Zoom calling and privacy

By Alison Stone (Cyber Resilience Co-ordinator, SCVO) on 8th Apr 2020

To Zoom or not to Zoom? That is the question…  

Zoom has quickly moved from a niche platform to a ubiquitous part of ‘lockdown life’. Along the way, the videoconferencing platform has run into controversy about its approach to security and privacy. So what’s been happening, and should you be looking for another videoconferencing platform?  

In a very short space of time Zoom has grown from 10 million to more than 200 million daily meeting participants. It’s easy to use on a wide range of devices, and it offers a good set of features. But the company has recently had to address concerns about security and privacy. 

Update 23 April: The National Cyber Security Centre have just released some updated guidance on video calling:

Detailed guidance for organisations
An accessible overview for end users

So, what should you think about before adopting Zoom? 

Zoombombing: 

We’ve probably all heard of the new term featuring in the media of late – Zoombombing. This is where uninvited attendees break into and disrupt your meeting, and, sadly, it is remarkably simple for a malicious actor or troll to join in your online conversation.  

That said, there are some simple steps to avoid unwelcome guests. Zoom now have password protection set for meetings by default, and you can use the ‘waiting room’ feature to check participants before you add them to the call. Of course, you still need to make sure that you keep meeting passwords private. Here are some useful practical tips from the Mozilla Foundation.

Encryption: 

Another question that has come up is whether Zoom calls have adequate encryption. There’s been confusion and controversy over what Zoom mean by ‘end-to-end’ encryption. Privacy advocates and security researchers have pointed out that Zoom’s definition of ‘end-to-end’ is not what people usually mean when they use this term. So what is the issue?  

Encryption means that data is scrambled so it can’t be read by a third party who intercepts it. And ‘end-to-end encryption’ is where encryption is in place all the way from the sender to the receiver, so there is no way that anyone could intercept and unscramble the communication, even if they worked at the platform that was providing the online service. End-to-end encryption offers a really high level of security. But Zoom doesn’t offer this level of protection at the moment.

It turns out that it’s quite hard to build video-conferencing that works on multiple platforms, is easy to use and includes full end-to-end encryption. MS Teams and Google Hangouts Meet don’t offer full end-to-end encryption either. This is because some of the features that make video conferencing work well (spotlighting speaker video, working outside corporate networks, managing call participants) are hard to do with true end-to-end encryption.

What Zoom does provide is ‘encryption in transit’ – this means that as communications pass from one Zoom server to another, the information is encrypted so it can’t be accessed by third parties. This is a similar level of security to what you get when you use https:// to browse a website securely. So the good news is that third parties won’t be able to listen in to your Zoom calls. But you will need to think about how you feel about unencrypted data sitting on Zoom’s servers.

So, should you use Zoom? 

All this attention means that Zoom do seem to be more willing to address issues than they have been in the past. This article gives a good roundup of recent developments and the technical detail behind them. 

Zoom have publicly committed to dedicating the “resources needed to better identify, address and fix issues proactively” – in a recent blog, their CEO championed transparency, collaborative working with third-party experts and the implementation of a CISO Council to facilitate ongoing dialogue regarding security and privacy best practices. Furthermore, they are enhancing their bug bounty programme – ideal for those security researchers who love exposing system flaws!

So, to Zoom or not to Zoom? There are, as always, alternative platforms for video conferencing available. This article gives a quick overview of some common platforms. These include the long-established Webex, Microsoft Teams, and the Google products of Hangouts and Duo.

Ultimately, the decision to choose Zoom over its rivals is up to each organisation, based on its use case and a cost/risk analysis. Discussing matters of “top secret security clearance” on the free version of Zoom might not stack up as a good business decision; however, a team chat or that newly established stalwart of the quarantine – Friday Night Zoom Drinks – should be positively encouraged!

In my view, I think we should give Zoom the benefit of the doubt and see what the improvements of the next 90 days bring. Its service is easy to use, good quality and affordable by all. They have been given notice to up their game by 200 million daily users – I rather hope they deliver.