Every Zoom Security and Privacy Flaw, So Far, and What You Can Do to Protect Yourself

Originally published at: https://tidbits.com/2020/04/03/every-zoom-security-and-privacy-flaw-so-far-and-what-you-can-do-to-protect-yourself/

The videoconferencing service Zoom has seen a 20-fold increase in usage during the coronavirus pandemic. That extra attention has put a spotlight on poor technical and policy decisions that have exposed Zoom’s users to harm and revealed personal data unnecessarily. But hope blooms with the company’s latest comprehensive apology and roadmap.

Thank you for that very informative article. I will follow the advice for Mac users. I have just updated the Zoom app for the update recommended above (to prevent malicious updates!) but don’t intend to use it.
A colleague in Europe is switching to Microsoft Team so I will check that out. However, as Mac users, he or I should also be able to host Facetime conference calls (will look for tips on Tidbits).
A pity that Facetime appears to be designed for the iPhone and still doesn’t have all the great features of iChat on Macs from years ago.

Thanks for this rundown. Wow! In Holland we say: “Trust comes on foot and goes on horseback.” As far as I’m concerned that trust is beyond the horizon by now.

No Zoom on any of my devices that’s for sure.

Glenn, you’ve done a truly excellent job of researching and explaining Zoom’s flaws. Even a not very technically oriented reader, such as myself, can understand all these complicated issues in this clearly written and well organized article. My thanks.

Glen, you did a great job with this article. I’m pleased you’re working on a Take Control book on Zoom. You asked for suggestions or ideas for that book. How should we contact you about that? I’ve set up Zoom meetings for different kinds of groups the past couple weeks, and have a couple tips I’d like to suggest.

I have to admit…I never thought I would hear “In Holland” and “goes on horseback” in the same context. There are horses in Holland of course and they get ridden…but that’s a much more “American west” sounding sort of combination.

For short stuff that would be useful in public, feel free to share here; if you have some longer insights, I’m eager! You can email me glenn@glennf.com.

Zoom has admitted it accidentally routed some calls via China. This doesn’t help explain the bad encryption choices, the misleading information about encryption (they’re using a far weaker form than they advertise they use and they rolled the encryption themselves), and generating keys from servers in China.

John Gruber has a pithy, acerbic, accurate take here.

This Forbes article has some tips for alternatives to Zoom. I would be interested in users’ comments/experiences with these alternatives.

New York has banned Zoom for use by the schools.

Seems like a knee-jerk overreaction by someone who spent too much time listening to a sales-pitch from someone at Microsoft.

You…read my article, right? I was just talking to a local professor friend last night. It’s RAMPANT on her major university. She had to comfort a friend of hers whose 250+ class session was zoombombed by people with anti-Semitic slurs and video.

Microsoft Teams has the advantage that it requires registration and a subscription. (I’m not sure you can have non-subscribers enter a Team session). It’s a great idea for groups that already have subscriptions to Office 365, like my kids’ school.

My understanding is I can bump disruptive people off a Zoom meeting. I can also choose a password for a meeting.

Yes. But if you allow anyone to join who has the password (you don’t restrict to registered Zoom accounts) trolls have automated scripts that let them rejoin with a new moniker.

Maybe I’m being dense here. But if I make publicly available a URL and a password, is it not obvious that’s a bad thing as with every other web service that relies on user/pass? Isn’t the entire point that you have to limit the Zoom URL and password combo to a limited number of (known) participants? Obviously in some cases you want to broadly publish a Zoom meeting ID, but I suppose in those cases you have to resort to a non-public password, right?

My admittedly limited understanding is, one of the reasons an entity such as the UC system likes a service like Zoom is because anybody can join, regardless of operating system or type of hardware. You can even just dial in with a regular old phone. Of course that wouldn’t jive with true E2E. While something like FaceTime would most likely be far more secure, I can’t reach as broad an audience as I can with Zoom. And call me biased, but I’d never resort to something from MS in the name of security. For me, their credibility ship sailed a long time ago and I’m not giving them any fourth (or fifth) chances.

I’d definitely like to try something like Jitsi, but just recently colleagues of mine from the CS department told me they had to revert back to Zoom, because of serious audio issues they had been experiencing with their Jitsi. Maybe it was just user error (they mentioned that themselves) so I’d definitely want to give it a try myself. If one of my meeting groups were interested. I guess we’ll see a lot happening in this area the next few weeks and months.

The person creating the meeting must be a subscriber, but anyone can join. Either anybody invited or anybody with the URL, depending on how the meeting is configured. There is a (limited functionality) web client for people who don’t have the app installed.

Right, and teachers and others are being told to not share a URL, but require registered users, or even rely on integrations for class rosters.

With Zoom, you can limited meetings to certain users (I believe at a paid tier and using enterprise integration with directories). But most Zoom participants aren’t registered users.

With Teams, primary users are registered users, because it’s used for businesses and schools.

It’s a good solution right now for those who already have an Office 365 subscription in a corporate or academic setting.

We’re in extraordinary times and people are flailing to find solutions. That means that literally tens of millions of people are using a tool they never have before, partly because it’s free and relatively simple to set up. School districts with no money—or the knowledge they are about to face huge cuts to their budgets—are using Zoom, for instance, because of the zero cost issue.

That leads to what I’d describe as “naive” users (not stupid, not generally unsophisticated or inexperienced as computer or Internet users even, but new to this particular kind of online thing) find themselves on the front lines of waves of attacks by trolls. Trolls are the equivalent of war criminals attacking a civilian population. (There’s no legitimate enemy here, either, but civilians are absolutely clearly not legitimate targets, either.)

So the URL with a password embedded or a meeting ID and a password, which Zoom has very nifty and easy ways to share, does not carry the sense of “this is a private thing you need to protect.” Especially when people are new to it, stressed out by everything around them, and often being told to scramble with little assistance. IT workers are surely overwhelmed—if a school or business is lucky enough to have dedicated IT help.

Zoom made a bunch of changes that went into effect yesterday. Passwords are now mandatory on all meetings from free-tier users, upgraded education users, and single-host (one-license) users.

However, you can still generate a URL with the password embedded (that can be manually disabled in Zoom settings). It’ll be harder for trolls to grab URLs, and people are becoming quickly savvier about setting up sessions.

Then you configure the meeting to only allow those who have been invited.

In addition to the security and privacy issues surrounding Zoom in the largest US school system, there’s been big problems with content management. And it’s far from a what-if situation:

"In some cases, students have taken to “Zoombombing” online classes, essentially logging into online classes uninvited and hijacking everyone’s screens with inappropriate images or audio. “Zoombombing is no joke. I don’t think we were ready for that,” Pat Finley, a co-principal at the Metropolitan Expeditionary Learning School in Queens, previously said.

Students have also sometimes flooded the platform’s chat function with inappropriate comments, disrupting virtual instruction.

Last week, New York Attorney General Letitia James raised concerns about the platform, including whether third parties could secretly access users’ webcams, reports that the company shares data with Facebook, and whether the company was following state requirements about safeguarding student data."

The author is a former high ranking education officer who served during the Clinton, Obama and Bush administrations, who rose through the ranks of the NYC School System, and is also highly regarded author and commentator on education who has remained involved in NY City and State schools.