To ZOOM or not to ZOOM? That is the question.

The Coronavirus pandemic has changed the world in more ways than we can possibly comprehend at this stage. However some of the changes are self evident and apparent to all. The advent of the video-call or video-conference, the remote-training and the webinar, are the things that are now part of our daily vocabulary.

Video calls is nothing new. It existed since MSN Messenger and ICQ and Skype, and it has been getting better as technology and broadband improves.

In the start of the pandemic, one tool seemed to attrack attention and to increase its appeal around the world: Zoom.

Zoom’s appeal came from the ease of use and the functions it offered. Its free version was ideal for short meetings and almost everyone I know that works with a computer has used it at one point or another.

Together with the exponential rise of users, came issues of reliability and security. Although the reliability issues have been resolved with minor changes and altering settings (ie having HD or SD while sharing screens), the issues of cyber security seemed to have a more serious effect, raising concerns about the privacy of people using the platform, and the safety of any information exchanged during those meetings.

There were concerns about erroneous or misleading statements about end-to-end encryption. But the reality is that most users have been concerned with what they read online or watched on the news: Zoombombing.

Zoombombing is the entry of uninvited guests in a zoom call, who end up shouting abuse, share pornography and generally being abusive. This was considered as a major breach of security by millions of users. But I do not believe it is.

Zoom Bombing happens because people found online the links to the meeting or they guessed the meeting room number. That is like someone walking into your home because you left the front door open and you put a note at the entrance about which apartment you live in. That was not really hacking. That is just the users being careless and not understanding how the tool they use is working.

According to the BBC reporting, Zoom’s CEO Eric Yuan committed to:

  • clarifying its encryption practices
  • removing code that meant information was shared from its iOS app to Facebook
  • releasing fixes for Mac-related issues
  • removing a LinkedIn feature to prevent unnecessary data disclosure
  • issuing guidelines about how to avoid becoming a victim of zoombombing
  • freeze development of new features to focus on safety and privacy
  • conduct a review with independent experts to understand new security features needed for new customers
  • prepare a transparency report on data requests
  • enhance its bug bounty program
  • hold a weekly webinar to provide privacy and security updates

The truth is that Zoom seemed to get its act together. It is easy to accuse one tool that gets all the media attention, but the truth is that ALL video conference tools have their issues and vulnerabilities.

This article is not about defending Zoom, far from it. It is about putting things into perspective. It is about having some context when a tool or platform is banned by an employer not because of solid expert advice but because of what people saw on the news.

Zoom was created by the guy who helped create WebEx (now owned by CISCO) so it is fair to assume that some of the underlying technology is similar.

In most of the tools like Zoom, there are two main options in order to have a video call:

a. You invite people in your private room which normally has a fixed number (like the fixed number of your home address) or

b. You create a single use link for the meeting in question which is only accessible the time you run the meeting.

There are options like a “lobby” or “waiting room” where people who join need to stay until the host (moderator) allows them in.

There is also an option for a password. If you only sent the password privately to other participants, unless they shared it, it would not be available even if someone guessed the meeting link.

Hosts have elevated privileges and when setting up a meeting you can force mute all participants (except co-hosts normally), block people from using the record option on the platform and block them from sharing screens.

All these are simple steps that anyone who uses a video conference tool should be aware of and use.

What happens with the Webinars?

The reason I started writing this article is form personal experience running some webinars. It happened to me and I saw it with other webinar organisers that people did not register (and missed out on some amazing presentations and speakers) because their employer told them they should not use Zoom!

I am not saying to ignore your organisation’s policies, far from it. You should always abide by their IT policies with all things work related. For work related activities you should be using tools provided by your employer, for legal and insurance purposes.

However, I think we should be putting things into a context:

a. A webinar can be a passive participation. It is not an exchange of company secrets and sensitive data. So attending (watching and listening) should not be forbidden especially when there organiser is a trusted source.

b. A webinar can be watched from a private computer / smartphone and that should be outside the scope of your employer’s reach.

c. A webinar can be joined using a private webmail under an alias, keeping your identity and professional affiliation secret.

What bothers me is when decisions like these are not made by the IT or Cybersecurity people of an organisation, but other bureaucrats. It also bothers me when IT people decide to go with the flow and follow the trend, so that they do not upset anyone.

The term Zoom Bombing came to our vocabulary simply because of the number of people using it and the media attention. Nothing else. Bugs and security flaws are in every single piece of software.

Zoom was accused for data being shared with Facebook. Your Whatsapp does the same but you do not stop using it. The contrary.

And what do you think happens when you add a plugin for any video conference tool to your Outlook client?

Why would you think that Alexa or Siri are not listening to you all the time? How would Alexa know that you said “Alexa” if she was not listening in the first place?

Cybersecurity is paramount in our world. I should know. But I also know that keeping things balanced, having some context in what we are doing is equally important. Otherwise we drive ourselves paranoid, we exclude people and technology and we create an environment that is harsher and more dystopian than it needs to be.

Basil Manoussos, BSc,MSc,MBCS,ACSFS

Manager of The Cyber Academy, Edinburgh Napier Uni. Expert Witness & Cybercrime Consultant @ Strathclyde Forensics Ltd. Lecturer at UCLy & West College Scotland