Zoom, the world’s leading video conferencing platform, has taken recent steps to improve its security but journalists who value their privacy should still remain cautious when using the app. In Part 2 of this series on video conferencing for Reporters Without Borders (RSF), tech security expert Bence Kócsi explains the risks to be aware of, and the security precautions journalists should take when using Zoom.
Zoom rose to popularity at the beginning of the COVID-19 pandemic, and is an accessible alternative to in-person meetings which may be too expensive, time-consuming, or unsafe for journalists to undertake. However, Zoom is a valuable target for hackers and has a history of concerning data-handling practices. Journalists should take steps to protect their privacy if they are communicating sensitive information, meeting with contacts, or trying to operate anonymously on the platform.
Risks of using Zoom
- “Zoom-bombing” can disrupt meetings. This is a form of trolling where unwanted participants gain access to a Zoom meeting mostly for the purpose of being disruptive and annoying, but it can also be more malicious. Unwanted guests may have found a meeting link, or guessed or uncovered a password. Private government conferences, and media staff meetings have been infiltrated on Zoom.
- Zoom has a history of concerning data-handling practices. In 2021, Zoom settled an 86 million USD class action suit for sharing data with Facebook, LinkedIn, and Google, without informing its users. In 2020, a Zoom employee sympathetic to the Chinese government was able to monitor and disrupt meetings commemorating the Tiananmen Square Massacre.
- Zoom has provided user data to the Chinese regime. In 2020, it was reported that Zoom was routing user data from the US through Chinese servers. The FBI found that Zoom had agreed to provide China with “special access” to user data, including encryption keys to meetings.
- Screen-sharing can reveal more than intended. In 2021, a glitch on Zoom meant that when a participant screenshared a single window on their computer, their whole screen would be briefly shown.
Zoom’s in-built security features
- End-to-end encryption (E2EE) is available. Zoom meetings are partially encrypted by default, but to hide the content of the meeting from Zoom itself, users have to enable E2EE in settings.
- Password-protection is available, meaning that, with the feature on, participants cannot access the meeting with the link alone and must enter a passcode.
- Virtual waiting rooms are also available, which allow participants to be manually identified before being granted access by the host in order to join the meeting.
- Meetings can be locked to prevent new participants from joining, or limited only to specific accounts to which an invitation has been sent.
- Reporting features and host privileges allow hosts to suspend chats, mute or even remove disruptive participants.
Recommendations when using Zoom
- Always set a password and enable virtual waiting rooms, allowing the host to positively identify every participant before they join.
- Sanitise before screen-sharing, by closing any sensitive or private content to prevent the possibility of accidentally revealing the wrong window.
- Enable end-to-end encryption when discussing sensitive information, and ensure all participants see the same security numbers before continuing.
- Rename saved meeting clips, because Zoom’s automatic naming conventions make the files very easy to search for should a hacker gain access to where they are saved.
- Update Zoom regularly. Due to its popularity, and value as a target for spying and data collection, security updates and bug fixes are constantly being rolled out. The best way to keep the app secure is to keep it up-to-date.
← Read Part 1: Common security risks
→ Read Part 3: Google Meet
Bence Kócsi is an experienced freelance editor, writer, and researcher. He has been focusing on a wide range of topics including digital security, technology, historical linguistics, politics, and medicine.