Zoom security

Zoom has allowed many organisations to continue to function in this unprecedented time. However, the platform has also faced a lot of criticism for its security vulnerabilities. The use of any online technology forces us to weigh up security and privacy concerns versus usability and user experience.

We can address some of the most common concerns that you might have about adopting Zoom in your organisation…

We have concerns over the robustness of Zoom’s Data Policy…

Zoom updated its privacy policy, specifying that user data is not sold and that meeting content is not observed or monitored.

https://blog.zoom.us/wordpress/2020/03/29/zoom-privacy-policy/

Zoom has employed an ‘attendee attention tracking’ feature which allows the meeting host to see if a user has moved away from the Zoom window on their device…

Zoom permanently removed the attendee attention tracker feature on 2nd April 2020.

https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

We’ve heard about “Zoom Bombing”, where somebody not invited to a meeting joins and, in extreme cases, shares inappropriate content…

Zoom has changed its platform-wide defaults so that all meetings have a password and a waiting room enabled. This ensures that only people who have the meeting ID and password (or the exact join link) can reach the meeting, and even then they must be admitted by the host.

https://zoom.us/docs/en-us/privacy-and-security.html

There have been reports of a vulnerability through which Macs running Zoom can be taken over…

Zoom has released fixes for all Mac-related ‘bugs’ to prevent this from happening, and encourages the wider internet community to report concerns so that they can be fixed.

https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

Zoom can’t scale both safely AND quickly…

On 7th May 2020, Zoom acquired Keybase – a secure messaging and file-sharing service – allowing it to integrate Keybase’s technology as soon as possible and strengthen its in-house security capability.

https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keybase-and-announces-goal-of-developing-the-most-broadly-used-enterprise-end-to-end-encryption-offering/

Claims that Zoom is End-to-End encrypted have been challenged…

Zoom offered clarity around encryption. Calls between Zoom clients are encrypted; however, if a call leaves the Zoom platform, for instance when a participant dials in over an ISDN phone line, Zoom cannot control the encryption of that leg of the call.

https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/

Zoom uses Chinese servers. In theory, this would give the Chinese Government the ability to request access to content…

Zoom users outside of China are no longer routed through servers in China. Users also have the ability, within their settings, to pick which regional data centres they do or do not use.

https://support.zoom.us/hc/en-us/articles/204758419-New-Updates-for-Web

Can Zoom gain access to a user’s social media accounts, in particular Facebook…

The Facebook SDK in the Zoom iOS client that allowed this has been removed.

https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebook-sdk-in-ios-client/

Conclusions

Zoom has undergone an unprecedented amount of growth during Covid-19 and is being used for purposes much wider than its original design. It’s fair to say the organisation has struggled to keep up with the sheer surge in demand and variation of usage.

Zoom has taken an extremely proactive approach to dealing with the issues that have arisen and has put fixes in place; however, these issues should, or could, have been considered earlier.

At WLTA we’ve found reassurance in Zoom’s response to the concerns raised about its platform and in how adaptive it has been to such user growth. However, the organisation’s naivety in not addressing these issues before lockdown, when it was already hosting 10 million calls a day, remains a concern, and so we will keep monitoring the situation.

Zoom states on its website it is fully compliant with GDPR legislation.

Our Recommendations

Considering the mitigations Zoom has put in place and how it has addressed all major concerns, it is our opinion that the usability and functionality this platform gives us, allowing us to continue ‘business as usual’, outweigh the residual privacy risks of the platform. Walsh’s Learning to Achieve recommends that you use the platform with the following restrictions:

  • All meetings use a password
  • All meetings use the waiting room function
  • Where users have access to “Pro” and “Business” plans, they should be logged in to utilise the enhanced security and administration features, rather than using free “Personal” accounts
  • If a meeting needs to take place with a ‘dial-in user’, all users should be informed that this part of the conversation is not encrypted
  • If any participants are not happy, an alternative will be found

*We’ll keep monitoring the situation and as the facts change, so may our recommendations.

Contact us to discuss developing, designing and delivering your virtual events