To Zoom or not to Zoom: a Data Security Pro Weighs in
Over the last few weeks, Zoom has seen an extreme surge in usage. Everybody from teachers to doctors found themselves having to communicate over the internet. Many tried out Zoom. With its popularity, it also attracted close attention from security researchers. You have probably read one of the many reports about Zoom’s security concerns. Many experts now recommend against using Zoom.
Before jumping on the bandwagon, I wanted to take the time to sort through everything we know so far and to offer my opinion on the matter.
First of all, a little background. I ran a data company for over a decade. I have designed two end-to-end data encrypted systems and also hold 3 patents on data security. Although I am not a full-time security researcher, I do know more than the average person in this regard.
I am also a teacher at a small private school and we put the entire school online in a few days, using Zoom. Read more about that story here:
How a small Montessori school transformed into an online school overnight.
I will try to explain everything we know so far. On each charge I will offer my opinion of whether Zoom is “guilty” or not.
- Zoombombing
This was the earliest Zoom issue that pushed Zoom security to the front page. Basically, if you don’t set a password for your meeting, strangers can guess your Zoom ID and join your meeting.
Verdict: Not guilty. Set your meeting password. Case closed.
2. False Claim About End-to-End Encryption
Zoom’s marketing material falsely claims that their meetings are end-to-end encrypted.
Zoom meetings are NOT end-to-end encrypted. They are encrypted from your machine to Zoom servers, and from Zoom servers to other parties. Other digital meeting tools — Google Meet, Skype, Slack, GotoMeeting — also do NOT offer end-to-end encryption. However, they never claim to. If you read GotoMeeting’s security white paper, it states that GotoMeeting employs end-to-end security, which is true.
Of the consumer-grade video conferencing solutions, only Facetime and WebEx offer end-to-end encryption. Honesty matters in the security world as this field is complicated.
Verdict: Guilty for false claim.
3. Facebook Data Sharing
There was a report that Zoom’s iOS app shared usage data with Facebook even if the user did not have a Facebook account. This is — or WAS — problematic. They pushed out an App update on March 27th removing the feature.
Verdict: Guilty for shady data mining practice.
4. LinkedIn Sales Navigator
LinkedIn sells a feature called LinkedIn Sales Navigator. It’s a feature that allows salespeople to mine the LinkedIn database in order to market to potential customers. Zoom is an integration partner of LinkedIn, which allows Zoom users with this feature to match other participants to their LinkedIn profiles, potentially exposing emails and other information that they may not want to share with their Zoom friends. What’s worse is that this feature will work even if someone signs in anonymously.
Zoom disabled the feature after a New York Times report.
These two facts (Facebook data sharing and LinkedIn Sales Navigator) combined, point to a shady business practice on Zoom’s part. Although both of these issues were fixed immediately, one would wonder if they are hiding anything else.
Verdict: Guilty for shady data mining practice.
5. Privilege Escalation on Mac
Researcher Felix Seele discovered that Zoom abuses the pre-installation process and installs itself during the pre-installation process, saving the user a few clicks. This wasn’t really a ‘problem’ as they did not install anything that they shouldn’t have. However, why would they do that? To save a few clicks? Felix also found that if Zoom was already installed but the user did not have administrative privileges, Zoom popped up a vague message asking for the admin password.
After the original finding, reports popped up saying that Zoom allows hackers to control user cameras and microphones. While those charges were technically correct, such an attack required that someone first download a pre-modified Zoom package and that the hacker gained physical access to the computer in question.
Here’s the thing, if a hacker can trick you into installing something and then gain physical access to your computer, they can hack into your computer regardless of whether you’re using Zoom or not.
Verdict: Not guilty, but incredibly bad practice.
6. Password Leak on Windows
Researcher @_g0dmode discovered that if you paste a Windows network UNC path (\\evilserver.com\readme.pdf) to a Zoom chat room, it becomes clickable. If clicked, Windows will send login credentials to the target server pointed to by the link. To me, this is more of a Windows issue than a Zoom issue. Zoom issued a fix soon after the report.
Verdict: Not guilty.
7. Private Chat Not Private
During Zoom meetings, Zoom claims you can have private chats between participants. During the call, these chat messages are only visible to the intended recipient. However, once the meeting has ended, the entire chat history, including both public and private messages are all saved. This chat history file can be downloaded by the host, potentially exposing private messages outside of their intended recipients. This is, again, a false claim. Private chat should be private.
