The following is my personal take on the recent revelations of security issues with the Zoom platform. It is not an endorsement or legal opinion by NETA. You should work closely with your own IT and data security team when evaluating the business use of any software platform.
Given the huge explosion in the use of the Zoom platform in recent weeks, it’s perhaps not entirely surprising that it is now receiving additional scrutiny. Indeed, both through increased academic analysis of the software and through unfortunate malicious attacks, a number of security issues have been raised. It’s not possible to generalize them, as the security issues have varied greatly. The company has responded and has made a number of changes, in policy, in code, in marketing and in their guidance to their user base. I encourage you to read their statements on these changes as you evaluate whether to use the platform going forward.
Briefly, some of the issues involve corporate data sharing and personal privacy. Zoom had data-sharing agreements with others, like Facebook and LinkedIn, that were either not disclosed, not obvious, or not sufficiently understood. I tend to agree with the criticisms here, and I’m pleased they have discontinued these practices.
Additionally, software bugs were identified that could have been exploited to gather user information. These were addressed in a client software update that was pushed a few days ago.
There were several reports of Zoom meeting recordings being “exposed” online. Zoom allows for cloud recording of meetings, so the obvious concern for many of us was that these were not secure. It appears, in fact, that the recordings in question had been moved by users and placed on other servers. The issue was that Zoom used a default filename for these recordings that allowed keyword searches of public servers to easily identify these files. It appears Zoom is changing their default naming practice (not confirmed), but good advice to users would also be to be careful what you do with sensitive meeting recordings.
The final and most publicly covered category of security issues these past few weeks involved unwanted people joining Zoom conferences, attacking organizations, spewing hate speech, disrupting classes, and generally causing mayhem. The term of the week was “Zoombombing.” The criticism of Zoom I’ve heard says that they haven’t properly prioritized security and have instead focused too much on ease of use.
I have some strong opinions on this one, given that my admiration for the platform has long been largely based on a very good user experience, one that results in less friction for users, particularly users who don’t use video-conferencing every day. Removing some of the “friction” that other platforms still have did, in fact, make the platform more susceptible to these kinds of targeted attacks.
The bottom line, as I see it, is that it comes down to your particular use case. The security precautions necessary to protect a small staff meeting, family happy hour, or personal Zoom call are different from the ones you should employ for a public meeting, a school classroom, or even a live television production. One big lesson may be simply that your users need not be experts in the platform, but some expertise is required for the hosts, IT staff, and moderators of these activities. Kind of obvious, in retrospect.
My primary reason for writing this today is not that I’m losing sleep over NETA’s exposure to these kinds of hacks. I’m pretty pleased with the corporate response to the criticisms and their steps so far to address them. My primary reason for writing is that I am concerned about a number of station use cases that warrant attention.
- If you are publicly promoting Zoom meetings, you need to take the following advice seriously.
- If you are reusing meeting IDs (i.e., recurring meetings), you need to take the following advice seriously.
- If you are using Zoom on-air, first of all, congratulations on being innovative in a crisis, and second, take the following advice seriously.
- If you are supporting or facilitating educational use of the platform, please take the following advice seriously.
There are some steps you can take to secure the Zoom platform and make it difficult for others to “Zoombomb” your meetings. I’ve tried to gather them from various sources. Most involve getting to know the platform more than you likely have. You’ll need to log in to the Zoom website, either your corporate one or the Zoom site itself for individual accounts. From there, you’ll need to familiarize yourself with the Meeting Settings page.
Here are some tips to consider. They do not all apply to each use case, and I encourage you to consider your particular situation and seek outside guidance when you can. It’s not a checklist; you do need to use different tools for different circumstances.
Settings choices that make your meeting tougher to bomb:
- Disable “Join Before Host.” (Allows meetings to happen without you. It might be good. Might not.)
- Disable “Chat.” (Chat can be very useful. Think about the nature of the situation and if you need it.)
- Disable “File Transfer.” (Odds are you don’t need it, and it can be used to share viruses.)
- Enable “Co-Host.” (You can assign others to help you moderate a large meeting.)
- Set screen sharing to “Host Only.” (Makes it trickier to pass the sharing baton, but also shuts down a major bombing opportunity.)
- Turn on “Waiting Rooms.” (This requires the host to approve everyone joining. Might work fine and adds security.)
Practices that can make your meetings more secure:
- Use meeting passwords.
- Don’t reuse publicly shared meeting IDs. (When you publicize a meeting, use a unique ID. If you use recurring meeting IDs, don’t publicize them.)
- Remember, you can “Lock” the meeting once everyone has joined, restricting access to others. (If you’re going live on-air, this one is a must.)
- During a public meeting, designate a co-host or two to help moderate. (They can remove users if necessary and keep things on the rails.)
Each comes at a cost, mostly in ease of use and functionality, so consider your use case and the options that best fit the situation.
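To make the “different tools for different circumstances” point concrete, here is a small audit script, added as an example for this post and not something Zoom provides, that checks a meeting’s settings against the tips above for its use case. The field names, use-case labels, and severities are my own assumptions for the illustration; they are not Zoom’s setting keys or API, and the sample configurations are constructed.

```python
# Added example: audit Zoom meeting settings against the use-case guidance
# in this post. Field names and use-case labels are assumptions for this
# illustration, not Zoom's own setting keys or API.
from dataclasses import dataclass
from typing import List, Tuple

# Use cases where uninvited joiners are a real risk (assumed labels).
EXPOSED_USE_CASES = {"public", "classroom", "on_air"}


@dataclass
class MeetingConfig:
    topic: str
    use_case: str            # "small_internal", "public", "classroom", or "on_air"
    publicly_promoted: bool  # meeting link or ID has been shared publicly
    recurring_id: bool       # meeting reuses a recurring meeting ID
    password: bool
    join_before_host: bool
    chat: bool
    file_transfer: bool
    screen_share: str        # "host_only" or "all_participants"
    waiting_room: bool
    co_hosts: int
    lock_when_live: bool     # host plans to Lock the meeting once everyone is in


def audit(cfg: MeetingConfig) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means the settings
    match the guidance for this use case."""
    findings: List[Tuple[str, str]] = []
    exposed = cfg.publicly_promoted or cfg.use_case in EXPOSED_USE_CASES

    # Practices that apply whenever the meeting ID is shared publicly.
    if cfg.publicly_promoted and cfg.recurring_id:
        findings.append(("high", "publicly promoted meeting reuses a recurring ID; use a unique ID"))
    if cfg.publicly_promoted and not cfg.password:
        findings.append(("high", "publicly promoted meeting has no password"))

    # Settings choices that make an exposed meeting tougher to bomb.
    if exposed:
        if cfg.join_before_host:
            findings.append(("medium", "Join Before Host is enabled; disable it"))
        if cfg.file_transfer:
            findings.append(("medium", "File Transfer is enabled; disable it"))
        if cfg.screen_share != "host_only":
            findings.append(("high", "screen sharing is not set to Host Only"))
        if not cfg.waiting_room:
            findings.append(("medium", "Waiting Room is off; enable it so the host approves joiners"))
        if cfg.co_hosts < 1:
            findings.append(("medium", "no co-host assigned to help moderate"))
        if cfg.chat:
            findings.append(("low", "Chat is enabled; keep it only if the situation needs it"))

    # Going live on-air: locking once everyone has joined is a must.
    if cfg.use_case == "on_air" and not cfg.lock_when_live:
        findings.append(("high", "on-air meeting has no plan to Lock once everyone has joined"))

    return findings


# Constructed sample configurations.
WEAK_PUBLIC = MeetingConfig("Town hall", "public", True, True, False, True, True,
                            True, "all_participants", False, 0, False)
HARDENED_PUBLIC = MeetingConfig("Town hall", "public", True, False, True, False, False,
                                False, "host_only", True, 2, True)
STAFF_MEETING = MeetingConfig("Weekly standup", "small_internal", False, True, True, True,
                              True, True, "all_participants", False, 0, False)
ON_AIR_NO_LOCK = MeetingConfig("Evening broadcast", "on_air", False, False, True, False,
                               False, False, "host_only", True, 1, False)


if __name__ == "__main__":
    for cfg in (WEAK_PUBLIC, HARDENED_PUBLIC, STAFF_MEETING, ON_AIR_NO_LOCK):
        print(f"{cfg.topic} ({cfg.use_case}):")
        for severity, finding in audit(cfg) or [("ok", "no findings")]:
            print(f"  [{severity}] {finding}")
```

Note that the small internal standup produces no findings even with chat, file transfer, and recurring IDs left on: the same settings are only flagged once the meeting is publicly promoted or falls into an exposed use case, which is the trade-off the tips above describe.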
Again, this is just one guy’s opinion, but my belief is that Zoom remains a good choice for many of us for lots of meetings. I’ll be watching the company closely in the weeks ahead to see if their response continues to give me confidence. Their first steps and tone have been a good start. The corporation needs to remain open and transparent about their efforts to address some very real problems, but we, as users, also bear some responsibility.
This is why we can’t have nice things.