Your Attention, Please! communications

How to Secure Your Zoom Video Calls

4/4/2020

With so many people around the world avoiding in-person contact, videoconferencing has exploded. The most widely known platform, Zoom, has come under scrutiny for its security practices (or lack of them).
 
Because we have substantial experience working with Zoom, we are being called upon regularly to help people set up Zoom, learn how to use it, and even to run complex Zoom calls for our clients. This includes maintaining security so Zoom calls aren’t invaded, spied upon, or disrupted.
 
I’m still using Zoom myself, and I believe that for most uses, the security is sufficient, if certain precautions are taken. In my judgment, it’s probably as secure as other online communications channels we all use every day — e-mail, Web forms, online calendars, and other tools. I certainly don’t agree with the harshest critics, who say things like, “Zoom is malware” (malicious software). It is probably not suitable for highly sensitive communications that bad actors with resources might target — state secrets, for example, or the most private conversations of people like Edward Snowden. But for everyday folks who aren’t being surveilled by major governments or criminal enterprises, Zoom can be secure enough.

Here are some of the issues security experts have raised, along with what users can do about them. (Unless otherwise indicated, the in-app instructions below are for the computer version of Zoom; these controls may not be available, or may be accessed differently, on phone and tablet versions of the Zoom app. Also, some of these controls are applicable to all users, but others are applicable only to meeting hosts. If you simply join meetings but don’t have your own Zoom account, only the in-app controls are relevant to you, not the Web-site controls; it may be worth setting up a free Zoom account so you can access the Web controls, too.)
Zoom Sharing Data with Facebook
 

Zoom made use of the Facebook Software Development Kit (SDK) for certain functions, such as being able to create a Zoom account by logging in with your Facebook credentials. Facebook’s SDK is insidious: It sends user data to Facebook. According to Zoom, “The information collected by the Facebook SDK did not include information and activities related to meetings such as attendees, names, notes, etc., but rather included information about devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.”
This is written in the past tense because once the issue was brought to Zoom’s attention, the company removed the Facebook SDK from its software. Users will need to update their Zoom apps to get the new, more-secure version.
 
Solution: Update your Zoom software.  Updates available since mid-afternoon on March 27, 2020 remove this security hole. In fact, there have been several security updates in the past few days. I recommend updating your Zoom software manually now, on all platforms where it is installed — computers, tablets, and phones. To do so:
  • Mac/Windows: Launch Zoom, sign in if not already logged in, click your profile image near upper right, and select Check for Updates.
  • Android: Launch Zoom, then click Settings at bottom right, then About, then Version.
  • iPhone/iPad: Launch App Store, then click Search at lower right, then type Zoom in the search box at top and click Search on the keyboard, then click UPDATE at upper right. If it says OPEN instead of UPDATE, you already have the latest version.
 
I recommend checking for updates periodically, say once a week, at least on the Zoom app you use most frequently.
Keeping Calls Encrypted
 
Zoom offers what it calls end-to-end encryption. As security specialists have noted, that term connotes that Zoom cannot access the call content, but in reality, while Zoom can’t possibly monitor the zillions of sessions taking place every day, if the company has a reason to look in on you in particular, it theoretically can. That means a government agency could issue a secret National Security subpoena and require Zoom to share your calls with the government. If that is a concern for you, don’t use Zoom. (Some Zoom calls may use encryption that is set up by computers in China, according to two researchers, even if nobody on the call is in China, which could mean the Chinese government could gain access to the calls.) 
Additionally, Zoom may have access to chat messages, whiteboards, and files shared through Zoom during calls; and it is possible to share Web links in Zoom chat messages that connect to malicious sites which can then steal the user’s log-in credentials and other data. If you have a large, public meeting and want to prevent this, allow users to chat only with you, the meeting host. (In the desktop app, open the Chat window if not already opened, click the ••• box near the bottom right, and select Participant Can Chat With: Host Only.)

Partial Solution: Change Settings.
Everyone should turn on maximum encryption in most instances, which may not lock out the Zoom company itself but will protect calls from most third-party hacking. Unless you have a specific reason not to, I recommend logging into your account at the Zoom.us Web site, then under Personal in the left column clicking Settings, then under In Meeting (Basic), turning on Require Encryption for 3rd Party Endpoints (H323/SIP). Do the same under ADMIN → Account Settings → Meeting → In Meeting (Basic). If you are the administrator of this Zoom account, and your account includes other users who can also initiate Zoom calls, this will prevent them from allowing non-secure third-party connections. For most people, this won’t be relevant, but if you host a call that someone is joining from a platform other than Zoom that is compatible with Zoom, they will be required to have encryption turned on.

Zoom version 5.0, released April 27, 2020, uses stronger encryption, and it’s automatically turned on for all calls. Zoom 5.0 will be required after May 30; older versions of Zoom will no longer function, as Zoom won't accept their weaker encryption.

 
You might also want to change the settings for recording a meeting. For example, under PERSONAL → Settings → Recording, you can turn off allowing recording to the Cloud (a recording of your meeting is stored on Zoom’s computers), and turn off local recording (so participants can’t record the meeting). If Local recording and/or Cloud recording is turned on under ADMIN → Account Management → Account Settings → Recording, the host can still record. Review the other settings under Recording (both for PERSONAL and for ADMIN) and set them as strictly as is appropriate for your needs.
 
While you are in Settings, take a look through the other meeting settings and tighten up any that you need to. And before you leave the Settings, see the next section. …
“Zoombombing”: People Behaving Badly
 
As Zoom has gained in popularity and more organizations are holding meetings open to the public, a phenomenon called “Zoombombing” has been on the rise. This is where malicious individuals join a Zoom call and then display inappropriate material by sharing their screens. White nationalist messages and pornography are among the disturbing images Zoom-bombers have used to disrupt meetings. The FBI has even warned that organized groups are attacking Zoom calls this way.
Solution: Limit Screen Sharing, Control Participation. The easiest solution to the screen-sharing attack is to allow only the meeting host to share screens. In both PERSONAL and ADMIN (again, the latter controls any other users in your Zoom account), go to Settings → Meeting → In Meeting (Basic) and set Screen Sharing to Host Only. During a meeting, you can change this on the fly. In the desktop app, click the upward chevron (^) next to Share Screen in the control bar at the bottom, then Advanced Sharing Options…, then change Who can share? as needed.

In the Web-site settings, under In Meeting (Basic), you’ll also probably want to turn off Allow removed participants to rejoin. This way, if you boot someone out of a call, they can’t come back. Other ways to control access include turning on the Waiting Room, so new people need to be manually allowed in by a host (and it’s good to have a co-host in this case, so the host can concentrate on the meeting itself); turning off Allow participants to join before host if you don’t want to use the waiting-room feature; and locking a meeting once everyone is present, preventing anyone else from joining. (During the call, select Manage Participants from the control bar at the bottom if the participant list isn’t already showing, then under the list of participants select More v, then Lock Meeting. You can also Unlock Meeting here in case someone leaves who should be allowed back in.) Finally, when setting up a meeting, you may want to use a randomly generated meeting I.D. if your personal meeting I.D. has been made public, so Zoombombers won’t know where to find your Zoom call. Or you can use a password, and make sure nobody has the Zoom call link except authorized participants, since the link will include an encrypted version of the password (unless you turn off that setting). Or, share the link without the password (omit the “?” and everything following it), and circulate the password separately to trusted invitees. These procedures will help keep out people who might be disruptive in other ways than screen-sharing. (Note: On April 4, Zoom enabled Waiting Rooms and passwords by default for individual and K–12 educational accounts. K–12 educational accounts cannot turn off the passwords feature.)
Zoom link with password: https://zoom.us/j/00000000?pwd=MURkQzRMR0ZpN3hjem9qc3BsclUxUT09
Zoom link without password: https://zoom.us/j/00000000
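A pre-publication check for the link advice above, as an added example (not code from this blog or from Zoom): it finds Zoom join links in an invitation, cuts each one at the “?”, and reports which links carried an embedded password. The function name, the sample invitation text, and the optional-subdomain pattern are assumptions; the link values are the placeholders shown above.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Zoom join links such as https://zoom.us/j/00000000?pwd=...
# The optional subdomain (example.zoom.us) is an assumption of this example.
ZOOM_LINK = re.compile(r"https://(?:[\w-]+\.)?zoom\.us/j/\d+[^\s<>\"')]*")

# Constructed sample invitation, using the placeholder links from this post.
SAMPLE = (
    "Join us Friday: "
    "https://zoom.us/j/00000000?pwd=MURkQzRMR0ZpN3hjem9qc3BsclUxUT09\n"
    "Backup room: https://zoom.us/j/00000000."
)


def sanitize_invitation(text):
    """Return (clean_text, findings).

    clean_text has every Zoom join link cut at the "?", so the embedded
    password is not published along with the link.
    findings lists (meeting_id, had_password) for each link found.
    """
    findings = []

    def _strip(match):
        url = match.group(0)
        # Sentence punctuation right after a link is not part of the link.
        trailing = ""
        while url and url[-1] in ".,;":
            trailing = url[-1] + trailing
            url = url[:-1]
        parts = urlsplit(url)
        meeting_id = parts.path.rsplit("/", 1)[-1]
        had_password = "pwd" in parse_qs(parts.query)
        findings.append((meeting_id, had_password))
        # Drop the query string and fragment entirely.
        clean = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
        return clean + trailing

    return ZOOM_LINK.sub(_strip, text), findings


if __name__ == "__main__":
    cleaned, report = sanitize_invitation(SAMPLE)
    print(cleaned)
    for meeting_id, had_password in report:
        print(meeting_id, "password was embedded" if had_password else "no password in link")
```

Run it over the text of an announcement before posting it publicly, and send the password to trusted invitees through a separate channel.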
Additionally, the host can mute any participant and turn off that person’s video. Point to that person’s video box, click the ••• that appears at upper right, and choose Mute Audio or Stop Video, or do both. To prevent participants from unmuting themselves, select Manage Participants from the control bar at the bottom if the participant list isn’t already visible, then at the bottom of the participant list choose More v and select Allow Participants to Unmute Themselves to un-check it.
 
Health providers, including mental-health providers, are required to use HIPAA-compliant software for remote client meetings. (HIPAA is a federal law that mandates securely maintaining personal medical information.) Zoom offers that option with its more-expensive paid accounts. While some HIPAA enforcement is being suspended during the pandemic, I recommend providers get compliant anyway, to avoid risking clients’ information or forgetting to upgrade later. The process of becoming HIPAA-compliant with Zoom is beyond the scope of this blog. We have assisted several clients with this issue; contact us if you are interested.
Maintain Social Closeness
 
Because Zoom has become so crucial for so many during the novel coronavirus pandemic, the platform will continue to attract bad actors bent on causing trouble, so I have no doubt that more security issues will emerge. Zoom has halted all new-feature development and reassigned its engineers to security and safety matters — a prudent and responsible approach. For most of us, there is little choice but to continue using Zoom while keeping an eye on our settings and keeping the software updated; other platforms aren’t used nearly as widely, and may be less secure anyway.
Please do not let these concerns increase your isolation at home. If you are really worried about Zoom security but you still want to see the faces of other folks, you can always use Zoom for video viewing and a simultaneous phone call for your audio, with your Zoom disconnected from audio. (Click ^ next to the Mute/Unmute control, then Leave Computer Audio.) Or rotate different calls among Zoom, FaceTime, Skype, and other channels, particularly for two-party calls. Don’t let the Chicken Littles of the Internet-security world suppress your mental health even further by making you afraid to have innocent calls with family and friends. We need each other more than ever right now.

Excerpts from this post have been translated into Japanese and appear on this Japanese blog page.
Photo credits, from top: Masked woman, Anna Shvets via Pexels; caution cone, Fernando Arcos via Pexels; AI woman over data, Gerd Altmann via Pixabay; meridian lines and data, Gerd Altmann via Pixabay; angry face, Gerd Altmann via Pixabay; woman near fence, Andrea Piacquadio via Pexels.
4 Comments
Naoko
4/5/2020 06:32:38 pm

Greetings from Japan. Thank you for sharing this article. Would it be possible for me to translate this into Japanese and share it on my SNS websites?

Steve Freedkin
4/5/2020 10:11:46 pm

こんにちは, Naoko san! Yes, it would be subarashii if you would translate this post into Japanese and share it on your sites. Please credit us and provide a link back to this page <https://www.your-attention-please.com/blog/security-and-zoom-video-calls>. We will be very happy if this information is helpful to our Japanese friends. ありがとうございます!

Trena Cleland
4/12/2020 05:09:07 pm

Thanks for this, Steve. My brother read a NYT article that cautioned people to be wary of Zoom, so he doesn't want to use it with me. The article said that Google Hangouts or FaceTime might be better because their companies have more solid reputations (?!). But wouldn't that be going from the frying pan into the fire, security/privacy-wise? I prefer your idea that for "everyday folks" who follow your protocols, Zoom is just as safe as the others.

Steve Freedkin
4/12/2020 07:32:56 pm

Hi, Trena. Thanks for your question. Many factors go into evaluating how secure a given communication system is, including, first of all, who would be likely to try to listen in to your conversation in the first place.

In my opinion, a key factor is whether the communication is truly encrypted end-to-end -- that is, scrambled from the time it leaves your computer until the time it arrives at the other end. In that regard, Apple claims FaceTime has true end-to-end encryption, such that Apple itself cannot listen in. Antivirus company AVG says to avoid Google Hangouts because it's not secure <https://www.avg.com/en/signal/secure-message-apps>. Hangouts isn't end-to-end encrypted. Zoom is somewhere in-between, as I explain in the blog post above.

Zoom is a reputable company with significant resources -- nowhere near Apple or Google, of course, but those larger firms are also bigger targets for hackers. Zoom even offers a version of its product that is licensed for secure use by medical professionals under federal privacy laws.

If you and your brother are having Edward Snowden-esque conversations, such that you need to protect against snooping by highly resourced parties like big governments, then use the Signal app <https://signal.org>, which is fully encrypted and is built for privacy from the ground up. Otherwise, FaceTime is probably better than Zoom, which is probably better than Hangouts, but I think you're fine with any of them.


    Whozat?

    Steve Freedkin, proprietor of Your Attention, Please! communications, has a background as a journalist, nonprofit manager, activist, and entrepreneur. He works mostly with people in business for themselves (therapists, artists, consultants, etc.), for whom he provides online promotion (SEO), Web upgrades and updates, and social-media presence (LinkedIn, Twitter, Facebook, Yelp, and the like).
