IT receive a lot of enquiries about the potential use of apps and similar software targeted at the consumer market. This has increased significantly over recent weeks as services come to terms with new ways of working during the present emergency. We take a cautious approach to our practice and advice around the use of this type of software as it is predominantly unregulated, generally insecure and does not comply with data protection legislation that the Council has to abide by. This has served us well in ensuring we maintain our accreditations and avoid enforcement action from our regulators. Our most recent advice issued around the use of the Zoom video conferencing application has today been backed up by the Digital Office for Scottish Local Government.
The Digital Office for Scottish Local Government has today (8th April 2020) issued the following recommendation:
RECOMMENDATION ON BANNING THE USE OF ZOOM ACROSS SCOTTISH LOCAL GOVERNMENT
Two weeks ago, the Digital Office released a brochure describing tools that could be used to assist remote working. One of these recommendations was the video conferencing application Zoom. Since then a number of news stories have circulated describing the privacy and security flaws in Zoom, and now a detailed technical analysis of the tool has shown serious vulnerabilities and poor programming practices (that will enable future vulnerabilities) in the Zoom installation. These include, but are not limited to:
- remote camera hijacking
- privilege escalation
- local web server installation that persists after uninstalling
- the redirection of calls via servers located in China for no identifiable reason.
Many NHS Scotland Boards and the Scottish Government have taken the decision to block Zoom at their firewalls and to ban the use of Zoom across their organisations. We recommend that Councils take the same action. Understanding that Zoom may already form a substantial part of your remote working practices, the following guidelines may be useful until another solution is able to take its place:
- Do not use the standalone Zoom client on corporate devices;
- Where possible, use the Zoom web application rather than the installed service;
- Do not use Zoom for Commercially Sensitive, Official Sensitive or discussions involving personal data;
- If you are not confident that colleagues can self-regulate the above point then ban completely.
At East Lothian Council, the IT Service issued formal advice on 1st of April and this still stands, the key points being:
- The Council will continue to restrict access to Zoom.
- We cannot vouch for the security of anything that is discussed in a Zoom session.
- Staff who need to participate in an externally-hosted Zoom meeting that is business-critical should discuss with their line manager and get them to raise a request for this via the IT Service Desk (by email if possible: email@example.com).
- Staff who need to participate in a Zoom meeting should ask the host to make the meeting available for web browser access as ELC computers do not have the Zoom client installed.
- The Council are not currently investigating procuring Zoom as a platform for staff to host meetings on. We advise that staff wishing to host an online conference should do so using Skype for Business.
- Skype for Business can be ordered through the IT Service Desk; there is a cost of £80 per user per annum. We require a valid finance code to charge this to, plus a list of the staff you want set up.
If you require further information, please contact the IT Service Desk (firstname.lastname@example.org).