National Post (National Edition)
Parliament should distance itself from this software
ZOOM, HOWEVER, HAS COME UNDER INCREASED SCRUTINY. — KLINE
In this era of social distancing, many have turned to videoconferencing as a means of staying in touch with friends, family and colleagues. And although it dragged its feet for quite some time, the House of Commons has now gone virtual, as well. But why is Parliament relying on a foreign company that’s selling a piece of software with a raft of known security issues, instead of finding a made-in-Canada solution that would allow us to protect our data and save taxpayer money?
On Tuesday, the full House convened for the first time over Zoom, the videoconferencing software that has become a household name during this pandemic, with its user base exploding from 10 million daily users in December, to 300 million today. Zoom, however, has come under increased scrutiny about its substandard security and lax privacy controls.
The company outright lied about using end-to-end encryption. We learned that it has access to decryption keys, meaning it can potentially snoop on conversations. A team from the University of Toronto found that the software was sometimes sending encryption keys through servers located in communist China, even if none of the participants in the call were from that country. And the term “Zoombombing” has entered the lexicon, with many meetings being spied on or actively disrupted by people spouting racism and displaying Nazi imagery.
A parliamentary spokesperson told CBC that the version of the software being used by the House has added security features and that most parliamentary proceedings are open to the public anyway, so privacy is less of an issue (cabinet meeting are being held using something else entirely).
Fair enough. But given that the FBI has warned teachers not to use Zoom and many companies — such as Daimler, Ericsson, SpaceX and Postmedia — and governments — including Germany, Taiwan and Singapore — have banned its use outright, it seems like Parliament should have had some reservations about it.
Much has been made in recent weeks about future-proofing Canada to withstand future crises by producing more supplies here at home. As I’ve written previously, this is problematic because protectionism doesn’t ensure we have adequate supplies of a given product and it’s impossible to predict exactly what we will need to meet the next emergency.
When it comes to software, however, it’s a different matter entirely, because there is a huge variety of free and open-source software packages available that are already powering much of the world’s critical infrastructure and can easily be adapted to Canada’s needs.
For the uninitiated, open source refers to software that is developed in the open and given away for free. It is often written by teams that can include many people, from unpaid volunteers, to employees of some of the world’s largest tech firms. Even if you’ve never heard of open source, chances are that you are running it, or using technology that is based on it.
A majority of websites run on open source. The open source Linux operating system is the basis for Google’s Android and Chrome OS systems, and powers a plethora of Internet of Things devices, from routers, to smart TVs, to home automation systems.
Another videoconferencing platform that’s seen a sharp increase in popularity is Jitsi. While it’s run by a company called 8x8, which offers free and paid plans, it’s also open source, meaning anyone can run a Jitsi server and anyone with enough knowledge can audit its source code to figure out exactly how it works and whether there are any potential security vulnerabilities.
The advantage of the government selecting open systems, like Jitsi, instead of proprietary ones, like Zoom, is that it would allow government to run all its systems in-house, instead of relying on foreign companies to transmit and store data.
It would also give government the ability to conduct security audits of its systems, which is much easier to do when you can see the code that a software package was built with, rather than trying to figure out how a black box works without being able to open it up.
And while there would be an initial cost to purchasing the necessary hardware and ensuring the government has the proper expertise to implement and maintain it, there would be significant savings for taxpayers in the long run, as the government would be able to stop paying for costly software licences.
Jitsi is already being used by such companies as WeSchool, an Italian firm that runs online classroom software that is being used by 500,000 educators and students during this crisis. And in February, the South Korean government began switching its desktops from Windows 7 to Linux, which it expects will save it significant sums of money in the future.
Security researchers have warned the government that Zoom is a “privacy disaster” waiting to happen. In order to protect our critical information technology infrastructure — especially that which is tasked with running our democratic institutions — from foreign interference and espionage, we need to seriously look at running these systems in Canada, with software we can trust.
Finding open-source solutions is the best way to go about doing that.