Like so many organizations, when COVID-19 started to send employees home earlier this year UOTech.co turned to Zoom to facilitate our online meetings, collaboration, and sense of community. A few short weeks later, we’re re-evaluating our engagement with the Zoom platform due to a number of concerning security and business practice elements that have become much more visible. In this article, we’re going to take you through why Zoom was chosen as the de-facto standard conferencing platform at the onset of the COVID pandemic and how organizations and individuals around the world have dealt with the significant security challenges of Zoom, up to and including completely abandoning the platform.
Zoom has grown quickly since it was founded in 2011 by Eric Yuan, who in 2020 made Forbes’ list of billionaires with a $5.5 billion net worth as a result of the booming growth of the Zoom platform amid the Coronavirus outbreak. Over that period, the company has had a number of security-related challenges, including an issue that allowed Mac users’ cameras to be activated through an exploit, an iOS app that sent data to Facebook even if a user didn’t have a Facebook account, and Zoom treating users who share a common e-mail domain name (the section of an e-mail address that comes after the @ symbol – @example.com, for example) as trusted members of the same company, a status that could be used to initiate unsolicited video calls.
Zoom was in a unique position at the beginning of 2020. It had enough corporate buy-in to be a formidable presence in the conference room, and its users had years of experience talking their less technologically adept colleagues through joining their first meetings. They knew all the hurdles their families were going to hit before they hit them. Zoom was easy enough to use that businesspeople the world over felt comfortable bringing it home to meet Mom and Dad without worrying too much about how to get them online with the platform.
The other competitive platforms were either significantly long in the tooth – WebEx, GoToMeeting – or relative newcomers to the corporate IT arsenal – Teams, BlueJeans – so when the world began to shut down, Zoom was the obvious cross-platform choice to stay connected with colleagues, host virtual happy hours, and share a birthday song with Grandma. Zoom was also quick to try to help the community by allowing educators to use its platform for free. Teachers, students, and support staff in districts everywhere embraced the platform – UOTech.co even did a Zoom tutorial to help educators become familiar with it. But it didn’t take long for all of this newfound exposure to begin showing the holes in Zoom’s security stance.
In early March, reports began to come in about people joining school-age educational Zoom sessions to perform lewd acts, others joining therapy sessions to torment those seeking support, and other reprehensible actions. TechCrunch was early to post Zoom configuration tips to help prevent these incidents, and Zoom itself responded to these concerns by quickly adding a Security toolbar to its platform. But have these changes gone far enough?
The short answer is that, with some configuration, Zoom’s security is probably good enough for most casual use cases. The problem, however, is that Zoom has never been, and still is not, entirely forthright about the capabilities of its platform. It seems that Zoom as a company adheres to the “don’t ask permission, ask forgiveness” doctrine.
For a case study, take a look at Zoom’s website. On April 1, 2020, Zoom felt compelled to write a blog article that opened with this:
“In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.”
Zoom had been advertising on its website that it supported end-to-end encryption. By definition, end-to-end encryption means that the content is encrypted from the origin to the endpoint of the call, and that only the participants on the call are capable of watching the video, listening to the audio, or viewing the screen shares. This is relatively easy to do when there are only two participants, but Zoom calls can support hundreds of simultaneous participants, something that makes end-to-end encryption exceedingly hard to accomplish. To make this work, Zoom opted for a hub-and-spoke methodology in which all participants were actually talking to Zoom’s servers: each participant was one endpoint and the Zoom server was the other.
Sounds great, right?
Well, while that method would protect your meeting from being viewed by others on your WiFi network or the internet at large, there is one critical loophole – Zoom employees and those with network access at Zoom’s datacenter would be able to see your meeting in its entirety without you ever being aware. Just to reiterate, the issue isn’t the way that Zoom architected their system, it’s the way they represented that architecture. Zoom users believed their communications to be fully confidential because of how Zoom represented them, and Zoom was willing to let their users continue to have this fundamental misconception of the way their platform worked.
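To make the distinction concrete, here is an added toy model (our illustration, not Zoom’s code; the cipher is a constructed stand-in, not a real one) contrasting the hub-and-spoke relay described above, where the server holds each participant’s key, with a true end-to-end relay where it holds none:

```python
import hashlib
import secrets
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher, constructed for illustration only: XOR with SHA-256(key|nonce|ctr)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    return nonce + keystream_xor(key, nonce, plaintext)

def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:12], blob[12:])

class HubAndSpokeServer:
    """Transport-only model: every participant shares a key with the server, so
    the server decrypts each frame (and can read it) before re-encrypting it."""
    def __init__(self):
        self.client_keys = {}
        self.seen_plaintext = []  # what a server-side insider could observe
    def register(self, name: str) -> bytes:
        self.client_keys[name] = secrets.token_bytes(32)
        return self.client_keys[name]
    def relay(self, sender: str, blob: bytes) -> dict:
        plaintext = unseal(self.client_keys[sender], blob)
        self.seen_plaintext.append(plaintext)
        return {n: seal(k, plaintext) for n, k in self.client_keys.items() if n != sender}

class RelayOnlyServer:
    """End-to-end model: the group key lives only with participants; the server
    forwards opaque ciphertext and holds nothing that could decrypt it."""
    def __init__(self):
        self.seen_ciphertext = []
    def relay(self, sender: str, blob: bytes, participants: list) -> dict:
        self.seen_ciphertext.append(blob)
        return {n: blob for n in participants if n != sender}

def compare_models(msg: bytes) -> dict:
    """Send one frame from Alice to Bob through both models; report what each party sees."""
    hub = HubAndSpokeServer()
    alice_key, bob_key = hub.register("alice"), hub.register("bob")
    hub_out = hub.relay("alice", seal(alice_key, msg))
    group_key = secrets.token_bytes(32)  # agreed by Alice and Bob out of band, never sent to the server
    e2e = RelayOnlyServer()
    e2e_out = e2e.relay("alice", seal(group_key, msg), ["alice", "bob"])
    return {"hub_bob": unseal(bob_key, hub_out["bob"]), "hub_server": hub.seen_plaintext[0],
            "e2e_bob": unseal(group_key, e2e_out["bob"]), "e2e_server": e2e.seen_ciphertext[0]}
```

In both models Bob receives the frame intact; the difference is that only the hub-and-spoke server ends up holding the plaintext.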
As stated at the beginning of this section, we find Zoom’s security stance to be acceptable for most common uses, but people must be informed about how confidential their communications really are. People are going to act differently, be willing to share differently, if they understand that there is a possibility of a Zoom employee eavesdropping on their communication. Zoom needed to be transparent in what was included in their offering and what wasn’t. We don’t yet have the confidence that Zoom has learned their lesson here.
Zoombombing is a buzzword right now, bandied about by the news media and in Mom and Dad’s dinnertime conversation alike. Zoom’s platform has universally erred on the side of ease of use and feature richness, which is how Zoom became the de facto teleconferencing service at the onset of the COVID-19 pandemic. Its default meeting settings were designed to make joining calls in the corporate setting as easy as possible, eliminating friction in order to speed adoption. Those defaults allowed anyone with the Meeting ID to join a call with almost no resistance: no password needed, no action required from the meeting facilitator, just easy, seamless communication.
Zoombombing emerged once Zoom’s platform came under the world spotlight and was no longer confined to the corporate boardroom. Kids took advantage of the ease of joining meetings to pull pranks and practical jokes, trolls joined substance abuse meetings to taunt those seeking help with their addictions, and people began to fear for Zoom’s platform security and confidentiality as a whole. Zoom responded by enabling by default a set of pre-existing features – meeting passwords, waiting rooms, and randomized meeting IDs – and making some interface changes from hard lessons learned, such as removing the meeting ID from prominent display on the top bar and adding a quick toggle to the host’s controls. Many of these configuration items already existed, but were frequently left off to keep meetings easy to join.
Is Zoom the Right Platform for Me?
The robustness of the Zoom platform, coupled with its ubiquity, ensures that it will weather this storm. Zoom remains a capable collaboration space and is becoming more security aware due to public pressure and corporate shame. Zoom will also be a platform that we avoid for any confidential, personal, or non-public communications we have. While UOTech.co is not joining the ranks of organizations like Disney, Google, the New York Public School System, and NASA that have completely banned the use of Zoom for official business, we will only be leveraging the platform for non-confidential and public-facing communications.
Alternatives to Zoom are out there. Platforms like Microsoft Teams and BlueJeans are excellent alternatives. We recommend each organization do their research into the platform under consideration, and, of course, UOTech.co is here to help you decide by providing up-to-date guidance on the security, usability, configurability, and stability of platforms in communication, collaboration, and beyond.
Shreena Bindra & Michael Maser
co.Founders at UOTech.co
Michael Maser and Shreena Bindra have over 30 years combined experience in IT leadership and entrepreneurship in the Distribution, Legal, Environment, Social Policy, and Healthcare verticals. They are co.Founders of UOTech.co, an employee-owned and operated, IT Consulting, Managed Services, and Information Security company based out of Long Island, NY.
For more information please reach out: