A word of caution over online security as you turn to tech for business
Scottish Business Insider May 2020
IN THE DYSTOPIAN DISASTER MOVIE in which we are all currently trapped, many of us are working from home. Offices languish empty and staff do as much as possible from their own computer, collaborating on reports and proposals with their colleagues, logging on remotely to their office systems, and attending meetings via videoconferencing technology.
Until relatively recently, none of this would have been possible. But the last few years have seen the rapid growth of highly effective tools for collaborative working, and improved internet bandwidth has allowed us to routinely join virtual meetings.
The big winner in this changed world is Zoom, a videoconferencing system that is so easy to use that it has been widely adopted by organisations large and small – from family virtual ‘get-togethers’ and company meetings up to, reportedly, sessions of the British Cabinet. It has suddenly become one of the backbones of today’s dysfunctional economy. At a time of universal plunging stock prices, theirs has more than doubled.
Innovation is vital right now. Yet even when new treatments are urgently needed, we all accept that any new medical developments will be thoroughly checked before they can be deployed, a process that involves extensive testing and trials.
But that is not the way that Silicon Valley works. Zoom is driven, like most in the Valley, by the ‘move fast and break things’ approach.
Technical specialists have criticised a variety of Zoom’s security and privacy failures, declaring the company ‘sloppy’ on security. The company’s response has been to fix breaches only when they are exposed by others, but not to explain or apologise.
Until last year, when you loaded Zoom on your computer it installed a tiny web server which lacked even basic security features, opening you to attack from anywhere. Apple actually put this on its ‘malicious software’ list.
Zoom has always claimed ‘end to end’ encryption but has been forced to admit that in many circumstances, such as when one participant is joining from a mobile phone, sessions can be unprotected.
On 30th March, a lawsuit was filed in California contesting Zoom’s undeclared practice of sending key data about its users to Facebook, and on the same day New York’s Attorney General sent a formal letter asking the company to detail the processes by which it manages security risks.
Such security flaws are extremely serious if organisations are relying on Zoom to keep corporate discussions secret, up to and including the confidential discussions of the British Cabinet.
Zoom is not unusual in these failures. Silicon Valley has a reputation for being slapdash when it comes to security.
As company executives have suddenly left their offices to work from home, they have also often left behind the security features inherent within their corporate IT systems.
It is well known that Chinese and Russian authorities routinely scan the internet seeking to grab any unprotected information.
It is a reasonable assumption that the Chinese are currently having a field day collecting huge amounts of secret corporate and government information now stored on individuals’ domestic laptops and tablets.
Gordon Jackson QC was unbelievably indiscreet on the Glasgow-Edinburgh train when he spoke openly about the Alex Salmond case and disclosed the names of two of the claimants, contrary to court direction. If he had just looked around, he should have realised that he could easily be overheard in an open train carriage.
Many of us, in our confidential meetings held via Zoom, will have a much stronger expectation that our discussions are private.
Those assumptions may not be correct.