The use of Zoom as a meeting platform has exploded alongside the spread of COVID-19. With that growth have come many questions regarding its security and privacy. Those concerns are usually two-fold: (1) is it secure; and (2) are meetings private?
As to the first question, is it secure? That question has a lot of different possible meanings, but for this article let’s assume it means, “Can people intercept and access my communications in a technical sense?” While no encryption set-up is perfect, technical analysts have pointed out (to describe it in non-technical terms) that Zoom did not take a stock approach to security and “went their own way”. This is known as “roll your own” in security circles.
There is nothing per se wrong with this encryption approach, but it may give rise to non-standard issues. Stated differently, if you build your own engine and install it in a vehicle you built, the vehicle may perform better, worse or just differently, than a vehicle that rolled off the assembly line.
Regardless of the encryption/engine/vehicle metaphor, Zoom catches a lot of heat for not being so-called “end-to-end” encrypted. End-to-end encryption, in this sense, is when the video call data is encrypted at all times in transmission and the platform provider is unable to decrypt it. As it currently stands, Zoom is somewhat opaque in revealing the details of its encryption.
Most technical experts seem to agree that the primary issue is that Zoom itself could be capable of decrypting the call data for its own uses, or for the use of the government or a commercial partner. This last issue has raised the specter of regulatory enforcement, primarily under the relatively new California Consumer Privacy Act.
Zoom does have the ability to be “end-to-end”, but that would require hardware installation at your company, for which most companies have no appetite. That said, while I would not use Zoom to plan the overthrow of a country, I probably would not be too worried about the standard business fare with respect to technical security.
Given that security (in this article meaning encryption) and privacy are not the same thing, let’s talk privacy for a moment.
Zoom has been criticized for being susceptible to meeting crashing by Internet trolls who obtain meeting IDs and use them to disrupt meetings. From my perspective, this issue results from users misunderstanding the technology more than from a failing of Zoom itself. When you leave the directions to a party out in the open, it is not really surprising that unwanted people are going to crash the party. There are several ways to address this issue, including not posting or broadcasting the meeting ID, requiring a password, creating a “waiting room”, restricting screen-sharing, and locking the meeting. Each of these, you will see, is more a matter of educating the user than a defect in and of itself.
While this is not to diminish the issues and criticism (especially the lack of clear disclosure, which is more or less an industry standard), every tool has its limits. The key is knowing what those limits are. If you don’t think Zoom is for you, there are plenty of alternatives, including FaceTime, WebEx, GoToMeeting, Skype, Slack, Facebook Messenger, and Microsoft Teams. I, for one, will still use Zoom… for most things.