As I wrote in Washington State Bar News recently, choosing new technology requires you to consider security issues like encryption and two-factor authentication. As you might imagine, these considerations apply to remote work technology like videoconferencing software.
There are many videoconferencing options out there, including GoToMeeting, Microsoft Teams, WebEx Meetings, JoinMe, and Adobe Connect. But one videoconferencing tool that has been grabbing headlines lately is Zoom. Presumably due to the coronavirus and the fact that many of us are now adapting to remote work, Zoom daily usage increased from 10 million users to 200 million users between December and March; that’s an increase of 2,000 percent. Given that so many of us are new to using this tool for our work, it makes sense that Zoom is receiving some high-profile media attention.
In this article, I’ll explore some of the emerging issues related to Zoom and offer my best practices for secure communications for any videoconferencing tool that you choose.
First, a caveat: This is an emerging area with new reports coming out every day—CNET is compiling information about Zoom as reporting emerges, and updating on a regular basis—so new information could affect your decision to continue using any particular software service. You should stay apprised of any developments and use your discretion when deciding whether a software service offers the security that you need to protect your clients’ interests.
Zoom in the News
In the last few weeks, several reports have come out regarding Zoom security.
For example, The Intercept recently reported that not all Zoom conversations are end-to-end encrypted as some documentation may suggest. Meanwhile, Vice reported that the Zoom iOS application (for iPhones) sent analytic data to Facebook, even if the Zoom user didn’t have a Facebook account. According to Vice, the Zoom iOS app was sending information about the Zoom user’s device (their iPhone model, for example), time zone and city location data, and the unique advertising ID created by the user’s device (the iPhone device ID is called an IDFA, although devices from other manufacturers have advertising IDs as well). A few days later, Zoom released a statement that the data sharing was an inadvertent result of adding a “Login with Facebook” feature. Reportedly, when Zoom used a software development kit (SDK) from Facebook to implement the login feature, it unknowingly (according to Zoom) included code for data sharing. Zoom removed the Facebook SDK from the iOS app and Vice’s Motherboard group has confirmed that the data was no longer being sent.
Other reports have focused on the openness of Zoom meetings themselves. As The Verge reported, one security expert developed an automated tool that could guess Zoom meeting ID numbers (the nine-digit number that is assigned to each meeting event), which of course would allow someone to join a meeting without having been invited. Additionally, some people have been subject to a trend called “zoom bombing.” As NPR reports, “zoom bombing” occurs when a third party gains unauthorized access to a Zoom meeting and interrupts the meeting with lewd or hateful content.
A number of organizations have grappled with such questions about Zoom data security: “U.S. Senate Reportedly Tells Members to Avoid Zoom,” “School Districts Reportedly Ban Zoom Over Security Issues,” and “Google Told Its Workers That They Can’t Use Zoom On Their Laptops Anymore.”
Zoom Problems are Internet Problems
All of these reports may make you more hesitant to use Zoom in your practice. That’s a good thing, because you should think twice before using any device or software that is connected to the Internet. Don’t be alarmed; I’m not suggesting you get off the Internet, but I do want you to understand the risks of all the technology you are using so you can make informed decisions for your clients and your practice.
In fact, most of the concerns I’ve seen related to Zoom are also true of other tools. For example, while Zoom could be used to send malicious links to other participants on a call, you’re already vulnerable to malicious links from the email and text messages you receive.
While Zoom reportedly ceased collecting device identifiers from Zoom iOS users, that same data is likely collected from other applications or websites you use with your mobile device (both Apple and Android devices). In fact, mobile device IDs are a known concept in app development and marketing.
Finally, if you’re concerned that Zoom conversations may not be end-to-end encrypted, keep in mind that your email communications may be just as insecure. If you are looking for a method to share sensitive information more securely, you can schedule a free consultation with the WSBA practice management program to talk through some options.
Considerations for Better Cybersecurity
The following suggestions can help you protect privacy during Zoom calls, but are also general suggestions for Internet software.
- Guard Against Phishing
Malicious links can come from many sources, and if you can fall for a bad link in Zoom, you can fall for a bad link anywhere. A malicious link can come from someone you don’t know, someone posing as a legitimate institution (“domain spoofing”), or someone you know but whose account is unknowingly compromised. Malicious links are a form of “phishing,” where a hacker sends out bait (malicious links) in the hope that you’ll click the link and grant access to your accounts or data.
To protect yourself from malicious links, consider inspecting links before you click, even if the link is purportedly sent from someone you know, and even if the web address displayed seems OK. Be especially cautious of “short links”: shortened URLs that hide the full web address destination.
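One way to automate the link inspection described above, as an added example that is not part of the original article: it reads an HTML message, flags short links, and flags links whose visible address names a different host than the real destination. The shortener list, the function names, and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of link-shortening hosts (illustrative only).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

class AnchorCollector(HTMLParser):  # collects [href, visible text] per <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def host_of(url):
    """Lower-cased host of a URL or bare address; '' if there is none."""
    try:
        return urlsplit(url if "://" in url else "https://" + url).hostname or ""
    except ValueError:
        return ""

def inspect_links(html):
    """Return [(href, [warnings])] for each link in an HTML message body."""
    collector = AnchorCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        host, warnings = host_of(href), []
        if host in SHORTENERS:
            warnings.append("short link hides destination")
        # If the visible text is itself an address, it should name the real host.
        first = (text.split() or [""])[0].rstrip(".,;:!?")
        shown = host_of(first) if "." in first else ""
        if shown and shown != host:
            warnings.append(f"text shows {shown} but link goes to {host}")
        report.append((href, warnings))
    return report

# Constructed sample message (reserved example domains, not real invitations).
SAMPLE = """<a href="https://meet.example.com/j/000000000">https://meet.example.com/j/000000000</a>
<a href="https://bit.ly/constructed">Meeting invite</a>
<a href="https://login.example.net/meet">https://meet.example.com/join</a>"""
```

Calling `inspect_links(SAMPLE)` returns no warnings for the first link, a short-link warning for the second, and a text/destination mismatch for the third.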
- Limit Device ID Tracking
Zoom reportedly stopped sharing device IDs with Facebook; however, your device ID is possibly being shared or collected by other applications. If you are concerned about your device ID being used for marketing, you may be able to change your device settings so that your ID is not shared.
- Keep it Up to Date
Zoom has been pushing out updates to its software applications to incorporate security updates. For example, on April 7, Zoom added a security icon to the application dashboard with controls to enable a waiting room and lock the meeting. However, you won’t receive the benefit of these changes if you are not updating your software when prompted to do so.
This applies to other software and applications, as well. Watch for updates and, when possible, consider changing your application and device settings to allow automatic updates. This simple change will help keep your data secure when new threats emerge.
- Use the Security Options Available
With any online communication tool, make sure you understand the available options and security settings that are in place by default. And make sure you understand the best practices for that tool (especially based on the nature of the information you are transmitting).
For example, Zoom recently made changes to enable its more restrictive settings by default for some users, but you can verify your account settings by logging into your account profile. To prevent unwanted parties from gaining access to your meetings, consider (a) requiring a password to join the meeting, (b) requiring a password for participants joining by phone, and/or (c) requiring each attendee to stay in a virtual “waiting room” until you individually admit them. You should also keep an eye on the list of participants in your meeting, and if you aren’t sure who an attendee is, consider asking them to identify themselves.
Disclaimer: The WSBA is not endorsing or discouraging the use of any particular platform.