Canada’s House of Commons will reconvene today for a virtual meeting on Zoom, a videoconferencing platform described by security researchers as a “privacy disaster.”
Zoom’s popularity has skyrocketed in recent weeks as Canadians took to online platforms to connect with friends and family while practising physical distancing to limit the spread of COVID-19. But the transition hasn’t been problem-free.
Jewish users have seen religious services highjacked by people screaming anti-Semitic abuse. A hacker posted a racial slur hundreds of times on a Zoom video chat hosted by a black National Hockey League player.
The term “Zoom-bombing” has entered the lexicon as virtual classroom sessions on the platform have been interrupted by random people brandishing Nazi imagery, such as swastika tattoos. The U.S. Federal Bureau of Investigation has told teachers to avoid using the platform entirely.
While some of the early concerns about the platform have been addressed in subsequent software updates, a recent report by researchers at the University of Toronto’s Citizen Lab found that while Zoom has “exceptional usability,” it also uses “non-industry-standard cryptographic techniques with identifiable weaknesses” to safeguard its conferences.
Citizen Lab found Zoom does not use “true end-to-end encryption” and the company has the “theoretical ability to decrypt and monitor Zoom calls.”
Moreover, the Zoom encryption keys — a string of random numbers and letters used to scramble and unscramble data — were sometimes routed through servers in China, even when all of the meeting’s participants were outside of China.
The report described the widespread use of Zoom as a “gold rush for cyber spies,” with business negotiations, diplomatic conferences and political strategy meetings moving from in-person encounters to “platforms whose security properties are unknown.”
“Now, some of the most sensitive conversations in the world are taking place on devices and platforms vulnerable to basic forms of eavesdropping and attack techniques,” the report concluded. It recommends that “governments worried about espionage … discourage the use of Zoom.”
Commons using different version of Zoom
To address these concerns, the House of Commons will use a reconfigured version of Zoom that has security features different from those in the free and paid consumer versions, a spokesperson for Speaker Anthony Rota said in a statement.
“This version enables the administration to manage and configure the technology and impose security controls,” Heather Bradley said.
“We are working closely with national and international security partners and leaders in the technology industry. This is to ensure that all appropriate measures are in place, in keeping with existing threat management protocols.”
Bradley said that because most parliamentary proceedings are open to the public, “confidentiality is not a requirement.”
After the Citizen Lab reported on Zoom’s use of some Chinese servers, the CEO of the company said its government cloud was not affected because there is a “separate environment available for our government customers and any others who request the specifications.”
The company said the “dramatic increase of use during the pandemic” forced some non-Chinese calls to go through data centres in China. It has promised to change its server policies.
“We know we have a long way to go to earn back your full trust, but we are committed to throwing ourselves into bolstering our platform’s security,” Eric Yuan said in a post on the company’s website.
Green Party parliamentary leader Elizabeth May has been calling for virtual meetings. She said she fears commercial travel poses a health risk to parliamentarians.
May participated in a dry run of the Commons virtual sitting Monday. She described the rehearsal as “extremely good” and said it produced “nothing untoward.”
“If it wasn’t for a pandemic, no one would think Zoom meetings were a good replacement for the real sittings in the House of Commons. But given we have the technology, this is a very good option and I think it’s working well,” she said in an interview with CBC.
As for the security concerns, May said the Commons’ procedure and house affairs committee will be studying the issue in the days ahead.
“I wouldn’t want the cabinet of Canada to meet using this platform. But these meetings are public meetings, so I’m not concerned about that aspect of it,” she said. “But ideally, I’d like us to be developing the most secure ways of communication.
“It is a subject for concern and for study to look at the security implications, bearing in mind we’re not transiting the work of Parliament to virtual meetings forever.”
PM, cabinet not using Zoom
While MPs and senators are pressing ahead with the new platform, security agencies in this country have warned against using Zoom for secret conversations among top government officials.
The Communications Security Establishment (CSE), the national foreign signals intelligence agency, said the platform has not been reviewed by the Canadian Centre for Cyber Security and so has not been approved for any government discussions that require any level of secrecy.
The Prime Minister’s Office confirmed Monday that the prime minister and cabinet ministers use other secure technology that “fully supports conversations at the appropriate classification level.” For privacy reasons, the PMO would not say which platform Prime Minister Justin Trudeau relies on for his calls.
The Senate also is using Zoom for public committee meetings. The chamber isn’t scheduled to reconvene until June 2 but its internal economy, budget and administration committee (CIBA) has relied on Zoom to conduct its business during the pandemic.
One such meeting was beset by translation issues — a problem that could prompt privilege concerns, since parliamentarians have a right to hear proceedings in their preferred official language. It also experienced technical glitches as microphones malfunctioned and random participants flashed on-screen even when they weren’t speaking.
To avoid Zoom-bombing incidents, the Senate has adopted “additional controls and appropriate mitigation strategies” to ensure the “safety and reliability” of public committee meetings.
Beyond security, one former Commons Speaker said the Zoom calls could devolve into a shouting match given the penchant for some MPs to heckle. With all 338 MPs on hand for a virtual sitting, it could become unwieldy, he said.
“It would be very difficult, I think, for the presiding officer on a television screen show of this kind to manage the disorder,” Peter Milliken said at a recent committee meeting.
“It’s going to be a very complicated process and not one I think is going to be terribly helpful,” he said.