In defence of Zoom
Videoconferencing solutions are traditionally aimed at the professional market. Early versions required you to host a server on your premises. This server is also referred to as a bridge. The concept is not unlike a telephone exchange or switchboard, so there are public exchanges and private exchanges (e.g. the office switchboard).
With the advent of cloud computing and software as a service, it became possible to host the bridge in the cloud, and therefore to share a bridge with others. This has democratised videoconferencing.
Videoconferencing should not be confused with services like FaceTime, Skype (personal) and WhatsApp, which are primarily messaging services permitting one-to-one video communication.
Zoom, like many similar solutions, offers a shared bridge-in-the-cloud service. This is not unusual these days, and there are many competitors to Zoom. Providers of videoconferencing will have bridges in more than one continent to ensure resilience and local performance.
The recent bad publicity suffered by Zoom is the result of poor configuration by home-level end users who do not have access to ICT professionals, Zoom’s very successful “freemium” marketing strategy, its ease of use, and some rather poor journalism.
The criticisms are these: anyone can join a meeting and misbehave. This was due to people publicising meetings and not setting a password. Word would spread on social media that another “open” meeting was taking place, and a group would invade and misbehave.
This, coupled with the fact that the default settings allowed any participant to take control of the desktop, led to spectacular results and became known in the press as “Zoombombing”.
The defaults are now that a password is needed, and that desktop control for participants is “off” until granted individually. There is a further option to place people in a “waiting room” before admitting them to the meeting.
It also became known that the Zoom app (on iPhones only) did pass data to Facebook. This has been removed.
Another rather non-story surfaced: that recordings made during Zoom meetings were appearing on the web. Zoom allows you to record a meeting to your own hard disk or to a cloud storage location. In this instance it emerged that people were storing recordings on their own unsecured cloud storage. There was no mass data breach of the kind the press and content producers were alluding to.
The claim that encryption is end-to-end was true; however, since the 30th of May this year this has changed: any client software of v5 or over is fully encrypted, end to end. Older versions will be “force upgraded” when using Zoom.
The last issue “found” was that the bridge you were using could be in China or other countries where data protection is maybe not so highly regarded. However, the meeting would still have been encrypted. Again, a serious or state actor could have recorded the encrypted session with a view to cracking the encryption later.
If you have purchased a full (professional) license you can log into the settings of your account and prohibit recordings, as well as select which countries you are happy for your traffic to be routed via.
Mozilla, a not-for-profit organisation concerned with data privacy, has undertaken a review of the mainstream offerings.
It is viewable here: https://foundation.mozilla.org/en/privacynotincluded/categories/video-call-apps/
One may see that Zoom, like many other mainstream products, scores 5/5 for security.
Additionally, Zoom has a good set of videos on how to use the software and how to reduce risks: https://zoom.us/resources
If you would like to know more or have any particular concerns, please contact me here or email me at chris.reid@djinn-consulting.co.uk