Regarding security and privacy concerns with teleconferencing software

During the voluntary and, since Monday Apr 6 at 12:01 am, state-mandated Stay-at-Home Order, the Alliance Française de St. Louis is committed to making every effort to ensure that our students are able to continue their studies of French language and culture during the COVID-19 pandemic. Further, it is important to us to make certain that we can retain our teachers and continue to pay them as they are the tied-for first-most important asset to the organization: there’s a “convenient but necessary” symbiotic relationship between teachers and students.

Many of you have already engaged in our distance classes, initially via . However, the quality of sound and video suffered when Skype calls included 4 persons or more. This prompted us to look at the four most highly-rated teleconferencing apps including Cisco, Webex, Zoom, and GoToMeeting. Of those, Zoom rated #1 in overall customer reviews.

Zoom also rated highest in all categories:

This includes ease-of-use, quality of support and ease of setup as ranked by the users:

As of Fri afternoon, just 24 days, in 302 meetings with 1419 participants spanning 64589 minutes (>1075 classroom-hours), we have had a much better experience than with Skype and Zoom includes two-way interface tools that are valued highly in educational environments.

Every e-communications company knows that the industry faces the very difficult balancing act of providing for adequate security with user-friendly features in their products. Zoom was built to be feature-rich but also easy to use with little technical expertise to install and operate. The user reviews of Zoom indicate that the product was beating out its competitors.

Zoom has experienced, as the number of people afflicted with COVID-19 explodes, similar exponential growth, going from 10 million users a day in Dec 2019 to well over 200 million a day in April as adults ​ ​ telecommute and students engage in distance-learning all over the world. Any program or app that experiences that kind of success becomes a target for attention-seekers. Over the last 2 weeks, you may have heard and/or read numerous media reports about the safety, privacy, and security of Zoom. As with all crisis-related stories, think “COVID19”, there often is negative hype that pushes to the top what might otherwise be well below our “radar”.

I’m responding to you, teachers, students and members, to reassure you of our concern with those issues and what we are doing to reduce the chance that you and your family will have a troubling experience while on Zoom with us.

That’s the short-and-sweet version of “Here’s what we’re doing to keep you, your data, and your children safe while taking online classes with the Alliance Française de St. Louis using Zoom.” If you just need to know that’s our priority, then the only thing left is to remind you to update your Zoom software whenever it prompts you to do so; that’s YOU protecting YOU. Otherwise, you can stop here. You may scroll to the bottom of this article to find a variety of critical articles as well as published items about Zoom’s largely constructive and responsible reaction to the criticism. Some are very readable but others may be of more interest to those with a geekish bent.

If on the other hand, you’re more curious about the details of how we’re protecting you, please read on for the “semi-geek” version. I want to communicate to you, our students and members, my response as the AF’s (volunteer) IT guy because there are so many changes happening with Zoom. Let me summarize the concerns and provide Zoom’s responses to those in no particular order.

1) Probably the most concerning and most misleading article was published in (a British ​ ​ newspaper) entitled “Zoom is malware”. Issues that some security researchers called “privacy disasters” and ​ ​ “fundamentally corrupt” due to the mishandling of user data (unauthorized sending to and ​ ​ LinkedIn) had already been addressed by Zoom’s CEO Eric Yuan. The privacy and security issues identified in the Guardian article were addressed in a publication authored by three security experts unaffiliated with ​ ​ ​ ​ Zoom that refuted the “malware” designation noting that Zoom isn’t paying lip service to the problems, but had already fixed some, rewriting the software so Zoom no longer violated those privacy concerns by unwarranted user data sharing. The CEO of Zoom has publicly stated that no data has ever been and will ​ ​ never be sold. He attributed security risks to not having anticipated the rapid growth of Zoom. Similar ​ abuses occurred with , and YouTube as their userbase grew. ​

2) On Wednesday April 8, Bloomberg News quoted CEO Yuan as stating “Zoom is safe” compared to its ​ ​ competitors and that the company has never sold user data and never will. He attributed the security risks to not having anticipated the rapid growth of the platform and the broadening of the user base outside the business world even though the same abuse issues occurred with Twitter, Reddit, and YouTube among ​ ​ others.

