As a Cybersecurity professional, this is a question I am asked on many occasions. The short answer is: it depends.
But I know you would like a definitive answer to this question, so I will give you one: No. Zoom is not secure enough for what you do.
Now, before the Zoom ‘fans’ attack me, allow me to say that there is no such thing as 100% secure. This means nothing is absolutely secure. There is risk in the use of any online platform, including Zoom.
Zoom in context
Zoom experienced a surge in usage due to the COVID-19 pandemic, which caught it unawares and exposed a number of security flaws it had not anticipated, including “Zoom-bombing”, where unauthorized participants were able to join meetings. Other issues related to data privacy concerns and vulnerabilities in the application.
But who is ‘Zoom’?
Founded in 2011, Zoom Video Communications Ltd is headquartered in San Jose, California, USA, and launched its software in 2013. They have offices in 150 countries and over 500 million active users worldwide. They are a commercial company, and their platform allows users to connect with video, audio, phone, and chat. They are a communications company – and security and communication are often at odds.
So, how secure is Zoom?
In the past, Zoom has come under fire for its security capabilities, but since 2020, it has done a lot to improve the underlying technical infrastructure to address the issues it once had.
Some of the security features it now boasts include:
- End-to-end encryption (E2EE): Meaning only the attendees of meetings will have access to the video content. Even Zoom itself cannot access this information.
- Waiting room: This allows the host of a meeting to approve or deny participants before they can join.
- Authenticated users: Only authenticated users can join meetings, which prevents unauthorized users from joining by requiring them to enter a meeting ID and password.
On the face of it, Zoom looks secure, and they have certainly done a lot to try and address the security concerns many people have.
Not everything is as it seems
Let us take a quick look at one of the features that many people point to when they say that Zoom is secure: encrypted meetings.
On Zoom’s own support page, they state “Enabling end-to-end encryption for meetings requires all meeting participants to join from the Zoom desktop client, mobile app, or Zoom Rooms.”
This means encrypted meetings are impossible when anyone uses the browser version of Zoom. On the same support page, it states that enabling encrypted calls will disable a number of other features that many people have come to rely on. This means that users have to balance security with some of the other features Zoom provides.
How confident are you that your clients are using the desktop client for Zoom?
Zoom and Privacy
Zoom is a commercial product. They need to improve their services continually, which means they need to be confident that their products are of sufficient quality and improving.
They make the statement that the transcript is not retained. But how confident can you be that this is the case? The latest twist in the tale is the announcement that Zoom is using AI.
Zoom and AI
It should come as no surprise that a platform like Zoom is going to use AI to improve its services. Almost every large technical company (like Google and Microsoft) does.
How is Zoom using AI?
Zoom has released a full statement that should dispel any fears about the use of AI, and the fact that they are using recordings to ‘teach’ the AI, and improve its functionality. In the Zoom statement, they state, “For AI, we do not use audio, video, or chat content for training our models without customer consent”.
They repeat this statement in the terms of business, in section 10.4 (Customer Licence Grant). However, they also state that:
“You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content and to perform all acts with respect to the Customer Content” (10.4 Customer Licence Grant)
My question to you is: when tools like Zoom ask you to ‘Accept’ or ‘Decline’ their terms of business, how often do you read them? And what happens when you do NOT accept them?
On the face of it, the question “Is Zoom Secure” isn’t easy to answer, but I would say, no, not for your industry. Despite Zoom’s claims that they are secure, the real question is: are they keeping your information private?
Zoom is a commercial tool, and it was never really intended to be used by people offering therapy.
I’m sure this is a debate that will rage on, but ultimately the question to answer isn’t “Is Zoom Secure?” It’s “How much can we trust ‘Big Tech’ with our personal information?”
Gary is the co-founder of ‘Consultants Like Us’, a Cybersecurity and Information Governance Consultancy dedicated to helping organisations improve their security. He is a Cybersecurity and Data Protection specialist with over 25 years of experience in Information Security. He is a published author, regular blogger, and international speaker on Cybersecurity best practices and security frameworks like ISO27001.