With so many people around the world avoiding in-person contact, videoconferencing has exploded. The most widely known platform, Zoom, has come under scrutiny for its security practices (or lack of them).
Because we have substantial experience working with Zoom, we are being called upon regularly to help people set up Zoom, learn how to use it, and even to run complex Zoom calls for our clients. This includes maintaining security so Zoom calls aren’t invaded, spied upon, or disrupted.
I’m still using Zoom myself, and I believe that for most uses, the security is sufficient, if certain precautions are taken. In my judgment, it’s probably as secure as other online communications channels we all use every day — e-mail, Web forms, online calendars, and other tools. I certainly don’t agree with the harshest critics, who say thinks like, “Zoom is malware” (malicious software). It is probably not suitable for highly sensitive communications that bad actors with resources might target — state secrets, for example, or the most private conversations of people like Edward Snowden. But for everyday folks who aren’t being surveilled by major governments or criminal enterprises, Zoom can be secure enough.
Here are some of the issues security experts have raised, along with what users can do about them. (Unless otherwise indicated, the in-app instructions below are for the computer version of Zoom; these controls may not be available, or may be accessed differently, on phone and tablet versions of the Zoom app. Also, some of these controls are applicable to all users, but others are applicable only to meeting hosts. If you simply join meetings but don’t have your own Zoom account, only the in-app controls are relevant to you, not the Web-site controls; it may be worth setting up a free Zoom account so you can access the Web controls, too.)
Zoom made use of the Facebook Software Development Kit (SDK) for certain functions, such as being able to create a Zoom account by logging in with your Facebook credentials. Facebook’s SDK is insidious: It sends user data to Facebook. According to Zoom, “The information collected by the Facebook SDK did not include information and activities related to meetings such as attendees, names, notes, etc., but rather included information about devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.”
This is written in the past tense because once the issue was brought to Zoom’s attention, the company has removed the Facebook SDK from its software. Users will need to update their Zoom apps to get the new, more-secure version.
Solution: Update your Zoom software. Updates available since mid-afternoon on March 27, 2020 remove this security hole. In fact, there have been several security updates in the past few days. I recommend updating your Zoom software manually now, on all platforms where it is installed — computers, tablets, and phones. To do so:
- Mac/Windows: Launch Zoom, sign in if not already logged in, click your profile image near upper right, and select Check for Updates.
- Android: Launch Zoom, then click Settings at bottom right, then About, then Version.
- iPhone/iPad: Launch App Store, then click Search at lower right, then type Zoom in the search box at top and click Search on the keyboard, then click UPDATE at upper right. If it says OPEN instead of UPDATE, you already have the latest version.
I recommend checking for updates periodically, say once a week, at least on the Zoom app you use most frequently.
Keeping Calls Encrypted
Zoom offers what it calls end-to-end encryption. As security specialists have noted, that term connotes that Zoom cannot access the call content, but in reality, while Zoom can’t possibly monitor the zillions of sessions taking place every day, if the company has a reason to look in on you in particular, it theoretically can. That means a government agency could issue a secret National Security subpoena and require Zoom to share your calls with the government. If that is a concern for you, don’t use Zoom. (Some Zoom calls may use encryption that is set up by computers in China, according to two researchers, even if nobody on the call is in China, which could mean the Chinese government could gain access to the calls.)
Partial Solution: Change Settings. Everyone should turn on maximum encryption in most instances, which may not lock out the Zoom company itself but will protect calls from most third-party hacking. Unless you have a specific reason not to, I recommend logging into your account at the Zoom.us Web site, then under Personal in the left column clicking Settings, then under In Meeting (Basic), turning on Require Encryption for 3rd Party Endpoints (H323/SIP). Do the same under ADMIN → Account Settings → Meeting → In Meeting (Basic). If you are the administrator of this Zoom account, and your account includes other users who can also initiate Zoom calls, this will prevent them from allowing non-secure third-party connections. For most people, this won’t be relevant, but if you host a call that someone is joining from a platform other than Zoom that is compatible with Zoom, they will be required to have encryption turned on.