3) On Wednesday, April 8, I attended an online webinar with Zoom’s CEO, in which he reiterated the issues that were being addressed. On the same day, a new release of Zoom dropped and everyone is encouraged to download and install it by launching Zoom and following the prompts about 5 minutes before ​ ​ your next class. Please make sure it’s on all your devices with which you connect to your classes.

4) On Thursday I attended, and will continue to attend in the future, the teleconference meetings on updates to the Zoom software.

5) Additionally, the Guardian piece pointed out the most well-known issue, that of video hijacking, ​ ​ nicknamed “Zoom-bombing”, in which an intruder, usually unknown, infiltrates a legitimate meeting with varying degrees of malicious intent aiming to disrupt the event. This kind of disturbance can be automatically prevented by several already-available security tools built into Zoom. Most of the “security lapses” which allow a malicious/mischievous individual to intrude in a Zoom session are block-able from the administrator’s global settings for hosts (our teachers) as well as host-selectable invite settings. In order to reduce the potential for a Zoom-bomb during AF classes, we have instituted (on Sunday April 5th) the use of a “password challenge”. Many of you will need to enter a password. You will see this new window after clicking “join a meeting” but some classes are still using the previous links that do not require passwords:

Beginning next session, ALL classes and private lessons will require passwords. You will see in your Zoom invitation:

6) The responsibility also falls on the users; you should NEVER share a meeting link (and password) with ANYONE, even a classmate and especially not over . Teachers will set up Zoom classes once per session, using the same meeting link and password for every class until the next session, so retain the invite ​ and password in your email. ​

7) In addressing the Zoom-bombing vulnerability, the FBI offered the following advice to hosts and participants in a press release: ​ ​ a. Hosts should not make meetings or classrooms public but should require a password. (We are ​ doing this for all new meetings as of April 5. 100% implementation starting Session #4, June 6). b. Implement the “waiting room” feature preventing new participants from joining until admitted by the host who admits only guests recognized as having been invited. (We have always implemented ​ “waiting room”). c. Hosts and guests should never share the meeting ID, link, or password on social media or unsecured media but only by direct email to the invitee. (This is the cause of most Zoom-bombing ​ incidents, whether “innocently deliberate”, malicious, or inadvertent). d. Host should not allow screensharing by others until inside the meeting. (This is now a default ​ setting since April 5). ​ e. Update both host and user software whenever updates are released. (As of this message, April 11, ​ ​ the latest update was released on Apr 8).

8) Other security measures suggested both by Zoom and various security experts include: a. Disable the “one-click join” feature and use randomly-generated meeting IDs. (The AF global ​ settings implemented this as of April 5). ​ b. Enable two-factor authentication for secure entry. (At this point in time, we are not implementing ​ two-factor authentication but should it become necessary, we will turn this feature on globally). c. Host (teacher) should take active measures to control participants (students) by using “mute mic” and camera control options. (Our teachers have been trained to use this feature as of April 5). ​ d. Once all guests are admitted, engage the “Lock Meeting” session. (This feature will be included in ​ the next round of one-on-one teacher training). e. Disallow file transfer by participants. (This feature was implemented on April 5). ​ f. Prevent “booted” bad actors from rejoining by disabling the rejoin meeting option. (This feature ​ will be included in the next round of one-on-one teacher training). g. Do not enable video recording unless essential. (This feature has been disabled globally as of April ​ 11). h. Employ the virtual background option or engage the “blur screen” feature to keep private information from being gleaned from your surroundings or shared computer screen. (This feature ​ will be included in the next round of one-on-one teacher training). i. Disable private chat. (We have allowed teachers to do this at their own discretion). ​ j. Turn off shared screen annotation. (We have allowed teachers to do this at their own discretion). ​ k. Put attendee on-hold. (This feature will be included in the next round of one-on-one teacher ​ training). l. Disable participant’s video. (This feature has been disabled as of April 11). ​ ​ m. Prevent meeting recordings. (We have prevented this in the admin global settings but the topic will ​ ​ be discussed with AF Exec Director). n. Prevent video from being uploaded to cloud storage. (This feature has been disabled as of April 11). ​ o. Disable live-streaming. (This feature has been disabled as of April 11). ​ p. Remote camera control by participants. (This feature has never been implemented.) ​

