Major ISO accreditation bodies and registrars continue to promote the use of Zoom video conferencing software for remote auditing despite growing concerns that the software places users at significant risk for loss of confidential data, and violations of laws.
In response to the rapid spread of the coronavirus, ISO bodies have refused commonsense calls to stop auditing until the pandemic subsides, and instead are pressing for “remote audits” conducted through Zoom and other apps. At the same time, however, Zoom has been at the center of over a year of privacy and security scandals, which are likely to result in multiple international lawsuits against the company.
Zoom Risks and Violations
In 2019, the software was found to have a vulnerability that would allow hackers to access a user’s webcam. The software continued to have multiple security flaws, but nevertheless continued to grow, largely due to its easy user interface and its ability to obscure a user’s background during calls. Now, however, far more serious concerns have been revealed.
Despite claiming end-to-end encryption in its marketing and in an official security white paper, Zoom officials finally admitted the software did not provide such encryption at all, all but ensuring the company will be sued for fraud.
Coming on the heels of this damning revelation, Zoom was found to be leaking information on its users, in violation of privacy laws such as the UK’s GDPR. In addition, it is now reported that Zoom was leaking information to Facebook and LinkedIn without the users’ knowledge.
Forbes Magazine has reported that the Zoom software “sometimes” sends its encryption keys to China without the user’s permission.
Finally, the trend of “zoombombing,” where anyone can guess the Zoom web feed of a given client and join the chat without permission to harass, troll or threaten the attendees, has gone viral. The practice has resulted in the US Federal Bureau of Investigation issuing warnings against the use of Zoom.
The company is involved in at least one class action lawsuit, and at least one criminal investigation by an Attorney General in the United States.
Now major companies, including SpaceX, have banned the use of Zoom entirely.
The Guardian newspaper reported an associate computer science professor at Princeton University has branded Zoom as “malware.”
ISO Oversight Bodies Ignore Risks
These facts have not stopped organizations such as UKAS, BSI, Platinum Registrations, and Bureau Veritas from urging clients to use Zoom during remote auditing. Ironically, ISO 9001 audits aim to enforce “risk-based thinking” while the bodies appear to have done no risk analysis on the use of video conferencing software prior to requiring it of clients. By this measure, the organizations would fail their own audit criteria.
In the case of IAF accreditation bodies such as UKAS and ANAB, these organizations have moved their own assessment activities to “100% online,” using Zoom and other insecure apps, in order to protect their auditors and staff. These bodies have refused, however, to allow certification bodies to do the same, and are still demanding that such auditors conduct a portion of audits on-site.
Oxebridge has previously written that the use of Zoom, as well as nearly every other major video conferencing platform, will nearly always result in felony violations of US export control laws, such as ITAR and EAR. The various bodies have continued to push for remote auditing using these platforms, without concern for exposing their clients to felony arrest for accidental export of US controlled technical data and trade secrets.
Oxebridge has called on the industry to invoke a one-year extension of all ISO certifications and accreditations, and to cease all auditing to allow the pandemic to resolve and for companies to get back into operations. The IAF and industry organizations have refused, opting instead to ignore the safety risks and press for untested remote auditing techniques, in order to continue billing clients.
Both BSI and UKAS have published white papers on remote auditing that endorse the use of Zoom.
Officials from BSI and UKAS did not respond to requests for comment on their positions regarding Zoom.