By Kiki Schirr, {grow} Contributing Columnist
In this time of social distancing and sudden transition to working from home, Zoom has emerged as the primary tool for online collaboration.
Their stock price has soared to ridiculous levels. Zoom’s PE ratio, a measurement of the value of all their stock against one year’s revenue, is far above the 13-15 ratio most investors seek. Over the last few weeks, Zoom’s PE ratio has been in the 1000s, with a high of over 6,400.
During these last few weeks, Zoom has abruptly changed from an obscure service with 10 million business users into the connection point for an economy that, amid this coronavirus crisis, relies on communication and collaboration. Within a few weeks, Zoom ballooned to 200 million users.
And privacy advocates are up in arms because Zoom is a security mess.
Zoom’s security problems
News outlets as prestigious as NPR have bashed Zoom’s lack of user protections. EFF, the digital privacy advocacy group, has written about them numerous times, often in relation to the class action lawsuit currently levied against Zoom. The suit posits that Zoom gave user information to Facebook even if Zoom users did not have a Facebook account.
Zoom CEO Eric Yuan said he “really messed up” and is struggling to restore the reputation of the video tool.
In light of Zoom’s new popularity, the EFF has renewed their warnings with a fresh wave of articles. I’ll recommend the most important of these later in this post.
Wired magazine laid out all of Zoom’s security failures in a dizzyingly long list of offenses. This post explains how a hacker could breach any account if he knows the email address.
Senators and government prosecutors have launched independent investigations into security failures, the most damning of which might be Ohio Senator Sherrod Brown’s letter to the FTC seeking an investigation of Zoom’s advertising claim of providing end-to-end encryption of messages and other data shared between users.
Zoom is trying to address security issues
Likely in response to Brown’s letter, Zoom wrote a blog post clarifying that not everything is encrypted, with diagrams and definitions to help Zoom users discern when they have or have not been protected.
Even with my technical knowledge, I find the blog post overly complicated. The crux of the post seems to be that if you don’t download their software onto your computer or phone (and grant Zoom greater access to your systems and personal data), they will not guarantee your protection in return. This fact has not been clear in Zoom’s marketing efforts, according to Senator Brown.
And The Guardian went so far as to question if Zoom is malware in the headline of a widely circulated article.
Being malware is a serious charge. Trojan viruses are probably the most famous form of malware, but ransomware attacks on hospitals are quickly catching up. These attacks target patient medical data and lock hospital staff out of their own files until the hospital pays the attacker to retreat. And recently, we have discovered that these hackers are even willing to lock COVID-19 research.
Zoom’s CEO also made a public statement on April 1st vowing to pause any development projects that were not security-focused in order to make safety their primary directive. However, the security conditions on Zoom seem only to be getting worse as new users, and new trolls, sign up.
Google has banned Zoom
Shortly after this article was first published, internal emails surfaced warning Google employees that if their company computer had Zoom installed, they should not worry if the app soon stopped operating. The company’s IT department had decided it was a liability and was working on remotely removing it from all employee devices.
Of course, Google wasn’t the only one to ban Zoom.
Other entities who brought the hammer down include SpaceX, NASA, NYC Department of Education, the Australian Defense Force, and Taiwan. The whole Taiwanese government.
Meanwhile the United States Senate is sending each other memos about trying to avoid it, maybe. One day.
Zoom and harassment
In my view, Zoom’s lack of security seems to be more oversight or incompetence than malicious intent. However, because I think Zoom is culpable, I’m confused by the United States government’s haste to prosecute so-called Zoombombers.
As Internet trolls became more aware of Zoom’s vulnerabilities, they began to use Zoom as a platform for harassment. In particular, they tend to target racial minorities and women. Black women professors at Historically Black Colleges and Universities seem to be the most desirable target. Zoombombers post pornographic images and racial slurs into group discussions and there is no method of defense after a bomber enters the room, beyond ending the call.
If that isn’t bad enough, remember that many grade schools are now using Zoom, and a Texan Sunday school was recently exposed to pornography and harassment.
Zoom just enacted a measure that could prove helpful. It has turned on, by default, password protection and the waiting room tools for visual identity confirmation and approval, features within their software that hadn’t been widely adopted. Time will tell whether this will solve the Zoombombing issue.
Uncomfortable truths
While Zoombombing is both criminal and vile, I am concerned that the United States government’s crackdown on troll perpetrators doesn’t address that Zoom’s service is also at fault.
I think it is fair to liken Zoom’s vulnerabilities to the legal definition of an attractive nuisance. An attractive nuisance creates a dangerous situation for children that also appeals to them. The most common offense in real life is having a swimming pool without a lock or barrier. I see the illegal but easy act of Zoombombing as similarly dangerous and appealing to young would-be hackers who wish to prove themselves online.
While the age of Internet trolls has yet to be a focus of research, anyone who plays Fortnite is aware that trolls begin at very young ages. Last year a mother in California attempted to raise awareness when she discovered that her teenage sons had been targeted by white supremacist groups. These groups were recruiting minors with Hitler memes and funny YouTube videos with subtle anti-Semitic overtones.
It is very likely that many of the Zoombombers are underage. Some might be pre-teens. It is possible that over the next few weeks we might begin to see children being accused of criminal activity on Zoom.
Recently a criminal mastermind leading an organized group of more than 70 white nationalists came to the attention of international authorities, after multiple attempted bombings of places of worship or other public spaces were thwarted around the globe.
The group called their leader by the code name “Commander” but knew nothing of his identity.
Today, Estonia revealed that when they tracked down Commander, he was a 13-year-old boy.
So while it is very tempting to seek retribution against Zoombombers or other racist trolls, I would urge caution. You can’t tell age through the Internet, and if you’re in America, doxxing someone under a certain age could be illegal in your state.
In the post-GDPR EU, I don’t even want to think about it.
Alternative video services for working from home
I’m sorry to present all this Zoom gloom-and-doom in one sitting, but a quick and jargon-free summary should be useful.
At this point you’ve probably decided to avoid using Zoom, and if you aren’t compelled to use it by company or university policy, there are more secure alternatives.
My favorite option is FaceTime. Apple has emerged as the dark horse of privacy advocacy in tech. Among the technology giants like Amazon, Google, and Facebook, Apple stands out as the only company that hasn’t sold user data as a primary source of income.
Someone at Apple must have recently realized that this was a selling point. In 2019 Apple launched a highly effective and very blunt marketing campaign to pose the iPhone and all Apple products as the secure option in a sea of personal data leaking devices.
But FaceTime is limited in terms of the maximum number of attendees—32 videos total, including the room’s initiator.
If you need to host larger video meetings, Microsoft Teams allows 250 users to congregate.
While Microsoft has a less stellar record than Apple on privacy over their lifetime, it is only fair to note that many of the complaints once lobbed against them have since been resolved. Further, if you Google “Microsoft Teams security issues” the results that suggest there could be vulnerabilities all seem to be pages devoted to selling corporate data protection services. So take those with a grain of salt.
But Teams is aimed at corporate groups only. Their landing page now has a link for individuals seeking a video calling solution. It brings you to the Skype homepage.
If you have decided to uninstall the app, please be careful
It has become apparent that many Mac laptop users have been deleting the app by putting it in the trash.
Putting the Zoom app in the trash on your Mac is not an uninstall.
In order to remove all Zoom files, Mac laptop users will have to follow a more complicated path, which I will link to below.
If you have already put the Zoom icon into the Trash folder and emptied it, the easiest way to remove all the files, unless you are familiar with Terminal, will be to re-download it, sadly.
(There is also a Terminal solution, which would be more secure in general, but is not more secure for people who have never used Terminal and could accidentally follow malicious advice.)
How to uninstall Zoom safely
When removing the Zoom app from a device, first sign out of your Zoom account within the app, or even better, disable your account entirely.
Then, you’ll be able to follow the steps within this guide to remove the app from your device.
Because every device has a different install method, I didn’t want to go into all of the instructions here myself. The link above is up to date and has every major form of device. While I was not previously familiar with the site, I read through the instructions to verify they were all correct and did not suggest unsafe practices.
If your friends also want to uninstall Zoom, I’d recommend sharing that link.
When I Googled uninstallation instructions, I was dismayed to see that malicious sites are already capitalizing on the Zoom confusion to get less computer savvy individuals to download expensive software or even “free” malware.
Don’t download new software to uninstall Zoom.
If you have to use it for work
Many of you might be required to use Zoom. If you are, I apologize for what might seem like an alarmist article. But, in the words of G.I. Joe: “Now you know, and knowing is half the battle.”
And there are many ways to protect your data even when you have to use Zoom.
First, start by reading and following the EFF’s guide to optimal Zoom settings for privacy.
This guide is wonderful. It not only gives instructions for each setting with images but also tips on how to avoid common pitfalls.
The most important pitfall is that even if a Zoom password is enabled, and you take the necessary precaution of sending the password via a secure route like encrypted email, you could accidentally expose that password by sharing the Zoom room location publicly.
EFF explains that if you use the “Copy Invitation” button to copy-paste your Zoom room’s location invite link, it often inserts the password into the URL, allowing instant access to anyone who sees only the invite link and knows what to look for. EFF says that if you notice that the URL you have saved to your clipboard is unusually long and contains a question mark, it probably has your password embedded inside.
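The pitfall EFF describes can be checked before an invite goes out publicly. The following is an added example, not code from this article, EFF or Zoom; it assumes the passcode travels in a `pwd` query parameter, and the sample links are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption of this example: the invite link carries the passcode in a
# "pwd" query parameter (the article only says it is embedded after the "?").
PASSCODE_PARAMS = {"pwd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def has_embedded_passcode(url: str) -> bool:
    """True if the link's query string contains a passcode parameter."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(key.lower() in PASSCODE_PARAMS for key, _ in pairs)


def strip_passcode(url: str) -> str:
    """Drop the passcode parameter; keep host, path, other parameters, fragment."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in PASSCODE_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def sanitize_text(text: str) -> str:
    """Strip passcodes from every link in a draft post before it goes public."""
    def fix(match: re.Match) -> str:
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")  # sentence punctuation is not part of the link
        return strip_passcode(url) + raw[len(url):]
    return URL_RE.sub(fix, text)


if __name__ == "__main__":
    # Constructed sample: not a real meeting ID or passcode.
    draft = "Class meets at https://zoom.example/j/0000000000?pwd=Q09OU1RSVUNURUQ."
    print(has_embedded_passcode(draft.split()[-1]))
    print(sanitize_text(draft))
```

Run a public announcement through `sanitize_text` and send the passcode separately over the secure route.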
Another quick way to protect yourself is that if you are not the host of Zoom meetings, you can often avoid downloading the software on your device. Use Zoom’s in-browser solution as a more secure alternative. That means losing a lot of fun features like digital backdrops. If you’re disappointed, weigh that against the possibility that Zoom (or Facebook, if you believe the lawsuits) could have a list of everything you ever bought on Amazon.
Another option many people are pursuing is adding a VPN to their work-at-home arsenal. A good resource to learn about that can be found here: what is a VPN guide by Surfshark.
Also, here is a helpful article if you’re feeling Zoom fatigue!
Or try using nothing but Zoom
Should you have to host meetings, another option could be to limit your use of the app to a quarantined device. An old computer or smartphone that you don’t use anymore would be perfect. Wipe the hard drive, go through set up again, and afterward only use that device to access Zoom, turning it off between uses.
This method might not be perfect since you’re going to be spending so much time on home wifi, but it will make it much harder to get interesting information about your Internet use.
Alternatively, if you are one of the few individuals who use a work computer as her IT department wishes she would, you might already possess a rather private device! But keep in mind that checking your bank account, ordering something from an online retailer, or having ever accessed Facebook on that work computer does pretty much compromise its use as a quarantined device.
I hope that you’ve found this post helpful. If you want to keep up with developing news regarding Zoom or privacy in general, I would recommend setting a Google Alert for “Zoom + security” or periodically checking EFF.org.
Please also consider sharing this article and its resources since bad actors have started utilizing the confusion to prey on less tech-savvy workers.
If you have any other tips or video platform recommendations, please feel free to share them with the {grow} community in the comments.
Disclosure: The Surfshark VPN link is an affiliate link.
Latest update on April 14, 2020