Zoom Repairs Flaws and Improves Privacy
The Zoom videoconferencing service has faced unprecedented scrutiny amid massive growth, largely from consumer and school users relying on its free service tier. At the beginning of April, TidBITS published my extensive list of every Zoom security, privacy, and encryption flaw, design mistake, and judgment error (see âEvery Zoom Security and Privacy Flaw So Far, and What You Can Do to Protect Yourself,â 3 April 2020).
Even during the writing and editing of that article, new exploits and problems emerged while Zoom was simultaneously addressing all the concerns it could. The companyâs all-hands-on-deck efforts continued in the following days, but have finally slowed down as it has gotten ahead of urgent changes. Letâs look at the now-solved issues, new disclosures, and Zoomâs update on its roadmap.
Heightened Safety Controls
The companyâs biggest problem was one that arises from toxic Internet culture, but the firm and its users were caught in the crossfire. âZoombombingâ entered the lexicon to describe trolls and bigots leaping into meetings to stream pornography, post anti-Semitic remarks, or scream racial epithets, among other forms of unacceptable behavior.
This happens on other systems, too: my kidsâ public-school system standardized on Microsoft Teams, and a teacher sent an email last week about what one could call âTeamsbombing.â But Zoom has seen the most growth by far and ostensibly had the weakest safeguards.
Zoom had published a set of best practices to help hosts avoid unwanted participants or bad behavior by people in both publicly announced and private meetings. That proved insufficient, and on 4 April 2020, the company began a series of measures that have transformed the safety profile of using its service, albeit with additional overhead for hosts and people joining meetings. On 8 April 2020, Zoomâs CEO, Eric Yuan, told NPR, âWhen it comes to a conflict between usability and privacy and security, privacy and security [are] more importantâeven at the cost of multiple clicks.â
Some of these changes made it into the last article, but most are new. They include:
- Passwords required: All free-tier accounts, free upgraded education accounts, and single-host paid accounts now require a password. Itâs generated automatically and may be changed but cannot be removed. This blocks access by those who obtain the meeting ID but not the password, and it prevents access through bots trying to join randomly generated meeting IDs in the reasonable hope of connecting to a password-free session.
- Meeting ID hidden: The meeting ID no longer appears in the title bar of Zoom apps to prevent it from appearing in screen captures posted on social media or elsewhere.
- Waiting Room enabled: By default, the Waiting Room feature is now enabled for all accounts, even those that previously had the option turned off. The Waiting Room puts participants who attempt to join the meeting into a holding position. The host must admit them. Itâs fussy, and if itâs unnecessary in your environment, you can override the default on a per-meeting or per-host basis.
- Centralized security settings: A new Security button in Zoom apps centralizes all privacy and safety settings, including locking participants out of the chat and preventing them from sharing their screen.
A new Security button centralizes safety options for hosts. - Meeting locks: With a click of the Security button, hosts can lock a meeting at any point to prevent new participants from being added to the Waiting Room or joining directly. Another click unlocks the meeting.
- Name change prevention: Hosts can prevent participants from changing the name that appears when they join or request to join a meeting. Some peopleâboth unwanted visitors and juveniles who thought it was funnyâwere changing their names to derogatory or abusive forms during meetings.
A less obvious anti-troll change involves requiring a Zoom account sign-in for those using Zoomâs Web app, available across all major browsers. Reportedly, malicious conference joiners could script the Web app to let them continuously re-join a meeting with a new name each time. Hosts can disable that requirement if itâs undesirable to require everyone to sign in with a Zoom account. However, for recurring meetings among an affinity group, like an addiction-support group that has moved online, itâs likely to help deter abuse.
Other Security and Privacy Fixes
Zoom has also repaired other security and privacy problems:
- Domain contacts visibility: Zoom no longer treats every user with the same domain in their email address as belonging to the same organization. Previously, anyone with a given address could view account information or add everyone to their contacts who had the same domain, excluding some major ISPs and mail hosts, like Gmail and iCloud. That feature is now disabled for free tier and paid single-host accounts, and must be enabled on higher-tier paid accounts.
- Waiting Room vulnerability: Citizen Lab discovered a security problem with the Waiting Room feature that it didnât include in its 3 April 2020 report in order to give Zoom a chance to fix it. That bug, later disclosed on 8 April 2020 after Zoom updated server software, would have let someone with a little technical expertise be restricted to a meetingâs Waiting Room and yet still be able to extract the sessionâs encryption key and video stream.
- Traffic routed through China: The paths that data travels is a political, regulatory, and business question, not just a technical one. Citizen Labâs report revealed that Zoom was routing some traffic that didnât involve any participants in China through servers in that country. Zoom explained that it was an error in load balancing, which seemed plausible given the quick scaling of operations it needed to have. The company said it made permanent changes to prevent data passing through Chinese servers from outside the country. A new feature for paid users starts 18 April 2020, and those users will be able to select which of several regions data may pass through. Free users are locked to data centers in the region from which they subscribed. Apart from concerns about China, some people outside the United States donât trust the National Security Agency or other US intelligence groups.
Zoom has also announced that it has formed a council of chief information security officers (CISOs) to advise the company. In addition, it contracted with former Facebook chief security officer Alex Stamos to work as a paid advisor.
While Facebook has faced extreme criticism and government investigations into its security and privacy practices, Stamos had reportedly become a thorn in the side of Mark Zuckerberg and other executives for stressing the danger of Russian misinformation on the platform. In 2018, Stamos left the company to pursue academic research and engage in paid consulting.
Is Continued Progress Enough for You?
