Thoughts and Struggles of using Zoom — its Security Issues and Good Practice tips
“ME” : Personal Preface
I have been thinking and planning to write this article since I used Zoom several times during lockdown. Finally, I wrote it here.
‘How can I be off-the-grid?’ — People always keep asking the same question. To be honest, it is unavoidable.
It sounds a bit old-school and pessimistic, no matter we use or not to use Zoom — ‘We’re always being watched or monitored, don’t think it may never happen.’
Personally, using Zoom for inevitable online studying or joint work conversations, I am fine with it.
However, one thing which makes me a bit more sensitive with, we all have left many cyber-footprints on the internet, voluntarily and unconsciously. Nowadays, the borderline between real life and internet is so blurry, we no longer keep our real privacy, inner thoughts and emotional exchanges IRL, but disclose them all to the online world — internet.
It isn’t a thing to be fear of, but the real concern behind that make us uncomfortable is — imagine how the daily Netflix shows its care and consideration by displaying a super thoughtful personalise movie list on your account, they are monitoring you in silence.
Well, Lets get into the topic.
Security vulnerabilities in Zoom : Are we being further commercialised?
There are many controversies on Zoom since the beginning of COVID-19. Most of them seems to be related to the monitoring and commercialisation issues. To be more specific, this is pointing to the security vulnerabilities in the overall application architecture.
For instance,
(1) The host (person who established/presided over the meeting, e.g. teacher) — can know whether the participants had participated during the whole process, partly participated, or absent for a short period of time, however, the participants wouldn’t be notified. If the chair has such privileges, I hope she/he is someone you can trust.
(2) Administrative Operators in Zoom — including the internal managers who use Zoom in the institution. For example, if the whole college are using Zoom, the administrator can check everyone’s data, such as IP address, region and even the hardware information when users are using the service. Well, you probably think, I don’t care about this, we are all used to it and it is unavoidable. Yes, this means that we all suddenly become much more transparent and naked than usual in the Zoom world.
(3) The manager from the Zoom meeting — have a series of privilege which includes the record of the meeting as well. Not only record audio and videos, obtain the text transcript version from the meeting, but also store them in the cloud PERMANENTLY, allowing other users in the company to access.
(4) According to a report from Motherboard (the US technology service company), Zoom share user data with Facebook even if you don’t have a Facebook account. As long as you open Zoom, your device model, duration of use, mobile communication service provider, and the advertising ID of the mobile device which connected to Facebook can all be viewed, making it easier to target more advertising campaigns! Yet, Zoom announced that they had stopped sending user data to Facebook few months ago. I am appreciated with their prompt response, but the problem is Zoom didn’t mention these arrangement under their privacy and data protection clauses. Well.. so, what else we haven’t been told?
(5) The most terrifying part among all these various problems we mentioned is, the user data and content from the conference will be partially diverted to servers in mainland China [1]. According to Citizen Lab (The R&D laboratory of cyberspace in University of Toronto) pointed that Zoom used a non-standard encryption method to transmit encrypted information to China. (P.S. China officially announced that Zoom was banned in China last September.)
That brings with it a list of international institutions called for abandoning Zoom,
(1) Taiwan — Ministry of Education announced that all government institutions and schools are prohibited from using Zoom.
(2) US— US Senate urged its members to choose platforms other than Zoom due to its security concern, and NASA has banned all employees from using Zoom.
(3) Singapore — All teachers are completely prohibited from using Zoom. The incident that hackers intruded during an educational video meeting and caused indecent behavior was under investigation.
(4) Germany — The German Foreign Ministry has restricted Zoom use to personal computers in emergency situations only.
And the government agencies in Australia, Canada…etc.
Eventually, after a list of problems were revealed, Zoom made a series of ‘corrections’ and fixes. For example, Zoom’s end-to-end-encryption feature finally went live on Tuesday, Oct 27 2020. (P.S. except on iOS where it still has to wait for Apple’s approval)
From a positive perspective, “speak up in advance, give full pay to the basic responsibilities as a citizen, netizen and user of conscience” — is the way how we live in the data age.
Who’s peeking? Who’s secretly recording?
Talking about Zoom’s security vulnerabilities, they were discovered as early as the summer of 2019 (According to Mike Kuketz, a German national data protection security researcher). It was told that the company’s system allowed the intruders to access the cameras on millions of Mac users. In short, that means hackers can spy on us through the camera on individual computer. The idea of the ‘phishing’ game is — make an excuse to attract users to visit a website prepared by the hacker, or to embed code on the website they have visited to start a video conversation. Therefore, the user joined the zoom video chat that they didn’t want to or even know.
You can still be peeked even if you uninstalled Zoom ?
Yes! Because Zoom installed an undocumented local web server on the Mac computer, even if the actual application is uninstalled, the local web server remains on the computer. Zoom did make some adjustments, but in fact it was resolved by Apple after Apple made corresponding adjustments.
If Zoom has slipped this kind of unsafe mechanism into its software, what else will it try to do?
Check Point Research reported another loophole of Zoom — hackers can join the meetings that you set up even if you didn’t invited them. They can listen, read the shared files in your meetings. Zoom emphasised that this issue has been overcome. Maybe it is, but The Verge (an online technology messaging platform from the US) who responsible for the testing and inspection claimed that the scope of their similar test result doesn’t apply on services such as Google Hangout or Skype [2].
Well. Zoom need to watch out. The issue of trust is still an issue.
Protect Yourself : When Zoom became an unavoidable trend. What can we do to prevent Zoombombing?
Here are some suggested good and simple practices for you.
(1) It is safer to open Zoom in browser (web interface) than directly open via Zoom app. This is because modern web browsers are built in a way that make you more secure — the Zoom web version operates within the restricted environment of your ‘browser sandbox’ and this reduces the amount of risk it can do if there is a security issue with the app.
(2) Cover your camera when you are not in use.
(3) DON’T disclose the class/meeting ID and password that you are going to participate to unrelated people. DON’T post them on social media platforms. The most common situation is that someone browses on Google and look for the URLs of ‘zoom.us’ and then finds the event ID you have opened. So, be careful if your social media sites are leaking.
(4) Directly point out your concerns about security and privacy vulnerabilities to the related parties (e.g. students and participants) so that all parties can still conduct regular online communications in a short period of time with a trustworthy attitude.
(5) Make good use of Zoom’s built-in options, identify features that are useful or unnecessary. Don’t be greedy because of convenience, such as who can show up or not, decide whether to join in a communication with comments, whether the content of the chat box will be stored as a text file, whether the speech of the video conference should be converted into a text version, the rights and limitations of sharing desktop screens, and the default setting of sound playback when the meeting starts, especially the basic step of ‘turning off the microphone’ as default at the beginning.
(6) Set a different random meeting ID for each meeting. DON’T use and share your personal meeting ID. You can create a ‘waiting room’ if necessary in order to give yourself a chance to check if the list of participants are the one you expected.
Have you even made any mistake from above? I did somehow, we all learnt from mistake.
No worries, you are all settled now! Happy and safe Zooming!
(The above measures gonna bring us back to the situation I have mentioned earlier… where the conference host is overprivileged HAHA:P)
[1]Micah Lee: “Zoom’s Encryption is ‘not suited for secrets’ and has surprising links to China, researchers discovered”; The Intercept, 3 April 2020.
[2](1) Meike LAAFF: “Ok, Zoomer”, in: ZEIT Online (2020.03.31)https://www.zeit.de/digital/2020-03/videokonferenzen-zoom-app-homeoffice-quarantaene-coronavirus?wt_zmc=sm.ext.zonaudev.mail.ref.zeitde.share.link.x
