Update April 4, 2020: Zoom has been under quite the microscope this past week, and there's no shortage of reports about its various shortcomings. Be sure to read all the way to the bottom of this post (there are two updates) to get the whole picture. But I stand by this punchline: If you know what you're doing with Zoom, it is an effective, affordable, easy-to-use tool for holding group conversations—even sensitive ones. As with any tool, there are ways to screw it up, and I'll admit that Zoom could have originally made its default settings more intuitive to prevent those screw-ups. But I'll give them this: Zoom has been quick to respond to the barrage of criticisms they've received, and they've already made several changes to their tool to address user concerns. You'll have to make up your own mind whether Zoom is right for the specific uses you have, but it works well for mine.
As lawyers necessarily move their conversations online, Zoom has been one of the most popular tools for enabling multi-party and even one-to-one communication. From a systems standpoint it has performed admirably, absorbing the flood of new traffic with few hiccups. Yesterday (March 25), however, a media report made the rounds discussing a phenomenon that was quickly dubbed “ZoomBombing,” where uninvited and unexpected participants drop into Zoom “rooms” and cause disruptions.
One commonly told story came out of the University of Southern California, where “Saboteurs using ‘racist and vile language’ infiltrated and disrupted online classes” according to a story from the Washington Post.
This has led lawyers and judges to the knee-jerk reaction that Zoom is not safe or secure, as typified by this emailed message from the Oregon Trial Courts later in the day: “We have been asked by several community partners and attorneys about the possibility of using Zoom for video conferencing. We learned from ETSD this morning that Zoom will not be an option for our court. Zoom is not a secure platform and has been hacked while in use.”
I wanted to get to the bottom of the question of whether Zoom is secure for use in legal settings, so I called up Simon Boehme, a mediator and legal technologist who has spent the past few years training lawyers and mediators how to effectively and securely use Zoom as an online dispute resolution tool.
The following conversation is edited for clarity:
John Grant: Let’s cut to the chase: is Zoom secure?
Simon Boehme: Yes. Zoom is the best available option for the majority of lawyers and mediators seeking to have secure conversations. Technology will always have flaws but so do physical-world solutions. It’s just that we’re more used to the steps we need to take to secure things in the physical world. Once you learn how to use Zoom properly, it is as secure a solution as you can ask for online.
If we're talking about security from a technology standpoint, Zoom uses strong end-to-end encryption under the AES256 standard for all communications on the platform including audio, video and chat. Their infrastructure lives on US-based servers inside of SAE 16 SOC2 compliant datacenters. That’s pretty much as good as it gets for tools that are available to the general public.
JG: But has Zoom been hacked?
SB: Only in a very loose sense of the term “hack.” Zoom, by default, is an open platform. This is one of its great features; anyone with the 10-digit code can enter a standard Zoom room and participate in the conversation. Ten digits is enough to create a lot of randomness, but there are a couple of ways that unwanted people can get access to your room if you only use the default settings.
People have recently discussed ZoomBombing, which is dropping into a Zoom room uninvited or unwanted. Let’s talk about how people can do that.
The first way is easy; people just get the code from somewhere. Many of the Zoom rooms that have fallen victim to ZoomBombing in the last few days were promoted on the internet, so open access was the point. I don’t have specific information on the USC event, but my guess is that the meeting code was distributed widely to make sure all of the students in that class had access to the lecture. It wouldn’t have been hard for someone not in that class to get the code, join the room, and cause the disruption that they seem to have caused.
The second way is a little harder, but, considering that there are a lot of people sitting around with time on their hands right now, it’s hardly a stretch. That would be for a person to keep entering random 10-digit codes until they find one that works, at which point they can join whatever meeting corresponds to that code.
But it is important to remember that this is a feature of Zoom, not a flaw. Zoom wants to make it easy for people to join rooms if that's what you want too. Fortunately it has other features to prevent unauthorized access to a room if you want to keep things private. It’s just that with a lot of people using the platform for the first time, many of them simply don’t know that these features exist or how to use them.
JG: So what’s the first step?
SB: The first thing to do is use a password when you set up a room or meeting. That way only people with both the meeting ID and the password can join. Ideally choose a strong password, and ask your participants to protect the password just like they would their own accounts. I like to use passwords that are strong, but not too complicated to type.
Also when you’re setting up a meeting, turn off the “join before host” option. That gives you more control over who is inside your room and prevents people from getting in without you there.
