On Tuesday of this week, Boris Johnson tweeted a picture of what he called the UK’s “first ever digital Cabinet”. That picture (copy below) shows that the Cabinet meeting was held using Zoom – the sort of video conferencing software which is currently popular with business users forced to work at home during the Covid19 pandemic.
As can be seen, the conference was run on a Microsoft platform (unsurprisingly) and it also clearly shows the zoom meeting ID in the top left of the picture.
Now Zoom is a US company funded almost entirely by venture capital. Its servers are US based. And whilst the company claims that its conferences are protected by end to end encryption, what it actually means is that the conference streams are protected by TLS between the end clients and the US based servers. Furthermore, what is not actually clear from the picture posted by our dear PM, is where all the end clients used by the 35 participants were located. I’d hazard a guess that not all of them were in what HMG would call “secure” locations.
So here we have a Cabinet meeting run over a completely unapproved video conferencing platform between 35 Ministers and Senior Officials using various clients in a number of locations. Well, at least they didn’t use Skype.
On the twitter feed, Stefan Simanowitz queried “You’ve just published the Cabinet’s Zoom ID number. Isn’t this a security risk?”. With all due respect to Mr Simanowitz, the bigger problem is the use of this platform at all. Someone, somewhere in No 10 or the Cabinet Office should be having an uncomfortable conversation with the Security Service.