Govt raises red flags over video conference app Zoom, calls it unsafe
Updated: 17 Apr 2020, 12:36 AM IST
- Home ministry’s advisory comes at a time when the platform has gained prominence
- Centre also asks all ministers and staff to refrain from conducting meetings on third-party apps such as Zoom
NEW DELHI: The Union home ministry has raised alarm bells, flagging video conferencing software Zoom as unsafe and vulnerable to cyber crimes.
The ministry’s notification comes at a time when the platform has gained prominence globally, with most industries now working from home in the wake of the Covid-19 outbreak. At the same time, with privacy coming into question in the case of Zoom, the Centre has also asked all its ministers and staff to refrain from conducting any meetings on third-party applications.
In its latest advisory, issued on Thursday through its Cyber Coordination Centre (CyCord), the MHA red-flagged the video conferencing facility as “unsafe”, days after India’s Computer Emergency Response Team (CERT-IN) had raised concerns over potential cyber attacks through Zoom.
In an order issued earlier on 30 March, CERT-IN said the application was vulnerable to cyber attacks, including leakage of sensitive information.
“Many organizations have allowed their staff to work from home to stop the spread of coronavirus disease. Online communication platforms such as Zoom, Microsoft Teams and Teams for Education, Slack, Cisco WebEx etc are being used for remote meetings and webinars,” the advisory said.
“Insecure usage of the platform may allow cyber criminals to access sensitive information such as meeting details and conversations,” it added.
In the case of Zoom, a Motherboard analysis revealed that its iOS app sends data to social networking website Facebook even if a user doesn’t have an account on it. In fact, a user has filed a suit against the company, alleging that the app “collects information of its users and discloses, without adequate notice or authorisation, this personal information to third parties, including Facebook, invading the privacy of millions of users”.
Motherboard found that when a user opens Zoom, the app shares details about its users’ devices—the time zone they are in, device model, the city they are in, the phone carrier they are using and a “unique advertiser identifier” that can be used for targeted advertising.
“Zoom takes user security extremely seriously. A large number of global institutions ranging from the world’s largest financial services companies and telecommunications providers, to non-governmental organisations and government agencies, have done exhaustive security reviews of our user, network and datacenter layers and continue to use Zoom for most or all of their unified communications needs,” Zoom said in a statement.
On April 1, however, in a blog post, Zoom founder Eric S Yuan had said the company is freezing all new features “effective immediately” and will be putting all of its engineering resources to focus on its “biggest trust, safety and privacy issues.” The company also said, on 27 March, that it has removed the Facebook SDK in its iOS app and “have reconfigured it to prevent it from collecting unnecessary device information” from users.
Both CERT-IN and the Union home ministry have now suggested, as part of the directive, that users and organisations keep the software up to date and ensure that the password for each meeting is changed and reset.
At the same time, the directive also suggested that the host of the meeting “end meeting” after the conference is over instead of “leaving” it, adding that “these suggestions are especially important for those meetings in which sensitive details are discussed.”
The home ministry also said these safety practices would prevent unauthorised entry into the meeting rooms, as well as thwart “DOS (denial of service) attacks and prevent authorised people to carry out malicious tasks within various conferences.”
In the meantime, the government on 13 April also issued an advisory to all central government officers cautioning them against using third-party software and apps.