The incredibly quick uptake of online video conferencing app Zoom since the coronavirus crisis began seemed to take everyone by surprise – including, perhaps, the company’s founders.
Issues with Zoom’s privacy and treatment of data have become relatively common knowledge in recent weeks, but Lokman Tsui, an assistant professor at the Chinese University of Hong Kong, told THE that Zoom’s security issues predated the coronavirus outbreak.
“Zoom has a history of not being super careful with security, because they want to be easy to use and to scale well,” he said, adding that the company did act quickly to fix problems as they arose.
A study by the Citizen Lab at the University of Toronto earlier this month detailed a potential lack of confidentiality in Zoom meetings, just as many new users started using the online meeting tool as a result of campus closures caused by the Covid-19 pandemic.
The report cites, as a security concern, the “transmission of meeting encryption keys through China” even when the participants were not in China. It also says that, while Zoom is a US-based company, it owns Chinese companies that hire hundreds of Chinese workers to develop its software. “This arrangement could also open up Zoom to pressure from Chinese authorities,” the report authors write. They followed up with a second report on the “vulnerability” of Zoom’s waiting room feature.
Regarding the routeing of encryption keys through Chinese servers, Professor Tsui said that, in theory, that practice could give the authorities the right to ask for access to conversations.
“So if Zoom – or a government that asks Zoom – wants to know what users are talking about, Zoom theoretically could tell them what was said,” he explained.
However, Professor Tsui stressed that this was only a theoretical example. “There’s no evidence that the Chinese government has used Zoom for surveillance yet,” he said.
To Zoom’s credit, its CEO Eric Yuan responded to the University of Toronto report the same day it was released. Writing in a blog post, he said that the routeing through Chinese servers was a “misstep” and the company “immediately” removed the Chinese data centres for users outside China. Zoom also quickly fixed the waiting room feature mentioned in the second report.
A Zoom spokesperson told Times Higher Education that “Zoom takes user privacy, security and trust extremely seriously...During the Covid-19 pandemic, we are working around the clock to ensure that universities, schools and other organisations across the world can stay connected and operational.”
The spokesperson explained that Zoom was originally developed for “enterprise use”, meaning use by organisations and institutions. Then came the sudden rise in individual teachers and students logging into Zoom from personal devices at home.
“As more and new kinds of users start using Zoom during this time, Zoom has been proactively engaging to make sure they understand Zoom’s relevant policies, as well as the best ways to use the platform and protect their meetings.”
Professor Tsui – who was speaking via Zoom himself – said that educators should take a balanced but cautious approach to online communications. “There’s no perfect alternative,” he said. For example, while Zoom has been criticised for not offering true end-to-end encryption, other common tools such as Gmail did not either.
“So many people rely on Zoom. If you’re just teaching, it’s probably OK,” he said. “But there are caveats. Maybe you won’t want to share confidential materials.”
Since the University of Toronto report was released, some jurisdictions have taken a more cautious route for now.
On 5 April, the New York City Department of Education advised principals to use alternatives to Zoom, according to an internal email obtained by CNBC. On 7 April, Taiwan advised governmental and some non-governmental bodies to do the same because of “security or privacy concerns”.