Max Schrems, one of the central figures in bringing down the EU-US Privacy Shield, has penned an open-letter slams the Irish Data Protection Commission for not dealing with Facebook appropriately.
With his privacy campaign organisation, noyb.eu (none of your business) taking on the social media giant, Schrems has heavily criticised the regulator for a lack of action, shrouding investigations with mystery and secret meetings with the firm to create a ‘consent bypass’ situation.
“It sounds a lot like those secret ‘tax rulings’ where tax authorities secretly agree with large tech companies on how to bypass the tax laws – just that they now do this with the GDPR too,” noyb.eu Chairman Schrems said.
The ‘consent bypass’ was an agreement between the authorities and Facebook to switch its policy from ‘consent’ to an alleged ‘data use contract’, allowing the company to track, target and conduct research on users.
“It is nothing but lipstick on a pig,” said Schrems.
“Since Roman times, the law prohibits ‘renaming’ something just to bypass the law. What Facebook tried to do is not smart, but laughable. The only thing that is really concerning is that the Irish DPC apparently engaged with Facebook when they were designing this scam and is now supposed to independently review it.”
According to research quoted by the privacy advocates, only 1.6 – 2.5% of users were aware they were actually entering into a ‘data use contract’. Should these figures be anywhere near accurate, this should not be considered anywhere near good enough.
This entire saga is a bit of ‘he said, she said’ with mud being slung across the wall. On one side of the coin, it is not difficult to imagine secret meetings to figure out how rules can be circumnavigated, but it is also within reason to assume Schrems and his privacy cronies are exaggerating and making a mountain out of a molehill.
Schrems has stated his organisation filed complaints about Facebook during the first few hours of GDPR coming into action, however, the subsequent investigations have not been concluded. This is a fair complaint, these investigations do take time, but then again there has to be a limit. The Information Commissioners Office (ICO) in the UK has delivered dozens of rulings in this period while the Irish DPC celebrated completing the first of six steps last week.
Facebook is a very complicated business with operations spanning across almost every European nation, and while the Irish DPC has been designated lead regulatory authority for several high-profile names, it is not proving itself worthy of this responsibility yet.
Again, you have to take Schrems claims with a pinch of salt, but Silicon Valley is escaping without punishment. We find it impossible to believe all of its residents are acting perfectly within the rules. It would be more credible to blame overly complex bureaucratic processes, a lack of funding, steep workloads and people just not taking privacy as serious as they should; Silicon Valley’s residents at the top of the list.
A thriving economy and low levels of unemployment might have been the focal point of President Donald Trump’s re-election campaign, pre-pandemic, but fighting the ‘red under the bed’ might have to do now.
In 2016, Donald Trump won the Presidential election for numerous reasons, but one very important element was his ability to mobilise the vote of elements of society who wouldn’t have had any interest in politics otherwise. One reason was because of who Trump was and is, a celebrity more than a statesman, but perhaps a more critical element was the message.
Trump ignored political correctness, seemingly appealing to racism and xenophobia as the Make America Great Again slogan was born. He proposed the deportation of all illegal immigrants, the construction of a wall on the US-Mexico border and a temporary ban on foreign Muslims entering the US. The forgotten men and women of the US were the focal point of this campaign.
This campaign, focusing on a single message of foreign people are bad for patriotic US citizens, worked. If Trump is to repeat the success of his 2016 Presidential Election in November, there will have to be another message at the core of the campaign to rouse the masses and build a slogan on.
There has been a suspicion that the success of the economy and low levels of unemployment would have been this focal point. Prior to the COVID-19 pandemic, the economy was on the rise. From Trump’s entry to the Oval office on 6 January 2017, to the final days before lockdown in February, the Dow Jones grew from 19,963 to 29,398, a 47% surge. Unemployment was down to 3.5%, slowly eroding through the three-year period.
The message could have been ‘look what four years of Trump has gotten you, wouldn’t you like four more?’. But then coronavirus hit, and the economy went down the toilet.
