Sunday, April 5, 2020

Zoom - a question of trust

Photo by ThisIsEngineering from Pexels
Since my last post there has been increasing media attention on Zoom, not just on the phenomenon of zoombombing that I experienced but also on various serious security and privacy issues. The platform has become almost default for millions of teachers in schools and universities around the world, increasing its usage from about 10 million users in December to over 200 million in March. But such extreme usage has revealed that privacy and security were not top of the company's priorities according to an article in NPRA Must For Millions, Zoom Has A Dark Side — And An FBI Warning.
"Things you just would like to have in a chat and video application — strong encryption, strong privacy controls, strong security — just seem to be completely missing," said Patrick Wardle, a security researcher who previously worked at the National Security Agency.
The article also tells of several unfortunate examples of zoombombing including a doctoral thesis defence that got hijacked and a meeting of a branch of Alcoholics Anonymous, prompting even a warning from the FBI. Zoom has been working hard at calming fears and they are now prioritising security issues while putting new feature development on hold (see the Zoom message to users from 1 April). It was also revealed that the company have been sharing user data with Facebook and LinkedIn (see Mashable), something that they admitted and claimed was a mistake. Furthermore, a bug was found that enabled hackers to access users' accounts (see Mashable). I can imagine that many of Zoom's staff have had little sleep during the past week.

I have been trying to adjust my Zoom settings and giving participants much less control than before. Many articles recommend using passwords for all meetings but I haven't gone that far yet. Since I'm often involved in webinars and open sessions in Zoom we usually want to reach a wide audience. I love the idea of people from different places, professions and areas of expertise getting together to discuss and exchange ideas and up till now that has been possible using different e-meeting platforms. Adding passwords and so on adds barriers to spontaneous participation and it is sad to lose that opportunity because of the destructive behaviour of a minority of idiots.

I'm sure Zoom will address all these issues and are promising regular updates on progress, but the central issue here is one of trust. The education sector works with children and young people whose privacy and integrity we have a duty to safeguard. We are also dependent on commercial platforms and tools that we assume also respect this duty and with whom there are special agreements adapted for the education sector. But if we find that there are loopholes in these agreements that trust is broken and we have to face the question of who we should trust in the future. I can almost understand that if you use a service that is labelled as free there will be a price in terms of how my data is used, but if you are paying a lot of money for a tailored educational solution then there should be very strict controls on encryption, data protection and so on. If these companies want to be in the education sector they have to be able to guarantee security and integrity. The alternative is for the education sector to run its own platforms in its own infrastructure and be in control of its own security. Not a very likely scenario given the costs but in today's world who knows what lies ahead.

Update: A good and balanced overview of the situation is an article, Zoom isn't malware, by three security experts.


  1. You can still use Adobe Connect, it has HTML5 now and e-meetings Keith Microsoft Teams...

  2. Mycket av detta gäller väl bara den publika versionen av zoom som körs på amerikanska servrar? Universitet i Sverige kör på svenska servrar genom sunet vilket är betydligt säkrare.
    Viktigt att inte jaga upp sig, för det cirkulerar mycket felaktig information i media just nu.

  3. Visst PC. Tänker mest på många skolor och universitet som använder öppnare versioner. Men även i Norden har man haft en del att göra för att säkra det hela. Som jag skrev har Zoom agerat snabbt men kanske en läxa för många inom utbildning att tänka mer kring säkerhet.