On Tuesday, Taiwan’s executive branch issued the advisory, which is also directed to “specific non-government agencies.” In response, Taiwan’s education ministry has banned local schools from using Zoom.
The advisory doesn’t spell out what security and privacy concerns the government has with Zoom. But in the US, the product has faced a wave of hijacking attempts from pranksters, online trolls, and racists out to infiltrate people’s video sessions. At the same time, security researchers have been uncovering vulnerabilities in the product that could be abused to hack a user.
Last Friday, watchdog group Citizen Lab also published a report that says Zoom will sometimes store the encryption keys to video sessions in servers based in China, which is trying to reunify with Taiwan. Ideally, the encryption keys should be stored on your smartphone or laptop, which can prevent the provider or law enforcement from decrypting your messages. But in Zoom’s case, the company is not only holding on to the keys, but also exposing them to potential control from the Chinese government, which has the power to seize the servers in Beijing.
In Zoom’s defense, the San Jose-based company says it mistakenly sent the encryption keys for North American users to the Beijing servers. The recent flood of user traffic due to the coronavirus pandemic prompted Zoom to add more network capacity, starting in China.
“In that process, we failed to fully implement our usual geo-fencing best practices,” Zoom CEO Eric Yuan said last Friday. “As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect. We have since corrected this.”
Whether Taiwanese users are getting their encryption keys sent to China remains unclear. Zoom did not immediately respond to a request for comment. But it’s certainly possible, given the island’s proximity to the mainland.
Taiwan’s government is clearly concerned. In 2019, the island implemented new rules on data security to protect its critical communications infrastructure.
“The act stipulates that all organizations introducing information and communication systems should not utilize goods or services that raise data security concerns,” Taiwan’s executive branch said in today’s advisory. “In addition, procurement priority should focus on domestically produced goods and services, or those from government-contracted suppliers.”
If government agencies must settle on a foreign product for video conferencing, Taiwan’s executive branch is recommending they consider services from Google and Microsoft and evaluate them for any security risks. Taiwan’s education ministry is also telling educators to consider using Microsoft Teams, Google Hangouts, or Cisco Webex to hold meetings during the ongoing pandemic.