Trapped at home and want to web conference using Zoom?  Just be careful...
One of my web conference fuzzy slippers

6 Apr 20, Monty, CTO Federal Resources Corporation, www.fedresources.com

In the new normal of the COVID-19 pandemic, organizations of all shapes and sizes, as well as the general public, are struggling to figure out exactly how to stay visible, relevant, and available to their customers, members, supporters, friends, and family - without being face-to-face. Use of video-teleconferencing, web conferencing, webinars, and other remote forms of communication has stormed to the forefront of our daily lives. My Luddite wife spent an hour last night with her retiree mother making sure they could both do a web conference from their respective living rooms (ours in Maryland, hers in Florida). Like many of your children, my kids are 'attending' classes via web conferencing. For my own part, I have purposefully done every single web conference the last two weeks wearing my fuzzy slippers - just because I can.

However, this new use of the internet at unprecedented scale to replicate being 'face to face' is not without security and privacy considerations. For example, in the case of the Zoom web conferencing client, a few unintended consequences such as Zoombombing are cropping up in virtual meetings, distance learning, and internet classrooms. Dozens of incidents are being reported where pornographic images, racial slurs, hate images, or other questionable visual or audio content are being introduced by 'uninvited guests' to Zoom web conferences. While there is no profit motivation, many miscreants are alleviating the boredom of their government-mandated isolation by wreaking havoc on unsuspecting web conferences. Alcoholics Anonymous meetings, religious services, a women's tech leadership group, and dozens of K-12 classrooms have reported instances where an uninvited participant trolled the event with vile content designed simply to disrupt or halt the meeting.

Further, the unprecedented scale of new use is exposing some best-practice challenges for vendors such as Zoom, the use of which has exploded over the last month. Zoom's list of past and present woes isn't any more earth-shattering than any other software vendor's. However, these problems should give you pause, particularly if the web conference's exchanged data, conversation, or ideas are sensitive, intellectual property, trade secrets, or anything else that should be protected. Take a look at this list of recently identified Zoom challenges:

  • allows remote website webcam execution
  • installs on Mac without user interaction at root level privilege
  • allows piggybacking onto camera and Mac privileges, permitting hijacking
  • sending user data to Facebook - even without a FB account
  • potentially leaking account and personal information between large-scale freemail providers such as Gmail, Yahoo, Hotmail
  • encryption limits who can see call or meeting data - except Zoom itself, which has access to unencrypted meeting streams and data

None of this makes Zoom a bad product or company, and in fact some items on the above list have already been addressed. However, both people and companies often look only at Availability when determining an internet-enabled tool's value. Once there is widespread use of the tool, that use itself will demonstrate the neglect paid to Confidentiality and Integrity.

So whether you're enabling something for your organization, a group you belong to, or your Luddite wife and mother-in-law, take your time and observe a few basics:

  • Make sure you're comfortable with the privacy considerations of hosting your group using someone else's software knowing that software isn't perfect, and companies often apologize afterward for selling your data rather than asking your permission in advance. If you wouldn't have your discussion in front of a group of strangers because of its sensitivity, you may want to consider some alternatives to freeware web conferencing.
  • Where are you getting the software from? Make sure that the source is a safe, approved app store such as Google Play, Apple, Microsoft, or directly from the manufacturer's website. When you install from third-party sources, you may be getting additional software you don't want.
  • When you're signing up, there are also a few privacy no-nos - the first one is asking for your birth date. What they're really asking: "Are you a minor?" Set the birth date for something over 21 years old, but don't use your real birth date.
  • The second one is asking you to link to FB or Google; this aggregation of data, particularly held by Zoom, is unnecessary. Go to the trouble of signing up using an e-mail account.
  • Zoom has enabled password controls by default; use them! This isn't foolproof by any stretch of the imagination, but your job here is to make it more difficult to have your party crashed, not impossible. Talk to your users - the invite and password should be something they don't advertise except to other known members.
  • Do a test-drive of the software by yourself or with one or two other members to gain familiarity with the controls. Practice limiting their usage, or blocking their ability to interact, so that if the need comes up during your real meeting, you know how to respond without delay.
  • There's also a 'lock meeting' function so that when all of your expected participants have shown up, you can lock the meeting from further entrance.
  • Under the 'more' section of the client: change the default settings to mute participants upon entry, don't allow them to unmute themselves, and don't allow them to rename themselves; these features, while convenient, can add confusion and allow unintended guests to hijack control with questionable content.
  • Lastly, there's a waiting room function - use it! If you don't recognize someone, don't let them in! In this age of hyper-accessible communications, I can assure you that your intended guest who can't get in will contact you in real-time to gain access.

If you take a few minutes to understand the software, its features and protections, potential security and privacy challenges, and craft your guest list carefully, your web conference will go smoothly without unintended consequences.

Mike Carroll

2nd in Command (and that's a distant second)

4 years ago

Practical tips from a practical dude. Thanks Scott

Tom Moore

Global Sales and Channel Executive in Cyber Security Market

4 years ago

Great summary Scotty. Thx. I agree with Raja, that slipper does look a bit rough. Maybe that helps with your in-house social distancing? Be safe and wash your hands.
