Why negative Zoom press is little more than clickbait.

Zoom Too Legit To Quit

Zoom has been making headlines recently, both good and bad.  Since we’ve been using Zoom for at least five years, I’ve had a lot of questions from our clients regarding what they’ve seen in the news recently. Before I go into the details of why, I will state that Spectrum trusts and will continue to use the Zoom platform.

Zoombombing

What is Zoombombing?  Zoombombing is when unauthorized people access your meeting and share inappropriate content.

Does this affect other platforms?  Yes.  Any platform that has a meeting link to join can fall prey to this same attack.

How is it happening?  One student thought it would be funny to share the meeting link information with someone who would disrupt his class, and others followed suit.  There are now dedicated groups that you can give your meeting ID to for purposes of bombing your meeting.  In all instances in the news, this was the vector of attack.

Can it be prevented?  Yes.  We use a combination of the following methods:

  • Enabling a waiting room that separates participants from one another until admitted to the meeting room.  I liken this more to when you’re put in an exam room and you’re waiting for the doctor than to being in the waiting room itself.  No one in the waiting room can see or hear each other or the host.  The host can see the list of participants and admit them one by one or en masse.  If someone maliciously joins the meeting, they cannot see or hear anything if not admitted by the host.
  • Locking the meeting to prevent new participants from joining.  Once the proceeding is underway, we lock the meeting so no one else can get in.
  • Password protecting the meeting.  This actually acts on another less likely attack vector: someone “guessing” the meeting ID of the meeting using an automated script.  Unlikely as it may be, meetings are now password protected by default to prevent this.
  • Disabling sharing by default.  If you trust the people in your meeting and you’ve taken the other precautions, you shouldn’t have to do this.  But we’ve done it anyway as an extra precaution.  If you need to share exhibits, we can easily enable the feature on the fly.

Lack of end-to-end encryption

What is end-to-end encryption?  End-to-end encryption (E2E) simply means that the communications cannot be intercepted by anyone except the sender or the recipient.

Does it affect other platforms?  As I recently shared with a client who was concerned about sensitive privileged communications, most other communication platforms he’s using lack E2E.  His text messages, emails, and phone calls all lack E2E.  So do the stacks of medical records lying around his office.  Same with the traditional videoconferencing we did for the past 20 years with Polycom units (E2E was possible but rarely used).  WebEx, which argues it is E2E encrypted, is giving only a partial truth.  See Why doesn’t Zoom just enable E2E? below.

Does lack of E2E put me at risk?  I would argue for most meetings, no.  Zoom, like WebEx and GoToMeeting, is encrypted between the service provider and each client.  But, since Zoom holds the encryption keys, technically it has the capability of decrypting (i.e. listening in on) your meeting.  This is used to enable a whole array of useful features listed in the next section.  Zoom has published that if, and that’s a big IF, a Zoom employee were to join your meeting in progress, they would be listed as a participant (not invisibly listening in).  If you are dealing with national-security level of information and cannot afford that risk, only E2E will do.  Zoom cannot access any uploaded meeting materials as of a previous security update.

Why doesn’t Zoom just enable E2E?  I imagine this is coming.  They hired the former Facebook Security Chief and froze all new feature development for the next 90 days so that they can focus on implementing security and privacy changes.  What’s important to note, though, is functionality is sacrificed when you enable E2E.  Look at WebEx, for instance.  In order to enable E2E, you must disable: Join before Host, Polycom/Lifesize (traditional videoconferencing) clients, Linux clients, cloud recording, saving meeting notes, sharing files, remote screen sharing, AND telephone participants.  I expect this will be the same list when Zoom offers E2E.

Chinese servers, hacked accounts, and other concerns

Is my information being stored on servers in China?  No.  Zoom does have servers in China used for Chinese Zoom meetings.  It was discovered that, during recent heavy usage in North America, some information was being routed through Chinese servers (including encryption keys).  This was by design to provide seamless and fast meetings but has been changed so that North American traffic will never route through Chinese servers.

I read thousands of Zoom accounts have been hacked.  True?  Sort of.  Hackers are taking email addresses and passwords from previous leaks, such as the huge LinkedIn breach in 2012, and trying them in Zoom.  Zoom itself has not been breached. There are thousands of accounts for sale that were previously breached and that match current Zoom credentials.
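For whoever reviews sign-in logs, the credential reuse described above has a recognizable shape: one source failing against many different accounts in a short time, with the occasional success. The sketch below is an added example, not code from Zoom or Spectrum; the log format, the addresses, and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2020-04-14T09:00:01 203.0.113.7 alice@example.com FAIL
2020-04-14T09:00:02 203.0.113.7 bob@example.com FAIL
2020-04-14T09:00:03 203.0.113.7 carol@example.com SUCCESS
2020-04-14T09:00:04 203.0.113.7 dave@example.com FAIL
2020-04-14T09:00:05 203.0.113.7 erin@example.com FAIL
2020-04-14T09:01:10 198.51.100.20 frank@example.com FAIL
2020-04-14T09:01:25 198.51.100.20 frank@example.com FAIL
2020-04-14T09:01:40 198.51.100.20 frank@example.com SUCCESS
"""

def parse(log_text):
    """Turn log text into time-ordered (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, account, outcome = parts
        events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return sorted(events)

def find_stuffing(events, window=timedelta(minutes=5), min_accounts=4):
    """Flag sources that fail against min_accounts distinct accounts in one window.

    Returns {ip: {"targeted": [...], "reset": [...]}}; "reset" lists accounts the
    flagged source signed in to, meaning a reused password worked.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start, targeted, reset = 0, set(), set()
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            span = evs[start:end + 1]
            failed = {acct for _, _, acct, out in span if out == "FAIL"}
            if len(failed) >= min_accounts:
                targeted |= {acct for _, _, acct, _ in span}
                reset |= {acct for _, _, acct, out in span if out == "SUCCESS"}
        if targeted:
            findings[ip] = {"targeted": sorted(targeted), "reset": sorted(reset)}
    return findings

if __name__ == "__main__":
    print(find_stuffing(parse(SAMPLE_LOG)))
```

The second source in the sample, one person mistyping a password twice before getting in, is not flagged; only the source spraying many accounts is, and the one account it got into is the one that needs a new, unique password.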

Is Zoom using their own encryption scheme?  Yes, which is frowned upon because it hasn’t been peer reviewed for weaknesses.  I expect we’ll see this change in the coming months.

I read that my Zoom recordings can be found on the internet because of the naming scheme.  Is that true?  No.  Not unless you download them and then upload them to a public server.  Then, in that case, yes.  Any Zoom recordings you have are private and not searchable when hosted on Zoom’s servers.

Is Zoom malware?  No.  This comment stemmed from a “creative” solution that made joining Zoom meetings very easy on iOS devices.  Problem was that it was sidestepping baked-in security protocols on iOS and possibly putting the device at risk.  This has been changed.

Is Zoom HIPAA compliant?  According to a five-page guide just published by Zoom in April of this year, yes.

Can someone send me viruses through Zoom? There was an exploit that could be used to run remote software that was fixed immediately after it was discovered. Since then, there have been no other exploits discovered that allow viruses to be sent.

Takeaways

Zoom is scaling at a blistering pace to keep up with a demand that it had no way to predict.  It has made some mistakes and will likely make others, just like any company does.  Their acknowledgement of issues and their prompt fixes give me even more confidence in their service.  Until something better comes along, I will continue recommending Zoom for your deposition and mediation needs.

About the author

Sam Mattern is the Operations Manager of Spectrum Reporting LLC. He holds a Bachelor’s in Computer Engineering Technology and has 15 years of experience in videoconferencing, network security, and related technologies.

Three Benefits of Knowing your Court Reporter is an Employee

At Spectrum Reporting, our court reporters are employees, not independent contractors.  You may not be aware of the employment status of your court reporter.  Most court reporting firms prefer to use independent contractors because the cost of doing business is less … tax savings and savings on employee benefits, to mention a few.  Spectrum prefers our court reporters to be employees even though we spend a substantial amount on supporting our reporter-employees through payroll taxes, employee benefits, equipment, tech support, training, etc.  There are also many intangible benefits to hiring employees, such as building ongoing, working relationships.

So, why does Spectrum Reporting employ their court reporters and how does it benefit our clients?

1. Your case files are available to you anytime you need them.

Spectrum Reporting retains your case files because we employ our staff.  On the other hand, an independent contractor controls your case files, not the company you hired.  You may need to order a transcript months or years after a deposition took place.  If an independent contractor was used and that court reporter is on vacation or has left the company, then it may be difficult or impossible to retrieve your files.  At Spectrum Reporting, we maintain your case files and can make them available whenever you need them.

2. We will preserve your files and keep them safe.

We maintain a backup of all your files, both on-site and off-site for added security.  You won’t ever have to track down a court reporter or worry about losing your transcript or exhibit files because a court reporter moved, changed employment, had their computer crash, or a basement flood.  You can rest assured that your case files are safe with us.

3. Company culture matters.

Spectrum Reporting provides its employees with benefits, training, equipment and support.  Trust and loyalty are built when people know their company is investing time and money in their future.  Employees that trust their company feel a sense of security and satisfaction in their work.  And happy employees make for accomplished professionals that do great work for our clients.

We are a company, but more importantly, we are a team.  We rely on each other.  Court reporting is at the heart of what we do.  Employing our court reporters and ensuring our product is protected enables us to operate as a successful team, developing trusting relationships with one another and our clients.

P.S.  The same is true for our videographers and office staff.