This article is part of Privacy in the Pandemic, a new Future Tense series.
The digital privacy class I’m teaching this semester is now taking place … on Zoom. All of a sudden, an application that most people hadn’t even heard of a month ago is at the center of some of the strongest privacy and security scrutiny that any company has been subject to since Facebook’s Cambridge Analytica scandal.
Absolutely, Zoom has made some significant mistakes when it comes to privacy and security. It lied about using end-to-end encryption and AES-256 encryption to protect its video conferences. It routed some encryption keys for meetings through Chinese servers even when the meeting participants were not themselves located in China. It sent data about some users to Facebook even when they didn’t have Facebook accounts, and it displayed information from people’s LinkedIn profiles during some meetings. Meanwhile, some users have experienced “Zoom bombings,” in which unwanted participants disrupt their online meetings. Because of Zoom’s file naming conventions, some people’s meeting recordings were easy to locate on the public internet. (This was not the case when the recordings were actually stored on Zoom servers, only when users saved and stored recordings themselves.) Those issues stem from the inability of users to configure their Zoom settings to protect meetings (something Zoom actually offers fairly good controls for) or recordings, but it would be reasonable to look to Zoom to provide more assistance on both of those fronts.
That’s a long list of problems, a few of them very clearly Zoom’s fault (for instance, lying about its use of encryption), but many of them also forgivable, especially when viewed in the context of a company that is scaling up much more quickly than it ever could have hoped or planned. A recent Zoom blog post says that in December, “the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid.” That’s a staggering increase.
So I was a little bit surprised when the New York City school system announced a ban on Zoom last week, not least because many other schools and universities (including my own!) still rely entirely on the company’s platform to deliver their online courses. I use Zoom to teach my class, to hold office hours, to talk to friends and family. If I sound like a Zoom apologist, it’s because the program does feel like a bit of a godsend at this particular moment—and also because I pretty much have to use it for work. Certainly, I worry about the privacy and security protections in place, but it’s also one of the best performing and easiest to use applications for synchronous video chatting with large groups of people. At the moment, those performance qualities trump many other concerns.
There are alternatives, of course. Cisco’s Webex platform is another popular program being used by many companies and universities right now, and FaceTime works well for small groups, as does Skype, Houseparty, and the open-source videoconferencing software Jitsi. But when an organization like the New York City public schools decides to ban Zoom altogether, it’s not clear which—if any—of these alternatives they could turn to for the same variety of features, much less comparable performance. New York City is apparently recommending that teachers and students instead rely on Microsoft Teams, a tool that suffered an outage just last month during a surge in demand and has only recently begun working on crucial synchronous video chat features such as background noise suppression.
Simply put, Zoom works very well for synchronous video chatting. Security and privacy issues aside (a phrase I don’t love writing, but here we are), Zoom requires relatively low bandwidth to provide adequate video and fairly good audio for much larger groups than most other platforms can handle. For many of us trying to teach classes or hold other large group events online right now, that’s the top priority.
I wish Zoom had taken security and privacy more seriously from the get-go. I wish it had been more honest about its encryption practices earlier on, and I very much wish it did a better job of protecting meeting recordings,. But all things considered, it’s doing a hell of a job scaling up its service and trying to respond very quickly to all of the concerns being raised about its product. Most of all, I admire its honesty and transparency about its shortcomings and its attempts to fix the vulnerabilities that have been identified, almost entirely within the past few weeks. “We recognize that we have fallen short of the community’s—and our own—privacy and security expectations,” Zoom CEO Eric Yuan wrote in a blog post last week, adding, “we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”
I’m not going to tell you that you should use Zoom over the other options, but neither do I think it’s a terrible or reckless choice. And if you are still using Zoom, whether by choice or because you have to, here are some things you can do to protect your meetings with regard to the three general areas of concern around Zoom communications.
The first of these concerns is zoom bombing, when people show up to meetings or classes uninvited and troll the participants with unwanted content or speech. This can be partly mitigated through using passwords to protect Zoom meetings, or requiring participants to be logged in with valid credentials before allowing them access to a meeting. Zoom also offers meeting hosts a function to expel unwanted participants from their meetings and forbid them from rejoining.
The second category of risks is real-time espionage or capture of Zoom meetings—someone spying on or intercepting Zoom traffic while a meeting is being held. This is a risk that Zoom users have almost no ability to protect themselves from beyond setting passwords for their meetings to keep out unwanted intruders. The Citizen Lab at the University of Toronto reported last week on the handling of encryption keys by Zoom and the potential for those keys to be intercepted by or routed through China. Zoom has already announced it has taken “the mainland China datacenters off of the whitelist of secondary backup bridges for users outside of China” so that those encryption keys should no longer be passing through Chinese servers. That doesn’t mean there isn’t potential for other espionage pathways, but there is very little you, as a Zoom user, can do to prevent that.
Finally, the third category of risks stems from how data can be accessed and used when Zoom meetings are recorded and stored on the company’s servers. The Washington Post reported last week that thousands of those recordings are accessible online because Zoom had named and stored them in a predictable manner. The easiest way to avoid this is to not record your meetings, or, if you do record them, to store and encrypt them locally on your own computer so that you can protect them yourself. Another option might be to use a separate recording function to make voice-only recordings of your meetings, to minimize the collected data and avoid storing video or face information about participants.
Even if you choose not to record your Zoom meetings, though, you should be prepared for the possibility that anyone else in the meeting could be making a recording without your knowledge, simply by training their smartphone on the computer screen and taking video with it, or through separate screen recording software. You should expect that everything you say or do on Zoom could resurface some day on YouTube, in the same way that you should be prepared for everything you write in an email to appear on the front page of a newspaper. I’m not saying it’s likely that anyone will be interested enough in my class or your meetings to do that, but it’s always a possibility. That’s not a unique threat to Zoom—you could be recorded or captured on any video chatting tool. It’s not even unique to online communications—any one of my students could have recorded my class with their phone while sitting in the classroom.
In short, create passwords for your Zoom meetings, always cover your computer camera when you’re not using it, and be prepared for the possibility that anything you do or say over the internet, including on Zoom, could be captured for posterity.
If you’re teaching on Zoom, I also think it’s worth talking to your students about the security and privacy shortcomings of the service and asking them what sorts of measures would make them feel most comfortable in class. Do they want class meetings to be recorded, to help students who miss class? Or would they prefer to have only the audio recorded so that their faces are not captured? Do they not want to be recorded at all and instead have the teacher create short video summaries of each class afterward so that no student data is stored? Those were some of the options I offered to my own class. Naturally, I solicited their opinions via Zoom poll.