Verdict: Guilty for false claim.
7. Email Grouping
Zoom assumes if your email is from the same domain name, you are from the same organization. It groups all users with the same domain name into the Company Directory. They exclude major email providers such as gmail.com, yahoo.com, etc, but, miss many other common ones. One report found that users from quicknet.nl, a Dutch email provider, are all grouped together as if they work for the same company. This is a glaring security breach and demonstrates sloppy engineering practices.
Verdict: Guilty of sloppy engineering practices.
8. Servers in China
A report surfaced on April 3rd that Zoom employs nearly 700 employees in China. Having employees in China is not a problem. Many tech companies, including Microsoft and Apple, have subsidiaries in China. However, Zoom confirmed that at least some Zoom calls are routed through China. The issue is that if a call routes through a server in China, the encryption keys of those calls will most likely be generated from that server. This means the Chinese government will have jurisdiction over such encryption keys and thus be able to potentially intercept the calls.
The same report also exposed that Zoom does not use the industry standard Real-Time Transport Protocol (RTP) which almost all other video conferencing solutions use.
This charge, on top of the email charge above, seems to demonstrate a pattern. Zoom seems to have a culture where they focus so much on usability that they ignore everything else. The end result is top notch in usability but sloppy on many other aspects.
Verdict: Guilty of sloppy engineering practices.
9. Zoom Recording Exposed
The Washington Post reported on April 3rd that thousands of recorded Zoom calls are exposed on the open internet. At first, the report seemed to indicate that Zoom exposes those files publicly. However, it turns out that somehow, some people simply upload their Zoom recordings to Youtube or Vimeo, two of the most popular video sharing sites. These sites are designed for videos to be viewed publicly. As a result, all the Zoom recordings uploaded by individuals, including therapy sessions, are publicly available.
I really cannot fault Zoom for what people do after they download the files. If your doctor leaves your X-ray film in Starbucks, do you blame the doctor? Or, do you blame the radiologist for making the envelope too easy to forget?
Verdict: Not guilty.
These are just issues reported in the last two weeks. Reading these, one is correct to be concerned about Zoom. I have heard of businesses and schools banning employees and students from using Zoom entirely.
I do not think banning Zoom is the right move for all situations. I can honestly say that without Zoom’s top-notch user experience, we would not have been able to put our entire school online in just a few days. During a short 10-day period, our top priority was to get students back to learning, giving them some structure and allowing them to interact with their classmates. Even knowing what I know now, if time turned back to March 13th, I would still implement Zoom. It was the right tool at the right moment.
Had we had another 6 months to plan, we would have been able to research other tools and may have picked one that offered better overall security.
If you are considering Zoom, please consider why you may not want to use it; if your meetings are about company secrets, or, you are a doctor who needs to protect your patient’s information under HIPAA, do not use Zoom.
The next big reason not to use Zoom is not about technology, but their business practices. As seen in the many charges above, they show a pattern of shady practices. There are reasons to think that one should not trust Zoom. They claim end-to-end encryption which is not true. They claim private chat which is not true. They mine your personal information without disclosure. Are there other things that they are hiding or lying about?
On the other hand, I want to emphasize that your concern over Zoom should not mean taking learning away from students, and also should not mean taking care away from your loved ones.
The recent CDC recommendation of using cloth face masks instead of recommending using surgical masks is a clear example. Surgical masks are more ‘secure,’ offering better protection against the virus than a cloth mask. The reason the CDC did not recommend the most ‘secure’ solution is because cloth masks are good enough. They are ‘secure’ enough for the general public. Surgical masks should be reserved for the medical workers.
If Zoom concerns you, use Facetime. It’s also easy to use. Or use Skype, Google Meet, GotoMeeting, or WebEx. Whatever you end up using, do not allow your concern over Zoom to override your care toward your audience. While we are in quarantine, we need to communicate.
I have heard of schools banning Zoom for any use and as a result, some students missed their teachers hosting storytelling time. Banning the use of Zoom for storytelling is overkill.
Please, go ahead and use Zoom if not using Zoom means you stop teaching, or stop calling your grandparents. Just remember to set a password and don’t post the recording on YouTube.
