Zoom has gotten so much attention since the Coronavirus pandemic started that the value of its stock ballooned from $87 to $260 apiece within the span of 4 months (Zoom is currently worth more than 7 of the world’s largest airlines combined). Most of the attention hasn’t been positive, though, and with news coming out on a daily basis, it can be difficult to decide whether you should use Zoom.
So much has been written about Zoom’s security and privacy issues since February that it’s completely understandable if you can’t keep up. These are just some of the updates in the past few months (in no particular order):
- stolen Windows credentials
- new security features
- Zoom bought an encryption company
- Zoom’s working on their security and privacy flaws
- they’re not working on them
- they’re routing traffic through China
- Zoom is sharing data with Facebook
- they won’t be offering end-to-end encryption
- they’ll offer end-to-end encryption
- you can trust them
- you can’t trust them.
This is why we wanted to offer an overview of where Zoom is right now and give you our opinion on whether or not you should use this tool for your work.
Long story short: the same way you use different messaging services to communicate (Gmail, Facebook, Signal, Slack etc.), you should also use different video conferencing platforms for different purposes. Zoom is fine for your conversations with family and meetings that don’t include sensitive information, but otherwise, avoid it. Zoom’s security features are not much worse than Google’s or Cisco’s, but Zoom has only been fixing their security flaws AFTER they become public and cause backlash, and has issued misleading statements that make us distrust them as a company. Stick with us a little bit longer and we’ll explain what we mean.
It’s true that Zoom has added security features and has been trying to keep their users safe. Since experiencing a massive increase in user numbers, Zoom has implemented certain features that are designed to keep your calls secure when used properly. Organizers can require passwords for meetings, turn on waiting rooms for participants so the host can admit those asking to enter, and disable screen sharing. A meeting organizer can put all these measures in place to keep the meeting private and prevent strangers from coming in and causing harm. And real harm has been done. There have been instances of people joining meetings and flashing child pornography or other disturbing images to online school classes and meetings of sexual violence survivors. That said, there are definitely ways to keep Zoom private and secure, and that was made even easier with some of the upgrades the company made recently. If you want more details on how to use all these security features, check out Zoom’s own guide.
Zoom also acquired Keybase, an encryption-focused company that developed a platform that is essentially a super-encrypted and private Slack. The reason behind this was Zoom’s push to encrypt their video calls. They initially claimed that they had end-to-end encryption (E2EE), until it came out in late March that they only had encryption in transit and the E2EE claim was false.
Encryption in transit ensures that your data is protected while it’s travelling between devices, but your application or software provider, in this case Zoom, can read your data once it reaches their servers. End-to-end encryption offers much better protection because only the devices participating in a call can read the data, which means that not even Zoom can record and store the contents of your calls. In late May they announced that E2EE would only be available for paid users, so that the company could keep track of free accounts and share information with law enforcement if any of those accounts participated in Zoombombing or other illegal activities. After more backlash they changed their tune and are now offering E2EE to every account starting in July. Hosts will be able to turn the option on or off, since E2EE does limit some features.
Now, here’s the thing: end-to-end encryption is not standard for video conferencing platforms, and Google, Slack and Microsoft can all read your messages and store your calls. In fact, Zoom will now have better encryption features than most of these other video conferencing platforms. Google Meet and Slack do not have E2EE, for example, and only have the standard transit encryption. The fact that Zoom doesn’t have E2EE is not the reason why you should avoid it; the reason is that they first stated that they do offer it and then had to walk that statement back after researchers realized it’s not true.
Zoom also routed traffic through Chinese servers at the beginning of the pandemic, potentially revealing the data of their users to the Chinese government, and then had to issue another statement and stop sending the traffic through those servers. Around that same time, it was revealed that the app was sending metadata to Facebook without the knowledge of users, and none of this was disclosed in any of Zoom’s policies. This has been Zoom’s modus operandi since the start: they do not fix their security flaws until they become public and the company is pressured to do something about the problem. And their security problems have been known to industry experts and business partners for a while, so much so that Dropbox organized a live hacking competition in 2019 where they offered rewards to those security researchers who identified vulnerabilities in Zoom’s platform because “former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom’s code — and troubled by Zoom’s slowness in fixing them.”
So, Should You Use Zoom or Not?
From a security and privacy standpoint, Zoom makes us nervous and, as a company, we do not conduct any meetings or activities through Zoom. Our advice would be to completely avoid Zoom for business meetings, especially if the information you are discussing is confidential and only meant for your employees and clients. If you are working with sensitive information and you have a responsibility to keep that data private, choose another option. Get a paid account with Cisco Webex, Google One or Microsoft Teams for meetings with your team members, and you can easily invite external partners to join by sharing a link. Google Meet might be the best option for small businesses and organizations because you can rely on Google’s robust infrastructure and security, and you only need a Gmail address to start or join a meeting. It’s a simple platform that comes with Google’s security and a low price.
All of these platforms have similar security features and measures; the only difference is that Cisco, Google and Microsoft do not have Zoom’s history of misleading statements and scrambling to fix issues only after they become public. And considering that Zoom had to beef up their security, they lost some of the features that made them the most user friendly, which means that they are at the same level of usability as any of these other platforms. You want your team and your data in the hands of a company that has a good track record, has no breaches or history of bad decisions, and is not famous for its security vulnerabilities and dubious privacy practices.
If you are hosting meetings and events that are not high risk, by all means use Zoom, but make sure to have a password on the meeting and only share it with people who are supposed to attend; do not share your password publicly. If you want to keep your communication fully private, we suggest Signal, which keeps all calls and texts fully encrypted. The issue with Signal is that you can only communicate with one person at a time, but if you need to share a highly sensitive piece of data with a team member or have a confidential conversation, this app is a good option.
Ultimately, for your day-to-day work calls, we recommend paid versions of Google Meet, Cisco Webex or Microsoft Teams and suggest you leave Zoom for family and social calls.