any old sh1t through the system as long as it generates advertising space and revenue. At which point those of us wanting actual intelligent conversation may be tempted to go elsewhere. Which would be shame, but it feels like it is getting increasingly likely.

Yeah the soylent news site is honestly pretty good. I visit both.

Re:

[k2r]

Please elaborate how mastodon not listing your server on their site is tyranny.

Also: You have issues.

Promises are meaningless.

[Gravis Zero]

One thing you should know about corporations is that promises mean nothing if they are not backed by a legal requirement under threat of jailtime. If they can "sorry we lied" their way out of it, they will do that. If there is a legal requirement but the penalty is a fine, they will hide it and when discovered pay the fine as a cost of doing business.

The only situation where a corporation will ever tell the truth is when the executives are personally under threat of being imprisoned.

What requirements for (anywhere) based services?

[BardBollocks]

We all know that NSA siphons off ALL internet traffic in North America, and similarly the other 5 eyes members do so and share that data (plus a few other affiliated nations).

Is this Chinese requirement less bulk interception and more service supplied data?

Is this really about WHO gets to spy on us, rather than us being spied on?