JG: What if someone you don’t want in the room shows up after your meeting has started?
SB: You can prevent that by locking the room once all of your desired participants are present. There is a button toward the bottom of the screen that says “Lock Meeting,” which will prevent new people from entering, even if they have the meeting ID and password.
If you don’t want to lock your room for some reason, like if you’re waiting for someone to arrive, you can still see everyone who is in your room in the “Participants” panel. It is always a good idea to keep an eye on your participants and, if someone shows up who you’re not expecting, you can hover your mouse over that person’s name and click “remove” from the menu that shows up. That will expel them from the room. You can also turn on a sound notification when someone joins your meeting so nobody can sneak in unannounced.
JG: What if you need to have a side-bar conversation with just one or two people who are in a Zoom meeting?
SB: This is where Zoom is really cool, but it also pays to take some time up-front to learn how to use its more advanced functionality. You can set up a virtual waiting room for some participants to hang out in while you talk to others, and you can also put individual participants “on hold” so that they no longer have access to the audio, video, or chat from your room. The Zoom website has all of the information you need to learn how to use these features.
JG: What about alternatives to Zoom?
SB: I haven’t tried them all, but in my experience Zoom has the best combination of security, functionality, and accessibility for most people. There are some issues with other services, like Skype for example, where anyone who joins a meeting automatically has all of the information from their Skype profile made visible to other meeting attendees. That is obviously not a good idea when you are in a mediation with a party who, for any number of reasons, doesn’t want their opposing party to be able to find their contact or other personal information.
JG: Have you heard about Judge Scott Schlegel using Zoom in his courtroom in Louisiana?
SB: No! What’s he doing?
JG: A few of us in Oregon spoke with him earlier this week, on Zoom of course. It was funny ‘cause he was sitting at home like almost everyone these days, but he had a virtual background of his courtroom behind him.
SB: Ha! Of course he did.
JG: My understanding is that he has been using Zoom for a while now to hold judicial conferences and even some hearings remotely. And he’s no stranger to security needs; he also serves as chairperson of his Parish Court’s Technology and Security committee, so he is definitely up to speed on the issues.
SB: That’s so cool.
JG: Simon, thank you so much for sharing your insight. Where can people go for more information about how to use Zoom in a legal setting?
SB: The Zoom website itself is great, with lots of information and even some video tutorials on how to use its many security features.
For people looking for more specific information on using Zoom in a legal setting like mediation, I’ve put up a website at www.odrzoom.com where I’ve posted the slide deck I use for my trainings to ADR professionals on using Zoom in their work. I also offer training and technology consulting services for anyone looking to engage in online dispute resolution but who needs help with the setup, and you can connect with me through my website.
Note: Simon's slide deck has step-by-step visuals for how to enable the various features he discusses, so be sure to visit his site and check it out.
Update April 1, 2020 (no joke)
The topic of Zoom Security continues to make its way around lawyer circles and the internet in general. Representative stories include this NY Times piece that the New York Attorney General Looks Into Zoom's Privacy Practices, and this one from CBS News noting that Zoom Sued for Allegedly Sharing Users' Personal Data with Facebook.
A few further thoughts seem to be in order.
(1) Because so many people are flocking to Zoom right now, any article that calls the safety / security / privacy of Zoom into question is bound to be awesome click bait. I'm not saying that any claims do or don't have merit, just that talking about Zoom at all is going to get folks' attention right now, and that bodes well for websites that monetize web traffic. (My site does not, though I've had plenty of traffic on this post too).
(2) With respect to those specific stories, if you read the NY Times one you'll see that the AG is asking questions and Zoom seems to be forthcoming in answering them. The inquiry seems to be more a result of media reports regarding Zoom security than an indictment of that security.
As for the second story... well, my audience is mostly lawyers so you all know that lawyers gonna lawyer. And there are good reasons to try to be first to file if there does turn out to be an issue and some lawyer can grab the pole position in a class action suit. And, again, maybe there's something there, but Zoom has been quick to respond to the allegations. This specific situation seems to have something to do with users logging in to Zoom using a Facebook tool via the Facebook Software Developer Kit. It was actually reported on about a week ago by Vice Media, and upon learning of the issue Zoom promptly disabled the Facebook SDK.