The Dow Jones will recover, as will unemployment, but the Trump campaign would be playing with fire by making this the central point of the campaign. Many believe Trump was too slow to act against the coronavirus after spending months claiming it was little more than the common flu. At its worst point, the Dow Jones fell to 18,591 while unemployment is currently as high as 14%, and likely to go higher.
Using the economy as a reason for re-elections is offering ammunition to the Democrat candidate, the opening round of a slug match where Trump can be undermined and embarrassed.
Without this weapon in his arsenal, Trump will have to find a new focal point to build a campaign around; China and Huawei could fit the bill.
Some wacko in China just released a statement blaming everybody other than China for the Virus which has now killed hundreds of thousands of people. Please explain to this dope that it was the “incompetence of China”, and nothing else, that did this mass Worldwide killing!
Trump needs to redirect attention away from his failings as a leader during the pre-coronavirus weeks. People generally need an enemy when times are hard, and the invisible enemy of today will not do; you can’t get people angry about a virus, not in the way that the Trump campaign will want. If Trump can further vilify the Chinese, he can position himself as the hero, the man to champion US values, whatever they might be.
Huawei has been made the proxy of the Chinese Government in the eyes of the US. If the US is scared about the ‘red under the bed’, the idea of communism creeping into democratic societies secretly, the successful telecoms vendor can be made public enemy number one.
This is clearly not a new campaign of hate from the President, but it is one which had quietened off over the last few months. It is an on-going conflict point between the US and Chinese Governments, and fuel was thrown onto the embers last week.
In a new assault from the US Department of Commerce, further efforts were made to inhibit the ability of Huawei to source semiconductor components for smartphones and base stations. The US is perhaps hoping the globalised nature of the technology industry, which has allowed Huawei to thrive, can be weaponised against it as few (if any) companies could operate without a single trace of the US in its supply chain.
“We have survived and forged ahead despite all the odds,” Huawei Rotating Chairman Guo Ping said at a virtual conference this week. “The US insists on persistently attacking Huawei, but what will that achieve for the world?”
Conflict with the Chinese might not sound good for economic reasons, but for political ones, it is fantastic. Trump needs an enemy so he can be the champion of for the forgotten men and women of the US.
While it is clear there are a lot of US politicians buying into the anti-China campaign of hate, we asked Telecoms.com readers how they feel about the on-going aggression towards Huawei:
Telecoms.com Poll: Do you feel the US Government is justified in its action against Huawei?
Yes, it is effectively a pawn for the Chinese Government
Yes, but Government links are not there
Maybe, but show us the evidence of foul play first
No, Trump shouldn’t punish a company just because it is Chinese
No, international competition should be left to sort itself out
Huawei might have enjoyed a brief breather over the last few months, but the signs are there to suggest there might be greater conflict on the horizon. Speaking at the Munich Security Conference this week, Secretary of State Mike Pompeo and Secretary of Defence Mark Esper both drew battle lines.
“Let’s talk for a second about the other realm, cybersecurity,” Pompeo said during his speech. “Huawei and other state-back tech companies are trojan horses for Chinese intelligence.”
“Under President Xi’s rule, the Chinese Communist Party is heading even faster and further in the wrong direction,” said Esper. “More internal repression, more predatory economic practices, more heavy handedness, and most concerning for me, a more aggressive military posture.”
Further sanctions and more aggressive policies against Huawei specifically, as well as other Chinese companies in the international markets, could be on the horizon. Huawei executives have certainly expressed concern, but there are numerous other companies who should also be sitting uncomfortably.
The US Senate recently passed the Holding Foreign Companies Accountable Act (S.945) which could result in numerous companies who do not pass strict criteria being delisted from US stock exchanges. China is of course a target with this legislation.
“The SEC works hard to protect American investors from being swindled by American companies,” said Senator John Kennedy, one of the politicians to introduce the original bill.
“It’s asinine that we’re giving Chinese companies the opportunity to exploit hardworking Americans – people who put their retirement and college savings in our exchanges – because we don’t insist on examining their books. There are plenty of markets all over the world open to cheaters, but America can’t afford to be one of them.”
