What We Can Learn From Zoom's Privacy Problems
San Jose, Calif.-based Zoom is a conflicted company at the moment. While it has never had it so good in terms of the number of people using it for remote work, it is also struggling to convince those users that the privacy issues that have been revealed over the past few months are being addressed.
As part of a "charm" offensive to keep its forward momentum going, CEO Eric S. Yuan announced that he would hold weekly webinars to outline the progress the company is making toward a safer platform. The most recent one, for the week ending April 27th, announced the release of Zoom 5.0 and the fact that the company had reached a new milestone of 300 million daily Zoom meeting participants. Zoom 5.0 introduced two new security features designed to safeguard people’s data:
- Support for AES 256-bit GCM: Zoom 5.0 supports AES 256-bit GCM encryption, which provides more protection for meeting data and greater resistance to tampering. Organizations will have access to GCM encryption with the release of Zoom 5.0, and a system-wide account enablement will occur May 30, when all Zoom customers will switch to the new cryptographic mode.
- Report a user: Hosts and co-hosts can report users to Zoom’s Trust & Safety team, who will review any potential misuse of the platform and take appropriate action. This feature will be found within the Security icon in the meeting controls.
It is encouraging for Zoom users, but is it enough? Fiorella Riccobono of San Francisco-based Blind told us that, with the ongoing problems at Zoom, the company carried out a survey to find out how they were affecting users’ perception of Zoom. Blind is an anonymous professional network with 3.5 million users verified by work email from companies like Amazon, Microsoft, Google, and Facebook. They asked their users two questions:
- Has your usage of Zoom been affected by their security issues?
- Are you worried your information may have been compromised?
Of the 4,392 responses to the survey carried out between April 9th and April 11th:
- 12.1% of professionals completely stopped using Zoom
- 9.7% of professionals are using Zoom less
- 100% of Tesla professionals completely stopped using Zoom
- 36.8% of Salesforce professionals completely stopped using Zoom
- 20.6% of Apple professionals completely stopped using Zoom
- 30% of Cisco professionals are using Zoom less
- 17% of professionals completely stopped using Zoom
Even Yuan said it was a mess: “I really messed up as CEO, and we need to win their trust back. This kind of thing shouldn’t have happened.”
Security No Longer a Luxury
While Zoom is in the process of "fixing" the problems, many users are beginning to ask if there is an alternative future beyond Zoom. To maintain a steady level of productivity, communication, and collaboration during remote work, businesses have rapidly adopted video conferencing solutions.
Peter Jackson is CEO of San Francisco-based Bluescape. He pointed out that the real problem is that no one could have anticipated such a dramatic onslaught of new users in such a short window of time. Caught off guard, these video conferencing solutions did not have the proper security infrastructure needed to manage waves of new threats.
As such, companies have had to scramble to take reactionary security measures as these new threats have emerged. “Because of the coronavirus, we are no longer ignorant of the threats that hackers pose to video conferencing tools and remote workers,” he said. The result is that video conferencing providers will adopt a security-first mindset, making sure that any existing or future product is much more equipped to handle modern security risks. “Security will no longer be an afterthought or take a backseat to UX. Security will be the focal point,” he said.
The question, he added, should not be if we will be using video conferencing tools, but how we will use them. A range of competitive players in the market is a good thing, and users should not have to discard their favorite tool because of security concerns. Instead, enterprises should move toward using video conferencing solutions in virtual workspaces that function as a single, secure “compartment,” versus a risky web-based URL.
Privacy Is Not the Only Problem
Logan Kipp, director at Scottsdale, AZ-based SiteLock, says that while the sudden rise in the number of users is a convenient scapegoat for current problems like those that Zoom is experiencing, it is not the only problem. “It would be easy to blame the overlooking of privacy issues on the rapid growth in adoption of remote conferencing due to the COVID-19 social distancing guidelines, but missteps like using substandard encryption methods or electing to share data with outside entities are decisions that would have been made at the corporate level prior to this growth.”
The best takeaway, he said, is that large or small, companies need to adopt a proactive security approach from the very beginning, and avoid policies that could alienate, or worse, threaten the privacy and security of their consumer base.
The best way for users to protect themselves is to ensure they use a meeting PIN and have the host admit attendees to the meeting individually. Doing this is like enabling Two-Factor Authentication (2FA) on a website. Even if bad actors discover a Zoom meeting link, they will not be able to gain full access to the meeting.
Additionally, Zoom users should take advantage of a number of useful features within Zoom that help to prevent abuse, on top of the ones that are being added. Some of these features include:
- Disabling the “Join Before Host” feature to prevent guests (or adversaries) from beginning your meeting without you.
- Enabling the “Waiting Room” feature, which allows you to admit guests on a per-person basis. This is a great way to prevent “Zoombombing,” which is the unwanted intrusion into a video conference by an individual looking to cause disruption.
- Locking your meeting once all the invited guests have arrived.
What happened to Zoom should become a great stimulus for other video-conferencing software vendors to make their services more secure by default, said Ilia Sotnikov, Vice President of Product Management for Irvine, CA-based Netwrix. The users that are new to video conferencing should not try hard to ensure that their meetings are secured. It is the vendor who should set certain security and privacy controls by default, such as enabling the “Waiting room” or setting per-meeting ID. Thus, I expect that the ability to provide secure and stable video-conferencing service will become a competitive advantage and will help vendors attract new users and build more trusting relationships with the existing ones.
As to emerging threats, we might expect hackers using live deep fakes to spoof video calls. The malicious emails impersonating C-level management asking employees to transfer money or provide access to specific data will turn into sophisticated scams through video conferences. “AI and neural networks have already made deepfake tech possible, so as the technology will get more affordable, hackers will try to leverage it,” he said.
Investing in the Future
Security aside, this spike in demand for video conferencing will prompt many types of investment, Heidi Wisbach, SVP of business intelligence at New York City-based FROM, a digital transformation agency, said.
Consumers and businesses will buy better equipment — bigger monitors, greater bandwidth, and better audio and video. Online meeting platform providers will transform the user experience to map better to marketplace apps — smoother navigation, better feature integration, more sophisticated chat, enhanced video features, and other user-sharing and reaction tools.
Platforms will integrate with external tools like document sharing/co-authoring software and advanced polling tools. Organizations with bigger budgets will build video conferencing into offices to support better group-to-group collaboration and save on travel costs. “While consumers have been using video conferencing as a matter of necessity, we expect in post-pandemic life they’ll likely choose it,” she said. “Consumers have gotten a taste of daily life without the hassles of commuting and with more time for family and personal growth. This will be hard to give up.”