[ Pour la version française, veuillez cliquer ici ]
This piece was posted yesterday, but has been updated
As it is in everything in cybersecurity, choosing Zoom totally depends
upon an individual’s threat model
8 April 2020 (Brussels, Belgium) – Technology has allowed the extraordinary to become quotidian. And we learned the downsides. But after we lived through the various Facebook imbroglios on how AI … tech’s steroids … could super-scale manipulation of human behavior and launch super-scale cyber attacks that enabled malicious use by corporations and governments and bad actors, we acted. Never again would we be subject to the machinations of trolls, profit-seekers, foreign governments, etc. because cyber security would come first and foremost in all tech development from now on and …
Oh … hold on. You say we didn’t act?
Zoom has come under a lot of scrutiny over the last couple of weeks after the COVID-19 crisis led a surge of users to its video conferencing platform. It has gone from 10 million to 200+ million daily users in the past few weeks (averaging 215 million as of the past week). And rightly so. But it should be possible to conduct your meetings and chats without privacy violations, or the threat of “Zoom-bombing”, which has plagued the site. In fact there has been a laundry list of issues and I am not going to note each and every one of them. But here are the key ones that created the firestorm:
• Zoom was found to be using an undisclosed data mining feature that automatically matched users’ names and email addresses to their LinkedIn profiles when they signed in — even if they were anonymous or using a pseudonym on their call. If another user in their meeting was subscribed to a service called LinkedIn Sales Navigator, they were able to access the LinkedIn profiles of other participants in their Zoom meetings without those users’ knowledge or consent. In response, Zoom disabled the feature.
• Vice revealed that Zoom is leaking thousands of users’ email addresses and photos, and letting strangers try to initiate calls with each other. That’s because users with the same domain name in their email address (non-standard email providers that are not Gmail, Outlook, Hotmail, or Yahoo!) are being grouped together as if they work for the same company. Zoom blacklisted these domains.
• On April 3, 2020, the Washington Post reported that it was able to find video recordings made in Zoom by searching the common file-naming pattern that Zoom applies automatically. These videos were found on publicly accessible Amazon storage buckets. Amazon and Zoom are cleaning that up.
• Researchers created a new tool called “zWarDial” that searches for open Zoom meeting IDs, finding around 100 meetings per hour that aren’t protected by any password. Zoom, the EFF and others have published password guides (see link below).
• Some non-China users had their calls routed through China servers.
• And Zoom claimed it was end-to-end encrypted but cyber sleuths quickly mimicked a UK Pantomime: “Oh no it’s not!!”
This forced three admissions from the company:
1. No, we really did not ask ourselves “what would malicious people do with our software?”
2. We had not taken powerful security and privacy moves, but will do so now in response to growing criticism of our service.
3. We are pausing all new features to focus on security during the COVID-19 surge and shifting our engineering resources to focus on our biggest trust, safety, and privacy issues.
Hmm. “What would malicious people do with our software? Has there been any other technology around that faced this issue?” Yes, surely novel issues.
On one hand, following the typical modus operandi, since the tech was designed for the enterprise it wasn’t hardened against abuse, so “Zoom-bombing” (eg crashing random open group calls and putting obscene things onto everyone’s screen) is now a thing.
On the other hand, knowing and seeing the surge in adoption by homes and non-enterprises, privacy and security issues did not come up? There are lots of trolls organizing in dark corners of the internet to find people to abuse. We connected the world, and that includes all the bad people.
These are two sides of the same coin: you CANNOT ignore “what would malicious people do with our software?” and the answers will be both human engineering and software engineering. A lot of the Zoom flaws people found look like simple product decisions to make installing and using easier – for example, it used the Facebook SDK so you could log-in with Facebook, but that sends some device data to Facebook.
Oh, and that traffic through Chinese servers. Many cyber sleuths quickly pounced: “We must assume that the Chinese state can/will listen in to anything if it wanted to!” To its credit, Zoom is trying to respond pretty quickly to (most) of these concerns, and some of this can be over-played. It seems pretty silly for a school system to ban it in case the Chinese intelligence agencies are listening to drama class. But I’m not so sure the UK cabinet should carry on using this.
Stepping back, it’s striking that Zoom has made such a big impact despite every tech giant having quite a big mature product in this space, or even several (just how many Zoom-type apps does Google have now?) But as we’ve learned from the history of technology, it’s really not as hard to displace these companies as some would think, if you can find the right wedge. I was reminded of this watching an interview of Drew Houston (he co-founded Dropbox in 2007 with fellow MIT student Arash Ferdowsi as a startup company). He said:
Everybody told us “there are dozens of these Dropbox things out there. How will you compete”. I simply answered ‘”yes, but do you use any of them?”
Dropbox then made history.
Interestingly, for the very first time, we are witnessing different opinions from experts in the cybersecurity community. Some say it’s wrong to criticize Zoom at this critical phase of time when the software is helping people do their work remotely, while others believe it’s best to abandon the platform for other alternatives.
