Zoom has become one of the de facto tools of choice as we’re now all working from home during the COVID-19 pandemic. As usage has surged over the past few weeks, more people are asking questions about its confidentiality and security practices. In this blog, I outline some of the main risks, and give advice for guests, hosts or administrators of a Zoom meeting to improve privacy and security.

Privacy and security risks with Zoom

Zoom Video Communications is an American remote conferencing services company whose app provides video conferencing, online meetings, chat, and mobile collaboration. Despite claims to the contrary, Zoom video meetings do not have end-to-end encryption.

Each Zoom call has a randomly generated ID number between 9 and 11 digits long that participants use to gain access to a meeting. Researchers have found that these meeting IDs are easy to guess and even brute-forceable, allowing uninvited people to get into meetings.

If the meeting host fails to restrict screen-sharing to ‘host only’ or to disable ‘file transfer’ for the call, any participant can share malware (malicious software) or other nefarious documents or images with everyone on the call.

Other invasive ‘features’ have been noted that let the call host check up on their colleagues, and these may be used to monitor communications and chats conducted during a conference call. Zoom software was also configured to share personal data of those attending calls with external third parties, such as social media sites and online advertising companies.

What to do if you’re invited to a Zoom meeting

  • Each time you are invited to a Zoom meeting via a link in an email or document, check it before clicking to make sure it is a legitimate link
  • Be cautious with all emails and files from unknown senders
  • Keep your laptop or device camera covered and only uncover it when you choose to appear on video
  • Do not take screenshots of the meeting unless you have made people aware that you are doing so
  • Be aware that all chats, including private messaging, during a call are recorded and are available to the meeting host and the administrator.
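One way to apply the first point above, as an added example that is not from the original post: a small Python checker for an invite URL. It assumes the usual Zoom join-link shape (https://<subdomain>.zoom.us/j/<meeting ID>?pwd=<token>) and an allowlist containing only zoom.us; the 9 to 11 digit meeting ID range is the one stated above, and the sample links are constructed.

```python
"""Sanity-check a Zoom invite link before clicking it (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the legitimate domain is zoom.us (plus subdomains such as
# us02web.zoom.us). Extend this if your organisation uses another Zoom domain.
ALLOWED_DOMAINS = ("zoom.us",)
# Assumption: join links look like /j/<meeting ID>; the ID is 9-11 digits.
JOIN_PATH = re.compile(r"^/j/(\d+)/?$")
ID_MIN_DIGITS, ID_MAX_DIGITS = 9, 11


def host_is_allowed(host: str) -> bool:
    """Match on the domain suffix, not a substring: 'zoom.us.evil.example'
    contains 'zoom.us' but is an unrelated domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def check_invite(url: str) -> dict:
    """Return {'ok': bool, 'problems': [...], 'password_in_link': bool}."""
    problems = []
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        problems.append("link is not https")
    if parts.username is not None or parts.password is not None:
        # 'https://zoom.us@evil.example/...' shows zoom.us but goes elsewhere
        problems.append("credentials embedded before the host name")
    if not host_is_allowed(parts.hostname or ""):
        problems.append(f"host {parts.hostname!r} is not a Zoom domain")

    match = JOIN_PATH.match(parts.path)
    if not match:
        problems.append("path is not a /j/<meeting ID> join link")
    elif not ID_MIN_DIGITS <= len(match.group(1)) <= ID_MAX_DIGITS:
        problems.append("meeting ID is not 9 to 11 digits")

    # A link may carry the meeting password in the pwd parameter; if it does
    # not, expect a password prompt (or the host did not set one).
    password_in_link = "pwd" in parse_qs(parts.query)
    return {"ok": not problems, "problems": problems,
            "password_in_link": password_in_link}


if __name__ == "__main__":
    # Constructed sample links, not real meetings.
    for link in ("https://us02web.zoom.us/j/12345678901?pwd=constructed",
                 "https://zoom.us.evil.example/j/12345678901",
                 "https://zoom.us@evil.example/j/1234567890",
                 "http://zoom.us/j/12345"):
        print(link, "->", check_invite(link))
```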

If you’re the meeting host

  • Don’t share the meeting ID publicly; restrict sharing it only to those you wish to attend the call
  • Avoid using your Personal Meeting ID (PMI) to host public events, as this may be hijacked by others
  • Add a meeting password to your Zoom meeting and only share that password with those you wish to join the call
  • Allow only signed-in users to join
  • Add a lobby to your Zoom meeting and only admit those you wish to join your meeting from the lobby
  • Put each participant on a temporary hold until you’re ready to have them join. This allows the host to screen who’s trying to enter the event and keep unwanted guests out
  • As the meeting host, you can mute or unmute individual participants, or all of them at once. You can also enable the ‘mute upon entry’ feature in your settings to keep the noise down in large meetings
  • Lock the meeting after it has started, so no new participants can join
  • Don’t give up control of your screen. Should you give control of your screen to another person, they can then manage the call.
  • Where possible, do not discuss confidential or sensitive information on a Zoom conference call
  • Where possible, do not record calls unless you absolutely must. If you wish to record a call, make sure all those attending the meeting are aware you are doing so
  • Assume all chats may become public. You have little or no control over one of the participants taking screenshots or other types of recordings
  • You may want to disable video to block unwanted, distracting, or inappropriate images on video
  • You may want to turn off file transfer to prevent the chat from getting unwanted content
  • You may want to turn off or control annotation during screen share
  • You may want to disable private chat to stop participants from messaging each other privately, and restrict participants’ ability to chat with one another during your meeting
  • Remove unwanted or disruptive participants. There is a function to allow removed participants to rejoin in case you remove the wrong person.

If you’re the Zoom administrator

If you subscribe to Zoom and use it on a regular basis, it has many security features that simply need enabling, so familiarise yourself with the security functions and additional options available:

  • Enable Multi-Factor Authentication to add additional protection to your account
  • Ensure the administrator account uses a strong password. Anyone with access to this account can download any recorded videos, add themselves to sessions and control the security of the entire system.

We need to remember that companies are using Zoom, and other conferencing platforms, to survive through the COVID-19 pandemic, and each company needs to do a risk assessment that suits it. For many companies, the risks highlighted in the warnings from the FBI and The Citizen Lab will be acceptable; for others that may be discussing sensitive data, they may not be.