Disruptive and offensive as they may be, so-called “Zoom bombings” are the least of your worries when it comes to using the videoconferencing software.
Once a little-known videotelephony and online chat service, Zoom Video Communications Inc. has become a household name since the onset of COVID-19, used by companies, school districts, government bodies and groups of friends and families to connect in a virtual world.
The company reached roughly 300 million daily participants by mid-April, roughly 30 times the 10 million daily users in December, according to a company spokesperson.
However, increased reliance on the app to replace in-person meetings and events has brought to light a host of privacy and security concerns, forcing users to rethink the way they use Zoom and the information they share.
Perhaps the most worrisome aspect of Zoom in the eyes of Joe Devine, executive director for Tech Collective in Providence, is what happens with the user data and recorded meetings stored through the company’s cloud storage space. Over the last several months, various news stories have revealed security holes and leaks of stored user data and video recordings to third parties.
While Zoom has said it does not access or sell this information, the risks posed by such valuable and personal data falling into the wrong hands are significant, especially at a time when cybercrime is at an all-time high.
“Anytime anybody can get access to you or your system, there is a risk of worming their way through to more-valuable data,” Devine said.
Indeed, the security risks posed by Zoom are such that The Washington Trust Co. has opted to avoid it entirely, even blocking it from company systems, said James Mignone, senior vice president and chief information officer.
Particularly in banking, a highly regulated industry, Mignone said he did not think the software would pass muster with regulators, though to his knowledge there were no specific guidelines prohibiting banks from using Zoom.
Washington Trust has instead relied primarily on Cisco Webex for remote meetings among its workers, as well as those with clients and vendors. Unlike Zoom, which Mignone described as “built for a fun, quick conference more than a robust business operation,” Webex offers a fully encrypted software specifically designed for corporate needs.
Devine, too, recommended Webex and Microsoft Teams, another video-conferencing platform, over Zoom from a security standpoint, though he acknowledged that certain features of Zoom make it more user-friendly.
Zoom is also more conducive to large groups, which is why the city of Providence continues to use Zoom for public meetings despite a recent Zoom bombing at the City Council’s public hearing on the fiscal 2021 budget. The incident has not led to any major changes in city policy or protocol regarding Zoom, according to Chief Information Officer Jim Silveria, who said the city already put guidelines in place to help secure Zoom meetings, including using the webinar feature and creating a separate link for public attendees.
Silveria was unconcerned with whether Zoom keeps recordings of these meetings; the information discussed in these meetings is public and often recorded and shared on the city website and YouTube channel, as well as by various news outlets.
‘Anytime anybody can get access, there is a risk of worming their way ... to more-valuable data.’
JOE DEVINE, Tech Collective executive director
While certain security issues with Zoom remain, the company has addressed many of the initial causes for concern. In a message on the company website on July 1, CEO Eric Yuan named AES 256 encryption – the industry standard for data security – along with waiting rooms and passcodes as examples of the 100-plus new features the company has added since April 1 to improve security and privacy.
Zoom also touted upgrades to its platform designed specifically for educators, promoting features such as whiteboards and breakout rooms, as well as partnering with popular education software company Clever Inc. to integrate the two platforms. More importantly for the Bristol Warren Regional School District, Zoom signed a compliance agreement with the district, negotiated through the Rhode Island Student Privacy Alliance, allowing educators to take advantage of the platform just as distance learning began, according to Superintendent Jonathan Brice.
While the school district has relied primarily on Google and remote-learning platform Seesaw to teach students, educators have the option of using Zoom or Google for remote meetings, Brice said.
He characterized the district’s experience with Zoom as positive, adding that its initial offerings were more user-friendly than other platforms, though other companies have since upgraded their software such that these differences now seem negligible.
While Brice was not worried about breaches in privacy over Zoom due to the compliance agreement, he acknowledged that continued reliance on remote work will necessitate broader policy discussions about the best platforms and technology to keep sensitive student information private and secure.
“I foresee that the standards are going to increase with the proliferation of students utilizing technology tools as part of their normal, day-to-day school lives,” he said.
Regardless of Zoom’s level of security, a single platform can only go so far in protecting data. Devine emphasized the importance of other infrastructure and technology investments such as multifactor authentication and endpoint protection.
Nancy Lavin is a PBN staff writer. Contact her at Lavin@PBN.com.