EDITORIAL: Others can Zoom in on you


Aretha Franklin’s 1985 hit Who’s Zoomin’ Who? came to mind this week amid growing security concerns in Taiwan and around the world over the popular remote videoconferencing software created by Zoom Video Communications.

While Franklin was wondering about who was checking out a potential date more, a man or a woman, the public and government authorities in many places want to know who can or has been checking out what is being said, or seen, in video and audio communications using the San Jose, California-based tech company’s app.

Vice Premier Chen Chi-mai (陳其邁) on Tuesday said that government agencies and state-run companies should not use Zoom’s products or other software that could pose a security risk, as the Executive Yuan sent out a letter reminding them to observe the Information and Communication Security Management Act (資通安全管理法).

The Ministry of Education followed those warnings up by telling schools that Zoom was banned for distance learning, much as the New York City school system had done earlier.

The German Ministry of Foreign Affairs on Wednesday banned its staff from using Zoom’s software, saying that its security and data protection shortcomings made it too much of a risk. The US Senate reportedly later told its members to find an alternative platform for remote work, while agencies and companies ranging from NASA to SpaceX and Google have banned the app either partially or completely over security concerns.

The warnings and bans have crimped the tech start-up’s meteoric rise in the wake of lockdowns and travel bans as the COVID-19 outbreak turned into a pandemic that created an exponential need for videoconferencing and digital platforms by non-corporate users — including organizers of international policy meetings and the British Cabinet.

The backlash follows reports by Citizen Lab and other researchers that Zoom software transmits and receives encryption and decryption keys from a server in Beijing, even for conversations between parties outside of China, and an increasing number of reports of “zoombombing” (the crashing or hijacking of meetings by strangers or even invited guests), in addition to earlier complaints that it was sharing data with Facebook.

The company’s latest woes appear to be threefold: Zoom’s app uses cryptographic techniques known to have weaknesses; its research and development appears to be done largely by programmers working for it, directly and indirectly, in China; and Zoom uses servers in Beijing to handle meeting keys, which leaves it open to potential legal demands from the Chinese government for access to the keys and transmissions.

Given the proliferation of phishing, ransomware, industrial espionage and cybercrime over the past few years, security needs are certainly paramount for those seeking to use videoconferencing technology, but Zoom’s app took off precisely because it marketed its ease of use, its “just working” mantra, and what now appears to be some deliberate obscuration of its transport and security protocols.

Taiwan has more reason than most to be wary of software and apps that are vulnerable to hacking from within China or legal pressure from Chinese authorities, but the numerous security lapses regarding Zoom’s products should make anyone cautious about using its technology — or others’ — for corporate, medical or government needs, unless security can be ensured.

As Zoom executives scramble to repair the public relations damage to their firm, the complaints raised about its apps are a prime example of why ease of access and convenience are no excuse for ignoring due diligence on privacy and security concerns, whether on an individual, organizational or governmental level.
