We speak to law firms, clients, and security advisers in the most comprehensive piece of analysis around Zoom in the legal sector.
In the months and years to come Zoom will no doubt be used in business schools as a fascinating case study of a company that had to scale almost overnight and became the darling of a quarantined world, with all the challenges that entails. How does that help law firms that are trying to find the right balance between lawyers in lockdown that want its easy external communication capability and CISOs and clients that don’t? Not one bit. No wonder, then, that some firms have taken the decision to outright ban Zoom for client communication. But many continue to use it, and the client picture is far from black and white. To boot, we spoke to leading security specialists who warn against setting a precedent in which clients dictate the technology that firms use.
The flaws, security concerns and patches
The security flaws and criticisms that have emerged over the past weeks range from the fact that Zoom’s encryption is not end to end, as it initially claimed; to the fact that its default settings mean meetings have a generic ID that can easily be discovered and ‘Zoombombed’ by anyone ranging from bad actors to people uploading pornography; to the fact that it allegedly passed on data to third parties such as Facebook without notifying users (leading to a class action); to fears that Zoom calls could be vulnerable to Chinese surveillance.
Also published on the likes of darkreading.com are claims that Zoom chat could be used to post links in the universal naming convention (UNC) format, which could be used to capture a username and password hash, with one cyber expert saying: “Here is an example of exploiting the Zoom Windows client using UNC path injection to expose credentials for use in SMBRelay attacks.”
Another researcher posted vulnerabilities as a result of Zoom circumventing a specific security function of the Mac OS installer, which CEO Eric S Yuan has said is to, in effect, reduce the number of clicks it take to join a meeting from a Mac.
On 23 April Zoom released Zoom 5.0, which includes better encryption and new privacy controls as part of its 90-day plan to raise security standards. The new version allows hosts to report suspect users and introduces a waiting room, meaning that participants have to be let into the meeting. All meetings now need a password.
Zoom 5.0 will now use the AES 256-bit GCM encryption standard, which while still not end to end, is a significant improvement. Zoom is also giving account managers the ability to control which data regions it avoids.
This doesn’t change the fact that Zoom’s software appears to be developed by three companies in China. Telecoms.com reports that of the three, all known as Ruanshi Software, only two are owned by Zoom. The ownership of the third, also known as American Video Software Technology, is unknown. Telecoms.com also reports: “As it stands, 700 employees are currently in China, which is not unusual as it can save on salaries in comparison to the US, though it does open up the firm to pressure and influence from the Chinese Government. This is not a position which will make US authorities comfortable.”
A spokesperson for Zoom told us: “Ruanshi is the Chinese name that Zoom uses to name our subsidiaries in China. So, our offices in China are owned by subsidiaries of the US parent – Hangzhou Ruanshi, Suzhou Ruanshi, Hefei Ruanshi. Our engineers are employed through these subsidiaries and all of this is disclosed in our filings.”
The client picture
It is too early to say whether Zoom 5.0 will reverse the damage to date but at the point of writing, many big US corporates have banned their employees from using Zoom. Reuters reports that that SpaceX staff members have been told to use email, text, or phone calls instead of Zoom. Reuters also reports that NASA, one of SpaceX’s biggest customers, has prohibited its employees from using Zoom, and BuzzFeed news reports that Google has banned Zoom from its employees’ devices. According to Bloomberg, Daimler AG, Ericsson AB, NXP Semiconductors NV and Bank of America Corp are among the wave of companies forbidding or warning employees against using Zoom.
In the UK, The Guardian reported on Friday 24 April that the UK Government and parliament have been advised by the National Cyber Security Centre not to use Zoom for confidential business due to fears of Chinese surveillance, although other senior parliamentary figures were told that Zoom was safe to use for public business.
In South America the picture for Zoom looks bleak. Local paper El Mercurio reports that Banco de Chile has banned it, and the Ministry of Defence in Chile in a strongly worded internal communication dated 4 April seen and translated by Legal IT Insider said: “DO NOT USE Zoom for matters of the Service, either public, reserved or secret, since information could be violated, exposing the data of users and services.”
However, the picture above is in contrast with our own very recent conversations with privacy heads at major corporates.
At financial institution Santander, managing legal counsel for privacy and data, legal and regulatory, Jenna Franklin told Legal IT Insider: “We are using Zoom on a trial basis. There are obviously some privacy and security concerns with using Zoom that we would be looking to address if we were looking to enter into a more fixed term arrangement with the provider. Certainly, a password would be a requirement, at a minimum. I cannot speak for law firms but again, they would need to ensure that the appropriate privacy and data security measures are in place.”
At National Grid, which itself uses WebEx and Microsoft Teams, not Zoom, chief operations officer Mo Ajaz told us: “If the settings are changed there should be no issue for anyone to use it.”
And at UK media business Ascential, group general counsel Kent Dreadon told us: “We don’t use it at Ascential, we use Fuze and Google Hangouts.” But added: “I’m not aware of any policy preventing staff from using Zoom for calls with customers or suppliers if the customer or supplier wants to use it.”
Interestingly, Dreadon has not come across any of Ascential’s law firms using Zoom. He says: “Most are still opting for normal dial in type functionality from what I’ve seen rather than video calling; they are continuing to work in the same way as previously rather than moving to a preference for video calling, which is certainly a change we’ve seen in the business. Not to say there wasn’t video calling in our business before, but it’s become the norm for people to activate the video/camera.”
