Stop Using Zoom, Second Warning
By: Denise Simon | Founders Code
The first warning came last March.
March: As remote work surges amid the coronavirus pandemic, the FBI issued a public bulletin Monday warning that Zoom and other video teleconferencing services may not be as private, or as secure, as users assume.
Use of Zoom and similar services has exploded in recent weeks as companies, schools, governments, and individuals increasingly turn to teleconferencing to keep businesses and classrooms afloat while sheltering in place or working from home. However, the shift also represents an opportunity for attackers, as white supremacists, hackers and other trolls barge into digital meetings, a phenomenon known as “Zoombombing.”
In Massachusetts, there have been several incidents, including an unintended participant joining a high school’s virtual classroom only to yell profanities and reveal personal information about the teacher, according to the FBI. Another unwelcome participant with swastika tattoos joined a separate Massachusetts school’s Zoom meeting, the FBI reports.
“The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language,” the FBI cautioned. “As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts.”
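The incidents the FBI describes share one precondition: a meeting that anyone holding the ID can walk into. The bulletin's own advice was to require a passcode or a waiting room and to keep links off public social media. The following is an added example, not code from the article or from Zoom, that audits a batch of scheduled meetings for exactly those settings. It runs offline on constructed meeting objects shaped like the JSON Zoom's GET /v2/meetings/{meetingId} returns; the field names it reads (password, settings.waiting_room, settings.join_before_host, settings.meeting_authentication, settings.use_pmi) are this example's assumption about that shape and should be checked against the current API reference before the audit is pointed at a real account.

```python
"""Audit scheduled Zoom meetings for the settings that let uninvited people in.

Added example, not code from the article or from Zoom. The sample meetings
below are constructed, and the field names are an assumption about the shape
of GET /v2/meetings/{meetingId} responses.
"""

# Constructed sample data: three meetings as a scheduler might hold them.
SAMPLE_MEETINGS = [
    {
        "id": 1112223334, "topic": "Period 3 algebra (link on the public class site)",
        "password": "",
        "settings": {"waiting_room": False, "join_before_host": True,
                     "meeting_authentication": False, "use_pmi": False},
    },
    {
        "id": 4445556667, "topic": "Leadership sync",
        "password": "Tq7vbK",
        "settings": {"waiting_room": True, "join_before_host": False,
                     "meeting_authentication": True, "use_pmi": False},
    },
    {
        "id": 7778889990, "topic": "Office hours",
        "password": "hours",
        "settings": {"waiting_room": True, "join_before_host": False,
                     "meeting_authentication": False, "use_pmi": True},
    },
]


def audit_meeting(meeting: dict) -> list[str]:
    """Return the names of the controls this meeting fails."""
    s = meeting.get("settings") or {}
    failed = []
    if not meeting.get("password"):
        # With no passcode, the nine-to-eleven-digit meeting ID is the only secret.
        failed.append("no_passcode")
    if not s.get("waiting_room", False):
        # The waiting room is what lets a host vet a joiner before they are in the call.
        failed.append("no_waiting_room")
    if s.get("join_before_host", False):
        # Attendees alone in a room cannot remove a disruptive joiner.
        failed.append("join_before_host")
    if not s.get("meeting_authentication", False):
        # Anonymous joiners leave no account to suspend or trace.
        failed.append("no_authentication")
    if s.get("use_pmi", False):
        # The personal meeting ID never rotates: one leaked screenshot exposes every future meeting.
        failed.append("uses_pmi")
    return failed


def risk_level(failed: list[str]) -> str:
    """A meeting with neither passcode nor waiting room is open to anyone with the ID."""
    if "no_passcode" in failed and "no_waiting_room" in failed:
        return "open"
    return "weak" if failed else "hardened"


def audit_all(meetings: list[dict]) -> dict[str, tuple[list[str], str]]:
    """Map meeting ID -> (failed controls, risk level) for a batch of meetings."""
    report = {}
    for m in meetings:
        failed = audit_meeting(m)
        report[str(m["id"])] = (failed, risk_level(failed))
    return report


if __name__ == "__main__":
    for meeting_id, (failed, level) in audit_all(SAMPLE_MEETINGS).items():
        print(f"{meeting_id}: {level:8s} {', '.join(failed) or 'all controls present'}")
```

Requiring sign-in raises the cost of a disruption but does not end it: the complaint quoted later in this post describes accounts created specifically to join and wreck calls, so a waiting room and a host who is actually present remain the controls that matter.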
It’s not just private businesses and children whose meetings could be Zoombombed. Privacy and security issues in conferencing software may also pose risks to national security, as world leaders convene Zoom meetings. In some cases, world leaders such as U.K. Prime Minister Boris Johnson have shared screenshots of their teleconferencing publicly only to reveal Zoom meeting IDs, raising concerns that sensitive information could be compromised. More here.
Stupidly, government officials at all levels are using Zoom including the Biden presidential team. How dangerous is that? Those officials are not reading the warnings or the news? Yeesh.
For more proof, again this month…
Justice Department/December 2020: China-Based Executive at U.S. Telecommunications Company Charged with Disrupting Video Meetings
It is not only the U.S. that is sounding the warnings. The Telegraph reports warnings that “opportunistic criminals” (a formulation that’s practically redundant), can be expected to use bogus invitations to sessions in their social engineering efforts.
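The two exposure paths above, a meeting ID leaked in a published screenshot and a bogus invitation pushed at a target, can be caught with the same pattern matching. This is an added example, not code from the article or from Zoom: it scans outgoing text (a caption, a tweet draft, a mail body) for Zoom join links, bare meeting IDs and passcodes, decides whether each link's host is genuinely Zoom or a lookalike, and offers a redaction pass for anything about to be published. The sample text, its meeting ID and the lookalike domain are constructed for the example; the list of genuine Zoom host suffixes (zoom.us, zoomgov.com) is an assumption to maintain for your own environment.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts that genuinely serve Zoom join links. Vanity URLs such as
# company.zoom.us are subdomains of these; anything else that merely contains
# the word "zoom" is treated as a lookalike.
GENUINE_ZOOM_SUFFIXES = ("zoom.us", "zoomgov.com")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
# Join paths Zoom issues: /j/<id> (web), /wc/<id>/join (web client), /s/<id>
JOIN_PATH_RE = re.compile(r"^/(?:j|s|wc)/(\d{9,11})(?:/join)?/?$")
# The ID as it appears in invite text or a screenshot: "Meeting ID: 123 456 7890"
MEETING_ID_RE = re.compile(r"Meeting ID:\s*(\d[\d \-]{7,13}\d)", re.I)
PASSCODE_RE = re.compile(r"Passcode:\s*(\S+)", re.I)


def host_is_genuine(host: str) -> bool:
    """True only for zoom.us / zoomgov.com or a subdomain of them."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in GENUINE_ZOOM_SUFFIXES)


def _looks_like_join_link(url: str) -> bool:
    parsed = urlparse(url)
    return "zoom" in parsed.netloc.lower() or JOIN_PATH_RE.match(parsed.path) is not None


def scan_invite_text(text: str) -> list[dict]:
    """List every Zoom identifier in text, with a verdict on each join link's host."""
    findings = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        if not _looks_like_join_link(url):
            continue
        parsed = urlparse(url)
        path = JOIN_PATH_RE.match(parsed.path)
        findings.append({
            "kind": "join_link",
            "value": url,
            "host": parsed.hostname,
            "meeting_id": path.group(1) if path else None,
            # A ?pwd= parameter carries the passcode, so a genuine link is itself the credential.
            "embeds_passcode": "pwd=" in (parsed.query or ""),
            "verdict": "genuine_host" if host_is_genuine(parsed.hostname) else "lookalike_host",
        })
    for m in MEETING_ID_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(1))
        if 9 <= len(digits) <= 11:
            findings.append({"kind": "meeting_id", "value": digits, "verdict": "exposed"})
    for m in PASSCODE_RE.finditer(text):
        findings.append({"kind": "passcode", "value": m.group(1), "verdict": "exposed"})
    return findings


def redact_for_publication(text: str) -> str:
    """Strip join links, meeting IDs and passcodes before caption text goes public."""
    text = URL_RE.sub(lambda m: "[zoom link removed]" if _looks_like_join_link(m.group(0)) else m.group(0), text)
    text = MEETING_ID_RE.sub("Meeting ID: [removed]", text)
    text = PASSCODE_RE.sub("Passcode: [removed]", text)
    return text


# Constructed sample: a caption someone is about to post, plus a line from a phishing mail.
SAMPLE_TEXT = (
    "First ever digital cabinet this morning. Meeting ID: 123 456 7890 "
    "Join: https://us02web.zoom.us/j/1234567890?pwd=ZXhhbXBsZQ Passcode: tq7vbK\n"
    "Phishing lure seen later: https://zoom.us.meet-update.example/j/1234567890\n"
)

if __name__ == "__main__":
    for finding in scan_invite_text(SAMPLE_TEXT):
        print(finding)
    print(redact_for_publication(SAMPLE_TEXT))
```

Note that the genuine link in the sample is the more dangerous leak: its pwd parameter embeds the passcode, so publishing the link gives away both halves of the credential, while the lookalike host is the tell for a phishing invitation regardless of what ID it carries.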
A security executive with the video-tech giant Zoom worked with the Chinese government to terminate Americans’ accounts and disrupt video calls about the 1989 massacre of pro-democracy activists in Tiananmen Square, Justice Department prosecutors said Friday.
The case is a stunning blow for Zoom, one of the most popular new titans of American tech, which during the pandemic became one of the main ways people work, socialize and share ideas around the world. The California-based company is now worth more than $100 billion.
But the executive’s work with the Chinese government, as alleged by FBI agents in a criminal complaint unsealed Friday in a Brooklyn federal court, highlights the often-hidden threats of censorship on a forum promoted as a platform for free speech. It also raises questions about how Zoom is protecting users’ data from governments that seek to surveil and suppress people inside their borders and abroad.
Prosecutors said the China-based executive, Xinjiang Jin, worked as Zoom’s primary liaison with Chinese law enforcement and intelligence services, sharing user information and terminating video calls at the Chinese government’s request.
Jin monitored Zoom’s video system for discussions of political and religious topics deemed unacceptable by China’s ruling Communist Party, the complaint states, and he gave government officials the names, email addresses, and other sensitive information of users, even those outside China.
Jin worked also to end at least four video meetings in May and June, including video memorial calls with U.S.-based dissidents who’d survived the crackdown by Chinese military forces that killed thousands of students and protesters. The Chinese government works to censor any acknowledgment of the massacre, including on social media outside China.
A Zoom spokesperson said in a statement Friday that the company has cooperated with the case and launched its own internal investigation. Jin, the company said, shared “a limited amount of individual user data with Chinese authorities,” as well as data on no more than 10 users based outside China. Jin was fired for violating company policies, the statement said, and other employees have been placed on administrative leave until the investigation is complete.
In an updated statement on Zoom’s website, the company said it “fell short” by terminating the meetings instead of only blocking access to participants in China, to abide by Chinese law. The company said it has reinstated the victims’ accounts and will no longer allow requests from the Chinese government to affect users outside mainland China.
“As the DOJ makes clear, every American company, including Zoom and our industry peers, faces challenges when doing business in China,” the company said in its statement. “We will continue to act aggressively to anticipate and combat ever-evolving data security challenges.”
Jin could not be reached for comment. Though Jin lives in China and is not in U.S. custody, officials said he could be transferred to the United States to face prosecution if he travels to a country that has an extradition treaty with the U.S.
A spokesperson for the Chinese embassy in Washington did not respond to requests for comment.
Human-rights activists this summer said their Zoom accounts had been abruptly terminated shortly before or after they’d hosted video calls commemorating the 31st anniversary of the Tiananmen Square protests, a bloody crackdown captured in the iconic photo of a man standing in front of a Chinese tank.
Zoom said in a statement then that the company “must comply with laws in the countries where we operate.” While the company said it regretted “that a few recent meetings with participants both inside and outside of China were negatively impacted,” the statement said it was not in the company’s power “to change the laws of governments opposed to free speech.”
Zhou Fengsuo, a student leader during the Tiananmen Square protests who had his paid Zoom account terminated this summer, told The Washington Post on Friday that he had worked with the FBI on the case and saw the charges as “tremendous news.”
“It’s so eye-opening to me how this U.S. company, having this connection, would report directly to” the Chinese Communist Party and “disrupt our meetings regularly on behalf of the CCP,” he said. “This executive was working for the government and police as an agent of persecution, and Zoom was paying this guy for doing that job.”
Prosecutors charged Jin, also known as Julien Jin, with conspiracy to commit interstate harassment and to transfer a means of identification. Jin, 39, had worked at the company since 2016, most recently as a “Security Technical Leader,” the complaint said.
Quoting from electronic messages between Jin and other Zoom employees, FBI agents outlined a months-long, high-pressure campaign by China’s “Internet Police” to view users’ video calls and suppress unwanted speech. In one April message, Jin said he had been summoned to a meeting with Chinese government officials who demanded that Zoom develop the capability to terminate any “illegal meeting” within one minute. In others, Jin sent meeting passwords and other sensitive internal data directly to Chinese law enforcement.
In the complaint, FBI agents said that Zoom employees in the U.S. had agreed to a Chinese government “rectification” plan that entailed migrating data on roughly 1 million users from the U.S. to China, thereby subjecting it to Chinese law. Zoom also agreed, the complaint states, to provide “special access” to Chinese law enforcement and national security authorities. In one message cited in the complaint, Jin wrote that the authorities had wanted him to share detailed lists of the company’s “daily monitoring” of “Hong Kong demonstrations, illegal religions” and other subjects.
To terminate the Tiananmen Square calls, the complaint alleges, Jin’s co-conspirators fabricated evidence that they were intended to discuss child abuse, racism, terrorism, and violence. Jin’s co-conspirators also entered some calls with fake accounts that used pornographic or terrorist-related profile images, and Jin pointed to those images as evidence to terminate the meetings and suspend the hosts’ accounts.
John Demers, the assistant attorney general for national security, said the firm had, like many others that do business in China, put itself in a difficult position by operating in an authoritarian country whose laws and practices often “run antithetical to our values.”
“The company was focused on complying with Chinese law and the expectations of Chinese law enforcement,” Demers said. “But what happened over time is those expectations increased. So it goes from, ‘Well, respond to our lawful requests,’ to ‘You must take action within a minute to shut down any action on your platforms’ – not just in China, but outside – that hits upon topics of sensitivity to the Chinese government.”
That pressure, he noted, spans many industries: He cited the controversy last year involving the National Basketball Association, in which the general manager of the Houston Rockets tweeted in support of Hong Kong protesters, leading to a backlash in China.
“The case is an illustration of the choices that companies are forced to make when they do business in China . . . [and] how the Chinese government will take advantage of the leverage they have over you to push their agenda,” he said. “You’ve got a consistent pattern of the Chinese government using economic leverage – the opportunity to access markets, foreign investments – in order to further political goals.”
John Scott-Railton, a researcher at the Citizen Lab in Toronto, said the filing showed how authoritarian governments have increasingly looked at major tech companies as top-priority intelligence targets ripe for infiltration and recruitment.
He pointed to another case last year against two former Twitter employees charged with spying on behalf of Saudi Arabia, including by sending the personal information of thousands of people, including Saudi critics and prominent dissidents.
The charges were announced on the same day that the Trump administration added four Chinese companies to the Commerce Department entity list for enabling human rights abuses within China by providing DNA-testing materials or high-technology surveillance equipment to the Chinese government. They were among 59 Chinese companies Commerce added to its export control entity list, including companies that have been accused of stealing trade secrets and using U.S. exports to support the Chinese military.
Zoom has faced questions before about how it guards against the potential misuse of video data by the Chinese government, which censors major news and social media websites beneath what’s known as a “Great Firewall.”
This spring, Scott-Railton and another researcher found the company had routed American users’ data through Chinese servers, potentially opening it to Chinese-government data requests. The company later said it had “mistakenly” sent American video calls to Chinese data centers amid a flood of calls.
Zoom employs more than 2,500 people around the world, including, as of last year, more than 500 in China who develop the software installed on computers around the world.
The company’s billionaire chief executive, Eric Yuan, was born in China but moved to Silicon Valley in the late ’90s, where he worked for the video start-up WebEx before founding Zoom in 2011.
The Federal Trade Commission last month reached a settlement with Zoom under which the company agreed to new security requirements, resolving allegations that it had misled users about its data privacy and encryption measures.
Questions over business dealings in China have become more commonplace as a new wave of Chinese tech start-ups has gained international popularity and acclaim. TikTok, the wildly popular short-video app owned by the Beijing-based tech company ByteDance, drew suspicions of censorship from users last year because searches on the site related to topics suppressed by the Chinese government, such as the Tiananmen Square massacre or the Hong Kong pro-democracy protests, showed few or no videos.
Internal guidelines for the site also mimicked Chinese-government censorship policies, and former employees for the company told The Post last year that key content-moderation decisions for international users were made in China. TikTok has said it has worked in recent months to distance its U.S. operations from the company’s Chinese headquarters.
Wang Dan, a Chinese dissident whose Zoom call on Tiananmen Square was also disrupted this spring, said the case showed how China could threaten free expression for people in the West.
“Interfering with the freedom of speech of those who have settled and lived in the United States in exile is . . . a serious attack to American sovereignty,” he told The Post on Friday. “The American people should also pay more attention to the [Chinese Communist Party’s] threat of American democracy.”