The following is a guest blog from Darren A. Lee, executive director of the National Academy of Distinguished Neutrals.
I’ve heard from a few dozen members over the last week now, concerning the media stories about Zoom’s "security flaws”. Firstly, I have to say that it’s pretty clear that this sudden avalanche of scary headlines appears to have been orchestrated (or at least, encouraged) by big tech/media corporations, who are understandably annoyed that Zoom has literally exploded in market share over the last month (from 10M users in January to over 200M and counting today!). It’s worth noting that ALL other video platforms have had security issues, just in recent months (See: WebEx, GoToMeeting) but that reporting was confined to IT/software blogs, not the pages of tabloids and evening news broadcasts.
Let’s deal with the “Zoom Bombing” story that’s gotten most of the headlines and even had the FBI issue an advisory. Bored teenagers (and there are many of those around at present!) were gatecrashing public Zoom meetings; in most cases, these appear to have been meetings where the actual invite link had been TWEETED out for *anyone* to click on. If you invite the entire Internet to attend a house party, it really shouldn’t be headline news when some unwanted guests behave badly(!)
This is a classic case of “user error” – as advised during our Zoom webinar in March, if you’re going to use Zoom for mediations (or any business purpose) you should ALWAYS ENABLE WAITING ROOMS functionality and ALWAYS PASSWORD PROTECT your meetings. Once mediations start, you can also LOCK those meetings. Those steps alone make it impossible for unwanted guests to crash your meeting - period. And, on Apr 5, Zoom changed DEFAULT settings so waiting rooms + password requirement are the norm across all paid accounts now. (I’d also recommend NOT recording any meetings – but if you must, be sure to save the file to your local device, not in Zoom's cloud.) Please note: Participants in a UWWM mediation will never be recorded through the Zoom platform, either by the mediator or another participant.
There’s also been an awful lot of fuss among IT folks over Zoom’s use of a technical term - “End-To-End encryption” or “E2E”. That term is reserved for messaging services like WhatsApp, Signal that are (in theory!) quite unbreakable. Zoom’s marketing folks played fast and loose, using the sacred E2E description when in fact the audio/video data encryption is tight, but not strictly end-to-end. Due to the complicated nature of the transmitted audio-visual data, Zoom’s servers need to 'interpret' who is speaking at any moment, so as to highlight that speaker’s window in realtime and improve their bandwidth. In short, Zoom’s encryption is “only” as good as that employed by many major websites (including Google, Amazon, EBay, and a million others using 128-bit SSL-standard encryption). Still, and I can’t stress this enough - in real life, there’s never been an example where a scheduled and password-protected live Zoom meeting was ever hacked into. If any hacker HAD ever done so, you can be certain that "trophy video" would have been shared far and wide within the community for bragging rights.
That said, Zoom took the E2E criticism on the chin last week and their CEO published an open-letter making it clear that they’re tripling down on efforts to ensure that their security is the best in the industry and *genuinely* E2E, thus (in theory) unbreakable. They’re smartly inviting outside "white hat" hacker groups, paying them to identify vulnerabilities which can then immediately be patched. So, does Zoom currently have "military-grade" encryption? No. Do any of us NEED military-grade encryption?! Well, no. BUT - ironically enough - in another 2-3 months, the coders I've spoken with believe that Zoom will likely have the tightest and most hacker-proof security in the entire industry, all the better for this wave of criticism.
The fact remains that Zoom has been used by some of the Academy’s most experienced mediators & arbitrators for several years now – and not one has ever had a problem. Zoom’s interface (as most of you know by now!) is by far the most intuitive, allowing us to *painlessly* move parties into caucus via the Breakout Rooms tool, which is an absolute necessity for our work. If Zoom remains good enough for use by most of the governments of Europe, currently meeting remotely, I think we’ll all be just fine!
I'm not alone in this analysis, good security analyst write-up here.
Btw, if you’re with a firm or have eager IT folks at the ready, there is a way to increase security right now, at a cost - by having the actual meetings run on your OWN server - further reading here and here.
Alternatives?
All that said, there are other options. If you've clients that have been spooked by the tabloid headlines and insist on (military grade!) E2E security right-here-right-now, Cisco's WebEx is likely the best option. Members that have experience with WebEx and Zoom tell me they much prefer using Zoom, but WebEx does have its own version of the BreakOut room function, and within the settings is an option to remove some "realtime" features and enable strict End-to-End data transfer.
Right, well - that's quite enough tech talk for one day!
Keep Calm and Carry On!