Zoom, the video-conferencing app that has seen a huge rise in downloads since quarantines were imposed around the world, is now being used by millions for work and social gatherings.
This week Prime Minister Boris Johnson tweeted a picture of himself chairing a Cabinet meeting via the app.
This led to questions about how secure it was for government meetings.
Zoom has angrily defended its security record, saying it would answer any questions the government had.
What was the row about?
First came a tweet from the prime minister:
It was closely followed by reports that the Ministry of Defence (MoD) was suspending use of the app, something it strenuously denied.
The MoD told the BBC that Zoom had never been used for high-security meetings, but continued to be a tool for cross-government chats.
Later, a Cabinet Office spokesperson moved to clarify the government’s position: “In the current unprecedented circumstances the need for effective channels of communication is vital. National Cyber Security Centre guidance shows there is no security reason for Zoom not to be used for conversations below a certain classification.”
But Zoom was clearly angered by suggestions that it was not entirely secure.
“Zoom takes user security extremely seriously,” it told the BBC.
“Globally, 2,000 institutions ranging from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare and telemedicine practices have done exhaustive security reviews of our user, network and data centre layers confidently selecting Zoom for complete deployment.”
“We are in close communication with the UK Ministry of Defence and National Cyber Security Centre and are focused on providing the documentation they need,” it said in a statement to the BBC.
Exactly what this documentation is, neither Zoom, the National Cyber Security Centre nor the MoD were able to say.
So is it safe?
Zoom has had security flaws in the past, including a vulnerability which allowed an attacker to remove attendees from meetings, spoof messages from users and hijack shared screens. Another saw Mac users forced into calls without their knowledge.
All these were patched but some experts still think that the firm has a rather blase attitude to security.
“Zoom has had a chequered history, security-wise, with a number of instances where one has had to question whether it really gets it when it comes to users’ privacy and security,” said cyber-consultant Graham Cluley.
“Right now, lots of people are using Zoom for the first time and may not be au fait with the safest settings to keep unwanted people out of their chats.
“They also probably haven’t read the terms and conditions, but just clicked ‘Yes’ to everything to get online. Zoom and other video messaging apps provide a valuable service right now but folks should be careful in their choices as they rush to connect online.”
Prof Alan Woodward, a computer scientist at Surrey University thinks the government needs to be careful: “In some ways for a public broadcast it doesn’t matter if anyone can listen in as was the case for the No 10 briefing.”
“However, where I have taken part in government briefings where it is for the participants’ ears only we have used Microsoft Teams.”
“There is no evidence that Zoom has any problems in its latest versions but in these crazy times it seems sensible only to use systems that are tried and tested. It does reinforce the message that whatever you use you should use the latest version,” he added.
Where did Zoom come from?
Zoom may only have become a household name since the globe became housebound but in fact its popularity has been growing for several years. When it debuted on the stock market last year, it was already valued at $15bn (£12bn) and that has now risen to $38.5bn.
Started in 2011 by Chinese software engineer Eric Yuan, who emigrated from China to Silicon Valley at the age of 27, Zoom has quietly overtaken rivals such as Skype and Microsoft Teams, in part because of some pretty simple features including adaptive backgrounds.
It is free for anyone to use but its basic package has a 40-minute meeting limit for more than three participants, something it has just lifted for schools in the UK, Canada and Germany to allow teachers to make use of longer sessions as they home-school their pupils.
It has been downloaded more than 50 million times on the Google app store alone as a global lockdown sends people in desperate search of digital ways to stay in touch with work colleagues, friends and family.
Are there privacy concerns?
Zoom collects large amounts of data in order to analyse its service and to provide businesses with useful tools.
The Electronic Frontier Foundation has compiled a list of its privacy issues:
- the host of a Zoom call has the capacity to monitor the activities of attendees while screen-sharing. They can see whether Zoom windows are active or not
- it also allows administrators to see detailed dashboards of users’ activity, including a ranking system of users based on total number of meeting minutes
- if a user records any calls via Zoom, administrators can access the contents
- during any meeting that has occurred or is in progress, administrators can see the operating system, IP address, location data and device information of each participant
Despite these warnings, people generally seem happy to share more and more aspects of their life on the app, including some who have given away rather more than they intended.
A widely shared video on social media shows a woman in a business conference forgetting that her colleagues can see her and going to the toilet mid-meeting while the rest of her team look on in bewildered embarrassment.
Other breaches of etiquette include “zoombombing”, a word surely set to take its place alongside self-isolation in post-virus dictionaries.
It is a form of trolling that sees uninvited guests screen-sharing pornography or other disturbing imagery. The problem happens if details of a meeting are shared publicly and the host fails to set screen-sharing to ”host only”.
Meeting hosts should also disable “file transfer” to prevent any malware being shared, said experts.