Who argued that privacy should be sacrificed during this global pandemic crisis? The NY Times wrote a great piece on this question last week, with a particular focus on Zoom.
COVID-19 has changed the world over the past two months beyond our expectations. At first, knowing who was a spreader, or even a super spreader, was critical for contact tracing to save lives. We happily gave up our private information when we knew there was a greater good, but this was not to be confused as some sort of general movement to give up the right to privacy altogether.
As the NY Times article states, when a piece of software is free, the running joke is that you pay with your privacy. Recently, the privacy and security revelations about Zoom, the popular videoconferencing software, went from just another tool that enables working from home to being exposed as potentially deprioritizing privacy and security in its development stack in favor of growth. Deprioritizing privacy and security is common for high growth technology startups. Sometimes the service’s pricing page makes the priorities obvious such as when security features are available to those who choose the more expensive payment plans.
For Zoom, who has undoubtedly gone through countless security reviews by its enterprise customers prior to its recent popularity, it’s something of a perfect storm. 10 million daily users in 2019 to 200 million in March 2020 is the sort of growth that leads to more scrutiny.
And the scrutiny resulted in finding discrepancies. Specifically, that Zoom claimed end-to-end encryption in marketing materials, including in a more technical white paper, as reported by The Intercept, when it in fact did not have end-to-end encryption. End-to-end encryption means only the meeting participants can see or view the content, as the communications are encrypted between users. However, it became clear that Zoom was able to access users’ content without a key, meaning there was no encryption on Zoom’s end. It’s a difficult technical hurdle, as Matt Green told The Intercept, but it’s also either encrypted end-to-end, or it’s not. The marketing material and white paper most likely were focusing on transport layer encryption, or TLS. TLS means that the transmission of content between a user’s device and Zoom is encrypted and, therefore, less likely to be intercepted by an unauthorized third party while in transit. Then “Zoombombing” happened.
While the end-to-end encryption debate continues, our focus turned to some of Zoom’s other practices. Behind all encryption is math. Sometimes it’s complex math understood by only a few experts around the globe. Other times, like in your daily newspaper’s anagrams, the math is basic.
If a user’s Zoom meeting ID is nine digits, it’s represented as 9! possibilities for all the meeting IDs. That means 10 x 10 x 10 x 10 x 10 x 10 x 10 x 10 x 10, which is 1,000,000,000, or one billion. We don’t know how many meeting IDs are distributed daily, or if Zoom blanks out the slate each day, or if Zoom just loops the distribution when IDs run out. But if you have 200 million users in, say, 50 million conferences with four users per meeting on average, that means there’s a 0.05% chance of someone picking a meeting ID randomly. If you don’t enable a meeting session password, the barrier to unintended eavesdroppers is pretty low.
A password added to a Zoom meeting is similar to two-factor authentication, which is better security. Think of an ATM card that requires a four digit pin, which is 4! or 10x 10x 10x 10, or 10,000 possibilities, but to use the pin you must also present the card itself. In the boundaries of “factors of authentication,” that means you possess two: what you know (the pin) and what you have (the card).
Now let’s adjust those odds. I don’t see many meeting IDs starting with 0, and I believe you can try and retry meeting IDs without any limits. That increases the odds that an unwanted third party can easily join conferences. And the more the third party succeeds, the more likely that third party is able to obtain very private, confidential information.
Therefore, we recommend you require a password for every Zoom meeting because the odds of protecting your meeting from unauthorized third parties improves if you combine the meeting ID and a password.
We also recommend you follow Techcrunch’s advice and remove screen sharing, or at least do not “allow removed participants to rejoin.”
Zoom is doing the right thing by focusing on privacy and security, but even they cannot promise full protection without a user understanding how to take good measures to protect themselves. Tolerance for disclosing personal information is, well, personal. If you don’t care who hears the contents of your meeting, then by all means, choose settings that are more flexible. A crisis like COVID-19 may shift that tolerance for risk in the short term towards increasing disclosure, but it would be wrong to assume that privacy and security are dead.