To Zoom or not to Zoom: A Lesson in Privacy & Security

The global lockdown placed a spotlight on tech platforms that can attempt to replicate the normality of our previous lives.

Perhaps one of the biggest success stories to have come out of this need is the now omnipresent Zoom. From business meetings to gym classes, to virtual classrooms and drinks nights, the videoconference platform has become a household name.

We have seen an exponential increase in Zoom users; the company reached 300 million users last month from 10 million at the end of 2019. Even tech giants such as Facebook are worried, seen through the launch of competitor Messenger Rooms.

However, the platform’s privacy and security vulnerabilities have become a cause for concern for both the private and public sector. NASA, Google and Elon Musk’s SpaceX have banned their employees from using it, alongside the Taiwanese and Canadian governments. The UK government also came under scrutiny when Prime Minister Boris Johnson tweeted a photo of a meeting that included the meeting ID number.

What are the privacy issues posed by video-conferencing platforms?

In the case of Zoom, privacy and security issues were originally brought to light by the platform’s own shareholders, highlighting the absence of end-to-end encryption and overestimation of its confidentiality measures.

End-to-end encryption is a method of protecting the confidentiality and security of data from third-party access while it is transferred from one end system to another. This is done using cryptographic keys that are stored exclusively on the endpoints. Despite Zoom’s claims that end-to-end encryption was in place on their platform, this was quickly disproved by numerous bodies around the world.

The platform’s sharing of user data has also been in the spotlight. Vice’s Motherboard broke the story that Zoom sends the data of its iOS app users to Facebook for advertising purposes, regardless of whether you have a Facebook account.

Furthermore, the platform has suffered from the phenomenon now dubbed “Zoombombing”, where meetings are hacked and used to disseminate pornographic images, racist threats and verbal abuse.

How have these issues been dealt with?

Zoom has addressed these concerns, stating that in their defence they did not expect the platform’s active users to increase at the rate that they have in such a short amount of time. They have promised a 90-day period solely dedicated to improving their privacy and security procedures. As part of this, they have launched Zoom 5.0.

This new version addresses the concerns highlighted above. In terms of encryption, Zoom has now adopted the ‘gold standard’ in the form of AES 256-bit GCM encryption. To put into perspective how seriously Zoom are taking their new-found status, this is the same standard used by the US government to secure data. However, this does not mean that the platform is end-to-end encrypted yet, just that they have increased their level of encryption. Nevertheless, TechCrunch has reported that the platform has acquired Keybase, a start-up focusing on encryption, to solve this problem.
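The difference between strong encryption and end-to-end encryption comes down to who holds the key. The sketch below is an added example, not code from Zoom or from the original article: it uses Node.js's built-in crypto module, and the function names, the X25519/HKDF key agreement and the sample message are illustrative assumptions rather than a description of Zoom's design.

```javascript
const crypto = require('crypto');

// AES-256-GCM helpers: 32-byte key, fresh 12-byte nonce per message.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// True if whoever holds `key` can decrypt and authenticate `msg`.
function canRead(key, msg) {
  try { open(key, msg); return true; } catch { return false; }
}

// Model 1: the service generates the meeting key and distributes it.
// The cipher is AES-256-GCM, yet the service can still read everything.
function serverKeyedMeeting(text) {
  const serverKey = crypto.randomBytes(32); // known to the service
  const msg = seal(serverKey, text);
  return { msg, serverCanRead: canRead(serverKey, msg) };
}

// Model 2: endpoints derive the key themselves; the service relays only
// public keys and ciphertext. (Real systems must also authenticate the
// public keys, otherwise the relay could substitute its own.)
function endToEndMeeting(text) {
  const alice = crypto.generateKeyPairSync('x25519');
  const bob = crypto.generateKeyPairSync('x25519');
  const derive = (priv, pub) => Buffer.from(crypto.hkdfSync('sha256',
    crypto.diffieHellman({ privateKey: priv, publicKey: pub }),
    Buffer.alloc(0), 'demo-meeting-key', 32));
  const msg = seal(derive(alice.privateKey, bob.publicKey), text);
  const received = open(derive(bob.privateKey, alice.publicKey), msg);
  // Stand-in for the service: it holds no endpoint private key.
  const serviceKey = crypto.randomBytes(32);
  return { received, serverCanRead: canRead(serviceKey, msg) };
}
```

Both models use the same cipher; only the second keeps the key exclusively on the endpoints.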

In response to Zoombombing, this new version now places users in a waiting room by default until they are approved to enter a meeting, and allows hosts to report any malicious users. Meetings now also require a password as a default setting in order to keep any Zoombombers at bay.

So, should you Zoom or not?

For the moment, any sensitive or exceptionally private conversations should be conducted on more reliable and longstanding platforms. Given Zoom’s overnight success and active measures to overcome their privacy vulnerabilities, it will be interesting to see their position once their 90-day period comes to an end.

Article by Komal Shemar @ Gerrish Legal, first published on TechGirl in May 2020 / Cover photo by Claudiu Hegedus on Unsplash
