
Using Zoom for on-line meetings

Reporting on recent issues with Zoom

Recently Zoom, the app for video chats and conferencing, has come under fire in the media (Guardian - Zoom is malware, Daily Dot - the perfect tool for an authoritarian boss, Vice - zoom sends data to Facebook, Reuters - SpaceX bans Zoom, etc). In this post we are going to look at some of these issues, as well as Zoom’s response to them, and our use of Zoom.

Firstly let’s look at some of the context to this. Since the outbreak of the COVID-19 pandemic we have increasingly followed guidelines and now laws that enforce necessary social distancing. This has had a massive impact on how we live and work, and we as a society have made a sudden and massive shift to online in order to mitigate the social and economic impact.

Fortunately, the internet is built on technologies that are very robust in the face of these kinds of problems; as long as the internet can rely on its ‘packet handling’ protocols it can manage the load and grow to cope. However, the core protocol that makes this work is a trust-based protocol whereby a computer looks at the address where a data packet is to be sent and passes it on to a connection which takes that data one step closer to where it needs to be. As the internet has grown, the very nature of this open protocol has become an issue: people want to communicate sensitive information, and the “don’t look at it, if it isn’t for you” protocol of the early internet isn’t good enough. This led to lots of attempts to add security, most of which are satisfactory within practical limits. It should be noted by all internet users that there is no perfect solution that can work with the necessary open protocols that keep the internet working. This is a risk management type of issue, where ongoing vigilance, review and response are the route to resilience.

In the face of the media storm, Zoom, which is a 9 year old US start-up corporation with around 2000 employees, has found itself in controversial territory. It faces far larger competitors such as Google, Microsoft, Cisco etc, who in this particular exigency have not gained as many users as Zoom. It’s worth keeping this in mind: Zoom’s competitors have far greater media reach than Zoom, and face the same security issues, yet get very little scrutiny from an aggressive news media. Zoom, in response to the criticism, has issued client updates (which we recommend all users install) and enforced some defaults. The one that most of our participants will notice is the password requirement to join a Zoom meeting. Like other security features, these requirements can be re-configured by meeting hosts.

This is part knee-jerk reaction to media criticisms that are scaremongering, part fixing vulnerabilities and part having to deal with a massive influx of new users who are simply not au fait with safe and sensible online practices. In this post we are going to share information on the criticisms Zoom has faced, and our recommendations and responses, so that we can make use of the tools that are available, of which an important one at this time is Zoom.

And we continue to hope that Zoom doesn’t end up bought out by one of the oligopoly mega-corporations. The further concentration of ownership of internet technologies into the hands of a very small number of deeply financially and socially connected mega-corporations is not good for us, society or the planet. Until better FOSS (free open source software) alternatives become available, our best option is to mindfully utilise Zoom and encourage the moderation of negative corporate tendencies, whilst seeking resilience through person-led good practice and development of free (as in freedom) alternatives in the margins.

Software vulnerabilities

In July 2019 a serious vulnerability was revealed on the Mac platform. The Zoom app used a built-in server to manage connections, and Zoom had failed to secure it from external use. This was a very serious failing; however, Zoom did patch this in subsequent updates of the app. In general these types of vulnerability emerge on nearly all platforms quite regularly, hence the consistent advice that users should check for updates and update to the latest client for their device. Check for updates in your Zoom app by logging in, clicking your icon for the drop-down user menu and selecting ‘Check for Updates’, or, if you don’t have an account, check the window with the ‘Join a Meeting’ button. In small text at the bottom is the version number; compare it to the latest available version number for your device on the Zoom Downloads page.

Privacy issues & data collection

Zoom, like many entities, uses third-party suppliers of services. One of the areas reported was Zoom’s use of Facebook tracking. This is a widespread commercial practice where users are convinced by the convenience to sacrifice their data, most commonly about what they do online and where they look to buy things or find information. We dislike this practice and where possible seek to use FOSS solutions which don’t have such features. However, there is no open source version of Zoom that can offer its features, as this type of software at this time relies on a powerful backend server to stream the video to many people in different locations using the internet. Our advice on this is: don’t use Facebook to sign up to a Zoom account, and don’t have Facebook or Facebook aliases such as WhatsApp open if you feel you want to secure your activity information. We don’t think that this can compromise stored information (such as files and settings) on your device; it has the same level of privacy vulnerability as web browsing, which uses cookies and usage tracking to record and transmit usage activity. However, this does NOT mean Zoom or Facebook listen in to conversations to collect data. Some journalists and commentators are trying to imply this is happening with intimations that it could happen; on current information these people seem to be more interested in raising more worries in already troubled times in order to profit from social media popularity and selling bad news articles.