(3) This is one of those topics that can generate a ton of attorney hand-wringing over hints and allegations (which is why I picked up the phone and called Simon for this article to begin with). Obviously lawyers have a duty to get comfortable that the tech they're using isn't violating an ethical duty. Although as Simon points out above, that may have more to do with how you're using the tool than the tool itself. And, of course, different attorneys will have different comfort levels (after all, the ethical standard is the open-to-infinite-debate "reasonable" one). That said, most attorneys aren't well equipped to analyze all of the various components of the risk equation, which is why we turn to experts.
I put myself in the "fairly savvy non-expert" camp (again, why I called Simon). But when balancing the risks I look at it this way: Do you still email potentially sensitive information back and forth with clients or opposing counsel? Do you send attachments via email? Do you occasionally log into public wifi hotspots without using a VPN? If so, and you're worried about security/privacy, then you should take a hard look at those practices before you worry about Zoom.
If you've got your common communication forms dialed in and need to make sure your videoconferencing is as secure as the rest of your practices, then dive into the weeds on Zoom (or whatever you want to use) if it is important to you. But I think you need to start with a standard that you're trying to hold your software to instead of asking a general question like "is it safe?"
The standard itself could have rules like "All of my communications tools must have ___ level of encryption in transit and ___ level of encryption at rest" or "All of my communications tools must require a (unique? strong?) password to access the content of a communication." Then go through all of your tools, including videoconferencing, and decide if they comply. (Bonus: now you have a security policy!)
(4) Finally, if you're still afraid of Zoom and are looking for alternatives, some popular ones include:
April 4 edit: I'll interject here to say that if you truly want or need secure, end-to-end encrypted conversations, then Signal is almost certainly your best bet. With increased security comes more hoops to jump through (everyone must be on the platform and know how to use it properly), but Signal is the tool of choice for journalists, whistle-blowers, and probably a whole host of nefarious actors who want their communications to remain as private as possible.
I'm sure there are more options. I'm not going to deep-dive into any of these because, again, I'm reasonably savvy but I don't consider myself an expert. If you intend to use any of them, then I suggest you come up with your standard of review and then quality-check your desired tool against that standard to see how it stacks up.
For me, I remain confident that Zoom is secure enough for the things I use it for. I am comforted that, as a company, they are being very proactive under their newfound scrutiny, even to the point of making changes to their tool to address concerns.
Update April 4
Live footage of the Zoom PR Spokesperson:
One is a Washington Post article that describes how Zoom was frankly pretty lazy with how it stores "cloud recordings" online. When a host records a Zoom call they have two options for where to store that recording: on their own computer or as a "cloud recording" on the Zoom server. Turns out those cloud recordings are listed on the open internet--no login or password needed to access them and the naming convention for storing them is pretty predictable. So for someone who knows the naming convention, they can literally browse other people's Zoom recordings to see what's happening. Not cool.
The short-term answer to this issue is don't use the Cloud Recording option on Zoom unless you actually want the meeting to be freely available online. But it is sloppy design on Zoom's part that it would be an issue to begin with. At the very least they should have messaged it better, but I can't understand why they would default their recordings to publicly available in the first place.
The Guardian has a more scathing article under the headline Zoom is Malware. A brief synopsis: Zoom is walking back its earlier claims of "end to end" encryption, though, to me, part of the debate on that is semantics (sorta like the term "hack"). More troubling (though this is old news that was first reported in April 2019), Zoom's Mac client had been installing some server-like functions that most users wouldn't expect to be there and that could be exploited by hackers. Both Zoom and Apple have addressed that exploit with software updates. Still, if you are a Mac user (like I am), you probably should make sure you're using the most recent update of the Zoom client.
I think I've already hit on the other concerns in the Guardian article so I won't re-hash them.
I'll leave you with this thought: I never met my grandfather (who was a flight instructor in WW2), but my Mom tells me he used to say "the safest time to fly an airline is right after they've had a crash." I take that to mean that the airline is going to be hyper-sensitive to safety issues at that time, so the likelihood of a repeat mistake is low. There are reasons to be wary of any Silicon Valley unicorn that has just experienced a wave of hypergrowth, but, to my eye, Zoom has done a pretty darn good job under its newfound scrutiny. It has owned the criticism and has been quick to roll out updates to address it.
The Zoom of today is already substantially better than the Zoom of a week ago. And, according to another Guardian article, Zoom has put all hands on deck towards improving privacy and security for the next three months of development cycles (which are almost certainly Agile sprints). I think that bodes well for its future.
If you feel strongly that I'm wrong, I'd be happy to hear from you. Leave me a message using that orange button on the right side of your screen, or contact me to send me a written note.