With privacy concerns looming, Zoom app yet to appear on Indian radar

Even though there have been increasing reports of videoconferencing app Zoom being vulnerable to hacking, and a recent investigation revealed the company sends some encryption keys to China, alarm bells are yet to ring in India.

On Friday, Canada-based independent research organisation Citizen Lab found that Chinese servers were being used to distribute encryption and decryption keys for videoconferences on Zoom. “We suspect that keys may be distributed through these (Chinese) servers. A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” the Citizen Lab researchers noted. In addition, it also found that the company’s claims about being end-to-end encrypted were misleading.

Zoom has become extremely popular in the past few weeks, with most parts of the world under lockdown due to the ongoing Covid-19 pandemic, and people working from home. The app even surpassed WhatsApp and TikTok in the number of downloads on Google Play store last week.

In response, Zoom Chief Executive Officer (CEO) Eric Yuan said in a blogpost the same day, that in its haste to support the vast number of users it was adding, the company failed to fully implement its usual geofencing best practices. “However, in February, Zoom rapidly added capacity to our Chinese region to handle a massive increase in demand. In our haste, we mistakenly added our two Chinese data centres to a lengthy whitelist of back-up bridges, potentially enabling non-Chinese clients to — under extremely limited circumstances — connect to them,” he said.

The blogpost also said that the error had no impact on its Zoom for Government Cloud, a separate cloud service for government customers. Several Indian enterprises and even government meetings take place on Zoom.

Coupled with these revelations and earlier privacy concerns, including sharing user data with LinkedIn and Facebook and ‘Zoombombing’, where people can enter Zoom meetings uninvited and share hate speech or pornographic images, the San José-based company has lost clients like Tesla and the New York City Department of Education.

In India, however, as Zoom gains popularity, there hasn’t been any large-scale impact; a large number of businesses and governments continue to use the platform.

The Indian Computer Emergency Response Team (CERT-In) put out an advisory on March 30 about ‘secure usage of Zoom videoconferencing application’, detailing the steps users should take to ensure their data remains protected.

“There is nothing as such that we have done. We checked with Zoom and they assured us that Indian data is not being sent to Chinese servers,” said a government official.

Similarly, companies which use Zoom extensively for meetings have been telling their employees to be more careful with the use of the software. A large firm in the information technology sector has been sending emails to its employees educating them on the proper and safe use of Zoom.

Cybersecurity experts, however, say that for more sensitive meetings, users should consider moving to alternative, more secure applications. “I recommend using other end-to-end encrypted video platforms to ensure privacy. Also, I would not recommend free software for sensitive or private meetings. For example, Cisco’s Webex, Signal, etc ensure the maximum level of security by adjusting the platform’s settings. To avoid being ‘Zoombombed’, users should avoid sharing the link or meeting ID on social media or other public websites,” said Manan Shah, founder and CEO of cybersecurity firm Avalance Global Solutions.

Rajshekhar Rajaharia, an independent cybersecurity researcher, said Zoom passwords for private meetings can also get indexed on Google. He cautioned users that while starting a meeting on Zoom, one should not share an invitation URL that is already having a password. “You can share a meeting ID and password separately because people can misuse the URL or they may be indexed by Google. Previously invitations to WhatsApp group chats were being indexed by Google,” he said.