Video conferencing tech used by UK government, but not cleared for ‘secret’ discussions
ANALYSIS The lockdown prompted in response to the coronavirus pandemic has seen usage of Zoom skyrocket, renewing security and privacy concerns about the video conferencing app.
Zoom has been criticized over aspects of its data collection practices and privacy policy by critics including some in the infosec industry, academics, and consumer rights group Consumer Reports.
But do any of these criticisms hold weight? Is Zoom ready for business use on a global scale? We take a closer look into the hugely popular remote conferencing app.
Zoombombing and privacy pleas
Meetings held over Zoom can take place without passcodes, offering convenience but also allowing pranksters or worse to jump into discussions uninvited – a phenomenon that has even spawned its own term: ‘zoombombing’.
Problems in this area can be managed by checking permissions, a process many new to the technology may be unfamiliar with, but an area in which Zoom itself has been proactive in helping users to navigate.
Less easy to dismiss are long running concerns about Zoom’s privacy policy.
Doc Searls, author and fellow at the Center for Information Technology and Society at UC Santa Barbara, last week said Zoom’s privacy policy left it “creepily chummy with the tracking-based advertising biz (also called adtech)”.
In one example cited by Searls, Motherboard discovered last week that Zoom’s iOS app sent data to Facebook, even for users who had no Facebook account.
Zoom removed the offending code soon after the practice was uncovered.
“Zoom takes its users’ privacy extremely seriously and the company has taken action to address the Facebook SDK [Software Development Kit] issue,” a company spokesperson told The Daily Swig.
Days later, Zoom updated its privacy policy “to be more clear, explicit, and transparent".
“Ensuring the privacy and security of its users and their data is Zoom’s top priority and to address recent concerns about Zoom’s privacy policy, the company announced some clarifying updates to its privacy policy through its blog,” a spokesperson explained.
In a blog post, Searls welcomed the re-write as “far more clear than what it replaced”, while arguing that Zoom ought to go further is distancing itself from the adtech business.
“There will be no need for Zoom to disambiguate services and websites if neither is involved with adtech at all,” he said. “And they’ll be in a much better position to trumpet their commitment to privacy.”
Va va Zoom
A security vulnerability that surfaced last year allowed miscreants to hijack people’s webcams through Zoom. At the time, the app’s developers were criticized for their alleged failure to address the issue promptly.
Zoom seems to have learned from the experience by becoming much more pro-active in addressing recent privacy policy concerns.
However, the organization’s response to challenges to marketing claims that it offers end-to-end (E2E) encrypted sessions to meeting hosts has been far less assured.
What Zoom offers could be more accurately described as ‘end-to-end transport security’, where connections are protected by encryption but Zoom itself is able access data and might therefore by obliged to turn over its cloud-hosted content in response to government subpoenas or other mandated requests.
The cloud-based video conferencing firm has become a fashionable target for white hat hackers, and there’s little doubt that Zoom is going to come under even more intense scrutiny and probing over the coming weeks.
“Zoom is going to need to demonstrate more transparency, including putting a security face to all of these responses,” Alex Stamos, the former chief security officer at Facebook, commented on Twitter.
“A documented 30-day security plan that includes a feature freeze, several professional pen tests and rolling out coordinated disclosure policies would be smart.”
Zooming into Cabinet
Video conferencing from Zoom is reliable, functional and easy to use. That means qualms from some in the infosec community that the app has a bias against introducing security controls that might introduce friction are not cutting through to mainstream business.
The technology’s obvious utility in the midst of an unprecedented global health crisis that has resulted in millions working from home in front and center for a growing number of organizations.
As a result, Zoom is cropping up in all sorts of unexpected places.
Despite reports that the technology was prohibited by the UK’s Ministry of Defence, at least part of a government Cabinet meeting was held on Zoom last week
British Prime Minster Boris Johnson used his official Twitter account to herald the “first ever video conference Cabinet meeting”.
Read more of the latest cloud security news
This week’s UK Cabinet was entirely virtual. Johnson promoted this by posting a screenshot on Twitter that contained the Zoom meeting ID and cabinet member’s usernames.
Even though the meeting was password protected – avoiding the most obvious Zoombombing risk – publicly exposing the meeting ID still smacks of inviting trouble.
Use of cloud-based video conferencing technology in cabinet meeting was, in principle, permissible, a spokesperson for the UK government’s National Cyber Security Centre (NCSC) told The Daily Swig.
“In the current unprecedented circumstances, the need for effective channels of communication are vital. NCSC guidance shows there is no security reason for Zoom not to be used for conversations below a certain classification.”
Asked to clarify what level of classification was allowable on Zoom or comparable technologies a UK government spokesperson explained: “We’re talking about discussions at official level (so not discussions at a higher level of sensitivity).”
The NCSC recently issued guidance to organizations on how to manage the cyber security challenges of increased home working in the midst of the coronavirus pandemic.
The document offers common sense general advice. “We’re updating guidance regularly, so I’ll let you know if/when we have more on videoconferencing,” a NCSC spokesperson told The Daily Swig.
READ MORE Will the coronavirus pandemic impact browser security?