Zoom Security Issues / by Justin Longo

There has been a lot of discussion lately about security vulnerabilities and Zoom. Here is hopefully some clarity about those security issues, largely based on an excellent post from the UofT Citizen Lab titled "Move Fast and Roll Your Own Crypto" published on April 3 2020 here, plus some other sources.

The main issues explored here are with respect to the location of Zoom data (China) and the encryption of Zoom conversations (and how much we can trust either). The basic messages are:

  • Users need to think clearly about how realistic these security vulnerabilities are for the average user (in most cases these are low), and 

  • Users acting as meeting hosts have a responsibility to understand how their choices can weaken the security of their use of Zoom. 

One reason that Zoom has become so popular so fast is that "it works". Two central reasons it works so well are that it has invested heavily in development (related to the "China" issue), and that it has cut corners on security to improve performance (largely related to the encryption issue). 

China connections: Zoom appears to own three companies in China through which at least 700 employees develop Zoom’s software. Largely, this is an effort to save money while also doing lots of software development. However, this arrangement may make Zoom responsive to pressure from Chinese authorities. The Chinese National Intelligence Law states that “an organization or citizen shall support, assist in and co-operate in national intelligence work.” This means that Chinese firms could be required to provide the government with access to any data they request. (I’ve written about this previously with respect to the issue of Huawei and our 5G wireless infrastructure.) In the Citizen Lab investigation, they found that some encryption keys are sometimes delivered to participants in a Zoom meeting through servers in China, even when all meeting participants are outside of China. This is not necessarily nefarious — this is how the Internet works. It is, nonetheless, true that the encryption keys for your Zoom meetings are held on servers in China, and are therefore subject to the national intelligence law.


Update: April 20 2020: Zoom announced on April 13 that paid Zoom customers will be able to select which data centre regions their account uses for its real-time meeting traffic in order to avoid this potential problem. To select which data centre regions to use, log into your profile on the Zoom web interface. Under “Settings” go to “In Meeting (Advanced)” and scroll down to “Select data center regions for meetings/webinars hosted by your account”. Toggle this on and then de-select those locations you do not want to use (you are not able to opt out of the default region—the region where your account is provisioned—which is locked). Note that removing regions will have implications for your participants joining calls from those regions.


Software Security Vulnerabilities: We've all heard by now of "Zoombombing". But rather than being an inherent security problem, this is the result of a Zoom "feature" that results in a security vulnerability due to user error (a common occurrence in software). Anyone who has ventured into the long list of Zoom settings will quickly see how easy it is to select a setting that isn't what the meeting host had intended. There are a few simple rules to follow to guard against Zoombombing. But the basic rule is that it takes some time to acquaint yourself with these settings if you are going to safely host a Zoom meeting. These vulnerabilities are Zoom's fault in the sense that it has put too much flexibility in the hands of users (conversely, Apple's approach is to reduce its users' vulnerability by reducing their degrees of freedom in controlling their devices). 


In an earlier version, I wrote about a potential security vulnerability with Zoom Waiting Rooms. This problem appears to have been fixed. See this tweet.


Update April 8: Zoom has released a version update (version 4.6.10) that users should install. This update:

  • removes the meeting ID from the title bar (this should be called the UK Cabinet Meeting Fix)

  • moves the invite button to the Participants panel, and

  • adds a "Security" button in the host's meeting toolbar that looks like this:


The new “Security” icon on a host's Zoom taskbar


The Encryption Issue

Zoom's central security weakness discussed in the Citizen Lab report relates to the lack of clarity around the encryption of communications, which seems like a deliberate feature designed to increase the speed and stability of video connections. Zoom claims that the app uses “AES-256” end-to-end encryption for meetings where possible. The bright green padlock icon present on your Zoom screen implies the transmission is encrypted. However, the Citizen Lab investigation found this to be untrue. (The means by which the Citizen Lab examines how Zoom meetings are encrypted takes up the bulk of the blog post.)


Update April 30: on April 27 2020, Zoom announced in a blog post that Zoom 5.0 (which is now available and is recommended for all users) would support AES 256-bit GCM encryption as of May 30 2020. I cannot confirm whether this fully addresses the concerns raised in the April 3 2020 Citizen Lab report.


“End-to-end encrypted” is generally understood to mean that only the parties in the communication can access it. However, the Zoom app uses non-industry-standard cryptographic techniques with identifiable weaknesses. In addition, during multiple test calls in North America, the Citizen Lab investigation observed keys for encrypting and decrypting meetings transmitted to servers in China (again, not necessarily nefarious but nonetheless troubling). 

Zoom has recently clarified that it does not currently implement “end-to-end” encryption as most people understand the term; instead, Zoom uses its own definition which places their servers in the middle of the encryption chain. Because of this alternative definition, Zoom has the theoretical ability to decrypt and monitor Zoom calls - though Zoom denies it does this. It's also important to note that other enterprise video conferencing services take a similar approach to managing encryption keys.
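
To make the difference concrete, the following is an added example (not from the original post, and not Zoom's actual protocol) contrasting a meeting key issued by the server with a key the participants derive themselves. The function names, the X25519 exchange and the SHA-256 key derivation are assumptions chosen for illustration, and the message is constructed sample data.

```javascript
const nodeCrypto = require('crypto');

// AES-256-GCM; output layout is nonce (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, msg) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(msg), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

// Returns the plaintext, or null if the key is wrong or the data was altered.
function open(key, sealed) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
    d.setAuthTag(sealed.subarray(12, 28));
    return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
  } catch {
    return null;
  }
}

// Can a party decrypt, given every 32-byte value that passed through its hands?
const canRead = (sealed, seen) => seen.some((k) => open(k, sealed) !== null);

// Model 1: the server creates the meeting key and sends it to each client.
function serverKeyed(msg) {
  const key = nodeCrypto.randomBytes(32);
  const sealed = seal(key, msg);
  return { client: canRead(sealed, [key]), server: canRead(sealed, [key]) };
}

// Model 2: clients swap X25519 public keys via the server and derive the key locally.
function endToEnd(msg) {
  const a = nodeCrypto.generateKeyPairSync('x25519');
  const b = nodeCrypto.generateKeyPairSync('x25519');
  // Simplified key derivation (SHA-256 of the shared secret); real designs use HKDF.
  const derive = (priv, pub) => nodeCrypto.createHash('sha256')
    .update(nodeCrypto.diffieHellman({ privateKey: priv, publicKey: pub })).digest();
  // The raw 32-byte public key is the tail of the DER encoding.
  const rawPub = (k) => k.export({ type: 'spki', format: 'der' }).subarray(-32);
  const sealed = seal(derive(a.privateKey, b.publicKey), msg);
  return {
    client: canRead(sealed, [derive(b.privateKey, a.publicKey)]),
    server: canRead(sealed, [rawPub(a.publicKey), rawPub(b.publicKey)]),
  };
}

console.log(serverKeyed(Buffer.from('constructed sample')), endToEnd(Buffer.from('constructed sample')));
```

In the first model the server can read the meeting because it holds the key; in the second it sees only public keys and ciphertext. The second model assumes the server relays the public keys honestly, so real end-to-end designs also have participants verify each other's keys.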

These issues should be concerning for governments dealing with confidential issues (though the ZoomGov software may provide a solution), some businesses, healthcare providers responsible for patient confidentiality (Zoom’s HIPAA/PIPEDA-compliant healthcare plan is an option), and activists, lawyers, and journalists working on sensitive topics. "For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning." 

For educators, it is our responsibility to be reasonably aware of the risks associated with using Zoom and proceed appropriately.