Concerned about Zoom platform safety issues, PrivacyLx (Defend our Privacy Association) shares the content of the email sent to the National Center for Cyber Security on the 15th of May 2020, as no clarification or reply was given up to the date of publication.
Below is an English translation of the original email.
Dear Centro Nacional de Cibersegurança,
The unexpected outbreak of COVID-19, which spread in the form of a pandemic and led us to social confinement and teleworking, led us to look for solutions to maintain relations and communications with the outside world, including videoconferencing platforms. This is the scope that brought the growing adoption of the Zoom platform, raising serious concerns around Security and Privacy.
Concerned about security and privacy issues of video conferencing platforms, the PrivacyLx association (Defend our Privacy Association, NIPC 515584550) shows a certain apprehension with the inclusion of Zoom platform in the list of good practices (1) published on the V. website.
We are aware of the good intention of the National Center for Cyber Security, since the universe of users is wide and, being this the reality, they should do it in the safest way. However, we are concerned that the adoption of such measures transmits the feeling of security, even if false, namely:
the poor quality of encryption (2) and misleading advertising concerning the type of security (3);
alleged development practices similar to malware (4) (5);
the inclusion of undesirable and vulnerable user features (6);
the existence of zero-days from the last few months that have not been properly reported as CVEs.
In addition, the lack of respect for privacy is evident in the various examples, such as:
the sharing of personal data with third parties without the user’s knowledge (7);
the disproportion of data obtained from the user, such as attention monitoring (8) and click control (9).
We therefore share the concerns that have led several US entities to disapprove of the Zoom platform, such as: the Senate (10), the Department of Defense (11), the FBI (12), New York educational institutions (13) and the shareholders themselves - with accusations of fraud (14) and lawsuits (15); and as such, we believe that citizens should be assertively informed (16).
In conclusion, we propose to discourage the use of the Zoom platform and, as an alternative, the use of Jitsi (17), Big Blue Button (open source software) (18), easily integrated with Moodle (19), which is already correctly recommended in the list of good practices (1).
(1) «Boas práticas» ~Source: https://www.cncs.gov.pt/recursos/boas-praticas/
(2) «Move Fast and Roll Your Own Crypto» ~Source: https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
(3) «Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing» ~Source: https://theintercept.com/2020/03/31/zoom-meeting-encryption/
(4) «‘Zoom is malware’: why experts worry about the video conferencing platform» ~Source: https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing
(5) «Good Apps Behaving Badly: Dissecting Zoom’s macOS Installer Workaround» ~Source: https://www.vmray.com/cyber-security-blog/zoom-macos-installer-analysis-good-apps-behaving-badly/
(6) «Apple has pushed a silent Mac update to remove hidden Zoom web server» ~Source: https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/
(7) «Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account» ~Source: https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account
(8) «Using Zoom? Here are the privacy issues you need to be aware of» ~Source: https://protonmail.com/blog/zoom-privacy-issues/
(9) «Zoom is a work-from-home privacy disaster waiting to happen» ~Source: https://mashable.com/article/zoom-conference-call-work-from-home-privacy-concerns/
(10) «US Senate tells members not to use Zoom» ~Source: https://arstechnica.com/tech-policy/2020/04/us-senate-tells-members-not-to-use-zoom/
(11) «Concern over Zoom video conferencing after MoD bans it over security fears» ~Source: https://metro.co.uk/2020/03/25/concern-zoom-video-conferencing-mod-bans-security-fears-12455327/
(12) «FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic» ~Source: https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic
(13) «NY schools ban Zoom, adopt Microsoft Teams» ~Source: https://www.msn.com/en-in/finance/news/ny-schools-ban-zoom-adopt-microsoft-teams/ar-BB12dGjM
(14) «Zoom shareholder accuses executives of fraud over security practices» ~Source: https://www.cyberscoop.com/zoom-shareholder-accuses-executives-fraud-security-practices/
(15) «Zoom sued for overstating, not disclosing privacy, security flaws» ~Source: https://www.reuters.com/article/us-zoom-video-commn-privacy-lawsuit-idUSKBN21Q10V
(16) «What You Should Know About Online Tools During the COVID-19 Crisis» ~Source: https://www.eff.org/deeplinks/2020/03/what-you-should-know-about-online-tools-during-covid-19-crisis
(17) List of instances: https://ladatano.partidopirata.com.ar/jitsimeter/
(18) Big Blue Button: https://bigbluebutton.org/
(19) Moodle plugins directory: BigBlueButtonBN: https://moodle.com/certified-integrations/bigbluebutton/