By Jeff Ferry, CPA Chief Economist
Millions of people stuck at home are now using the Zoom videoconferencing application. Zoom claims 300 million daily users. But how many of those 300 million know that Zoom is a product that is made in China?
Early this month, news emerged that Zoom software, produced by Zoom Video Communications Inc., a young Silicon Valley startup that went public a year ago (NASDAQ:ZM), was subject to a number of flaws, bugs, and security problems. Zoom rushed out a series of apologies and explanations. It seemed like the standard Silicon Valley story of a young company that had suddenly hit the big time and had to tighten up its systems in a hurry.
The bugs included annoying problems like insufficient security for entering a Zoom videoconference call, which allowed strangers to barge into video-classrooms, a practice now known as “Zoombombing.” Other questionable practices included claiming that Zoom videocalls were fully encrypted when they were not. Zoom offered some humble apologies, said it had not been prepared for the huge uptake in usage of the free service caused by the COVID-19 crisis, and said it was putting together a high-powered team to examine its security and fix all the problems.
“US Company with a Chinese heart”
But the real problem with Zoom is more fundamental. Zoom is unusual in that although it is headquartered in San Jose, California, it does the bulk of its research and product development in China. A probing report published earlier this month by CitizenLab, a nonprofit cybersecurity group at the University of Toronto, labeled Zoom a “US company with a Chinese heart.”
According to the report, Zoom employs some 700 R&D staff (out of a total of 2,532 employees) in China through three Chinese companies, all with names that are variations of “Ruanshi Software.” While it is very common for US software companies to have some part of their R&D staff outside the US, it is highly unusual for a US company to do the bulk of its software development in China.
The security flaws in Zoom’s software have received substantial news coverage as Zoom’s usage exploded with the pandemic. The most interesting security flaws concern the encryption used in the Zoom service. End-to-end encryption is a software technique for making calls confidential by encrypting the data as it leaves one user’s computer and keeping it encrypted all the way to the other users’ computers. The data can be decrypted only with a randomly generated key that is created for each call and held by the participants, not by the service provider in between.
CitizenLab found that Zoom did not use end-to-end encryption. They wrote: “Because Zoom does not implement true end-to-end encryption, they have the theoretical ability to decrypt and monitor Zoom calls.”
This damning sentence was widely quoted in the technology press. In classic tech industry fashion, Zoom apologized, claiming that it has never tried to decrypt customer video calls and that its erroneous claim to use “end-to-end” encryption was a result of an alleged misunderstanding about what those words mean. Zoom is using the familiar tech industry strategy of seeking forgiveness rather than permission for rushing out a product that looks great but under the covers may be missing a few vital pieces.
CitizenLab and other cybersecurity experts are watching and waiting to see if Zoom cleans up its cybersecurity act. Meanwhile, Zoom is in full damage limitation mode, with the appointment of a former Facebook executive and a former Google executive to oversee security and privacy, a crash “90-day security plan” to improve security, and other activities like “Ask Eric Anything” webinars in which CEO Eric Yuan can reassure viewers that he cares about their security. He probably does care about keeping users loyal. Zoom’s astronomically high stock price of about $169 a share values the company at $47 billion, or some 47 times its current revenue, and makes Eric a billionaire six times over.
China Staff: Sitting Ducks for IP Theft
But the more fundamental issue is whether we can, and should, trust a software application that is engineered in China. We know from past experience that China’s Ministry of State Security operates a huge effort aimed at stealing intellectual property from Western companies, especially US technology companies. (See our past articles here, here, here, and here.) Since it is well known that important business meetings are held on voice or video conference calls by millions of businesses daily, we can be sure that China’s spies are trying hard to penetrate these conferencing companies, and probably succeeding at times. Even if Zoom ends up fully encrypting every call, planting a spy in a company would be an ideal way to figure out how to identify customers of value and develop a way to decrypt, record and decipher calls. And they do not need to do it in that order. Spies are resourceful.
Some of Zoom’s competitors are enterprise-class technology companies, like Cisco Systems, Microsoft (owner of Skype), and GoToMeeting. Their recruiting and internal security operations work hard to prevent software engineers who are also Chinese spies from joining their tech teams. Even the smaller competitors to Zoom try their best to keep out dubious employees. But how can a company with its entire engineering team in China keep itself free from the prying eyes of Chinese state security?
The backlash has already begun. A growing number of companies are forbidding employees from using Zoom under any circumstances. Mercedes-Benz has banned Zoom, as have a number of US tech companies and overseas governments.
Interestingly, the British government, which used Zoom for at least one Cabinet meeting in March, has yet to ban Zoom. One wonders if Boris Johnson and his colleagues discussed the problem of Huawei 5G wireless systems at that meeting, and if so, whether any Huawei executives listened in. One British cybersecurity jokester helpfully provided the meeting ID number for the Cabinet meeting (albeit after the meeting had ended).
There are plenty of alternatives to Zoom, both free and paid-for. Any business or government user serious about confidentiality should be using a paid conferencing application and should get a written explanation of the security policies from their provider. Some of the applications I like are 8x8, RingCentral, Cisco’s Jabber, and Dialpad. GoToMeeting seems to be getting its act together at last.
Anybody using free videoconferencing applications for social or fun purposes should still avoid Chinese-engineered applications. Free users should consider Jitsi, a conferencing application owned by a first-class Silicon Valley company, 8x8. Jitsi was built by Bulgarian software engineer Emil Ivov who now works for 8x8 at their Texas location. Microsoft’s Skype is of course free and serviceable, although Microsoft’s inability to improve the great little Skype program it purchased in 2011 for $8.5 billion has been a source of wonder to many in the tech industry. Google Hangouts is usable, but perhaps in recognition of its mediocre performance, Google has made the professional version, Google Hangouts Meet, available free during the pandemic.
UK Government used Zoom for March Cabinet meeting. Boris Johnson at upper left.