Government and parliament were told by the intelligence agencies last week not to use the newly popular conference service Zoom for confidential business, amid fears it could be vulnerable to Chinese surveillance.
The quiet warnings to limit the technology came after the cabinet had used Zoom to hold a well-publicised meeting at the end of March, a decision that was defended at the time as necessary in “unprecedented circumstances”.
Parliament was advised last week by the National Cyber Security Centre, part of intelligence agency GCHQ, that Zoom should only be used for public business, in recent discussions about creating a virtual set up.
A parliamentary source said those involved were advised Zoom ought not be used for classified business and there was an explicit warning from NCSC “not use it to talk about things detrimental to the interests of China”.
But the warning was only shown to people directly engaged in the negotiations, and not shared more widely with MPs, including members of the foreign or other select committees who may want to conduct inquiries into China related matters.
Senior parliamentary figures were also told that Zoom is safe to use for public business, and the technology was this week used as part of the proceedings in the House of Commons, including at prime minister’s questions.
Zoom has exploded in popularity during the coronavirus lockdown as a tool for communication for both social and business purposes, and is now used globally by an estimated 300 million people a day.
Digital experts, The Citizen Lab in Toronto, Canada, warned about potential security risks in early April. Security keys, which are supposed to encrypt conversations “in some cases, are delivered to participants in a Zoom meeting through servers in China” it said in a special report published earlier this month.
Zoom said that the traffic was mistakenly routed through China. However, the government of Taiwan – a country not recognised by China – announced early this month that it would ban the use of products “such as Zoom” where there were security concerns.
The Citizen Lab said the popularity of the technology made it of “high priority interest to multiple governments” and would make “Zoom a high priority target for signals intelligence gathering and targeted intrusion operations”.
Zoom is based in California’s Silicon Valley, but it owns three companies in China that develop its software. The Citizen Lab said the structure allowed the company to lower its development costs, but added “this arrangement may make Zoom responsive to pressure from Chinese authorities.”
In response, Zoom has sought to beef up its security, releasing the new version 5 of its app with greater encryption and privacy controls, improving its encryption security and introducing controls to prevent “Zoombombing” where people have hacked into meetings – such as Alcoholics Anonymous sessions – to disrupt them.
A Whitehall source said that an alert about Zoom was circulated to government departments who were asked to pass it on to quangos, because of the concerns about whether China might be able to listen in.
But they complained that the warning was not always being taken sufficiently seriously in parts of Whitehall, although the video conferencing tool is currently permitted for meetings where no confidential matters are being discussed.
A government spokesperson said that “Zoom is being used for unclassified communications in government under unprecedented circumstance” but added: “Other services are in place for more sensitive communications.”
The availability of these more secure services was being increased to meet the demand of more civil servants having to work remotely, the spokesperson added.
Zoom was approached for comment but did not respond ahead of publication. At Thursday’s launch of the version 5 app, Eric Yuan, the company’s chief executive officer, said: “We will earn our customers’ trust and deliver them happiness with our unwavering focus on providing the most secure platform.”