The Zoom Follies

Zoom is arguably the most popular video conferencing solution right now- but does it deserve that status?

The COVID-19 pandemic has caused almost all in-person meetings and events to be moved to online meeting platforms such as Zoom, Webex, Jitsi Meet, Skype, or Google Hangouts Meet. In the past few weeks, I’ve attended several such meetings, all of which have occurred on Zoom’s platform.

Zoom seems to be the go-to platform because of its many features and ease of use, however, in my opinion, the privacy issues outweigh these benefits.

The most recent issue, “Zoom-bombing” happens when a bad actor randomly tries meeting ID’s with the intent to crash the meeting. In an any setting, this could be a disaster, but especially in education and enterprise. Zoom has recently published an update that suggests meetings be protected with a password to prevent this. It only took us 9 years to find and fix this issue.

It has also been discovered that the Zoom iOS app sends analytics data to Facebook. On its own, this isn’t a huge deal, as many apps send analytics data to Facebook or Google. However, apps usually disclose this in their privacy policies. Zoom does not.

Schools in New York City banned the use of Zoom to conduct distance learning. The Department of Education Chancellor cited Zoom’s increasingly tarnished record as the reason for the decision. (article)

This morning, a ZDnet article was published announcing research completed by the University of Toronto’s Citizen Lab. They found that Zoom was using an insecure encryption method that can be broken easily. Zoom’s CEO recently addressed this issue, stating:

We recognize that we can do better with our encryption design. Due to the unique needs of our platform, our goal is to utilize encryption best practices to provide maximum security, while also covering the large range of use cases that we support. We are working with outside experts and will also solicit feedback from our community to ensure it is optimized for our platform.

Here’s my take on that statement. Zoom has had more that 5 years to figure out an encryption scheme that “[covers] the large range of use cases that [Zoom] supports.”

Citizen Lab also found that Zoom’s Waiting Room feature had a vulnerability that they were not disclosing until Zoom had a chance to resolve it. The Waiting Room feature was recently enabled to address “Zoombombing.”

Finally, the research group discovered that Zoom encryption keys are often served from servers in China. The company says this is because they recently added servers in China, causing the software to mistakenly choose the Chinese servers instead of servers closer to the meeting participant. In the same press release quoted above, Zoom stated that these servers were quickly removed from the backup whitelist for users outside of China.

These issues aren’t Zoom’s first brush up with controversy. In July, it was found that a server application installed with Zoom had a remote code execution vulnerability. (read more)

What I’m trying to say is that Zoom (and most of the other platforms), are a lifeline for so many right now. We trust them blindly to provide a secure, reliable, and easy platform to conduct business while we can’t meet in person. “With great power comes great responsibility.” If Zoom continues to have missteps and vulnerabilities, I don’t think we should trust them with our meetings.

I’ll still be using Zoom when attending a meeting, but if I organize one, it will most likely be on another platform. Let me know your thoughts, about Zoom or another platform, in the comments below!

FURTHER READING:

• The need for online privacy is finally resonating with video chat – Mashable
• Feds: Zoom-Bombing Is a Crime, Not a Joke – PCMag
• Zoom concedes custom encryption is substandard as Citizen Lab pokes holes in it – ZDNet (cited above)
• Skype rivals Zoom with new ‘Meet Now’ feature for app-free video calls – Android Authority
• Zoom’s response to its own flaws should set the industry standard – Chrome Unboxed