Wikipedia tells us that Zoom Video Communications was founded in 2011 by Eric Yuan, a lead engineer from Cisco Systems and its collaboration business unit, WebEx. Its headquarters are in San Jose, California and it was valued at just under US$16 billion at the end of its IPO in April 2019. By February 2015, the number of participants using its chief product, Zoom Meetings, reached 40 million individuals, with 65,000 organisations subscribed to the service. Users may access Zoom Meetings through a web portal or they may download a Zoom Meeting app onto their desktop, laptop or mobile device.
Wikipedia also tells us that in 2020 usage of Zoom rose 67 percent from the start of the year to mid-March as schools and companies adopted the platform for remote work in response to COVID-19. Many of us know from our own experience about the pivot to online meeting tools in the past three months and, similarly, know that Zoom is one of the most popular of such tools.
However, from about mid-March various privacy protection concerns have been raised about aspects of Zoom Meetings. In the US, members of Congress have raised concerns and at least one lawsuit has been filed. In early April, some companies, and even some governments, either suspended the use of Zoom Meetings or banned it altogether. The publicity has been overwhelmingly negative for Zoom - though the extent to which that can be traced to uninformed commentators or even to jealous competitors of Zoom is unknowable.
Founder Eric Yuan admitted publicly that Zoom Meeting's user-facing security features aren't friendly enough for the average user. He also admitted that enterprise-focused tools like its attention-tracking feature don't make sense for privacy-minded average consumers.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”
We find this statement somewhat disingenuous. Yes, a 67 percent increase in usage in three months is massive, but it is no excuse for not having taken privacy protection into account for the number of organisations and users as of the end of 2019. Given the growth trajectory of Zoom since 2013, the 40 million users and 65,000 organisations that it had in February 2015 had surely grown significantly by the end of 2019.
The challenges not anticipated when the platform was conceived in 2011 should have been addressed well before 2020, rather than nothing being done until they were exposed publicly after the recent growth spurt.
In any event, it is important that users should be aware of the Zoom Meeting features that are available now that may mitigate compromises in privacy. So, here we offer 10 security and privacy tips for Zoom users.
1. Users scheduling a Zoom Meeting may protect their account by using strong and unique passwords and two-factor authentication. They may apply a Personal Meeting ID and should keep it private, other than sharing it with invited meeting attendees.
2. Users should use a work email address when they register with Zoom. According to a reviewer, the Zoom Meeting app considers e-mails of the same domain, unless it’s a really common domain such as @gmail.com or @yahoo.com, as belonging to one organisation. Hence it shares the user’s email address with everyone in the same domain (for example, an email address ending in ‘@singnet.com.sg’ may be shared with everyone whose email address includes ‘@singnet.com.sg’).
3. Individuals should be on guard against fake Zoom apps. In March 2020, experts said that malware being incorporated into popular video conference services such as Zoom had tripled as compared with March 2019. Clearly, hackers are taking advantage of the sudden spike in usage of these services, often by individuals who are relatively unsophisticated in IT terms and may therefore be vulnerable to online scams.
4. Users should avoid sharing the link to a Zoom Meeting on social media, even if the meeting is open to everyone. “Zoombombing” is a new term. It refers to Zoom Meetings being disrupted with offensive content. It happens when bad actors get to know about upcoming events through social media. If sharing the link to a Zoom Meeting on social media cannot be avoided, use a per-meeting ID, exclusive to a single meeting, not a Personal Meeting ID.
5. Users scheduling a Zoom Meeting should protect it with a password, so that only the invitees are able to attend. Recently Zoom turned password protection on by default - a good move. The passwords should of course be kept away from social media or other public channels.
6. Users scheduling a Zoom Meeting should use the Waiting Room feature in Zoom, which was recently enabled by default - it enables the host to “vet” participants before allowing them to enter the Zoom Meeting.
7. Users hosting a Zoom Meeting should limit screen-sharing, keeping it to themselves or selectively permitting it only to those meeting participants who really need it. Zoom Meeting has settings to enable multiple participants to share their screens simultaneously. If a meeting host can’t immediately see why their meeting would need this capability, they will probably never need it; just keep it in mind in case it ever needs to be enabled.
8. Users should, if possible, use Zoom through the Zoom Web portal rather than through one of the various Zoom apps. The apps have demonstrated a variety of flaws. While Zoom says it has fixed them, any vulnerabilities in the apps can be avoided by not using them. The Web portal sits in a sandbox in the user’s browser and doesn’t have the permissions required by an installed app. This limits the harm that can be caused by using Zoom for online meetings.
9. Even where the Web portal is used, do consider using it only on a secondary smartphone or on a spare laptop. Choose a device with minimal personal data.
10. Individuals should be skeptical about Zoom’s claim that it is secure. Zoom employees and potentially law enforcement agencies have access to Zoom servers. No video conference services are totally secure, but do be mindful and avoid discussing personal or trade secrets on Zoom. Be aware of, and therefore be prepared for, what you say and your video being seen by others. This one applies to every video conferencing service, not just Zoom. The same holds true for what you show on your screen.
As with any technology, nothing is 100%, but the above are steps that individuals may take to reduce the risks of using Zoom Meeting and other video conferencing services. In this period of being restricted at home, the above tips may be of help.
Adapted from 10 tips for Zoom security and privacy
by Lyn Boxall, CIPP/E, CIPP/A, CIPM, FIP
Leong Wai Chong, GRCP