The Wuhan virus pandemic has reduced the entire planet to the confines of their households. In such trying times, work, studies and everything in between have taken a hit. But a video conferencing app by the name Zoom has seen a huge spike in popularity amidst the pandemic. The Zoom app is now being used by millions for work and social gatherings since quarantines were imposed. Governments across the world are also using the app to conduct several high-profile meetings. Zoom has now been involved in a major controversy around privacy and security issues.
Zoom was started in 2011 by Chinese software engineer Eric Yuan and the company is based in California’s Silicon Valley. Despite being based in the US, the company has admitted that it routed ‘some’ of the calls through China, that is, user data was allowed to flow through two Chinese data centers. This puts at grave risk politicians, government officials and CEOs across the world including in India.
This data traveled via China, especially video calls by non-Chinese users and calls that took place since February. Zoom admitted it was a mistake. The company was reportedly trying to cope with increased traffic as lockdowns began.
The AES-128 keys, which are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in Beijing, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
In a blog post released by the company, it has also admitted to not using true end-to-end encryption. Typically, the term “end-to-end encrypted” means that only the parties to the communication can access it (and not any middlemen that relay the communication). But a mere look at the blog post will make you understand that Zoom’s definition of end-to-end encryption is starkly different from the conventional one.
While Zoom is headquartered in the United States, and listed on the NASDAQ, the mainline Zoom app appears to be developed by three companies in China. A research group from the University of Toronto’s Citizen Lab highlighted that Zoom has several hundred employees in mainland China. The Chinese authorities might try to coax their way into the app to use it for surveillance and securing sensitive data, if they aren’t already doing so. The US-based company employs at least 700 employees in China (through its affiliates) that work in “research and development.”
This is not the first time that Zoom has been found in a pickle. It has a troubled history since its inception. Zoom has had security flaws in the past, including a vulnerability that allowed an attacker to remove attendees from meetings, spoof messages from users and hijack shared screens. Another saw Mac users forced into calls without their knowledge.
As a panic countermeasure to mitigate any possible loss, Zoom quickly rewrote its policy and asserted that it does not sell personal data, but concerns remain as hackers can steal Windows passwords and inject malware. The biggest issue of all is with the encrypting and securing of calls.
As a result, Zoom has already been banned in Taiwan by the government amidst rising concerns over the app’s security features. The lapses have also driven away customers that include the likes of Elon Musk, who has banned the use of Zoom for SpaceX and Tesla due to privacy concerns. New York City has directed its schools, a system with more than 1.1 million students, to move away from using Zoom as soon as possible.
The app has glaring holes in its operations and therefore users need to be wary of it, government officials in particular. A picture is doing the rounds in which India’s Defence Minister Rajnath Singh can be seen using the Zoom app to address a meeting with Chief of Defence Staff Bipin Rawat.
Zoom claims it offers end-to-end encryption. But a probe finds that Zoom meetings are potentially compromised when keys for encrypting and decrypting are transmitted to servers in China: https://t.co/HiJyr0Q9fG. The last thing the Indian defense minister should be doing is this! pic.twitter.com/zQ9VErzxxy
— Brahma Chellaney (@Chellaney) April 6, 2020
The app is not safe for use by any means whatsoever, and in a day and age when privacy is the most prized commodity, using Zoom is a sure-shot way to compromise it. Unless the company really gets its act together and fixes the obvious and glaring chinks in the armor, users should steer away from using it.