I’ll admit I’m a bit late in writing this blog post – classes have been going for three and a half weeks, we’re almost at the midterm point, and we’ve been on Zoom the entire time. But better late than never, I suppose.
Zoom’s fixed some stuff. There’s other things they need to look at. But what does this all mean for Carleton?
What’s in the Past
Meeting rooms have a number associated with them that people can use to join those rooms. If you have the number, you can use it. This is a problem if the number gets out, especially if you use the same number for every meeting of a certain type (which happens a lot for repeatedly scheduled meetings).
There’s not a ton that can be done to stop this, since it’s the core concept, and people do need to know the number sometimes — but Zoom did fix a previous issue, where the meeting room number was displayed prominently in the video screen. This meant that any screenshot of the video chat would contain it, which made it way easier to get out. That’s over now. You can find the meeting number if you try, but it’s not visible by default anymore.
The controversial attention tracker is also gone. Basically, Zoom had a feature where, when enabled, if the Zoom window was not your primary window for more than 30 seconds, it would alert the meeting’s host. This was bad from a general privacy standpoint, but also not particularly accurate for people who have multiple windows open at a time — say, to take notes during a work meeting.
They’ve also included a note in the banner that says when a video call is being recorded by the host. It’s a small red light in the top right corner, next to the word “Recording” (though as far as I know, the only current ways to opt out of being recorded are to mute your audio and video, or to leave the call).
Two new features introduced specifically to combat ‘Zoombombing’ (the sudden entrance of bad actors into a Zoom call through a leaked meeting ID or link) are automatic waiting rooms and the ability to prevent banned users from rejoining. Zoom waiting rooms make people wait to be admitted to the meeting, rather than letting them join whenever, and if a user is kicked out for bad behavior, there’s an option to prevent them rejoining entirely.
Concerns about data being shared with Facebook are now addressed as well. Previously, Zoom sent analytics data to Facebook, even for users who had not logged in using their Facebook account. They made a comment addressing this, saying, “Zoom takes its users’ privacy extremely seriously. We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data.” Since I can’t find updates about this in the past month, when other concerns such as the ones above have arisen, I’m going to give Zoom the benefit of the doubt and assume they’ve fixed the issue.
At present, there are other issues. Some are my personal concerns, others could be major red flags.
Personally, I don’t love the fact that hosts get to keep full logs of each meeting’s chat by default. There was misinformation going around that saved chatlogs include all private chats as well as public ones, but Politifact debunked that, saying, “If you send a private message to the person recording the meeting, it could end up on a transcript. If you send a private message to another person in the meeting — someone who isn’t able to record the meeting — those messages won’t end up in the transcript.” Still, while I get that it’s practical, it feels like something that should be opt-in rather than opt-out, and something which people should be notified about while in the call.
Similarly, the notification Zoom has added to indicate when a call is being recorded is small and easy to miss. Since it’s part of the top bar (next to the encryption lock, sound controls and information button), it blends in with other settings if you’re not looking for it, and it fades away after a few seconds without moving the mouse or interacting with the screen.
The biggest issue, though, is encryption. In its marketing campaigns, Zoom claimed its calls were all end-to-end encrypted. What that means, practically speaking, is that the information from your call is encoded, passed from you to Zoom, passed from Zoom to the other parties on the line, and then de-encoded. Zoom has no way of decrypting your messages or finding out what you’re saying — in theory.
In practice, Zoom does not use end-to-end encryption, and its own custom encryption software has been criticized for not being up to industry standards. This means Zoom could decrypt your calls and, theoretically, so could other parties. Additionally, they’ve been taken to task for using insecure servers overseas in China to route personal call data, making it possible for foreign governments to access the Zoom meetings.
These security issues are among the many reasons why Zoom is no longer used by companies such as SpaceX and Google (which hosts a competitor, Hangouts), and governing bodies like the New York Department of Education, all Taiwanese government agencies, Singapore’s Ministry of Education, and the German Ministry of Foreign Affairs. The United States Senate and Pentagon have restricted or cautioned against the use of Zoom, though not banned it outright. The United Kingdom Parliament has elected to keep using Zoom to pass legislation (though only bills that are expected to receive near-unanimous support).
Let’s start off with the obvious: Carleton is not a governing body. It is, however, an educational institute. Most of the concerns surrounding education have not come from questions of data privacy, but issues like Zoombombing, where people have joined virtual classrooms in order to expose themselves to children and teens, or shout and display racist or hateful messages.
