The following is a post made by Daniel Rainey, a Fellow with the National Centre for Technology and Dispute Resolution (NCTDR), and may be of interest to those who have turned to Zoom as a communication tool during the time of Covid-19:
The Zoom question is complicated, particularly because of the negative press the platform is getting. Forgive me for going on about this, but I’ve been getting a lot of questions about whether it is ok to use Zoom.
To begin, remember the rule that one can never absolutely guarantee privacy online. Having said that, I think Zoom is still relatively low risk. The negative news has been about a few specific issues related to the platform.
First, that the platform is subject to Zoombombing – having unauthorized users break into a meeting to eavesdrop or inject objectionable content. I dealt with this a bit before, but to recap, the interruptions of Zoom meetings that fit under this category have been, to my knowledge, either due to compromised linkage software that allows users in a company’s internal system to connect to Zoom (where the linking software is the hackable weakness), or due to careless handling of URL logins and passwords. I am not aware at this point of any hacks of Zoom meetings conducted using Zoom apps on both ends.
A second bit of bad news is that Zoom used its platform to gather information about users. My response to this is that most, if not all, online platforms do this. Due to the negative publicity, Zoom has disabled the function that allowed users who paid for Zoom’s marketing service to access user LinkedIn data, but the fact remains that just about any online service has the ability, and the inclination, to gather user data. That’s just part of the business they are in.
The other bad news has been that Zoom was not totally up front about the “end-to-end” encryption they use. For reasons I won’t go into, true end-to-end encryption with multiple users is damned hard to do. If they are to be believed, FaceTime does it, but most platforms don’t. According to some tech investigators, Zoom encrypts video, audio, and text for meetings held with all users on the Zoom platform – the encryption is from the user to Zoom’s servers, and from Zoom’s servers back to the user, but not between Zoom servers in the cloud. This allows Zoom to view/hear meeting content on its own servers, but makes hacking the stream from user to user very difficult. There may have been one, but I do not know of a case of hacking that has broken the encryption in transit, nor do I know of a case of hacking involving Zoom’s cloud servers. Again, the Zoombombing and data problems of which I am aware have been due to either connecting software or bad user behavior. As an aside, the way Zoom handles encryption means that they could comply with court orders to reveal information stored on their servers, and that info is not encrypted (except for text in the chat room, which is apparently really encrypted end-to-end in the classic sense).
So, should you still use Zoom? I’d say the answer is a slightly qualified “yes.” If you are dealing with info that would truly ruin you if it were compromised, and if you had a way to send that information in offline ways, or in self-encrypted formats, I’d not use any online platform. But most info does not fall into that category – it may be sensitive or proprietary, but the question of whether to deal with it online is a risk/damage assessment that would make using a reasonably secure platform ok. Zoom is a reasonably secure platform, in my opinion. Apparently, some of the organizations that have blocked the use of Zoom have suggested that employees share information by email (perhaps the most vulnerable online platform that exists) or by phone (making the simple act of hacking mobile systems a risk). I still think WebEx, as a web video platform, is slightly more secure, but it is not as user friendly – if you set Zoom up well, use it with all participants on the Zoom platform (not calling in by phone or joining from another platform) using computer audio, and you are smart about how to handle URL login information and passwords, I think you can use it responsibly and ethically with parties.
If I run across information that changes my mind, I’ll post it.
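The distinction Rainey draws between encryption that terminates at the provider's servers and encryption that runs end to end between participants is easier to see in code than in prose. The following is an added illustration, not part of Daniel Rainey's post and not Zoom's own protocol or code: it models two relay topologies with a small stream cipher built from Python's standard library. The cipher, the key names (`key_alice_server`, `key_bob_server`, `key_alice_bob`) and the sample message are all constructed for the example. In the transport model the server holds a session key with each client, so it must decrypt and re-encrypt, and therefore sees the content; in the end-to-end model the participants share a key the server never receives, so the server can only forward bytes it cannot read.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` by XOR with a keystream derived from
    HMAC-SHA256(key, nonce || counter). Symmetric: applying it twice with the
    same key and nonce restores the input.

    This is a minimal stream cipher from standard-library primitives so the
    example runs offline; its purpose is to show WHO holds the key, not to
    serve as a production cipher (no authentication, no key schedule).
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Envelope:
    """What actually travels over the wire: a fresh nonce plus ciphertext."""
    nonce: bytes
    ciphertext: bytes


def relay_transport(message: bytes, key_alice_server: bytes, key_bob_server: bytes):
    """Client-to-server encryption on each leg (the model the post attributes to
    Zoom's meeting media). Returns (what the server sees, what Bob receives)."""
    # Leg 1: Alice -> server, protected by Alice's session key with the server.
    nonce1 = os.urandom(16)
    hop1 = Envelope(nonce1, keystream_xor(key_alice_server, nonce1, message))

    # The server terminates this leg. To forward to Bob it must decrypt and
    # re-encrypt under Bob's session key, so the plaintext is visible here.
    server_view = keystream_xor(key_alice_server, hop1.nonce, hop1.ciphertext)

    # Leg 2: server -> Bob, protected by Bob's session key with the server.
    nonce2 = os.urandom(16)
    hop2 = Envelope(nonce2, keystream_xor(key_bob_server, nonce2, server_view))
    bob_view = keystream_xor(key_bob_server, hop2.nonce, hop2.ciphertext)
    return server_view, bob_view


def relay_end_to_end(message: bytes, key_alice_bob: bytes, key_alice_server: bytes):
    """End-to-end encryption: Alice and Bob share a key the server never learns
    (the model the post attributes to Zoom's chat text). Returns (the server's
    best attempt at reading the content, what Bob receives)."""
    nonce = os.urandom(16)
    envelope = Envelope(nonce, keystream_xor(key_alice_bob, nonce, message))

    # The server forwards the envelope untouched. The only key it holds that
    # relates to Alice is her session key, which produces nothing useful.
    server_attempt = keystream_xor(key_alice_server, envelope.nonce, envelope.ciphertext)

    bob_view = keystream_xor(key_alice_bob, envelope.nonce, envelope.ciphertext)
    return server_attempt, bob_view


def demo() -> dict:
    """Run both topologies on a constructed message and report who could read it."""
    message = b"mediation caucus notes: constructed sample content"
    key_alice_server = b"A" * 32  # constructed: Alice <-> server session key
    key_bob_server = b"B" * 32    # constructed: Bob <-> server session key
    key_alice_bob = b"C" * 32     # constructed: key known only to Alice and Bob

    t_server, t_bob = relay_transport(message, key_alice_server, key_bob_server)
    e_server, e_bob = relay_end_to_end(message, key_alice_bob, key_alice_server)
    return {
        "transport_server_can_read": t_server == message,
        "transport_bob_received": t_bob == message,
        "e2e_server_can_read": e_server == message,
        "e2e_bob_received": e_bob == message,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the post makes about court orders follows directly from the first function: whatever the server can decrypt to forward, it can also retain and disclose, whereas in the second model there is nothing on the server to disclose but ciphertext. A real end-to-end design also has to get `key_alice_bob` to every participant without the server learning it, which is the multi-party key agreement problem the post describes as hard.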