With many law firms and legal tech vendors finding that Zoom is the easiest way to keep them connected to staff and clients while working from home, it’s worrying that the enterprise video communications company is again facing a privacy and security backlash as security experts warn that its default settings aren’t secure enough.
Each Zoom call is assigned a randomly generated ID number of between nine and 11 digits that, if shared publicly, can lead to ‘Zoomcrashing’ or ‘Zoombombing’, with the app seeing a rise in trolling and graphic content.
Zoom has published a blog with tips on how to prevent that happening here: https://blog.zoom.us/wordpress/2020/03/20/keep-the-party-crashers-from-crashing-your-zoom-event/
There’s also some good advice here: https://www.pcmag.com/how-to/how-to-prevent-zoom-bombing
In particular, users ought to set meeting IDs to ‘generate automatically’ to plug this vulnerability. You can also require a meeting password and create a Zoom Waiting Room so that the host lets participants in.
The company has also come under fire for claiming that users can secure a meeting with end-to-end encryption. The company said in a statement to The Intercept that this is in fact not possible and that it is using transport encryption. A Zoom spokesperson told The Intercept: “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”
Human rights group Access Now has published an open letter calling on Zoom to release a transparency report to help users understand how their data is being handled. The concern for law firms will be that Zoom could be compelled to hand over recordings of meetings.
Zoom last week updated its iOS app to remove code that sent device data to Facebook after tech publication Motherboard revealed that the Zoom iOS app was sending analytics information to Facebook when users opened the app. That included information such as the mobile OS type and version, the device time zone, device OS, model and carrier and processor cores and disk space. In a blog post, CEO Eric Yuan said: “We sincerely apologize for the concern this has caused, and remain firmly committed to the protection of our users’ privacy. We are reviewing our process and protocols for implementing these features in the future to ensure this does not happen again.”
Zoom has been hit by a class action in California over the Facebook controversy.