The main issues are:
- Zoom relies upon random naming of IDs to create private rooms. However, automated tools have been created to allow meeting IDs to be discovered. In other instances, it appears a pattern is present and allows for the guessing of meeting IDs.
- Unauthorized access to “Private” meetings. In some instances, attackers are coordinating “zoom raids” to join and harass participants with unwanted chats, images and other content.
- There is a Data Mining feature in Zoom that can leak unwanted information, including LinkedIn profiles that were not explicitly shared with other LinkedIn users.
- Users’ email addresses and other information, including profile photos, were available through a directory feature, exposing them in an unwanted fashion.
- There is no end-to-end encryption for Zoom video meetings and due to the system’s design, it is not possible to implement it. This opens up the potential of an unwanted recording of video feeds without any of the participating parties’ knowledge.
- A flaw in the code allowed the theft of the users’ passwords, allowing malicious actors to assume control of users’ microphone and webcam. This also allowed root-level access on Macintosh-based systems, exposing all the user’s data on their machine/network.
- Though now resolved, the software was previously collecting user data and sharing it with Facebook in a less than transparent manner.
With all that said, there are some great innovations and capabilities that help explain why it’s still a success even with all the issues. Zoom does some things very well:
- Ease of use – the system is considered to be very user friendly. Even in the best of situations, teleconferencing and multi-party video calls are often a struggle to implement. Zoom took an Apple-like approach, hiding or eliminating the ability to do complex tweaking of the system and instead making it more of a click-and-play experience.
- Breakout Rooms – By far the standout feature for Zoom is the ability to break a large group of users into smaller chat groups and then call them back in. This type of control is well suited for teaching and larger collaborations and just hasn’t been matched in a meaningful way from any of the other offerings.
- Streaming to other platforms – the integration with Facebook and YouTube is not there to allow data collection; it gives the coordinator the ability to stream content directly to Facebook Live and/or a YouTube channel. This fundamentally shifts Zoom from being a video chat platform to a content distribution solution. This is powerful and seamlessly gives creators access to a global audience through channels that are widely known and adopted.
Like any free service, Zoom has its place and is worth more than its cost. The risk is the unintended costs of its use when the product is assumed to be secure.
In general, for a higher level of confidence in security, most companies are turning to paid solutions for conferencing. Top of our clients’ list is Microsoft Teams. The Teams user base has grown by 50% in the past few weeks and is regularly peaking at over 44 million concurrent users. That said, there is a bit of selection bias at play. We have a strong focus on Microsoft technology, so it’s no surprise that our clients lean that way too.
Here are Gartner’s reviews of video conferencing providers:
In case you’re having trouble keeping all the players straight and what they offer, here’s a rundown of the major players in the video-conferencing universe from QZ.COM.
There’s a good reason Webex, Cisco’s video-conferencing platform, has the look and feel of Zoom: Zoom’s founder, Eric Yuan, started his career as an engineer at Webex. In March, the company offered free personal accounts to those who live in countries impacted by the virus. It removed time restrictions on video calls and will allow sessions to include up to 100 participants. Webex offers end-to-end encryption for its video calls, but it’s not automatic. Call administrators must turn encryption on and can decide whether to make the feature optional or mandatory for each session. Webex has also had its share of security issues.
Microsoft (Teams and Skype)
As the new coronavirus spread, Microsoft announced that organizations could use Microsoft Teams, its workplace collaboration tool that allows video meetings, for free. But unless you’re a Windows user (the company recommends that Teams users download its Office 365 suite), signing up for a Microsoft Teams account may be overkill.
Skype, also owned by Microsoft, launched a new feature called Meet Now that lets any user initiate or join a group video call as a guest without signing up as a Skype user. But the feature has its security drawbacks. Any user with the link can access a meeting, and links don’t expire.
BlueJeans’ calls are encrypted by default. But what BlueJeans gives in terms of security, it takes away as far as access. Joining BlueJeans isn’t free, and even the $13.99 per month “Pro” account has meeting limits of 75 people.
British platform StarLeaf is subject to local data privacy laws in the UK, and video calls are end-to-end encrypted. Since the pandemic, the company has offered its services for free worldwide. That said, StarLeaf has its limits. Group video calls are restricted to 25 participants, with a maximum length of 45 minutes per call.
Last month, Google announced that it would roll out free access to its Hangouts Meet tool, recently renamed Google Meet. The company announced that its premium features, which include video calls for up to 250 participants, live streaming for up to 100,000, and the ability to record meetings, would be free to users until September. It allows users to save chat sessions to Google Cloud. While Google encrypts messages sent on Meet, it doesn’t utilize end-to-end encryption for video calls. It does have several protections that will likely hinder “Zoombombing,” such as requiring external users to be invited by meeting administrators.
Social media and video chat apps
From FaceTime to Snapchat to Signal, there’s a wide array of video messaging features available for personal use. Snapchat allows video calls for up to 16 people, and you can have fun with its augmented reality tools. Unfortunately, Snapchat has not announced that group video calls are end-to-end encrypted. While Signal offers encrypted video calls, they’re only one-on-one. Facebook Messenger’s group video chat function is extremely limited. A maximum of 50 people can join in on a call, but only six people are displayed at one time. Facebook has promised end-to-end encryption for audio and video Messenger calls, but the jury is out on when that will happen. WhatsApp does offer free, encrypted group video calls, but there’s a limit of four people.
If you’d like help evaluating which solution works best for you, or if your current environment needs attention, please reach out to us.