This legislation would not impact Huawei, it is a private company after all, but it is further evidence of increasing aggression towards China, and suggestions there could be rising tensions.
And while Huawei might be attracting the most attention from US Senators right now, there are certainly more which could fall into the crosshairs. Tencent owns TikTok which has already come under criticism, Alibaba is hoping to expand its cloud computing venture into international markets, while the likes of OPPO and Xiaomi are proving to be quite successful in gaining interest as challenger smartphone brands. These are all companies which would perhaps fall foul of US opinion.
The first Trump campaign rallies will give more of an indication of what will be the focus of his scorn and hatred over the coming months, and where the pent-up frustrations of US citizens could be directed. We suspect Huawei could be in for a rough few months as Trump further vilifies the Chinese Government and looks for an opponent to bureaucratically challenge during the campaign.
Taking down Huawei could be the feather the Trump campaign is looking for in its quest for re-election to the White House.
A German court has reprimanded the Federal Intelligence Service for mass surveillance which violates Basic Law and the privacy rights of its citizens.
For a country which usually flies the banner of privacy rights, some might be surprised by the German intelligence services, Bundesnachrichtendienst (BND), lurching beyond the line of acceptability. However, once again it appears political rhetoric is a distraction technique as the spooks get their hands caught in the cookie jar.
“Thanks to the chief legal counsel, Gesellschaft für Freiheitsrechte (GFF), this a major victory for global civil liberties, but especially those that live and work in Europe,” the Electronic Frontier Foundation (EFF) said.
“Many will now be protected after lacklustre 2016 surveillance reforms continued to authorize the surveillance on EU states and institutions for the purpose of ‘foreign policy and security’ and permitted the BND to collaborate with the NSA.”
The EFF is of course celebrating this decision, though there are numerous other privacy advocates who have vocalised their pleasure.
The issue which is at the heart of this decision is one of unsupervised and unrestricted collection of data. Thanks to an amended version of certain legislation in 2016, telcos and intelligence agencies would monitor communications traffic running through Germany, collecting and analysing any information using keywords.
According to the complainants, data relating to German nationals or persons within Germany must be separated from the other data and deleted prior to any further analysis. Another complaint was the unrestricted nature of the data collection. Content-related keywords that do not target specific individuals is contrary to what would be deemed acceptable in the international regulatory community.
In the ruling from the German courts, the privacy rights of the German constitution also protects foreigners in other countries as well as German nationals, while the wide-reaching and unencumbered nature of data collection from the intelligence services was well beyond its jurisdiction, especially in foreign countries. No intelligence agency should be given complete freedom to operate, such is the powers which are granted to authorities today.
In a move which is more suited to an authoritarian state, the US Senate has voted to extend the powers of intelligence authorities to search browser history without a court warrant.
Although the amended text still has to be agreed by the House of Representatives before heading to the Oval Office to be approved by President Donald Trump, this is a blow for US citizens who should correctly crave the right to privacy.
With only 59 votes being cast in support of a clause which would remove the ability of intelligence and enforcement agencies to snoop and spy without petitioning court judges for a warrant. Such abilities were introduced during the Patriot Act, following the 9/11 attacks in the US, to fight terrorism but it seems these politicians have forgotten the very principles which they are supposed to be protecting.
Ironically, at the same time it is supposedly fighting dictatorships around the world, the US’ attitude towards remarkably similar to the Chinese Governments.
My amendment to secure browser history from warrantless spying would have passed with a full Senate present. The House should listen to @RepZoeLofgren and @WarrenDavidson. Any renewal of government surveillance powers must have equally strong protections for Americans’ privacy.
The snooping powers were granted as part of the Foreign Intelligence Surveillance Act (FISA) which expired in March. Certain aspects from this Act and Section 215 of the US Patriot Act had been slated to be included in the USA Freedom Reauthorization Act. The USA Freedom Reauthorization Act was an effort to renew numerous elements, including the ability for intelligence agencies to spy with judicial authorisation.
Despite the PR campaign in play to validate the legislation (such as ludicrous Bill names and acronyms), and efforts to increase national security, privacy rights should still be respected. Fear should not be used as a weapon to erode democratic rights.
