Zoom should be criticized for poor communication rather than privacy, security, expert says

by

Zoom

Zoom

The video platform Zoom has experienced overnight success with offices and schools closed around the world due to the coronavirus pandemic. The increased usage has resulted in a string of security concerns, which, according to a University of Notre Dame cybersecurity and privacy expert, have largely been blown out of proportion.

Zoom is not dealing with a security and privacy crisis, it’s facing a communication and transparency crisis, according to Mike Chapple, associate teaching professor of IT, analytics and operations at Notre Dame’s Mendoza College of Business.

Mike Chapple Expert
Mike Chapple

“Zoom’s recent privacy and security issues aren’t any more significant than those facing any other tech company, and Zoom has quickly moved to correct each one of them,” said Chapple, a former computer scientist with the National Security Agency. “The challenge Zoom faces is that they were a specialized niche company that was suddenly thrust into the role of a critical infrastructure provider overnight and they simply weren’t ready for the intense level of scrutiny that they’ve received as a result.”

Perhaps the most publicized of Zoom’s woes is the practice of ‘Zoombombing’ where people join unsecured Zoom calls and disrupt private conversations.

“These aren’t the result of a security flaw in Zoom,” Chapple explained. “Zoombombing occurs when people either don’t use a password to secure their Zoom meeting or give out the password on a public forum. You can protect yourself against this by following some simple best practices, such as not publishing your meeting password, using a waiting room to control access to your meeting and restricting screen sharing.”

Zoom also has been criticized for not offering end-to-end encryption for videoconferences, an approach Chapple says most people never use.

“It’s true that Zoom doesn’t offer this level of encryption,” Chapple said. “That’s because it’s technically very difficult to do so. Look at the other major videoconferencing providers. Skype, Microsoft Teams and BlueJeans don’t offer end-to-end encryption either. It’s simply not a reasonable security expectation. Cisco WebEx does offer an end-to-end encryption option, but choosing that option disables major features of the platform, including the ability to record a meeting.

Chapple points out that Zoom did make a major mistake in this area by publishing a false claim that the service supported end-to-end encryption. They’ve since apologized and published a technical description of exactly how their encryption works.

There also have been reports of Zoom video recordings appearing on public websites and cloud storage services, but Chapple says there is no indication this was Zoom’s doing.

“Zoom offers a recording feature to meeting hosts and discloses to all participants when a meeting is being recorded,” he said. “At the end of the meeting, the host gets a copy of the video file. If they post it on an open forum, it’s not reasonable to hold Zoom accountable for the meeting host’s actions.”

While researchers have identified a few security flaws in Zoom’s technology over the past few weeks, Chapple says that’s not unexpected for a platform suddenly thrust into the spotlight.

“The reality is that every software product has critical security flaws that we simply haven’t discovered yet,” he said. “Zoom reacted to each one of these with a patch that corrected the problem. That’s what any responsible technology company would do.”

Where Zoom really failed, according to Chapple, is with their pre-pandemic privacy policy.

“It contained some truly awful terms and conditions that basically granted the company the right to access private meeting information. After some scathing public criticism, Zoom revised their privacy policy to align with industry best practices.

"If you’re worried about the privacy and security issues at Zoom, don’t use the service. Personally, I’ve found Zoom to be a crucial part of my ability to teach and work from home. I’m comfortable that they’re focusing on correcting security issues quickly and have built a platform that is scalable, reliable, and secure.”

 

Contact: Mike Chapple, mchapple@nd.edu