Law firm reaction
Needless to say, trying to navigate all of this is something of a minefield and it’s interesting to note that Zoom’s CIO Harry Moseley recently met with a number of law firm CIOs in the US to help them unpick the issues being faced.
Most law firms are extremely cagey about their Zoom policy, but one firm that has very recently taken the decision not to use the video conferencing app for client communications is UK law firm Mishcon de Reya which, after a four-week review, told us that unless they have written consent from the client to use Zoom, the policy now is that an alternative means of communication must be used.
Speaking to Legal IT Insider, head of IT operations and security, Ned Stevanovski said: “We spent the last four weeks looking at Zoom because we often get invited by clients to use it. We’ve done a lot of analysis and research around security and we’ve come to the conclusion that unless a client understands the risk and consents to them, that it should not be used.”
He adds: “If the client insists on using Zoom, we have a written statement to say that the risk is for them. It’s not our recommendation and they need to understand the risks if we do use it.”
One of the big concerns for firms is that Zoom has a lot of developers in China, which is a red flag for some clients. It remains to be seen whether great data centre control in 5.0 will resolve that.
According to our data, others that don’t use Zoom include Linklaters, which uses WebEx for client calls (unless the call is initiated by a client, in which case lawyers can use Zoom.) Bird & Bird uses WebEx as its primary communication platform and is moving towards Microsoft Teams in Sydney.
However, Hogan Lovells, Cleary Gottlieb Steen & Hamilton and Debevoise & Plimpton are among those whose lawyers say they use Zoom. A spokesperson for Hogan Lovells said: “We have looked at it very carefully from all the angles you would expect us to when considering client security and confidentiality.” At the time of writing, neither Cleary or Debevoise had returned our request for comment.
The CIO of one UK headquartered international law firm told us: “In the aftermath of some negative stories about and potential breaches of security Zoom have clearly started to address information security with renewed vigour and have made some significant appointments to help in this area.
“Law firms are now talking to Zoom to get comfortable with the current position on security but one can’t help but think that if they’d had in house capabilities before the COVID crisis began they’d not have had to rush this decision making.”
A spokesperson for Zoom said: “Zoom has layered safeguards, robust cybersecurity protection, and internal controls in place to prevent unauthorized access to data, including by Zoom employees. All Zoom source code is stored and versioned in the United States. Zoom’s software developers in China are largely managed by our engineering team in the United States and they carry out their responsibilities in accordance with the design and architecture decisions made by Zoom’s U.S. Engineering group. These developers in China do not have any access to Zoom’s production environment, the power or access to make substantive changes to our platform or the means to access any meeting content. And, importantly, across all of Zoom engineering, regardless of location, our engineers only have access to the source code required for their particular function.”
The cyber experts’ view
For law firms and clients wrangling with Zoom infosec concerns, the advice is not to overcomplicate things and start with the risk you are trying to protect against.
Andrew Beckett, managing director and EMEA leader for cyber risk at Kroll, said: “Do your own risk assessment. ‘What is the risk to the data I hold and what is an appropriate set of protections for me to take?’”
He adds: He adds: “If you’re worried about Zoombombing and someone coming onto the call and flashing obscene images, or someone joining your call and eavesdropping on what is being discussed, there are simple steps you can take and password protecting your meeting is going to stop the majority those attacks.
“If you’re really worried about what the coding is like there are other products such as WebEx which has been around longer and has been tested by the user community and Governments over the years which are probably more robust.”
However, we spoke to Sebastian Carey, globally renowned information security and technology adviser at Tecnolex in Chile, who said categorically: “At this moment it is not a good idea to work only with Zoom because you may encounter clients that have prohibited the tool across the company. Have them invite you to their preferred system and don’t use Zoom for discussing highly confidential IP matters.”
Beckett stresses that it’s important to keep things as straightforward as possible commenting: “There is a real danger in overcomplicating life – are you going to say in every engagement letter ‘are you happy for us to have internal discussions using Zoom? Are you happy to have client calls between us and your team using Zoom? That will become very complicated to manage. There is a danger of the client dictating the technology that you use and the moment that happens you’re in trouble.”
Carey agrees, commenting: “Every law firm is in its absolute right to use Zoom for their internal meetings and clients do not have a say if their legal matters are not being discussed in that virtual space.”
However, he adds: “I think that we will have to wait six months to see what the security community thinks of Zoom. In the meantime, you should be working rapidly towards implementing Microsoft Teams, even if you are not in the Microsoft 365 Cloud. The first step is having it up and running as a videoconference platform because its security is absolutely amazing. This is the tool that you are going to be using and for much more than video conferencing.”
It will be days and weeks before the security community reacts fully to Zoom 5.0 and in the meantime, Zoom has also brought out an automatic transcription service that transcribes your Zoom meetings as you go using Otter.ai.
But Carey adds: “The problem now is one of perception. No matter what Zoom does, only time will tell if they can be trusted. For me is not so much a technology issue. It’s an issue of seeing real changes in their marketing and software development practices. They are trying to repair their mistakes and that is a good first step, but no one can expect to regain my trust in 90 days not even drowning me in security patches every 90 minutes.”
Zoom Steps 1-4 1 Do your own risk assessment: what is the risk to the data you hold, process and share and what are the appropriate protections?2 Come up with a decision that your internal security team is happy with.3 Put a statement in your letter of engagement to say ‘we will protect your data to the same standard as for all our client data and will take appropriate steps to do so.’4 If clients want special measures that may mean they have to pay a premium.