In most democratic nations, authorities have to seek permission from the courts to workaround privacy rules, but this is not the case here. Such rules contradict the claim that Governments are working for the people and can be held accountable by the people; the process of checks and balances has been compromised.
Senator Ron Wyden of Oregon has been championing the fight against government overreach, but it seems he fell one vote short. Had 60 votes been cast in favour of the clause, privacy of the US citizens would be protected, however, his cause fell one vote short. It is not fair to blame the failure of this pro-democracy movement on a single person, but it is interesting to see who didn’t turn up to cast a vote.
There were four individuals not to show up:
Absentee votes for Amendment Number: 1583
The Republican Senators were expected to vote against the Amendment (though many defied party orders) therefore the absence of Alexander and Sasse is not a material loss. Murray, the Democratic representative of Washington was not in the capital during the vote, and neither was the anti-establishment figure of Bernie Sanders.
It does appear both Murray and Sanders have been distracted in recent weeks, enough so that inaction has sent US legislation down a worrying path.
It was of course never going to admit it has been spying on customers, so Xiaomi has hit back at a Forbes article which suggests the smartphone manufacturer is eavesdropping.
The report, which was written in conjunction with security researcher Gabi Cirlig, suggests Xiaomi is collecting data on internet browsing and smartphone usage, even when incognito mode is selected, or privacy-focused browsers such as DuckDuckGo are used. The data could be traced back to servers located in Russia and Singapore, though the domain names have been registered in China.
Although Xiaomi and other smartphone manufacturers collect data on how smartphones are being used to improve performance and inform future design decisions, the report suggests the firm goes way beyond what would be deemed acceptable.
All data should be anonymised and aggregated, to protect user privacy, while explicit consent should be sought from the user before any data is collected. It is claimed Xiaomi has not held up its own end of the bargain, though collecting data from incognito mode or privacy-focused browsers breaks numerous privacy principles and rules.
The security claims paint a gloomy picture of deception, a story which sounds very familiar; US politicians have continuously stated Chinese firms should not be trusted.
Xiaomi’s response to the allegations is as what many would expect.
“At Xiaomi, our users’ privacy and security are of top priority,” a statement reads. “We strictly follow and are fully compliant with user privacy protection laws and regulations in the countries and regions we operate in.”
The firm has stated it only collects data when permissions have been granted and it complies with all local data protection and privacy laws. It has released several updates to close any loopholes or oversights which might compromise security or privacy.
In short, Xiaomi contests all allegations which have been made in the article.
It is hardly unusual for Chinese companies to be at the centre of a privacy scandal, but Xiaomi has managed to avoid attention from US authorities to date, something it will surely like to continue.
Marcio Avillez, CUJO AI’s SVP of Business Development, chatted to Telecoms.com about a range of topics on privacy, from third-party trackers to consumers’ concerns about social media and many things in between.
What kind of problems do third-party trackers and covert tracking present in general? In your view, what are the most pressing privacy issues online?
Internet users around the world, billions of them, are exposed to a technology that they do not fully understand, have little or no benefit from it, haven’t asked for it whatsoever, and due to which, they have to be concerned about how their data is used. On top of this, there is a cost to users down to the consumption of their device’s resources in relation to tracking workflows.
Third-party trackers represent the problem. When someone visits a website or uses an app, they have no intention to provide anything to any third parties. They have no other business in mind, except their primary purpose, for example, to buy shoes online. Instead, by visiting a single website, they’re invisibly connected to dozens of third-fourth-fifth party entities to a degree where no one can answer who has access to what aspects of your data.
I’d say that the most pressing issue with privacy today is the lack of policy – it’s not clear who holds responsibility for preventing users from unwanted tracking or where should people turn when they think that their privacy has been compromised. Now we all understand that adverts form part of the Internet economy and targeted ads draw higher revenues and pay for better content. But when it comes to 3rd party tracking, we have to ask one key question – Is the end user making an informed consent?
