EXECUTIVE SUMMARY:

The coronavirus pandemic has forced employees to meet online, often via the popular Zoom video conferencing software. However, the de facto standard for many organizations across the globe has faced a series of security problems.

In May, Zoom came under scrutiny after it emerged that meetings advertised as end-to-end encrypted were not: Zoom itself held the encryption keys and could decrypt meeting content, and the encryption it did use was weaker than advertised. “Since at least 2016, Zoom misled users by touting that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications,” wrote the US Federal Trade Commission (FTC) in a complaint. “In reality…Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings and secured its Zoom meetings, in part, with a lower level of encryption than promised.”

This is problematic in that healthcare organizations, for example, believed that their Zoom calls met HIPAA requirements for protecting patient information, when in fact they did not.

Preventing further security woes: 

The FTC recently announced a proposed consent agreement that will hold Zoom to new security requirements. Once the proposed agreement is published in the Federal Register, a 30-day public comment period begins, after which the Commission decides whether to make the order final.

The proposed order bars Zoom from misrepresenting its privacy and security practices, requires an independent third-party security assessment every other year, and imposes new data storage requirements.

Will the FTC agreement suffice? 

Commissioner Rohit Chopra, dissenting, questioned the utility of third-party assessments, citing past cases in which such assessments failed to catch problems. Chopra also pointed out that Zoom is likely already subject to third-party audits because of demands in its customer contracts and existing orders.

In the settlement “Zoom is not required to offer redress, refunds or even notice to its customers that material claims regarding the security of its services were false,” states Commissioner Rebecca Kelly Slaughter. “This failure of the proposed settlement does a disservice…”

What are Zoom’s latest security enhancements?

Zoom has announced a trio of new efforts to respond to the latest wave of cyber security concerns. 

  1. The suspend participant activities feature: In the event of a “zoombombing” incident, meeting hosts and co-hosts now have the option to temporarily suspend the video call (pausing video, audio, chat and screen sharing) and to remove the uninvited participant. Hosts and co-hosts can also report the individual to Zoom’s Trust and Safety team; once the report is submitted, they can resume the meeting. This feature is enabled by default in the platform and available to all users.

  2. Report by participants: Meeting hosts and co-hosts are no longer the only ones who can report a disruptive user. Meeting participants can now click on the security icon at the top left of the screen and report the disruptive individual themselves. This feature is not enabled by default; admins and account owners must enable the setting for non-hosts.

  3. At-risk meeting notifier: This tool scans public social media posts and other websites for Zoom meeting links. When it detects a meeting that appears to be at high risk of disruption, it automatically alerts the account owner by email and provides security advice, such as changing the meeting passcode or enabling the waiting room.
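The at-risk meeting notifier is, at its core, a scanner for Zoom join links in public text. As an added illustration (this is not Zoom's code, and Zoom has not published its actual risk criteria), the following Python example finds Zoom join links in a few constructed sample posts, notes whether the passcode is embedded in the link, and aggregates how many public pages expose the same meeting. The `risk` labels ("high" when the passcode is in the link, "medium" otherwise) and the sample posts are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Zoom join links take the form https://zoom.us/j/<meeting id>[?pwd=<passcode>]
# or https://<tenant>.zoom.us/j/<meeting id>. Meeting IDs are 9 to 11 digits;
# the (?!\d) lookahead stops a longer digit run from being mistaken for one.
ZOOM_JOIN_RE = re.compile(
    r"https?://(?:[\w-]+\.)?zoom\.us/j/(?P<id>\d{9,11})(?!\d)"
    r"(?:\?(?P<query>[^\s\"'<>]*))?",
    re.IGNORECASE,
)


@dataclass
class Finding:
    source: str            # where the link was seen (page or post identifier)
    meeting_id: str
    passcode_in_link: bool  # pwd= parameter present, so the link alone grants entry
    risk: str              # assumed heuristic for this example, not Zoom's criteria


def find_zoom_links(source, text):
    """Return one Finding per Zoom join link found in `text`."""
    findings = []
    for m in ZOOM_JOIN_RE.finditer(text):
        query = m.group("query") or ""
        has_pwd = "pwd=" in query.lower()
        risk = "high" if has_pwd else "medium"
        findings.append(Finding(source, m.group("id"), has_pwd, risk))
    return findings


def scan_posts(posts):
    """Scan (source, text) pairs, e.g. scraped public posts, for join links."""
    findings = []
    for source, text in posts:
        findings.extend(find_zoom_links(source, text))
    return findings


def summarize(findings):
    """Group findings by meeting ID: the same link on several public pages is more exposed."""
    by_id = {}
    for f in findings:
        entry = by_id.setdefault(f.meeting_id, {"sources": set(), "passcode_in_link": False})
        entry["sources"].add(f.source)
        entry["passcode_in_link"] = entry["passcode_in_link"] or f.passcode_in_link
    return by_id


def alert_lines(summary):
    """Render the summary as the lines an owner notification e-mail might carry."""
    lines = []
    for meeting_id, info in sorted(summary.items()):
        lines.append(
            f"meeting {meeting_id}: seen on {len(info['sources'])} public page(s); "
            f"passcode exposed in link: {'yes' if info['passcode_in_link'] else 'no'}"
        )
    return lines


# Constructed sample posts for this example (not real meetings).
SAMPLE_POSTS = [
    ("twitter/post1", "Join our town hall: https://zoom.us/j/1234567890?pwd=abcDEF123 everyone welcome!"),
    ("forum/thread7", "https://example.zoom.us/j/98765432109 tomorrow 10am, passcode sent by email"),
    ("blog/page3", "Nothing to see here, https://example.com/j/123456789"),
    ("reddit/comment9", "Same town hall, link again: https://zoom.us/j/1234567890"),
]

if __name__ == "__main__":
    for line in alert_lines(summarize(scan_posts(SAMPLE_POSTS))):
        print(line)
```

In a real deployment the `posts` input would come from a crawler or a social media search API, and the alert would be routed to the account that owns the meeting ID rather than printed; the detection and aggregation logic is the part the example shows.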

The most exciting Zoom news: On Thanksgiving Day, Zoom plans to temporarily lift the 40-minute time limit for its free users.

To learn more about potential changes to Zoom’s security and privacy controls, check out this article by SC Media.