Software used is said to be made in China; several ministries, including Defence, have been using it since lockdown began

The Ministry of Home Affairs (MHA) has issued an advisory that Zoom video conference is not a safe platform.

Also Read Singapore stops Zoom for online education as hackers strike

The advisory was issued on April 12 and the MHA shared it with journalists on Thursday.

U.S. based Zoom video communication has seen an exponential rise in usage in India as office-goers remain at home owing to the lockdown triggered by the COVID-19 pandemic. The software used in the online platform is said to be made in China and some calls were being routed through servers in China.

The Cyber Coordination Centre of the MHA issued a set of guidelines for its safe usage by private individuals. It was not for use by government offices and officials, the MHA noted.

CERT-In’s 2 advisories

The advisory said the Indian Computer Emergency Response Team (CERT-In) issued two advisories on February 6 and in March, cautioning on the use of Zoom for office meetings.

Also Read Video meet app Zoom sued by investor over security issues

The March 30 note on the CERT-In website said, “Zoom is a popular videoconferencing platform. Insecure usage of the platform may allow cyber criminals to access sensitive information such as meeting details and conversations.”

Another note posted by the CERT-In on April 2 said that multiple vulnerabilities had been reported in the videoconferencing platform “which could allow an attacker to gain elevated privileges or obtain sensitive information.”

The Ministry asked the users to set strong passwords and enable “waiting room” feature so that call managers could have a better control over the participants. It also asked the users to avoid using personal meeting ID to host events and instead use randomly generated meeting IDs for each event and asked to not share links on public platforms.

Use by Ministries

Several Ministries have been using the platform to convene official meetings. On Thursday, Sports Minister Kiren Rijiju and Tribal Affairs Minister Arjun Munda posted pictures of interaction with sports coaches on Zoom.

On Thursday, even after the advisory was issued, the Ministry of External Affairs (MEA) used the platform for a videoconference with around 60 journalists.

An MHA official said that all official video conferences were arranged by National Informatics Centre (NIC) and they were cautious to not use Zoom.

The Union Health Ministry, which is coordinating with the States on COVID-19, has also been using Zoom for videoconferences. A Ministry official said it would discontinue using Zoom.

Ministries of Civil Aviation, Road Transport and Small and Medium Industries also used Zoom since the lockdown began on March 25.

On April 1, Defence Minister Rajnath Singh posted pictures of a virtual meeting with officials where he was seen using Zoom.

BJP chief J.P Nadda has also been conducting meetings through Zoom.

Citizen Lab findings

On April 3, Citizen Lab, based at the University of Toronto, found “significant weakness” in Zoom’s encryption that protects meetings done using the teleconference app. It also identified potential areas of concern in Zoom’s infrastructure, including observing the transmission of meeting encryption keys through China.

The Citizen Lab highlighted that while Zoom was a Silicon Valley-based company, it appeared to own three companies in China through which at least 700 employees were paid to develop Zoom’s software. “This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities,” it noted.

According to a blog dated April 1 by Zoom Founder and CEO Eric S Yuan, the usage of Zoom ballooned overnight, including from over 90,000 schools across 20 countries. The maximum number of daily meeting participants of approximately 10 million at the end of December 2019 on Zoom grew to more than 200 million daily meeting participants in March.

“However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it,” Mr. Yuan had written.

Some lapses

Mr. Yuan admitted some lapses and committed to addressing two primary topics raised by the Citizen Lab — geo-fencing and meeting encryption.

As per the latest company blog, dated April 15, which follows the second weekly session of a webinar, wherein Mr. Yuan gives updates on Zoom’s ongoing privacy and security efforts, Zoom has added additional features such as placing a new security icon in the meeting controls, changeing Zoom’s default settings and enhancing meeting password complexity, among others.

It has also added that starting April 18, account admins will have the ability to choose whether or not their data is routed through specific data center regions.