Zoom Security and Privacy Problems, Fixes and Response and a Lesson in PR

0

Well, Zoom has exploded in usage and has just been hammered in the last week culminating in bans. There have been countless stories about Zoombombing where kids and conferences have been inundated. Not to mention privacy problems and security holes.

And most importantly, it’s not been if Zoom is a truly evil company bent on selling user data and spying on video calls or not. The company has been largely silent and on the defensive.

TL;dr

When using Zoom, you can be end-to-end encrypted and safe if you should:

  1. Make sure everyone uses a Zoom client. Even on your phones. Try to avoid using the teleconferencing feature as phone calls by their nature are vulnerable to hacking.
  2. Redo all your meetings right now. From now on, every meeting requires a password. So delete all your own meetings and redo them to use a password. It’s inconvenient for dial-in, but for the URL stuff, they stick an encrypted password into the URL and you should be safe.
  3. Make sure that you have the defaults correct on these calls. The new ones are good. Make sure that you have passwords turned on and that no one can start a meeting without you as host present (so people can’t steal your zoom time) and that you don’t allow screen or other sharing with participants.

A Great Response

Personally, I’ve been in plenty of circumstances like this and challenging my best Pam Edstrom (RIP), these are defining moments for companies. Their traffic has gone from 10M active users to 200M in less than 90 days and first of all it’s remarkable they have managed to handle that increase, but a lack of response is horrible. With that usage, comes exponentially more attention to the security and other problems. You can duck and cover or you can take the bull by the horns.

But the good news is that the Eric Yuan, the CEO, himself responded in a super articulate and crisp in a personal blog entry. I’ve never met him, but I sure hope to some day. It’s a great service and they were tuned for a different use case and acknowledging the mistake and being concrete is what matters.

Words are incredibly important because they set the stage, so saying “At Zoom we feel incredibly privileged to be in a position to help you stay connected”, but also to acknowledge “We also feel immense responsibility.” Moreover, the fact he is personally going to host a weekly security webinar is pretty unprecedented.

This is one of the key thing that we want all products we use to have. Believing in companies is just as important as loving the products in modern marketing. And that’s a good thing.

What is even better it to be specific about what you have done and what you are doing. That’s hard to communicate in a tweet, but really important as influentials read this stuff and they are the bedrock of a community. Moreover the words are super strong and having a time line that is hours and days, not weeks and months.

  1. We have permanently removed the attendee tracker and LinkedIn Sales Navigator. I love they were honest about clarifying and saying when the clarification was made.
  2. Specifically crediting people with finding bugs like Partick Wardle and saying what fixes are made.
  3. Changing the various defaults particularly for education users. (As they’ve been banned by various folks, this matters).

What I love the best is that they have down the really important (and painful leadership things) like:

  1. They are in feature freeze, the entire engineering team is focused on trust, safety and privacy. The push to add more is always there.
  2. Doing a transparency report so people know what is going on
  3. Having a real bug bounty program and white hat penetration tests.

Nerdy facts

Besides the obvious bugs, one of the deep technical questions has to do with end-to-end encryption. That is, can Zoom record and monitor (and pass on to others) the actual contents of Zoom calls. their encryption blog entry was actually really good. It says basically:

  1. If you use dedicated Zoom clients on Windows, Mac, iOS and Android, you are in good shape. That is they end to end encrypt so Zoom cannot actually see what you are doing.
  2. The problem has to do with teleconferences and things that are not an endpoint they control. Obviously, they need to translate this into a phone call. They do their best in that the “proxy” clients are walled off, but it is a loop hole.
  3. The conclusion is that you should only use zoom clients when you are doing Zoom calls or just be aware that everything you say could appear in Reddit as a transcript 🙂

Related Posts

© All Right Reserved