Intrusions

The media has also made complaints of “Zoombombing”, which is uninvited participants entering a conference and creating a disturbance. In all cases this has happened because the Zoom meeting link has been publicly shared, either by a host or an invited attendee. In order to respond to this we would like to emphasise that we always ONLY send invitations to known participants and ask participants to use that link just for their own use. If invitees would like someone else invited, please inform us and we will send them an invitation with connection details. Zoom has created a new set of security tools in the latest client update that allow for much more thorough meeting moderation. We will be making sure that we make good use of these new features and that volunteers who help us are briefed on these. These tools allow the host to react to intrusions by uninvited guests, aka ‘Zoombombing’.

Encryption

The Zoom client app encrypts data it sends from the client app to the Zoom server. This encryption has security limitations. Connections to users on phone systems are not encrypted, as those systems are not compatible with Zoom’s use of encryption; this similarly applies to Zoom recordings. The general advice is that Zoom remains a useful communication tool, but is not suitable for communicating confidential details, such as finance details, passwords etc. There is no substitute for good judgement: if you would not say certain things in a chat in a public place, then it’s better not to say them on Zoom or, in fact, any similar app.

Using Zoom safely

In-meeting good practice points

Transmitting video and voice

Please ensure your mic is muted and video is off unless you intend to speak, and mute / turn off video after you have shared your message. This is good practice for conserving bandwidth, and it will also prevent accidental transmission of things said or happening in the vicinity of your computer’s camera and microphone. Don’t forget you ‘attend’ online meetings from the privacy of your own home and your natural guard may be lowered compared to when meeting in a public place; if you are transmitting you could accidentally share with the entire group a private comment from a family member. This is best avoided. There is a ‘Raise Hands’ button in the Zoom Participants window that can be used to signal that you have a question or comment you would like to share.

File sharing

Zoom temporarily disabled the ‘Send File’ option; however, in the latest client update it has returned. If you have files you would like to share with other participants or staff, please alert staff and we will check with you how best to share the file. In many cases sharing a download link is more efficient and will work more reliably. Please do this with prior warning; we do not advise any of our meeting participants to click on links, especially download links, that have not been discussed beforehand or where trust in the download location has not been established.

Screen sharing and web whiteboards

We always try to work with participants who have volunteered to share a screen or whiteboard and we go through using this feature with them. Viewers of shared screens or whiteboards are not under any risk. For those sharing the screen, similar advice to that given for audio and video applies: don’t have anything on screen that you don’t wish to share. Shut down email and documents that contain private information to prevent them being accidentally shown.

Remote Desktop Sharing

Don’t touch it. Don’t switch it on. Don’t request others to. We will never in any support meeting or presentation request remote control or offer remote control. We ask participants not to use these features for their own safety and that of others. This feature has its uses but we do not intend to use any of those at this time.

“Between keyboard and chair” areas of concern

Certain Zoom features have been hyped as vulnerabilities by a controversy-seeking media. These are Attention Tracking, File Sharing and Remote Desktop Access.

Attention Tracking is a host feature that lets the host see an indicator that Zoom has been ‘backgrounded’ by a user. It’s of limited use since a lot of users open windows whilst listening to another. However, the media in the current atmosphere have chosen to describe this limited feature as privacy-busting employee tracking, when it really isn’t. It’s a limited feature that only the most bombastic boss could overuse with the most thickheaded employees. In view of the criticism Zoom have removed this feature.

File Sharing: we would always recommend never accepting a file from an unknown source, and always keeping an up-to-date anti-virus on your system which actively scans downloads. File sharing is very useful but can be misused by those with deceptive ill intent; our view is that we all do need to participate in working out who is in our ‘web of trust’ - i.e. a group of people who behave responsibly to others and connect people to others who also behave responsibly to others.

Remote Desktop Access is a feature on Zoom that allows a person sharing their desktop screen to allow a user to take control of their desktop. This is sometimes used in a support context; we did test it and found it wasn’t very effective. In the case of this feature in Zoom, it requires the user to allow access; it can’t be forced remotely or taken without knowledge. In general we would strongly advise any device user to know about this feature in ANY software and NEVER switch it on, nor allow others to use it, unless you are absolutely sure this is your informed choice and you remain in attendance to cut the connection.

Conclusion

We feel that this set of problems has emerged after Zoom’s rapid expansion due to the pandemic. Zoom, in a well-meaning gesture, offered full-featured accounts to tens of thousands of schools, and the teachers tried using them to shift their classes online. Zoom found that this meant thousands of ill-prepared hosts, with young students who found considerable ‘lock down’ relief by pranking and engaging in rudeness. Zoom has gone through a rapid learning process, finding that its former mostly adult and business users didn’t destruction-test the platform quite like our tech-savvy and socially risqué younger generation. Zoom’s response over the past two weeks and addition of security tools in the client has been satisfactory and shown a care for users that is often missing from its far larger rivals.

Links - Further Information

https://blog.zoom.us/wordpress/2020/03/29/zoom-privacy-policy/

https://www.eff.org/deeplinks/2020/03/what-you-should-know-about-online-tools-during-covid-19-crisis

https://protonmail.com/blog/zoom-privacy-issues/