I have no idea how I would begin to assess the risk that this might happen to Carleton classrooms, particularly since the public reaction has sent Zoom scrambling to keep this from happening again. Additionally, Zoom has a number of features that make it very well-suited for Carleton’s usage: a Licensed account (available to all Carleton community members) can host meetings with up to 100 people for an unlimited length of time, customize meeting IDs or links, and other perks. This would suit pretty much any class Carleton offers, and allow for some more specific security options.
The biggest question to ask (as a number of articles point out) is: is what I am doing over Zoom worth hacking? Government bodies, which deal in state secrets, are right to be worried, as are major corporations; educational departments dealing with minors are reacting to threats that have already been demonstrated. Telehealth and medical information is not advisable to be transmitted over Zoom, though many (including SHAC!) are doing it already. But for personal meetings or college classes, it would be better to ask, why would someone try this? Would it be worth the effort?
So, basically: if any of what you’ve read above worries you, try investigating some alternatives (available in the sources). If you don’t think what you’re doing would tempt any bad actors, then it’s your call.
Sources & Resources
“Zoom Security: Here’s What Zoom Is Doing To Make Its Service Safer”, O’Flaherty, Katie. Forbes, 4/10/2020. https://www.forbes.com/sites/kateoflahertyuk/2020/04/10/zoom-security-heres-what-zoom-is-doing-to-make-its-service-safer/#6329003630fc
“Private messages sent to Zoom meeting hosts could appear in their transcript”, O’Rourke, Ciara. Politifact, 4/13/2020. https://www.politifact.com/factchecks/2020/apr/13/viral-image/private-messages-sent-zoom-meeting-hosts-could-app/
“Is It Safe to Use Zoom?”, Feldman, Brian. New York Magazine, 4/9/2020. https://nymag.com/intelligencer/2020/04/the-zoom-app-has-a-lot-of-security-problems.html
“Zoom privacy and security issues: Here’s everything that’s wrong (so far)”, Wagenseil, Paul. Tom’s Guide, 4/28/2020. https://www.tomsguide.com/news/zoom-security-privacy-woes
“10 free Zoom alternative apps for video chats”, CNet, 4/6/2020. https://www.cnet.com/news/10-free-zoom-alternative-apps-for-video-chats/
“Top 5 video conferencing services to use with remote employees”, Reese, Hope. Tech Republic, 2/19/2020. https://www.techrepublic.com/article/top-5-video-conferencing-services-to-use-with-remote-employees/
“Zoom security issues: Zoom could be vulnerable to foreign surveillance, intel report says”, Hodge, Rae. CNet, 4/28/2020. https://www.cnet.com/news/zoom-security-issues-zoom-could-be-vulnerable-to-foreign-surveillance-intel-report-says/
“Using Zoom while working from home? Here are the privacy risks to watch out for”, Hodge, Rae. CNet, 4/2/2020. https://www.cnet.com/news/using-zoom-while-working-from-home-here-are-the-privacy-risks-to-watch-out-for/
“Worried about Zoom’s privacy problems? A guide to your video-conferencing options”, Paul, Kari. The Guardian, 4/9/2020. https://www.theguardian.com/technology/2020/apr/08/zoom-privacy-video-chat-alternatives
“How to Keep Your Zoom Chats Private and Secure”, Nield, David. Wired, 4/5/2020. https://www.wired.com/story/keep-zoom-chats-private-secure/
“Is Zoom Safe and Is Your Privacy at Risk? Video Calling App Explained After Hacking Vulnerabilities Exposed”, Murdock, Jason. Newsweek, 4/2/20. https://www.newsweek.com/zoom-safe-privacy-risks-explained-video-calling-app-hacking-vulnerabilities-coronavirus-1495728
“Is Zoom safe to use? Here’s what you need to know”, Hussain, Suhauna. The Los Angeles Times, 4/13/2020. https://www.latimes.com/business/technology/story/2020-04-13/is-zoom-safe-to-use-heres-what-you-need-to-know
“Ethics Week 3: What’s the CCPA?”, Irwin, Pilot. Carleton DS Interns, 1/24/2020. https://ds.interns.sites.carleton.edu/digital-ethics/ethics-week-3-whats-the-ccpa/