Zoom: Is It Safe to Use?

I want address some of the hyperbole around Zoom and the recent issues that have surfaced as Zoom has become a considerably more popular and widely-used application during the COVID-19 pandemic. 

Updated 4/9/2020:

Here are a number of updates from our contact on Zoom. This is a list of features they have updated over the last week or so.

Security Toolbar Icon for Hosts

  • The meeting host will now have a Security option in their meeting controls, which exposes all of Zoom’s existing in-meeting security controls one place. This includes locking the meeting, enabling Waiting Room, and more. Users can also now enable Waiting Room in a meeting, even if the feature was not turned on before the start of the meeting. For more information, please visit this recently published Blog.

Invite Button on Meeting Client Toolbar

  • The button to invite others to join your Zoom meeting is now available at the bottom of the Participants panel

Meeting ID No Longer Displayed

  • The meeting ID will no longer be displayed in the title bar of the Zoom meeting window. The meeting ID can be found by clicking on Participants, then Invite or by clicking on the info icon at the top left of the client window.

Remove Attendee Attention Tracking Feature

  • Zoom has removed the attendee attention tracker feature as part of our commitment to the security and privacy of our customers. For more background on this change and how we are pivoting during these unprecedented times, please see a note from our CEO, Eric S. Yuan 

Removal of the Facebook SDK in our iOS client 

  • We have reconfigured the feature so that users will still be able to log in with Facebook via their browser

File Transfers

  • The option to do third-party file transfers in Meeting and Chat was temporarily disabled. Local file transfer is available with our latest release. Third-party file transfers and clickable URLs in meeting chat will be added back in an upcoming release

New Join Flow for the Web client

  • By default, users will now need to sign in to their Zoom account or create a Zoom account when joining a meeting with the Web client. This can be disabled by the Admin or the User from their settings page

Join Before Host Emails Disabled

  • Notifications sent to the host via email when participants are waiting for the host to join the meeting have been disabled.

Setting to Allow Participants to Rename Themselves

  • Account admins and hosts can now disable the ability for participants to rename themselves in any meeting. This setting is available at the account, group, and user level in the Web portal.

Language for Directory and Company Directory (please note, this does not impact your account)

  • Domain contacts: For free Basic and single licensed Pro accounts with unmanaged domains, contacts in the same domain will no longer be visible. We’ve also removed the option to auto-populate your Contacts list with users from the same domain. If you would like to keep those contacts, you can add them as External Contacts.

Change in visibility of contacts with same domain (please note, this does not impact your account)

  • For Basic and single licensed Pro accounts with unmanaged domains, contacts in the same domain will no longer be visible under ‘Company Directory’ in the ‘Contacts’ tab. Consequently, for the single Pro accounts with unmanaged domains, we’ve removed the option in the admin experience to populate Company Directory with users from the same domain. If these affected users would like to keep contacts with the same domain, they can add them as External contacts. This change will not impact paid accounts with multiple licenses and all accounts with managed domains.

Growth of this magnitude for any technology product attracts legitimate users and also the attention of malicious actors who seek to abuse or compromise the platform.  This attraction, particularly by those with mal intent, is the same faced by any technology company, including Microsoft, Cisco, Blackboard, Ellucian (Banner) and many others.

It is difficult for any vendor to anticipate every fracture that results from heavy and continued usage, particularly by those with evil intentions.  All technology at some point will fail: some is small ways, others in more pronounced ways .  The challenge for any technology organization, whether that is Zoom, Microsoft or OIT, is how to react to the failure. 

Zoom has experienced issues in recent weeks.  Zoom Bombing, that is interrupting a class lecture or a meeting by hijacking a meeting to display inappropriate, vulgar or racists material on the Zoom connection, is the most pronounced and obvious way the Zoom meetings have been attacked recently. 

As these events occurred and were discussed in the media, Zoom provided solutions for the issues and communicated to their customers in a matter of hours.  And Zoom continues to provide fixes for their software to ensure all of us have the best  and safest experience possible.  See this article, https://medium.com/@0xamit/zoom-isnt-malware-ae01618e2046, authored by security professionals for a perspective on Zoom’s response to recent attacks.

Additionally, here is a message from the CEO of Zoom detailing the approach they took when this all started, including actions taken by Zoom and what they continue to do to ensure the best experience possible: https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/.

Allow me to address some of the more talked about issues that you may be aware of.

  1. Zoom Bombing: Most of the attention surrounding Zoom currently is focused on Zoom Bombing. Zoom’s product is designed to be very flexible and to be able to easily accommodate attendees from outside of your organization. That flexibility provides the host of a meeting a great deal of flexibility in how strict or lax they want to be in protecting their online meeting. Here is an article that provides guidelines provided by Zoom to help prevent Zoom Bombing: https://blog.zoom.us/wordpress/2020/03/20/keep-uninvited-guests-out-of-your-zoom-event/.  Those of you hosting classes in a Distance Education Room need to contact OIT for assistance as those spaces require special handling in regards to managing your guests.

One action you can take, if you are concerned about Zoom Bombing, is to password protect your meeting.  This is done by selecting the Require Meeting Password checkbox on your Zoom MeetingID setup and supplying a reasonably complex password.  Share this password with your students or other staff members so they can attend the meeting.

  1. Zoom Encryption: Encryption is defined as providing cryptographic assurances that only the individuals that are supposed to see a message can do so.  End-to-end encryption (E2E) describes a system where content is encrypted when it is stored (sitting on a hard drive or server) and when it is being transmitted (sent over the internet or a network). Zoom does guarantee E2E for every device attached to a Zoom meeting that is using their software for a connection.  If you use the Zoom app on a desktop, laptop or mobile device to connect to Zoom, your connection is end-to-end encrypted.  If you use one of the Distance Education rooms to connect to Zoom through a Conference Room Connector (CRC), which is what we do with our DE rooms at Sul Ross, the connection is end-to-end encrypted as well once it connects to the CRC in the cloud.  One device that is never E2E is a telephone connecting over a traditional land line.  As state in the article on encryption, Zoom’s goal is to “keep data encrypted throughout as much of the transmission process as possible.”  If you would like more information on encryption methods used by Zoom, see this article: https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/.   
  1. Zoom Privacy: Zoom sharing usage data with Facebook has been a recent headline. The Facebook sharing was limited to the IOS mobile app, involved aggregate metadata only, meaning there is no evidence that identifiable or sensitive information is being shared without user consent, and was removed after the PR backlash that resulted from this awareness.  Zoom addresses where they share data with third-parties in their privacy policy at https://zoom.us/privacy.

My intention is not to convince you to use Zoom.  If you are uncomfortable using Zoom for your classes or your meetings, I encourage you to look at one of our other supported applications such as Blackboard or Microsoft Teams.  My goal here is to break through much of the hyperbole in the media and to assure you that while some issues surfaced recently with the Zoom product, it is a good solution for your meeting needs and comes with a great deal of usability, stability and security.  I am comfortable recommending the use of Zoom for any of your classes or meetings.

If you have questions, feel free to contact me directly.  If you need assistance with any of the configuration items in Zoom, please contact my staff at the Helpdesk and we will guide you through those discussions.

Leave a Reply