Clubhouse says reviewing data protection practices after report points to flaws

SHANGHAI, Feb 13 (Reuters) - U.S. audio app Clubhouse saidit is reviewing its data protection practices, after a report bythe Stanford Internet Observatory said it contained securityflaws that left users' data vulnerable to access by the Chinesegovernment.

The app said in a response to the study, published by theresearch group at Stanford University, that while it had optednot to make the app available in China, some people had found aworkaround to download the app which meant the conversationsthey were a part of could be transmitted via Chinese servers.

"With the help of researchers at the Stanford InternetObservatory, we have identified a few areas where we can furtherstrengthen our data protection," the company said in a statementpublished https://cyber.fsi.stanford.edu/io/news/clubhouse-chinaby the research group on Friday.

"Over the next 72 hours, we are rolling out changes to addadditional encryption and blocks to prevent Clubhouse clientsfrom ever transmitting pings to Chinese servers. We also plan toengage an external data security firm to review and validatethese changes."

Clubhouse did not immediately respond to a request fromReuters for further comment on Saturday.

Launched in early 2020, the app saw global user numbers soarearlier this month after Tesla CEO Elon Musk andRobinhood CEO Vlad Tenev held a surprise discussion on theplatform.

Masses of new users joined from mainland China, taking partin discussions on topics that included sensitive issues such asXinjiang detention camps and Hong Kong's National Security Law.But their access to the app was blocked last week, triggeringfrustration and fears of government surveillance.

The Stanford Internet Observatory said that it had confirmedthat Chinese tech firm Agora Inc supplied back-endinfrastructure to Clubhouse, and that Agora would likely haveaccess to users' raw audio, potentially providing access to theChinese government.

It also said it observed room metadata relayed to servers itbelieved were hosted in China and audio to servers managed byChinese entities. It added, however, that it believed theChinese government would not be able to access the data if theaudio was stored in the United States.

Agora did not immediately respond to a Reuters request forcomment while the Cyberspace Administration of China, whichregulates the country's internet, did not respond to calls forcomment made during China's Lunar New Year holiday.

"SIO chose to disclose these security issues because theyare both relatively easy to uncover and because they poseimmediate security risks to Clubhouse's millions of users,particularly those in China," the report said.

Data analytics firm Sensor Tower said the app, which is onlyavailable on Apple's iPhone, had about 3.6 million usersworldwide as of Feb.2, with 1.1 million registered in the priorsix days.(Reporting by Brenda GohEditing by Clelia Oziel)