Zoom is Bending Over Backwards to Meet Security Targets, But Winning Back User Trust is Easier Said Than Done

Zoom is my lifeline now,” says Navi Mumbai-based yoga coach Pooja Cariappa narrating the story of her adaptation to the world of social distancing and lockdown thanks to the Covid-19 outbreak. She’s not alone. The video-conferencing platform she recently adopted has grown globally to 300 million users from 10 million in the first 12 weeks of lockdowns being announced in various parts of the world. The Delhi-born Cariappa who lives in the Palm Beach Road neighbourhood near the Seawood station was at her wits’ end when the coronavirus epidemic began, forcing her to discontinue her classes for some 50-odd people on March 13th. “My work came to a sudden standstill,” she recalls. For days following the March 24th lockdown, she and her husband brainstormed to finally settle on online teaching. “Everyone was talking about Zoom,” says Cariappa, who encouraged her students to join her online.

Although only half of them did so, what surprised Cariappa was the speed at which she gained new students worldwide through word-of-mouth. Currently, she spends fewer hours and teaches more people online, and although she has slashed her fees and offers free trial classes, she finds that not a single person has left after having tried the free sessions. “All this is new to me and it seems to be the new normal,” she avers, having mastered the conferencing app through trial and error.

Zoom Video Communications, Inc was founded in 2011 by former Cisco veteran Eric Yuan and listed on Nasdaq in 2019. It remained a communication platform for big enterprises until the Covid-19 pandemic forced individuals and even small and medium companies to work remotely. The massive rise in its user base offered the San Jose, California-based company enormous opportunities, which are set to rise with the global video conferencing market size seen surpassing $50 billion by 2026, according to a new report by Global Market Insights.

Challenges abound, too, especially with competitors looking for a larger slice of the market captured by Zoom. India, which put in place a lockdown only in late March, alone accounts for 18 per cent of its total participants in the 12 or so weeks since coronavirus-induced lockdowns began around the world, and the US, 14 per cent, according to latest data. Zoom doesn’t offer daily updates on the number of participants. Its competitors include Skype Meet Now, Cisco Webex (where Zoom founder Yuan once worked as an engineer), Google Meet, Microsoft Teams and Slack.

300 million global users of Zoom video from 10 million until 12 weeks ago. 18% of total participants from India

Zoom, meanwhile, has been engulfed in controversies as it grew miraculously to become a household name in many parts of the world, especially India, where initially only official meetings were held on its app. The company was mired in controversy after the Union Ministry of Home Affairs issued an advisory to Indian users in April raising concerns about the prospects of cyber criminals using it as an avenue to steal confidential information besides claiming that the software used in the online platform was made in China and that some calls were being routed through servers there.

The advisory by the Cyber Coordination Centre (CyCord), under the home ministry, had said on April 16th, ‘This advisory states that the platform is not for use by Government officers/officials for official purposes. The document makes reference to earlier advisories of the Indian Computer Emergency Response Team (Cert-In) and states that Zoom is not a safe platform. The guidelines have been issued to safeguard private individuals who would still like to use the platform for private purposes. The broad objective of this advisory is to prevent any unauthorized entry into a Zoom Conference Room and prevent the unauthorized participant to carry out malicious attacks on the terminals of other users in the conference.’

Zooming Out

Following this notification, Zoom reached out to the home and IT ministries to brief officials about the measures it had taken to enhance the security of its platform and to Zoom-bombing, which refers to attacks by uninvited attendees in Zoom conferences. According to Lawfare, a blog published by the Lawfare Institute in cooperation with the Brookings Institution, ‘Zoom-bombing, or video-teleconference hijacking, refers to the uninvited entry into and disruption of a videoconference call, often by means of obscene, hateful, or threatening language or images.’ In Singapore, the ‘hijack’ of a Zoom meeting in early April involved two men joining a geography class comprising some 40-odd students and making raunchy remarks on female students. In India, too, a prestigious Delhi school decided to end online Zoom classes after mischievous students disrupted meetings with pornographic images. Instead, they decided to upload all classes to YouTube during the lockdown, according to educationist Neera Kohli, a former school headteacher who now works as a resource person for CBSE and several educational institutions. She adds, however, that the online classes of many government schools around the country and even teacher-training workshops are still being held using Zoom, notwithstanding its 40-minute cutoff time for free meetings. “Both parents and teachers have adapted to the medium and have learnt to work around limitations, such as non-speakers turning off video and muting sound to reduce bandwidth issues,” she says, adding, “There are pros and cons of every such app, but Zoom is definitely the most commonly used so far.”

As for security concerns, the Zoom founder is prompt to admit that indeed some calls on its app are routed through China. According to reports, it was researchers at Citizen Lab in Canada who said that some Zoom calls made in North America were routed through China. Following a global hue and cry, especially in India, the US and Europe, over ‘how safe is’ Zoom, the company made meetings password-protected and only the host can avail of the share-screen option after the meeting begins. In India, Zoom began operations last year targeting enterprise businesses and now its app is used for all kinds of remote activities, including education, office meetings, friendly ‘virtual coffees’, and religious and spiritual conferences.

On April 1st, Zoom announced its 90-day security plan and later released Zoom 5.0, its latest version. On April 22nd, shortly after officials around the world began complaining of vulnerabilities in the videoconferencing app that can be exploited by hackers, a statement by the CEO on Zoom’s blog said, ‘By adding support for AES 256-bit GCM [Galois/Counter Mode] encryption, Zoom will provide increased protection for meeting data and resistance against tampering.’ CEO Yuan, the Chinese-American businessman, added, ‘I am proud to reach this step in our 90-day plan, but this is just the beginning. We built our business by delivering happiness to our customers. We will earn our customers’ trust and deliver them happiness with our unwavering focus on providing the most secure platform.’

The attempt by Zoom, which has been battling policy and security-related issues alongside its spectacular growth following its Covid-19 success, was clearly to win back trust of users, but scepticism continues to grow in many parts of the world. According to reports, Zoom was banned in some top-notch companies, including those that had announced mandatory work-from-home policy, public schools, the US Senate and so on.

In India, just when it appeared that half of Zoom’s battles were won, on May 22nd, the Supreme Court issued a notice to the Centre, seeking its opinion on whether the app should be banned over privacy and data security concerns. The apex court was responding to a petition filed on May 20th claiming that the app breaches privacy. According to news agency ANI, the petition, filed by Harsh Chugh, sought a ban on the Zoom app claiming lack of internet safety and contending it posed a threat to privacy of its users and breached cyber security. The petition said the Zoom app was not safe and did not have end-to-end encryption and was violating the Information Technology Act, 2000, and Information Technology (Procedure and Safeguards for Interception, Monitoring and Decryption of Information) Rules, 2009, according to the agency report.

Zooming Out

The controversy-hit videoconferencing platform has asked all its users to update the app even as it faces official and judicial scrutiny. In India, meanwhile, the Government is in the process of encouraging homegrown companies to develop made-in-India videoconferencing platforms just as China has done for itself. According to latest reports, companies such as HCL Technologies, Zoho Corp and PeopleLink have been longlisted by the Centre for the purpose. These companies will get a federal grant. In the next stage, a few of these companies will be chosen to build complete videoconferencing solutions.

Even though many MNCs and public schools have been warned against using Zoom, which has created negative publicity for the Nasdaq-listed company, Ritesh Bhatia, Mumbai-based founder of V4WEB, a company into cybercrime investigations, offers a contrarian view: “For the kind of features Zoom offers, the major advantage is its cost and usability. Zoom is now a household name whereas others are still more of corporate solutions.”

More importantly, he feels that officials are apparently overreacting to the whole issue of security threat. Bhatia asks, “If Zoom was such a threat, then why didn’t the Government ban it instead of issuing an advisory? There are so many apps and software that are more intrusive and are a bigger threat as compared to any video conferencing solutions.”

He goes on, “Today, all smartphones hear us 24/7, know our locations 24/7 and are constantly relaying each and every activity of ours to data aggregators. Should we ban such apps and technology too?”

He argues that the Government’s advisory led to unnecessary panic amongst many users. “Zoom, like any other technology product, has its own challenges related to privacy and security. Yes, initially there were many issues [such as basic level encryption], but within days the company has not only fixed the issues but also provided many security features which, if enabled, give a smooth experience of virtual conferencing.”

He believes there was no need at all for the Supreme Court to have entertained Harsh Chugh’s PIL especially when there is a massive backlog of more important cases that matter. As with Zoom-bombing, he states, “Just because there have been few instances of Zoom-bombing doesn’t mean that a product should be banned. Compared to the massive data breaches of many giants, I find Zoom-bombing to be a very minor issue. It looks like the competition took advantage of this Zoom-bombing incident and made people believe that Zoom is an unsafe product to use. Moreover, it is the user who is not aware of the security features that Zoom offers. Many organisations are yet not aware that very many security features are present in Zoom.”

Incidentally, people are using Zoom for all kinds of purposes, including weddings. On May 27th, a Kerala couple sent out a Zoom ID and password to invitees from across the globe to their wedding: the guests included parents of both who watched the wedding ceremony held at the groom’s house remotely.

Notwithstanding such celebratory moments that Zoom beams across the world to help people stay connected, the company is still unable to completely shake off the perception of being ‘unsafe’. Rebuilding trust is sure to be a challenging task.

First published in Open

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s