Zoom version 5.0, released April 27, 2020, uses stronger encryption, and it’s automatically turned on for all calls. Zoom 5.0 will be required after May 30; older versions of Zoom will no longer function, as Zoom won't accept their weaker encryption.
You might also want to change the settings for recording a meeting. For example, under PERSONAL → Settings → Recording, you can turn off allowing recording to the Cloud (a recording of your meeting is stored on Zoom’s computers), and turn off local recording (so participants can’t record the meeting). If Local recording and/or Cloud recording is turned on under ADMIN → Account Management → Account Settings → Recording, the host can still record. Review the other settings under Recording (both for PERSONAL and for ADMIN) and set them as strictly as is appropriate for your needs.
While you are in Settings, take a look through the other meeting settings and tighten up any that you need to. And before you leave the Settings, see the next section. …
“Zoombombing”: People Behaving Badly
As Zoom has gained in popularity and more organizations are holding meetings open to the public, a phenomenon called “Zoombombing” has been on the rise. This is where malicious individuals join a Zoom call and then display inappropriate material by sharing their screens. White nationalist messages and pornography are among the disturbing images Zoom-bombers have used to disrupt meetings. The FBI has even warned that organized groups are attacking Zoom calls this way.
In the Web-site settings, under In Meeting (Basic), you’ll also probably want to turn off Allow removed participants to rejoin. This way, if you boot someone out of a call, they can’t come back. Other ways to control access include to turn on the Waiting Room, so new people need to be manually allowed in by a host (and it’s good to have a co-host in this case, so the host can concentrate on the meeting itself); turn off Allow participants to join before host if you don’t want to use the waiting-room feature; and lock a meeting once everyone is present, preventing anyone else from joining. (During the call, select Manage Participants from the control bar at the bottom if the participant list isn’t already showing, then under the list of participants select More v, then Lock Meeting. You can also Unlock Meeting here in case someone leaves who should be allowed back in.) Finally, when setting up a meeting, you may want to use a randomly generated meeting I.D. if your personal meeting I.D. has been made public, so Zoombombers won’t know where to find your Zoom call. Or you can use a password, and make sure nobody has the Zoom call link except authorized participants, since the link will include an encrypted version of the password (unless you turn off that setting). Or, share the link without the password (omit the “?” and everything following it), and circulate the password separately to trusted invitees. These procedures will help keep out people who might be disruptive in other ways than screen-sharing. (Note: On April 4, Zoom enabled Waiting Rooms and passwords by default for individual and K–12 educational accounts. K–12 educational accounts cannot turn off the passwords feature.)
Zoom link with password: https://zoom.us/j/00000000?pwd=MURkQzRMR0ZpN3hjem9qc3BsclUxUT09
Zoom link without password: https://zoom.us/j/00000000
Health providers, including mental-health providers, are required to use HIPAA-compliant software for remote client meetings. (HIPAA is a federal law that mandates securely maintaining personal medical information.) Zoom offers that option with its more-expensive paid accounts. While some HIPAA enforcement is being suspended during the pandemic, I recommend providers get compliant anyway, to avoid risking clients’ information or forgetting to upgrade later. The process of becoming HIPAA-compliant with Zoom is beyond the scope of this blog. We have assisted several clients with this issue; contact us if you are interested.
Maintain Social Closeness
Because Zoom has become so crucial for so many during the novel coronavirus pandemic, the platform will continue to attract bad actors bent on causing trouble, so I have no doubt that more security issues will emerge. Zoom has halted all new-feature development and reassigned its engineers to security and safety matters — a prudent and responsible approach. For most of us, there is little choice but to continue using Zoom while keeping an eye on our settings and keeping the software updated; other platforms aren’t used nearly as widely, and may be less secure anyway.
Excerpts from this post have been translated into Japanese and appear on this Japanese blog page.