Zoom continues to squash bugs while making good on its promises of the last few weeks to respond rapidly. To regain the trust of those who have been troubled, to put it mildly, about Zoomâs past lapses, the company will have to continue down this path of improved security and privacy and increased transparency, while maintaining the high levels of quality and performance that have made it one of the most popular options for videoconferencing during the pandemic.
We suspect that Zoom will never be able to recover from its mistakes in the eyes of some people. For those who arenât as adamantly opposed to the company, however, it does seem that the company is both saying the right things and working hard to move in the right direction. For a recent TidBITS staff call, we tried Skype for about 5 minutes and were plagued with audio dropouts and other issues. When we switched to Zoom, the audio and video were rock-solid for the remainder of the hour-long call. Weâll continue to test other options, but Zoom has set the bar high.
Iâm writing a book about Zoom for Take Control Books and would welcome your tips and input in the comments. I would also encourage you to download a free copy of Take Control of Working from Home Temporarily, a book I wrote to help people with the sudden adjustment in their working lives. It contains a number of videoconferencing tips, among many others provided by Take Control authors, TidBITS editors and contributors, and others who donated their experiences and insights.
They have really been saying and doing the right things since the wave of criticism hit. Obviously, this needs to continue, but Iâve been impressed so far.
Thank you, Glenn. Great news.
I like Zoomâs quality and ease of use (I do hope they eventually fix their broken GUI* though). If it can get its act together on governance and security/privacy Iâd be very happy.The UC system uses them even though we are usually a Google shop these days and I personally hope we can continue to use Zoom. These changes sound like they could help make that happen.
[* things like forcing the pref window to float, no return/esc keyboard equivalent for OK/cancel buttons, non-Mac standard GUI behavior, etc. ]
It also looks like they fixed the installation procedure for the Mac app. Previously, the app installed in the pre-flight phase of the procedure, bypassing several checks and installation options for the user. When I installed the current update, I got several windows letting me know the progress of the installation, allowing me to respecify the location where the app should be installed, and whether I wanted to install the app for the current user or all users on the machine.
The only minor annoyance is that after the updated app starts, it covers the window letting you know the the installation has been completed, so that you end up not seeing the notification that the installation is complete until you quit the app.
Iâm afraid this is consistent with the rest of the appâs GUI approach to floating panels. Same with prefs for example. Itâs annoying and un-Mac-like.
Yes, that was fixed within a few days of it being noted on Twitter. The CEO responded to the original poster on Twitter, even! Itâs noted in our article from last week, as the fix was in before we published.
Where I live, we have a saying âTrust comes on foot and goes by horseâ, so I think it is going to take quite some time. The company I work for has forbidden us to use Zoom. Weâll see when they change that directive. For now we can use Teams and Skype.
I wondered about installing it in a separate user in macOS. Is that significantly more snoop resistant to the kinds of things Zoom has done? Iâve been using it in iOS for that reason, but the small screen is a disadvantage.
In its latest update, Zoom said itâs adding an abuse-reporting feature.
Iâve been quite impressed with Jitsi as an alternative solution to zoom, due to its (zoomâs) shoddy security and privacy (which they are fixing, but by bandaids rather than surgery).
Jitsi is open source, free, and has almost all of the features of zoom. I stress tested it against zoom on a multi-party call and found it to be more resilient than zoom in terms of handling network congestion. It has a neat YouTube video sharing feature too.
Downsides are it doesnât behave well in safari (but works fine in Chrome), lacks the breakout rooms that zoom has, and scheduling meetings is a little fiddly (but a Chrome extension has fixed that).
Despite the work they have done, I wonât be going back to zoom.
My companyâs IT people, a defense contractor, have instructed us to NOT participate in any Zoom calls. We have technical data that needs to be controlled and have been told Zoom doesnât cut it for us.
Rich
This is totally fair. As I note in the original article, anyone with heightened security concerns needs to avoid Zoom, because it doesnât have a model thatâs robust enough to ensure protection. That is, it is very likely perfectly private to use, but itâs not effectively guaranteed to be 100% private. For personal and education users and most businesses, the difference isnât meaningful. Steven Bellovinâs examination of the likelihood of interception and decryption is a good read on this.
But if you are in an industry in which thereâs a mandate for government-grade security and protection, as you are, or in legal, financial, or medical fields, I donât think Zoom meets the bar for that. It might be fine, but it hasnât proven it well enough. As they fix their flaws and overhaul encryption, I expect they will then go through independent audit and certification, which will let them provide the sort of outside assurances needed for fields that require it.
I donât think thereâs a risk on that side of things. There were flaws in previous versions (particularly the one fixed mid-2019) that created a risk to your device. More recently, the flaws are largely about meetings, servers, and stuff that happens within an app, as opposed to operating system related flaws. (The Windows link issue was an app thing that allowed a file exploit, so it was serious, but it required someone being able to chat with you or join a meeting; it didnât leave a Windows machine vulnerable generally.)
Hi Glenn: Yes, it was your original article that flagged me to this. I would say that anyone who wants a secure connection, should probably bypass zoom for now. For us, it means BIG fines and penalties, so we really need to avoid Zoom.
The hospital I work at is using VidyoConnect for seeing patients during the COVID pandemic. Some doctors here use Doximity, but I am hesitant to it as it seemed to have grown out of LinkedIn. Also, when I was signing up to verify my identity (after giving only my name and birthdate), it asked me the year of my car on the verification info. That seemed a bit too creepy to me. wasnât sure how my financial info could be pulled from basic data, but caused me to back out of the sign up.
Not sure how secure they are, though they state they are HIPAA compliant.
Thank you Glenn. I was thinking about Zoom grabbing email info, but maybe that was another app.
Zoom has now posted a report on its security progress after 90 days.