You are developing privacy protection solutions on the service provider level instead of end user solutions like ad blockers. Is there a danger in shifting responsibility to users in terms of their data?
To be responsible for something means first being able to make an impact and affect the outcome. We don’t expect a regular person to perform their own surgeries, install their plumbing or take care of legal processes. Internet users are the recipients of a service, and the attributes of that service – in this case, user privacy – remain in the field of service providers, not the consumers.
We’ve carried out survey on Privacy and Online Tracking Perceptions this spring where we asked US respondents who, in their opinion, should be responsible for protecting them from tracking. The majority – 65.1% – think that it’s the Internet service providers.
We also asked several questions about privacy threats and known countermeasures. The responses clearly show one thing – privacy protection requires a systematic approach. A lot of users are neither motivated nor qualified to ensure it for themselves. There is a lack of knowledge regarding tracking and awareness is still relatively low.
I think it’s a great risk for businesses to provide a service knowing that it has a potential to be maliciously used against their customers, and not take all possible measures in order to help avoid those threats.
How exactly does Incognito ensure privacy protection? Is it able to address end user concerns and expectations towards privacy?
CUJO AI Incognito protects consumers’ privacy by blocking the third-party tracking software that powers advertising sites. Because it operates on the network level, it works across all devices, browsers and apps while they’re used on that network. This way Incognito frees the consumer from installing and maintaining software on their myriad of devices.
Incognito is able to address end user expectations by empowering the Internet service providers to ensure their clients don’t have to undergo the hassle of trying to protect themselves with available means that only work on browsers (so apps keep tracking them), or installing and updating the blocking software on each of their devices.
Do you sense a change coming in terms of how the public views ‘free’ social networking and entertainment sites?
Only a minority (7.6%) of our survey respondents said they think that tracking might be beneficial to them, for example, for allowing a more personalized browsing or app experience, like prefilling repetitive forms, saving choices, etc.
What is flawed in this idea is that these convenient features are available because of functional, or essential, website trackers – it’s a part of the website functionality and user experience, but third-party trackers have nothing to do with that. Their sole purpose is to gather user behaviour data for profiling them and using those profiles to target and monetize advertisements.
But those who tend to see tracking in a not-entirely-negative light are just a small part of Internet users. The majority thinks that tracking is never beneficial, and I would say they’re right.
However, social networking and entertainment sites users have no alternatives to choose from, it’s either use and be tracked, or don’t use at all. That’s why it’s essential to at least minimize the impact of tracking that they’re exposed to when using the ‘free’ services that have already become a daily habit.
Video conferencing platform Zoom has rushed out a bunch of new security features in response to serious concerns raised following the massive increase in its use.
Zoom 5.0 is all about security and is part of a previously-announced 90-day plan to sort that side of things out. Earlier this month things were looking dire for the company as even politicians were calling for an investigation into its many security and privacy flaws. At lack of any further major scandals in the meantime enabled it to weather that storm in the short term, but security was clearly an issue that needed a permanent fix.
The most significant single tweak is the addition of support for AES 256-bit GCM encryption, which should do a lot to prevent the hacking into calls and leakage of user information that has been extensively reported. Other than that, the various security tools at a user’s disposal have been aggregated into a single, prominent icon on the user interface, and certain bits of security best-practice have been made default settings.
“I am proud to reach this step in our 90-day plan, but this is just the beginning,” said Eric S. Yuan, CEO of Zoom. “We built our business by delivering happiness to our customers. We will earn our customers’ trust and deliver them happiness with our unwavering focus on providing the most secure platform.”
“We take a holistic view of our users’ privacy and our platform’s security,” said Oded Gal, CPO of Zoom. “From our network to our feature set to our user experience, everything is being put through rigorous scrutiny. On the back end, AES 256-bit GCM encryption will raise the bar for securing our users’ data in transit. On the front end, I’m most excited about the Security icon in the meeting menu bar. This takes our security features, existing and new, and puts them front and center for our meeting hosts. With millions of new users, this will make sure they have instant access to important security controls in their meetings.”
