How Secure, and Private, Is Zoom?

How Secure, and Private, Is Zoom? Use of the videoconferencing program Zoom has skyrocketed since the coronavirus pandemic struck, but this surge in popularity has been quickly followed by concern about Zoom’s privacy and security protections.

With millions of people working from home during the pandemic, videoconferencing has become a necessity, and Zoom is one of the most popular programs for connecting with coworkers and clients. Among the millions of users are law firms and courts, which have been using the platform to meet with clients and conduct proceedings remotely. (In ElderLawAnswers’ recent survey of elder law and special needs professionals, two-thirds of respondents said they were using or plan to use Zoom for client video conferences.)

Unfortunately, the increased usage has turned up several potential security and privacy risks, causing New York’s attorney general to investigate the company.

What Are the Concerns?

One security weakness flows from one of Zoom's strengths as an open platform that allows users easy access to conversations.  Unfortunately, this has allowed uninvited participants to disrupt Zoom sessions, usually with lewd or racist messages, something known as “Zoombombing.” The FBI received so many complaints that it has issued a warning to Zoom users about teleconference hijacking.

Zoom is also the subject of a lawsuit in California after the iOS version of Zoom (used with Apple products) allegedly gave users’ information to Facebook even if they did not have a Facebook account. The company has responded that this was a mistake and it is no longer happening.

Another security concern is whether Zoom calls are truly end-to-end encrypted, as the company claims. According to an article in the Intercept, Zoom technically can access video and audio from meetings taking place on its platform. In response, Zoom has published detailed information about how its encryption works.

In a recent blog post, Zoom’s CEO Eric Yuan acknowledged the security concerns and explained the steps his company has taken to address the issues and promised greater transparency in the future. “We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” Yuan said.

How Can You Protect Your Meetings?

Luckily, there are steps you can take to secure your meetings with clients and co-workers. In a blog post titled “Zoom is Safe for Lawyers (if you use it right),” strategic consultant John E. Grant interviews legal technologist Simon Boehme, who trains lawyers and mediators in how to use Zoom as a dispute resolution tool.

Asked whether Zoom is secure, Boehme replies “Yes. . . . Once you learn how to use Zoom properly, it is as secure a solution as you can ask for online.”

Boehme says that unwanted visitors can gain access to Zoom “rooms” in one of two ways: by getting ahold of a 10-digit meeting code that was distributed to meeting invitees, or by randomly entering 10-digit codes until they hit upon one that works.

Zoom meeting hosts can keep unwanted visitors out of their meetings in several ways. One strategy is to use a password in addition to the Zoom code. Another is to turn off the “join before host” option so no one can enter the meeting before the host. A third is to “lock” the room once all the participants are in the meeting. (Boehme shares a link to slide deck with more specific information on using Zoom securely.) The FBI makes similar suggestions.

Grant’s blog post also lists alternatives to Zoom for those still wary of it. But Grant concludes that “Zoom is secure enough for my needs. I am comforted that they are being very proactive under their newfound scrutiny, even to the point of making changes to their tool to address concerns.”

ElderLawAnswers reached out to Zoom, asking how attorneys can be assured that their Zoom meetings with clients will be confidential and that no one other than the two parties involved will have access to the meeting either in real time or after it is over. Bernie Senzig, a Zoom account manager, replied: "During a meeting: Zoom has many built-in protections to to help hosts prevent unwanted meeting access from any source, including availability of passwords, waiting room features, inability for participants to hide their participation either through video or audio, restricting users to only those signed in with a particular domain name, locking meetings to prevent additional joins, and mandated registration prior to joining a meeting. After a meeting: Unless a meeting is recorded by the host, the video, audio, and chat content is not stored. When the meeting is recorded, it is, at the host’s choice, stored either locally on the host’s machine or in the Zoom cloud. We have access controls to prevent unauthorized access to meeting recordings saved to our cloud."

For John E. Grant’s blog post on how to secure a Zoom meeting, click here.

For an NPR report on security and privacy concerns with Zoom, click here.

For a New York Times article on how to prevent "Zoombombing," click here.