Zoom’s Security Flaws May Allow China Peek Into Your Meetings

A report by Citizen Lab has spoken at length about Zoom’s poor encryption choices. It described Zoom as an American company with a Chinese heart. It found that the encryption keys for meetings were generated by servers located in China, even when every participant was outside China. Chinese involvement in itself isn’t a problem; when it comes to encryption and communications, however, China’s involvement is a massive problem. Under local law, the Chinese government reserves the right to compel companies to give authorities access to otherwise encrypted sessions. The Citizen Lab report notes, “Zoom may be legally obligated to disclose these keys to authorities in China.” This puts people who handle serious data or discuss issues of national security and governance on Zoom at serious risk. Taking advantage of the global pandemic, China could not only mount surveillance but also put nefarious designs into practice.

The report elicited a blog post from Zoom CEO Eric Yuan in which he said that routing meetings with no participants in China through Chinese servers was the result of the company’s efforts to massively scale up capacity amid the coronavirus crisis.

Yuan’s argument for scaling up capacity rested on the premise that manpower capacity was shrinking fast in Europe and America. As the coronavirus caused outages through severe manpower shortages, Zoom fell back on China for the manpower to keep its services running as demand surged.

What can you do?

Avoid Zoom if your profession falls under a sensitive category, at least until Zoom’s server changes have been verified by independent sources and more information becomes available about its use of companies in China.

Harvesting user data through LinkedIn

Anyone who had signed up for LinkedIn’s Sales Navigator, a tool marketers use to find new prospects, could access the data of every participant in a Zoom VC (video conferencing) meeting they attended. This was possible because every Zoom participant’s name and email address (if available) was matched against LinkedIn’s database and, if they had a profile, linked to it. Any participant with access to the LinkedIn feature could hover over another participant’s name to see their LinkedIn profile card. The issue was brought to light by the New York Times, and the feature was disabled soon afterward.

Hosting a Zoom meet? You better not chat

This applies to enterprise and paid accounts. Zoom allows meeting participants to save a recording of the meeting that includes a text transcript of the public chat messages sent among participants, and all participants get access to that transcript as well as the video recording. Sounds fair, right? What Zoom also does is include in the transcript all private messages between the host and any other participant. This essentially means the host’s private messages are not private anymore. Not only does this jeopardize the host, it can also open the door to extortion or hostility should anything unpleasant be discovered in the chats. As a host, avoid private messaging other participants while on a Zoom call. Alternatively, if the host has to message someone, switching to a different application such as Hangouts or Messenger is advisable.

What has Zoom done to mitigate the risks?

Zoom CEO Eric S Yuan apologized in a blog post for “falling short” on security issues and promised to address concerns. He admitted that despite “working around the clock” to support the influx of new users, the service had “fallen short of the community’s—and our own—privacy and security expectations.” Yuan outlined a number of measures undertaken by Zoom, including a dedicated K-12 privacy policy and fixes for some recently highlighted Mac issues.

These are some of the measures Zoom has taken, as mentioned in its blog:

The company is freezing all new features for 90 days and committing to enhancing the security of the platform.
It has fixed most of the bugs mentioned above.
It’s enhancing its bug bounty program and conducting a thorough security review with third-party experts.
CEO Eric Yuan is hosting a weekly privacy review call every Wednesday.

Conclusion

The advantage of using Zoom is that it’s quick to set up and use, and it’s available across multiple platforms. It’s no wonder, then, that people prefer it for meetings and online classrooms. If you’re going to discuss sensitive information over a video call, it’s better to avoid Zoom for now. Zoom is in choppy waters, but not completely at sea. If it can act swiftly and communicate transparently with stakeholders and users, it can salvage its reputation and become the top choice for remote meetings across the world.