But some took a neutral stance, concluding that choosing Zoom totally depends upon an individual’s threat model. And for those of us involved in cybersecurity that is an understandable mindset. Too many people treat cybersecurity as if it were a purely technical problem. We need to stop thinking about it in terms of a solution to the problem, because we’ll never “solve” it. Instead, we need to think of it as a risk management problem. And there are hundreds of cybersecurity vendors out there that can assist.
The fact that Zoom has designed and implemented its own encryption is a major red flag, as custom schemes don’t undergo the same scrutiny and peer review as the encryption standards we all use today are subjected to. The most prominent security issues with Zoom were deliberately designed to reduce friction in meetings, which also, by design, reduce privacy or security. The most important takeaway for regular users is simply to think carefully about their security and privacy needs for each call they make. Zoom’s security is likely sufficient if it’s just for casual conversations or to hold social events and organize lectures.
For everything else that requires sharing sensitive information, there are more secure options like self-hosted Jitsi, Signal and Wire. I have used 5 different video platforms over the last few weeks.
Citizen Lab, which has identified some of the most severe security issues, summarised Zoom as follows:
So if you are worried about being Zoombombed, of being accessed, then set a meeting password, and lock a meeting once everyone who needs to join has joined. For more tips on how to make Zoom calls secure, you can read EFF’s handy guide here.
We’ve all been doing more than our fair share of video calls lately and I think we are all pretty certain that the practice will continue for some time to come, even when life beyond the COVID-19 pandemic starts to return to normal. For those of us that have not done it a lot, we’ve learned from the experience: the proper context and the proper length of time can yield a very effective form of communication. Plus, as we’ve been promised for years, these platforms do give us the flexibility to work from many different locations and, for certain types of events, can reduce the time, costs, and hassles of travel. Conferences, even those with tens of thousands of attendees, are going fully virtual. CogX, one of my favourite tech events which had 16,000 people attend in person last year, is going totally virtual this year. They may set the standard. Two more tech conferences will announce their virtual plans shortly.
That’s not to say, however, that they are a cure all. As we’ve also all learned, there are definitely limitations to what can be achieved via video calls and sometimes things just get awkward. For people who don’t work at large organizations that have standardized on a single videoconferencing platform, another challenge is the need to work with, install, and learn multiple different apps. Over the last few weeks I’ve used Cisco Webex, Skype, Signal, GoToMeeting, and of course, Zoom.
Let’s be clear: there’s definitely work that can be done to enable and/or improve the interoperability across some of these platforms. However, just as choice and competition in other categories ends up creating better products for everyone, the same is true with videoconferencing tools – for many different reasons. It’s interesting to learn that Microsoft was so spooked by the success of Zoom it plans a complete overhaul of Skype to make it more “Zoom like”.
First, as we’ve certainly started to see and learn from much of the Zoom fallout that’s started to occur, things can get ugly if too many people start to over-rely on a single platform. But to the company’s credit, much of the attention and the continuing strong usage of Zoom is because they took the often awkward, painful, and unreliable process of connecting multiple people from multiple locations into a functioning video call and made it easy. For many people and some organizations, that was good enough, and thankfully, we’re starting to see other videoconferencing platforms improve these critical basics as a competitive response. That’s a win for everyone.
But second, it’s also become increasingly clear (as I noted above) that Zoom wasn’t nearly as focused on security and privacy as many people and organizations thought they were and as they should have been. From questions about encryption, to publicly accessible recordings of private calls, the routing of U.S. calls through Chinese servers, etc., Zoom is facing a reckoning on some of the choices they’ve made. Other videoconferencing platforms, including Webex and GotoMeeting have been focused on privacy and security for some time – unfortunately, sometimes at the expense of ease-of-use – but it’s clear that many organizations are starting to look at other alternatives that are a better match for their security needs.
Third, it’s clear in using multiple videoconferencing tools that some are better suited for different types of meetings than others. The mechanisms for sharing and annotating files, for example, take different forms among different tools. In addition, some tools have better capabilities for working within the structure of a defined multi-part meeting, such as a virtual event.
Fourth, the bottom line is this: it’s very difficult to find a single tool that can work for all types of meetings, all types of leaders, or even all types of company cultures. Meetings can vary tremendously across companies or even across groups within companies, so it isn’t realistic to think that a single platform is going to meet everyone’s virtual meeting needs. Choice and focus continue to be important and will likely lead many organizations to adopting several different videoconferencing tools for different meeting needs.
No, we won’t be doing this many video meetings forever. While there’s little doubt that we’ll all be doing more video meetings post-pandemic than we were doing pre-pandemic, the overall number of video meetings will go down from current levels for most people. I think people are actually going to look forward to face-to-face meetings despite the frustrations they often create. But what I think will also happen is we’ll be a lot more sensitive to what types of things work in video meetings and do not need to be live, or generate travel costs. Yep, we’ll still keep feeding off those tech pills.