Abstract

The lax privacy controls that have blighted Zoom should serve as a lesson both to users and to its rivals, says
“Zoom-bombing” has been well-publicised. Businesses have had online meetings hacked, while a virtual Holocaust memorial event organised by the Israeli embassy in Germany was hijacked by infiltrators who yelled anti-Semitic slogans and showed photos of Adolf Hitler.
But that’s not the only issue. The promised end-to-end encryption has yet to materialise; some calls have been routed through China by mistake; data-scraping saw Zoom users’ LinkedIn profiles automatically cross-referenced and made public; and users’ data has been sent to Facebook. The company addressed some problems once they were highlighted, but there is little confidence that every flaw has been discovered, and it has been branded “malware” and a “privacy disaster” by security researchers.
With Zoom being used for everything from business meetings to family get-togethers and social gatherings, intercepted data can include our most intimate secrets, private conversations, political views and personal beliefs, as well as restricted commercial information. It could prove invaluable to authoritarian regimes, blackmailers, ID hackers and corporate saboteurs.
There is also the issue of who can demand access to your information. The data of most users with free Zoom accounts is stored on servers in the USA, meaning it is vulnerable to national security letter requests by the authorities there. These requests can be issued without prior approval from a judge, and typically contain non-disclosure requirements.
Meanwhile, the western intelligence community fears that Zoom offers opportunities for foreign surveillance. Governments in countries from Germany to Taiwan have banned employees from using Zoom for work purposes, and members of the US Senate have been advised to steer clear of it.
And Google – which knows a thing or two about online security – has banned its employees from using Zoom on company-owned devices. A spokesman told BuzzFeed that Zoom “does not meet our security standards”.
But Karen McCullagh, a course director in law at the University of East Anglia, UK, is not surprised by the rush to embrace Zoom regardless of all this.
“The social isolation aspect of the pandemic meant that people actively searched for tools that would allow them to host video group chats and meetings for free online,” she said.
“The primary considerations for most people were convenience and cost.
“Zoom, like many other social media apps, is designed to be easy to use. It appears to be free, but that’s because you’re paying with the personal data you share on the app – something that is not readily understood by users. New users typically focus on an app’s functionality rather than the behind-the-scenes data processing practices.”
So what can we do? There are some basic steps hosts and users can take to stay safe, according to analysts at cybersecurity provider Kaspersky.
As well as a strong account password, keep your “personal meeting ID” secret. If it leaks, anyone who knows your ID can join any meeting you host. Use meeting passwords, too. And don’t share any of these on social media as that could see them shared with thousands of others.
Use Zoom’s “waiting room” facility. This feature means all participants have to be actively allowed by the host to join a conversation, and participants can also be kicked back into the waiting room at any point.
And, if possible, use the web-based version of Zoom rather than apps. Kaspersky believes the apps are more vulnerable.
David Emm, principal security researcher at Kaspersky, told Index: “There has been a huge increase in the use of group meeting apps such as Zoom – and a greater focus on some of the problems associated with their use, including security flaws that could allow hackers to access a device’s camera and microphone and potentially allow attackers to find and join active meetings. The platform’s encryption has also been called into question.”
But Emm says not all problems stem from the platform’s security.
“Sometimes, people make themselves vulnerable because they store recorded meetings outside the platform and fail to secure them properly. In addition, people don’t always review the security and privacy permissions associated with an app or make careful use of configuration options that can keep them safe. It’s important to consider security and privacy before using any group meeting app.”
Zoom and Eric Yuan, its founder and chief executive, have tried to address some of the concerns. Yuan admitted in The Wall Street Journal that he had “really messed up” on security. The company has stepped up its efforts to introduce end-to-end encryption, and has hired former Facebook security chief Alex Stamos to work with its engineers.
David Sullivan, director of learning and development at the Global Network Initiative, which is based in Washington DC, believes Zoom’s experience provides a lesson that others should heed.
He said: “Whether you are an individual using such products or the company that provides them, moments of crisis do not lend themselves to thorough risk analysis.
“People use products that work, and it is unreasonable to expect every person to do a security audit of the conferencing service they use to connect with friends and family. This is why it is critical that companies consider the human rights risks arising from their products and services ahead of time.”
Sullivan believes that start-up tech companies which fail to allocate resources to addressing these issues in advance should expect to suffer reputational damage that can prove hard to undo.
Regarding data protection, McCullagh said: “Zoom has amended its terms of service to require explicit consent from users, in compliance with EU law. These assurances are welcome.
“Other non-EU based technology companies would do well to note that users in EU countries expect social media companies and app developers to comply with EU data protection laws and will quickly leave an app if they have concerns.”
Complaints to regulators can be made about tech firms that do not follow these rules. But by the time that route is taken it’s usually too late for many users, and it’s no substitute for us being on our guard whenever we use Zoom or any other online communication app.
