Organisations around the world are moving to lock down or ban remote workers from using videoconferencing and collaboration application Zoom during the Covid-19 coronavirus pandemic.
This comes as concerns about the fundamental security of the service refuse to go away despite repeated attempts by Zoom to assuage them.
Among the organisations imposing restrictions on Zoom usage is Google, which has banned it from all its employees’ devices, citing security vulnerabilities.
In a statement supplied to Buzzfeed News, which first reported the story, Google spokesperson Jose Castaneda said Google had a longstanding policy of not allowing employees to use unapproved apps for work.
“Our security team informed employees using Zoom Desktop Client that it will no longer run on corporate computers as it does not meet our security standards for apps used by our employees,” said Castaneda.
“Employees who have been using Zoom to stay in touch with family and friends can continue to do so through a web browser or via mobile.”
Other organisations to have cracked down on Zoom include the US Senate and the German government.
According to sources familiar with the US Senate’s policy, the Senate sergeant-at-arms has instructed senators not to use the service because of data security concerns, and to find alternatives. It is understood that other US government bodies are still using Zoom.
Meanwhile, in Germany, the foreign ministry has moved to restrict Zoom usage to fixed connections only, and has told officials not to use it at all for confidential meetings because, by its own admission, Zoom has misrepresented its policy on encryption.
An internal memo cited critical weaknesses and serious problems with security and data protection, although the department stressed this was not an outright ban, largely because Zoom is now in such widespread use.
Charl van der Walt, head of security research at Orange Cyberdefense, said the decisions by government bodies to restrict the use of Zoom were entirely appropriate, not because it was insecure or had poor privacy practices, but because the public sector has highly specific security needs that demand more rigorous assessment and assurance.
“The needs of the US Senate (or the British Cabinet) are not the same as those of the average home user,” he said.
“The careless adoption of a popular platform, no matter how good, without due regard for technical security standards and policy and regulatory compliance is simply not acceptable for sensitive use cases.”
Van der Walt added: “This doesn’t suggest that Zoom is secure enough for other users – that’s an entirely different debate – only that the Senate needs to assess the technology’s suitability against its needs and standards, which will almost certainly be different from those of the average user or business.”
In the past week, Zoom has started to try to make good on some of the promises made by its CEO, Eric Yuan, on 1 April.
Within the past 24 hours, it has issued a new security update, collecting together the platform’s in-meeting security features in one place under a new icon to make management easier for meeting hosts.
It has also removed the meeting ID from the title toolbar, preventing anybody from seeing active meeting IDs should someone – such as UK prime minister Boris Johnson – decide it is a good idea to screenshot the meeting and post a picture in public.
It has also appointed former Facebook chief security officer Alex Stamos, now an adjunct professor at the Freeman-Spogli Institute at Stanford University, as an external adviser.
Stamos was tapped for the unpaid advisory role by Yuan after posting a Twitter thread highlighting Zoom’s challenges, in which he described it as a “spectacularly complicated” platform that had made “sketchy design trade-offs”.
Writing on a personal blog page, Stamos said Zoom’s sudden growth spurt from a little-known enterprise collaboration platform to a mass-market consumer one in a matter of weeks was “literally unprecedented in the history of the internet”.
He added: “Zoom has some important work to do in core application security, cryptographic design and infrastructure security.”