24 December 2020
Zoom, the video conferencing software operated by Zoom Video Communications Inc., has experienced a huge surge in users since the COVID-19 pandemic began.
As a relatively new player in the telecommunications market, Zoom has been hit by a flurry of controversies and allegations in recent months. Although it's undeniably user-friendly and convenient, some are questioning whether Zoom is a secure enough platform for private conversations.
Whether you're using Zoom to hold staff meetings, serve your clients, or chat with your grandma, it's important to be aware of the privacy and security risks of using Zoom and how to mitigate them.
Before we talk about how to securely set up and use Zoom, it's important to establish the nature of some of Zoom's alleged security issues.
One of Zoom's most notorious security issues is so-called "Zoom-bombing."
Zoom-bombing occurs when an uninvited participant intrudes on a Zoom meeting that has not been password protected. It can lead to the video, audio, text, or files shared during the meeting becoming compromised.
Zoom-bombing works when an intruder generates a valid Zoom ID for a private meeting. The Zoom ID is a nine-11 digit number allocated to each Zoom meeting. Cybercriminals and trolls have figured out how to "guess" these numbers by brute force and other methods.
Since the COVID-19 lockdown began, Zoom-bombers have invaded meetings hosted by organizations such as the FBI and the University of Southern California, which complained of "racist and vile" messages being posted during online classes.
Zoom's data-sharing practices have come under scrutiny recently, particularly since Zoom users initiated a class-action lawsuit against the company alleging breaches of the California Consumer Privacy Act (CCPA).
Zoom's data-sharing issues came to light when it was revealed that Zoom's iOS app shared data including browser version, advertising ID, and time zone with Facebook whenever users logged into Zoom, regardless of whether they had a Facebook account.
The class-action against Zoom has yet to be heard, but if successful, it could end up costing Zoom hundreds of millions of dollars in damages.
Zoom has long claimed to protect meeting data using "end-to-end encryption." This data protection technique ensures that data can only be understood by its intended recipient.
However, in March 2020, online publication The Intercept revealed that Zoom does not actually support end-to-end encryption, but instead uses transport encryption. While this form of encryption adequately protects data in transport, it does not prevent Zoom itself from viewing meeting data.
Zoom claims to have been using the term "end-to-end encryption" differently from how it is commonly understood. But this definition has been characterized as misleading by some cryptography experts.
You may ask if these security issues are actually an issue. Perhaps you wouldn't really care even if someone did intercept your Zoom conversations.
After all, Zoom is being used by all manner of major businesses, schools, and public bodies. How bad can the security issues really be?
Whether you think these security issues really matter is a judgment call for your business. Bear in mind, though, that you're legally obliged to protect the personal information of your customers, clients, and employees.
Personal information is any information capable of being identified with a living individual. It includes information such as names, contact details, and even anecdotal information or opinions about others.
Person information is protected by law. Disclosing personal information via Zoom or any other platform is a legally-regulated activity. This includes whether you're disclosing personal information via audio, video, text, or by exchanging files.
Given the nature of your business and your purposes for using Zoom, this software may represent a sufficiently secure platform. If you're willing to take a risk with personal information (however small), you must take steps to minimize that risk, and you must be transparent.
If you do decide that Zoom is the right platform for your business, you can take certain steps to make it as secure as possible.
Enter your email address where you'd like your policy sent, select translation versions and click "Generate."
Relevant privacy laws that would require this disclosure include:
Any business covered by one of the above laws should be explaining how it shares personal information with other businesses, and explaining its reasons for doing so.
Boxcryptor also provides its legal (lawful) basis for processing personal information under the DSGVO, the implementation of the GDPR that applies in the German state of Berlin. This is important for any company with customers, clients, or employees in the EU or the UK.
Here's another example, from marketing company Amy Hall:
Amy Hall provides less detail than Boxcrytor, simply listing Zoom among several of the company's service providers.
Whenever feasible, you should password protect your Zoom meetings to prevent uninvited guests.
You can find this option when scheduling a meeting using Zoom's browser-based web app:
You can use the default password, or choose a longer one that's harder to crack.
Use Zoom's "Waiting Room" feature to ensure your meeting room remains invitation-only.
Since March 2020, the "Enable Waiting Room" setting is enabled by default. It's strongly recommended that you keep it that way.
On the Zoom desktop app, this setting lives under the "Security" tab on the main screen:
When using the Zoom mobile app, you can toggle "Waiting Room" in the "Meeting Settings" menu:
Once all invited participants have entered your Zoom meeting, you should lock the meeting as an additional security measure.
You can do this by selecting "Lock meeting" from the "Security" tab at the bottom of the main Zoom application window:
When using the Zoom mobile app, you can toggle "Lock Meeting" in the Meeting Settings" menu:
The host of a Zoom meeting should have a clear purpose for the meeting in mind. Unless it's necessary to transfer files using the Zoom client itself, you should disable the "File transfer" setting by default.
You'll find the "File transfer" setting in the "In Meeting (Basic)" section of the "My Settings" menu in Zoom's web app:
Disabling this setting prevents the possibility of any user sending unnecessary personal information or malicious files to the meeting participants.
As further protection against the malicious actions of Zoom-bombers, you should prevent participants from sharing their screens unless it's necessary for them to do so.
You'll find the "Screen sharing" settings in the "In Meeting (Basic)" section of the "My Settings" menu in Zoom's web app:
Ensure your Meeting ID and password are only made available to the intended meeting participants. Do not share these details on social media, or allow participants to do so.
Despite a few controversies, Zoom is a relatively secure platform and suitable for most non-sensitive contexts. Also, the company is continually taking steps to ensure it improves its security based on user feedback (and lawsuits!).
Here are some steps you can take to help ensure your Zoom meetings are secure and compliant with privacy law: