UPDATED 22:06 EDT / APRIL 05 2020

SECURITY

More security and privacy concerns dog Zoom

The coronavirus pandemic of 2020 has seen an unprecedented switch to remote and online working, and video apps have seen a massive boom, most of all Zoom Video Communications Inc., which has surged to the top of app charts. But over the weekend, even more security and privacy concerns surfaced for the company.

The latest security drama involving Zoom is a report from The Citizen Lab that the company was routing videoconferencing calls through mainland China. That by itself may not be a major concern except that the encryption keys used to protect the calls were also issued by servers in mainland China.

“The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants and the Zoom subscriber’s company, are outside of China,” The Citizen Lab noted.

The link to China is described as Zoom outsourcing much of its software development through three companies that employ at least 700 people. Though ostensibly a stretch and arguably irrelevant since outsourcing isn’t a crime, The Citizen Lab said Zoom does so to “avoid paying U.S. wages while selling to U.S. customers, thus increasing their profit margin.”

The ongoing security concerns with Zoom have also prompted some school districts to ban the use of the company’s service. New York City and Clark County in Nevada have banned or disabled Zoom because of security and privacy worries, while others such as Washington state’s Edmonds School District and Utah’s Alpine School District are rethinking their use, according to Engadget.

Zoom Chief Executive Officer Eric Yuan apologized for the privacy issues April 2, saying in a blog post that the company would freeze future development for 90 days to focus on enhancing security and privacy for users.

Unfortunately for Zoom and its users, security and privacy issues have kept coming, including a report April 1 on several vulnerabilities in Zoom’s desktop apps that could be exploited by hackers.

“Zoom’s daily users have increased almost 2,000% in the past four months,” Chris DeRamus, chief technology officer and co-founder of cybersecurity company DivvyCloud Corp., told SiliconANGLE. “However, this rapid adoption of Zoom has unearthed the discovery of personal Zoom videos left viewable on the open web, discoverable through simple online searches. With personally identifiable data as well as work and intimate conversations exposed, bad actors now have the ability to exploit this information and launch phishing attacks or other scam campaigns against Zoom users.”

Companies with hundreds of millions of global customers must have stringent security measures in place, he added. “Every saved recording must require a unique file name that is not identical to any other recording, especially given that these files can be saved openly on the web in misconfigured public storage buckets,” he said. “Negating necessary security steps will put the personal privacy and sensitive data of Zoom’s users at risk.”