It remains to be seen whether this update will be enough to satisfy users scared off by previous reports and experiences. Bloomberg reports that a bunch of big organizations, including Ericsson, have warned against using the services or have even banned use of it entirely. Even the whole country of India seems hostile to Zoom, so the rest of this 90-day plan had better be convincing.
The European Commission has unveiled guidelines for member states creating COVID-19 apps, with perhaps an attempt to prevent mission creep from private industry.
The document, which is available here, suggests the national health authorities take the leadership position in developing the applications, while another recommendation is to store data on devices wherever possible. Minimising data analysis, external storage and the role of private organisations are ways and means to maintain privacy principles but also reduce the risk of data breaches.
“This is the first global crisis where we can deploy the full power of technology to offer efficient solutions and support the exit strategies from the pandemic,” said Vice-President for Values and Transparency, Věra Jourová.
“Trust of Europeans will be key to success of the tracing mobile apps. Respecting the EU data protection rules will help ensure that our privacy and fundamental rights will be upheld and that the European approach will be transparent and proportional.”
Although the guidelines are relatively simple, such a tick-box exercise is critical to ensure the largest possible adoption rates. The apps will assist individuals irrelevant as to how many people install, however for the contact tracing features to be the most effective in slowing the spread of COVID-19, downloads would have to meet critical mass. Oxford University researchers suggest this would be at least 60% of the population.
If any of the apps being discussed are to reach 60% penetration, privacy and security fears would have to be addressed, while legislation would have to be introduced to ensure such tracking activities do not become the new normality and data is not retained after the crisis.
In brief, the guidelines are as follows:
Downloading the app should be voluntary not compulsory
National health services should own the project and be responsible as the Data Controller
Data minimisation principles should be applied
GDPR principles of right to deletion should be adhered to
Data should be stored on user devices wherever possible
Consent should be applied to each element of the application not a catch-all opt-in at the beginning
Rules should be introduced for the deletion of collected raw data and the subsequent insight
There are of course multiple other nuances and elements included in the 14-page document, though should the above guidelines be adhered to and the role of private industry limited, there could be trust installed in the apps. Irrelevant to how elegant and sophisticated the apps are, the most important aspect is user adoption.
This is not the first time the world has faced a pandemic to this degree, but technology and insight are tools which we have never had at our disposal before. The contact tracing apps, to warn individuals of potential infection and educate on how to further prevent the spread, should be adopted by every nation. However, privacy and security concerns should not be ignored.
The technology and telecoms industry has a pretty poor record when it comes to privacy and security. Executives might point to policies and features to improve resilience, however these are almost always reactionary additions not proactive. Considering the sensitive nature of the data which is being discussed in relation to these apps, this is the time to be overly cautious in applying privacy and security principles.
Three months ago, most people would not have been able to tell you what Zoom was, but now at the centre of privacy debacles, the video-conferencing business might be knocking on deaths door.
Over the course of the last week there have been several incidents. Individually, the team might have had a chance of fighting back the critics, but with the company being attacked on so many different fronts, it seems only a matter of time before the video-conferencing tool once again fades into anonymity.
Starting in New York State, Attorney General Letitia James announced a privacy probe following several reports of suspect security. This seemingly inspired the State’s Department of Education to ban its schools from using the tool. Following these two events, the Taiwanese Government enacted its Cyber Security Management Act, banning all Government agencies from using the tool.
These events occurred alongside the UK Government getting suspicious of the privacy and security credentials of Zoom, while the University of Toronto’s Citizen Lab exposed the inadequacies of the encryption software and also questioned why some international calls were being routed through Chinese servers. Who and where the technology was developed is also another dubious avenue, with further links to China being unveiled.
With all this happening at the same time, the last thing which Zoom needs is politicians weighing into the debate.
Senator Michael Bennet has written to Zoom CEO Eric Yuan asking for clarification on what information is collected from users, who is sells it to and how much money it makes from these transactions. Senate House Energy and Commerce Committee Chair Frank Pallone is another calling for an enquiry, as is Consumer Protection Subcommittee Chair, Jan Schakowsky, backing the demands of Senator Richard Blumenthal.
