Is ZOOM broken?
Bill Lewis
Empowering visionaries to achieve success. Experienced Chair, NED, CEO and Technologist. Strategic advisor on growth, funding, and transformation. Speaker on leadership and empowerment. Active entrepreneur and investor.
In the past decade Zoom emerged from a start-up in a crowded video conferencing sector to become a firm “stand-alone” solution adopted by business, a product re-branded and resold by large communications companies, and a firm with a multi-billion-dollar valuation.
In recent weeks and months its market share has shown meteoric growth on the back of a pandemic. However, underlying problems that security and technology analysts and bloggers were already airing in 2019, before the growth curve accelerated, were thrown into sharp relief when mainstream media picked up the story of serious flaws and dubious practices, and marquee clients started to ban the use of the app.
Was Zoom always vulnerable? Was it inherently broken?
It was a Business App before the public found the “Free” version
Early adopters were corporate users. Zoom was not attractive to the personal market, which was already cornered by Skype, and then by the likes of Google Hangouts, FaceTime, Facebook Messenger, WhatsApp, and WeChat and Line in Asia.
Many users found the need to download a Zoom app slightly archaic; elsewhere, communication tools were being embedded in all manner of productivity apps, including Slack, Microsoft Teams and Evernote, and browser-to-browser communication (Google Hangouts / Google Meet) was fast catching on, driven by a technology called Web Real-Time Communication (WebRTC) which Zoom appeared to eschew.
Mass adoption was also slowed by Zoom’s clunky user interface, which did not endear it to users, and reports that its more advanced features are difficult to use have not been uncommon.
Audio and video performance has lagged behind its web-based cousins. And its pricing formula, which racks up charges for additional functionality and bills per host per month (with a minimum of 50 hosts), soon had companies wanting to adopt it digging deep into their pockets to sustain a significant roll-out.
Growth nevertheless
Despite these negatives, Zoom has grown worldwide since its launch in 2013; by the end of 2019 it reported a peak of around 10 million daily meeting participants.
Then came the boom!
The coronavirus outbreak has seen daily meeting participants surge past 200 million (March 2020). WFH (Work From Home), remote teaching, and a seismic shift in how companies operate remotely have driven the usage of video conferencing in general and Zoom in particular.
How much of the growth is fuelled by the limited free version of the app has yet to be declared. (A very close friend declared she can use it free for 40 minutes, switch off, and then have another 40 minutes, also free!)
Behind the scenes, all was not well
With increased adoption came increased visibility and scrutiny, and Zoom has been found wanting.
While a small cadre of bloggers and technologists has been sniping at Zoom’s security flaws for a few years, the avalanche of criticism has been accelerated by exposure in the major media of issues that are not trivial.
The outcome of this public exposure has been the banning of Zoom by major governmental and corporate institutions across the world, ranging from the Australian Defence Force to the German Ministry of Foreign Affairs, from NASA and SpaceX to New York City public schools. And this list has been topped off by a class action suit against the company brought by a shareholder.
What’s the noise about?
Over the past year, and certainly building in intensity over the past two months, allegations have mounted against Zoom. The list is not trivial:
- “Zoombombing” - uninvited participants joining meetings and disrupting them with hate speech and pornography. Meeting IDs are short numeric codes, often shared publicly or simply guessed, and many meetings had no password set, so anyone holding the ID could walk in,
- “Zooming In” - the client starting a meeting and turning on your camera without you initiating it; in 2019 the Mac client was found to leave a local web server on the machine (even after the app was uninstalled) that let any web page force the user into a meeting with the camera on,
- Monetising personal data - Zoom is alleged to have collected a laundry list of data about its hosts and viewers and to have used that surveillance data for profit,
- Unauthorised sending of data to Facebook - the Zoom iOS app, through the Facebook SDK it bundled, sent device and usage data to Facebook on launch, even for users with no Facebook account,
- Your call is not fully secure, because it is not end-to-end encrypted. Zoom’s marketing claimed “end-to-end” encryption, but what it provided was transport encryption: content is encrypted between your client and Zoom’s servers, and those servers generate and hold the meeting key, so Zoom (or anyone who compromises or compels Zoom) can decrypt it. Its documentation also claimed AES-256 while the client used a single AES-128 key per meeting. AES-128 is not a weak cipher; the real weaknesses reported were the key being held by Zoom’s servers and the cipher being used in ECB mode, which leaks patterns in the plaintext,
- Zoom’s “attention tracking” feature, which let a host see whether a participant had clicked away from the Zoom window for more than 30 seconds,
- Private Zoom recordings turning up in public - thousands of recorded calls were found exposed on the open web, saved to unprotected online storage under Zoom’s predictable default file-naming pattern, which made them easy to search for, and finally, but certainly not least…
- Zoom has readily identifiable limitations in its cryptography, along with other security issues and servers located in China that at times distributed meeting keys, even for meetings with no participant in China; this presents a clear target for reasonably well-resourced nation state attackers, including the People’s Republic of China.
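To show why the encryption finding above matters, here is an added example written for this page by the editor; it is not Zoom code and not taken from the reports cited below. Citizen Lab’s analysis, summarised in the Schneier post in the references, found a single AES-128 key per meeting used in ECB mode. The key length is not the problem; the mode is. ECB encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks and the structure of the stream (a static video background, a repeated frame) shows through to anyone watching the wire. The Go code below encrypts a constructed, deliberately repetitive sample (not a Zoom capture) under AES-128-ECB and under AES-128-GCM with the same key, then counts repeated ciphertext blocks. Go’s standard library offers no ECB mode at all, so it has to be hand-rolled block by block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt encrypts pt (a whole number of 16-byte blocks) under AES in ECB
// mode, i.e. every block is encrypted independently with the same key.
func ecbEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(pt)%block.BlockSize() != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of the block size", len(pt))
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += block.BlockSize() {
		block.Encrypt(ct[i:], pt[i:i+block.BlockSize()])
	}
	return ct, nil
}

// gcmEncrypt encrypts pt under AES-GCM with a fresh random 12-byte nonce
// prepended to the output (nonce || ciphertext || tag).
func gcmEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, pt, nil)...), nil
}

// repeatedBlocks counts 16-byte ciphertext blocks that occur more than once.
// Under ECB, equal plaintext blocks give equal ciphertext blocks, so a high
// count reveals the plaintext's structure without recovering the key.
func repeatedBlocks(ct []byte) int {
	seen := make(map[string]int)
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])]++
	}
	repeats := 0
	for _, n := range seen {
		if n > 1 {
			repeats += n - 1
		}
	}
	return repeats
}

// samplePlaintext is a constructed stand-in for a media stream with a lot of
// repetition (a static background): 64 identical 16-byte blocks followed by
// 8 distinct blocks. It is made up for this example.
func samplePlaintext() []byte {
	static := bytes.Repeat([]byte("STATIC-FRAME-BLK"), 64) // exactly one block, 64 times
	varying := make([]byte, 8*aes.BlockSize)
	for i := range varying {
		varying[i] = byte(i)
	}
	return append(static, varying...)
}

func main() {
	key := make([]byte, 16) // AES-128: the key length is not the weakness here
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	pt := samplePlaintext()
	ecb, _ := ecbEncrypt(key, pt)
	gcm, _ := gcmEncrypt(key, pt)
	fmt.Printf("ECB: %d repeated ciphertext blocks (plaintext structure visible)\n", repeatedBlocks(ecb))
	fmt.Printf("GCM: %d repeated ciphertext blocks\n", repeatedBlocks(gcm))
}
```

With the constructed sample, ECB produces 63 repeated ciphertext blocks (the 64 identical frames encrypt to the same 16 bytes), while GCM produces none, because its counter-mode keystream differs for every block and every message. Note also what neither mode fixes: whoever holds the key, here the caller and in Zoom’s design Zoom’s own servers, can still decrypt everything, which is the end-to-end point made later in this article.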
OK, but I don’t use Zoom so I am safe…
Few people are aware that Zoom is also white-labelled to major communications companies and sold under their own brands.
Zoom’s vulnerabilities therefore also affect, to a greater or lesser extent, video services offered by RingCentral, Telus Meetings, BT Cloud Phone Meetings, Office Suite HD Meeting, AT&T Video Meetings, BizConf, Huihui, UMeeting, Zhumu, Zoom CN, EarthLink Meeting Room, Video Conferencia Telmex, and Accession Meeting.
What has been done and what can be done?
Zoom’s problems will not be cleared up in a few days. The issues that have been reported are not trivial, and now, with increasing scrutiny, more issues may come out of the woodwork.
CEO Action
However, Eric Yuan, Zoom’s CEO, has gone public in a blog listing the actions his company has taken to deal with the allegations (including the ones listed above) and has dealt in depth with many of the reported issues. “We moved too fast... and we had some missteps,” Yuan said in an interview with CNN’s Brian Stelter. “We’ve learned our lessons and we’ve taken a step back to focus on privacy and security.”
Zoom has announced “fixes” or “solutions” for some of the areas identified, and will - we assume - continue to do so.
This is an example of a CEO stepping into the fray and publicly taking charge, being very visible and accountable. Just what a CEO should be in circumstances such as these, so kudos to him.
Whether the actions will be sufficient to quieten the critics and deliver a believable reassurance that the problems are solved is yet to be seen.
However, as I read through the recommendations in the CEO’s blog and the related / referenced Zoom blogs, a lot of the onus is placed back on the user to solve the problem.
For example, to defeat Zoombombing you must learn to use a randomly generated meeting ID rather than your personal one, require a meeting password, and enable the “Waiting Room” feature. And there is a further long list of host controls for keeping unwanted guests out of your room.
Having created a monster, Zoom wants its users to learn ever more complicated steps and actions to mitigate the problem. It wants you to go deep into the bowels of an app already known for being cumbersome and difficult to use, to find tools and configurations which may solve some of the security problems identified. I would not be optimistic … users are not techies. Most users just want “plug and play”: switch it on and use it. The last thing they want (or may even be capable of) is following a series of cumbersome steps.
The most difficult one …
However, there are major design issues which are not trivial, and the one getting most attention is “end-to-end” encryption. Your call travels across the internet, via servers and networks, and securing that route, simple in concept, is fiendishly difficult in practice. With true end-to-end encryption only the participants’ devices hold the keys, so no server on the path can read the content. With Zoom, the content is encrypted only between each client and Zoom’s servers, and the meeting key is generated and held by those servers, so the call is not protected all the way. Delivering genuine end-to-end encryption is hard for a product like this because features such as cloud recording, telephone dial-in and transcription all rely on the server being able to see the content, and most pundits are doubtful that Zoom will crack this one any time soon.
Interestingly, a conversation with our own technical gurus in CoSMo revealed that they are one of the few teams in the world who have cracked this problem, and their solution is being used by Symphony in the fin-tech space and by (unnamed) government agencies. (Contact CoSMo.)
Is Zoom broken?
Broken technically - certainly; there are many aspects of the underlying technology which will require much rectification. This work is not minor, and it may be months or a year plus before we see results.
Broken integrity - there have clearly been some very dubious practices with regard to users’ data which were not accidental. Regaining trust that the application plays by a “fair set of rules” will need a major reset in the corporate mind and the ethos of the company.
Broken reputation - with marquee clients banning the use of Zoom, with Senators calling for an enquiry, and with class action lawsuits being instigated by its own shareholders, Zoom can hardly be described as untarnished. Damage limitation is, no doubt, on full throttle. Zoom has not yet suffered a “Ratner moment”, but it will have to haul back to recover the 26 per cent loss in company value over the past ten days and invest heavily to build a reputation that is unsullied by its past actions.
Contact Bill Lewis via Linked In
__________________________________________________________________________
The opinions in this article are the author's own and do not represent the opinions of any organisation.
References from which data was gathered include:
https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html
https://theintercept.com/2020/03/31/zoom-meeting-encryption/
https://www.businessinsider.sg/zoom-sued-shareholder-security-flaws-2020-4?r=US&IR=T
https://en.wiktionary.org/wiki/Ratner_moment