Zoom’s Security and Privacy

#CyberPeaceTalks with Vineet Kumar

Zoom’s Security and Privacy

 

Recently Mr. Vineet Kumar, President, Cyber Peace Foundation hosted a webinar #Cyber Peace Talks with Mr. Sameer Raje, General Manager and Head of India, Zoom to discuss various aspects of the new communication standards set up by Zoom Cloud Meetings and various controversies around it.

 

Why has Zoom gained so much popularity as compared to other VC platforms?

The very first thing, which was discussed, was the reasons behind the success of Zoom. Mr. Raje explained that the reason behind such popularity is the fundamental idea behind the creation of Zoom which was to enable a frictionless and easy to use video Conferencing platform that was consumer-centric. He explained the company’s vision and the underlying ethics of humility and being truthful is engraved in the entire organisation across the world.

 

Is Zoom a Chinese App?

In the context of Indian Government Banning 59 Chinese apps, a very crucial part of the discussion proceeded, where Mr Vineet asked that If Zoom was a Chinese Company. Mr Raje answered this question by stating that Zoom is an American Company, it is listed in NASDAQ and a publicly-traded company and has all the shareholding patterns in the USA. He further clarified the apprehensions by stating that Zoom is big Multinational Company and has operations all around the world and one such engineering operations is present in China as well, just like all of their other counterparts and competition, however, most of the control of operations and engineering is done out of USA.

 

What is Zoom doing to spread awareness about security tools?

A Key Takeaway from the Webinar was a discussion on the Security and Privacy Policies for user data that were incorporated Zoom Meetings platform. It was interesting to realise that Zoom doesn’t collect much of the user data in the first place, it only collects the login credentials and meeting credentials. There is no mechanism to store the information from the meetings, while only the basic subscriber information such as the IP address or Processor related information is collected and is stored for a while.

Whereas the issue of intercepting the meetings is concerned, whether it is from a free or a paid version, they are all encrypted. The only difference between a paid user and the free user, is in the functionality, as the paid users will have more of admin controls and much more features. However, the Security features and Privacy Features are more or less the same for all the users, such as the encrypted and password protected meetings.

The issue of data sharing of Indian Users through Servers located in China or with the Chinese Government was also addressed and it was clear that it was nothing to be worried about. The servers of Zoom which are located in China are ‘GeoFenced’ and are only available for Local users i.e. only for the users in China. For valid law enforcement and government requests, Zoom, however, blocks or disables the access of the users if needed to be.

 

What is a 90-day Plan?

Due to an addition to the demographic of users in lockdown where there are no other means of contact and people are meeting their families and friends Zoom and posting about it on Social media where their personal ids and meeting id were visible, there was an increase in the ‘Bombings’ and various other issues as well.

Therefore, in an attempt to deal with these kinds of issues, Zoom has introduced various new security features and have elevated the previous ones, in the ’90 Day plan’, such as hiding the Meeting Id, transparency of Information regarding connection with data centres, 256-bit GCM encryption, Extended meeting passwords etc.

The company also conducted meetings with 36 Chief Security Officers of different companies who were the clients of the platforms and asked for their feedback on the security features of the platform, while also engaging a third evaluator to assess for any bugs or security issues regarding the platform.

There is also a Bug Bounty Program that aims to strengthen the security of the platform.

 

Like all other platforms, Zoom also must have various security features. What are some of the most useful features that can be used to protect calls?

An important aspect which was touched upon was the dissemination of this information about ‘Security Features’ and how Indians who have Zoom installed in their phones but unaware of these security features can know about them.

Mr. Raje acknowledged that educating a large population like India’s about the same is a challenging task, they have started various programs and recorded videos that inform the users about the features, where this webinar was also an attempt to do the same as well. The platform also has special sections on their website for training and facilitating teachers and parents on how to use the platform that is safe for the students. While it is a challenging task but it is their goal to consider it a journey and work towards the same.

 

There were cases where call/webinars were hijacked and classes disrupted. How does something like this happen?

There was also an inclusion of ‘Reporting’ feature which a user can use to report any inappropriate behaviour which goes to the security teams of the platform, where the Zoom id of the user will be disabled if it is found to be a legitimate issue.

Zoom also works closely with Law enforcement agencies in complying with all kind of legitimate requests of information that needs to be provided, where the Contact information and all the details for Emergency requests etc. are given on their blog.

 

 

Audience Questions

Questions put up by the attendees of the session are as follows-

1. Can you highlight about the Government guidelines which talked about Zoom being unsafe to use?

Mr. Raje answered by highlighting that this advisory which was released by the CERT-In i.e. the Computer Emergency Response Team- India, was for a Previous Version, and the security features of the platform have been updated after that in the latest version. The same was acknowledged by CERT as well. However, the Cyber Coordination Centre, MHA which released a statement regarding the security features citing the issues raised by CERT but haven’t updated their stand after the updated statements by CERT. However, the platform has submitted the details about its security features and everything to the MHA and is hopeful for a positive response from MHA as well.

2. Is there a feature where the length of the meeting could be increased from 40 minutes, for students’ classrooms?

It was highlighted that the said feature is not presently available in the free version, but the Enterprise version for Schools are heavily discounted and they can explore that as well. The said versions can be integrated with the Educational Institutions own learning platforms with API’s and everything which as created by the platform

3. Is it safe to share the screens with students when a teacher is taking a class and is it safe to share the recorded video of the session?

The screen which is being shared from the platform is encrypted and nobody can access the content of the shared screen, during the meeting other than the people who are in the meeting at that time. However, Zoom cannot be responsible if a user shares the recording of the meeting on a public platform.