John Shier | Senior Security Advisor | Sophos | mail me |
Zoom has claimed that it is actively trying to make changes and make the application more secure.
The privacy and security issues escalated in recent times, and there are alternatives one can follow.
Can Zoom ever be fully trusted again?
Whether Zoom can be trusted or not depends on how it responds to the various privacy and security issues that have been brought forward in the past few weeks.
While they’ve certainly made some major mistakes, it does seem that the company is responding appropriately. They’ve made some changes to improve default settings for privacy and security for all accounts and have gone further for specific use cases, such as education.
They’ve also enlisted the help of prominent figures in the security industry and established a CISO council to help them find and mitigate the remaining privacy and security issues.
All the while, they have been attempting to communicate proactively and transparently. This doesn’t mean that every issue will be quickly fixed but it does help with regaining our trust.
The other side of this conversation is what’s the alternative? There’s no guarantee that if everyone were to move to another platform they wouldn’t experience similar or worse issues.
Enterprises versus consumers
There is some truth to Zoom’s founder’s claims that the app was meant for enterprise use, and wasn’t built with consumer privacy as there are different privacy requirements for enterprises versus consumers.
For example, a boardroom meeting where confidential information is being discussed has different privacy requirements than say a book club meeting.
That said, Zoom unfortunately wasn’t starting from a very strong position overall. Part of the problem stems from the fact that Zoom went from about 10 million daily sessions to over 200 million daily sessions in a very short period of time.
The platform is meant to be extremely easy to use and friction-less which often times means trade offs between security and privacy are made. In this case, some of the trade offs were how the default settings were implemented.
In free use accounts, the users were left to configure the security and privacy settings themselves whereas in an enterprise environment the IT organisation would have had the ability to apply strict policy settings centrally.
Thankfully, Zoom has since made some needed changes to their defaults that has made all Zoom sessions more secure and private.
The best ways forward for live video conferences
Signal has a proven track record when it comes to security and privacy. This is by design since Signal specifically has been built with security and privacy principles in mind.
That doesn’t mean, however, that apps and services like Signal are free from vulnerabilities or unintended security issues.
For example, while the Signal protocol itself is very secure and reliable, the desktop version of the Signal app is an Electron application. This means that there’s more code, in addition to Signal’s native code, that can potentially introduce bugs. The bottom line is that whatever service you use has the potential for vulnerabilities.
What matters is that the companies that are producing these services treat security and privacy as an integral part of the design and build process, as Signal and others have. To that end, for any company to be successful in this space they have to start with a well defined security program in place.
This means that all parts of the business will have security in mind: from initial concept, to design, testing and implementation.
As we’ve seen with Zoom they are now just starting to integrate security thinking into their business and while we commend these efforts, it should have been there from the beginning.