Zoom Repairs Flaws and Improves Privacy

The Zoom videoconferencing service has faced unprecedented scrutiny amid massive growth, largely from consumer and school users relying on its free service tier. At the beginning of April, TidBITS published my extensive list of every Zoom security, privacy, and encryption flaw, design mistake, and judgment error (see “Every Zoom Security and Privacy Flaw So Far, and What You Can Do to Protect Yourself,” 3 April 2020).

Even during the writing and editing of that article, new exploits and problems emerged while Zoom was simultaneously addressing all the concerns it could. The company’s all-hands-on-deck efforts continued in the following days, but have finally slowed down as it has gotten ahead of urgent changes. Let’s look at the now-solved issues, new disclosures, and Zoom’s update on its roadmap.

Heightened Safety Controls

The company’s biggest problem was one that arises from toxic Internet culture, but the firm and its users were caught in the crossfire. “Zoombombing” entered the lexicon to describe trolls and bigots leaping into meetings to stream pornography, post anti-Semitic remarks, or scream racial epithets, among other forms of unacceptable behavior.

This happens on other systems, too: my kids’ public-school system standardized on Microsoft Teams, and a teacher sent an email last week about what one could call “Teamsbombing.” But Zoom has seen the most growth by far and ostensibly had the weakest safeguards.

Zoom had published a set of best practices to help hosts avoid unwanted participants or bad behavior by people in both publicly announced and private meetings. That proved insufficient, and on 4 April 2020, the company began a series of measures that have transformed the safety profile of using its service, albeit with additional overhead for hosts and people joining meetings. On 8 April 2020, Zoom’s CEO, Eric Yuan, told NPR, “When it comes to a conflict between usability and privacy and security, privacy and security [are] more important–even at the cost of multiple clicks.”

Some of these changes made it into the last article, but most are new. They include:

  • Passwords required: All free-tier accounts, free upgraded education accounts, and single-host paid accounts now require a password. It’s generated automatically and may be changed but cannot be removed. This blocks access by those who obtain the meeting ID but not the password, and it prevents access through bots trying to join randomly generated meeting IDs in the reasonable hope of connecting to a password-free session.
  • Meeting ID hidden: The meeting ID no longer appears in the title bar of Zoom apps to prevent it from appearing in screen captures posted on social media or elsewhere.
  • Waiting Room enabled: By default, the Waiting Room feature is now enabled for all accounts, even those that previously had the option turned off. The Waiting Room puts participants who attempt to join the meeting into a holding position. The host must admit them. It’s fussy, and if it’s unnecessary in your environment, you can override the default on a per-meeting or per-host basis.
  • Centralized security settings: A new Security button in Zoom apps centralizes all privacy and safety settings, including locking participants out of the chat and preventing them from sharing their screen.
    Zoom security button
    A new Security button centralizes safety options for hosts.
  • Meeting locks: With a click of the Security button, hosts can lock a meeting at any point to prevent new participants from being added to the Waiting Room or joining directly. Another click unlocks the meeting.
  • Name change prevention: Hosts can prevent participants from changing the name that appears when they join or request to join a meeting. Some people—both unwanted visitors and juveniles who thought it was funny—were changing their names to derogatory or abusive forms during meetings.

A less obvious anti-troll change involves requiring a Zoom account sign-in for those using Zoom’s Web app, available across all major browsers. Reportedly, malicious conference joiners could script the Web app to let them continuously re-join a meeting with a new name each time. Hosts can disable that requirement if it’s undesirable to require everyone to sign in with a Zoom account. However, for recurring meetings among an affinity group, like an addiction-support group that has moved online, it’s likely to help deter abuse.

Other Security and Privacy Fixes

Zoom has also repaired other security and privacy problems:

  • Domain contacts visibility: Zoom no longer treats every user with the same domain in their email address as belonging to the same organization. Previously, anyone with a given address could view account information or add everyone to their contacts who had the same domain, excluding some major ISPs and mail hosts, like Gmail and iCloud. That feature is now disabled for free tier and paid single-host accounts, and must be enabled on higher-tier paid accounts.
  • Waiting Room vulnerability: Citizen Lab discovered a security problem with the Waiting Room feature that it didn’t include in its 3 April 2020 report in order to give Zoom a chance to fix it. That bug, later disclosed on 8 April 2020 after Zoom updated server software, would have let someone with a little technical expertise be restricted to a meeting’s Waiting Room and yet still be able to extract the session’s encryption key and video stream.
  • Traffic routed through China: The paths that data travels is a political, regulatory, and business question, not just a technical one. Citizen Lab’s report revealed that Zoom was routing some traffic that didn’t involve any participants in China through servers in that country. Zoom explained that it was an error in load balancing, which seemed plausible given the quick scaling of operations it needed to have. The company said it made permanent changes to prevent data passing through Chinese servers from outside the country. A new feature for paid users starts 18 April 2020, and those users will be able to select which of several regions data may pass through. Free users are locked to data centers in the region from which they subscribed. Apart from concerns about China, some people outside the United States don’t trust the National Security Agency or other US intelligence groups.
Zoom data center region settings
Paid users may select the regions through which their video can pass.

Zoom has also announced that it has formed a council of chief information security officers (CISOs) to advise the company. In addition, it contracted with former Facebook chief security officer Alex Stamos to work as a paid advisor.

While Facebook has faced extreme criticism and government investigations into its security and privacy practices, Stamos had reportedly become a thorn in the side of Mark Zuckerberg and other executives for stressing the danger of Russian misinformation on the platform. In 2018, Stamos left the company to pursue academic research and engage in paid consulting.

Is Continued Progress Enough for You?

Zoom continues to squash bugs while making good on its promises of the last few weeks to respond rapidly. To regain the trust of those who have been troubled, to put it mildly, about Zoom’s past lapses, the company will have to continue down this path of improved security and privacy and increased transparency, while maintaining the high levels of quality and performance that have made it one of the most popular options for videoconferencing during the pandemic.

We suspect that Zoom will never be able to recover from its mistakes in the eyes of some people. For those who aren’t as adamantly opposed to the company, however, it does seem that the company is both saying the right things and working hard to move in the right direction. For a recent TidBITS staff call, we tried Skype for about 5 minutes and were plagued with audio dropouts and other issues. When we switched to Zoom, the audio and video were rock-solid for the remainder of the hour-long call. We’ll continue to test other options, but Zoom has set the bar high.

I’m writing a book about Zoom for Take Control Books and would welcome your tips and input in the comments. I would also encourage you to download a free copy of Take Control of Working from Home Temporarily, a book I wrote to help people with the sudden adjustment in their working lives. It contains a number of videoconferencing tips, among many others provided by Take Control authors, TidBITS editors and contributors, and others who donated their experiences and insights.