One sentence which Zoom will be dreading to hear is FTC Investigation, but it is becoming a very real danger. And once an agency like the FTC starts investigating privacy and security concerns, as well as links to foreign powers who are on the US naughty list, life can become very difficult.
FTC Chairperson Joseph Simons has previously suggested that when significant privacy concerns are voiced in the press, an investigation is already on-going or is about to begin. Considering the anti-China rhetoric, it would not take much to gather support for such an investigation.
At a time where all Zoom employees need to be focused on creating a product which meets the demands which are being placed on it, the distraction of an FTC investigation is unlikely to be welcomed. These are sticky and messy affairs, which absorb a considerable amount of time. You only have to look at the difficulties Facebook has encountered, but with 20X more employees than Zoom, it was in a much more comfortable position.
“To that end, I am excited to announce two developments: we have officially formed our CISO Council and Advisory Board, including security leaders from across industries; and Alex Stamos has joined Zoom as an outside advisor to assist with the comprehensive security review of our platform,” said Yuan.
Zoom is scrapping and scraping to prove its worth, but each day seems to be one paddle stroke further down sh*t creek. Privacy questions are bad news, especially when there are alternative services on the market. Facebook has managed to shake off the scandals and negative perceptions because there is nothing else out there quite like Facebook; Zoom is certainly not in the same position.
Zoom’s rise to fame might only be match by the fall from grace as security flaws and apparent ties to China are laid bare for all to see.
It was only last week Zoom CEO Eric Yuan had to pen a blog entry to calm fears over the video-conferencing service, but this additional post is to address statements from University of Toronto’s Citizen Lab. Zoom has rolled out its own encryption software to enhance security, though the Toronto researchers suggest there are ‘significant weaknesses’.
“We appreciate the questions we are getting and continue to work actively to address issues as we identify them,” said Yuan. “As video communications become more mainstream, users deserve to better understand how all these services work, including how the industry — Zoom and its peers – manages operations and provides services in China and around the world.”
Firstly, the Toronto researchers have questioned how effective the security features of Zoom actually are. On one hand, the encryption is not end-to-end by industry standards, despite the company claiming so, while the way in which it has been designed and implemented is also questioned.
“The Zoom transport protocol adds Zoom’s own encryption scheme to RTP in an unusual way,” the researchers state.
“By default, all participants’ audio and video in a Zoom meeting appears to be encrypted and decrypted with a single AES-128 key shared amongst the participants. The AES key appears to be generated and distributed to the meeting’s participants by Zoom servers. Zoom’s encryption and decryption use AES in ECB mode, which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input.”
These encryption keys could also be distributed through Chinese servers, which is a bad idea for anyone as companies can be legally compelled by the Government to hand over these keys. Zoom has said this oversight has been corrected and no international meetings will be routed through Chinese servers, but the damage may well have already been done.
When security and privacy in the digital economy are being discussed, it makes a tarnish on the record which can be very difficult to remove. Zoom has an incredibly long list for a company which continues to trade, but a link to China is one which is almost impossible to shake off. Especially when it comes to operating in the US.
Zoom is a company which is listed in the US on the NASDAQ, but the software appears to be developed by three companies in China, all known as Ruanshi Software, only two of which are owned by Zoom. The ownership of the third company, also known as American Cloud Video Software Technology, is unknown.
As it stands, 700 employees are currently in China, which is not unusual as it can save on salaries in comparison to the US, though it does open up the firm to pressure and influence from the Chinese Government. This is not a position which will make US authorities comfortable.
In New York, the Department of Education has banned all schools from using Zoom for remote learning, stating teachers will have Microsoft Teams functionality available as soon as possible. New York Attorney General Letitia James is also probing the privacy and security credentials of the company, a worrying sign for the business.
Security is a major component of the digital economy and Zoom just does not appear to be up to scratch. For every leak in the hull which is fixed, three more seem to emerge. The long list of security vulnerabilities was always going to catch up with the team, though it remains to be seen whether Eric Yuan can talk his way out of the apparent links to China, a potential death sentence in the US.