9) In response to future development, Yuan made several promises to current, former, and future clients. a. Commitment to resolve reported security issues; b. Implement security constraints by default on certain users; c. Ceased all work on new features, committing 100% of software engineering resources to resolving security issues for the next 90 days; d. Expand Zoom’s third-party security audits and penetration tests, bounty program (pay outsiders rewards to find security holes), prepare a transparency report on requests for data sharing from outside entities (governmentt and law enforcement); e. Removed Facebook and LinkedIn feature to prevent unnecessary data disclosure previously; ​ ​ f. Provide live weekly web conferences to disseminate updates and take up concerns about further security/privacy issues; g. Resolving the practical disconnect between the industry’s use of the term “end-to-end encryption” and the compromised version presently utilized by Zoom; h. The biggest change the establishment of a collaboration of security and privacy consultants to advise him on the path forward to better meet the demands of the customer base. In addition, Yuan hired one of the world’s most-respected and -qualified digital security consultants, Alex ​ Stamos, currently on faculty at Stanford, having been involved in various advisory capacities with ​ ​ ​ Facebook (Chief Security Officer), Harvard’s Defending Digital Democracy Project, UCal Berkeley’s Center for Long-Term Cybersecurity, the Council on Foreign Relations, and NATO’s Collective Cybersecurity Center of Excellence.

As the administrator of the AF Zoom account, I will be attending weekly tele-conferences with the Eric Yuan in which privacy and security issues will be discussed. Additionally, when new versions of the software are introduced, I will attend the webinars addressing the improvements and pushing a message out to teachers, students and members about the update via the AF newsletter. Finally, I will be implementing the appropriate software settings on the host side of the meeting scheduling tool for the best ongoing experience and security of our students, making sure our teachers understand the changes, and providing helpful information to our students by issuing notices when Zoom software is updated and providing the link to the most recent version for each device (PC, Mac, iPad, iPhone, and Android tablets and phones).

Below is a Strategic Plan Action Grid for each area of concern and how each stakeholder (Account Administrator [Dave]; Teachers, and Students) can safeguard their security, privacy, and safety to maximize the benefit of the learning environment not just for themselves but also for other students.

If you have any concerns or questions, please don’t hesitate to contact Dave Mount, IT Director for the AF: [email protected]. For urgent connection issues, please call Dave Mount: 806.236.7323. ​

Here is Zoom’s FAQ page: https://support.zoom.us/hc/en-us/articles/206175806-Top-Questions ​

Area of Problem Zoom Account Teachers’ Students’ Concern Administrator’s* Responsibilities Responsibilities Responsibilities Security Data sharing Lock default settings for Set up meetings w/ Proper set-up of Zoom all hosts (teachers) passwords preferences Contact Alliance IT* if concerned about security compliance awareness

Privacy Sale of user data by Implement updates as Inform students of Update Zoom as soon as Zoom (CEO claims it released and notify need to update Zoom advised never was sold; teachers inadvertently shared) End-to-end Implement updates as Inform students of Update Zoom as soon as encryption released and notify need to update Zoom advised teachers

Safety Sharing Meeting ID Implement updates as Properly label course Do NOT circulate meeting released and notify info on meeting title URL (link) on social media teachers and students (teacher name, day, time, session) Do not “advertise” Retain email invites with meeting details on meeting link for entire social media session Do not “advertise” meeting details on social media Attend Zoom CEO Attend host training Seek training for Zoom if webinars for security on new Zoom needed updates features Attend Zoom software update webinars Provide training for If training needed, If training needed, contact teachers contact Dave Mount* Dave Mount* Install all updates on Keep device OS account management updated on all Zoom tool devices Encourage students Keep device OS updated to install Zoom on all Zoom devices updates Restart device at Restart device before class beginning of the day Implement waiting room feature Do not admit anyone Ensure that name is whose name does identified when logged in not appear on their account screen Properly manage attendees

*Alliance Française IT: Dave Mount 806.236.7323 or [email protected] to set appointment or for help ​ ​

Reference Bibliography for Zoom Security Message 2020 April 10

Zoom Download Center: https://zoom.us/download?zcid=1231 ​ ​ FBI Warning (FBI Boston): https://www.fb​ i.gov/contact-​ us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online -classroom-hijacking-during-covid-19-pandemic

Zoom Frequently Asked Questions (FAQs): https://support.zoom.us/hc/en-us/articles/206175806-Top-Questions

Alex Stamos biography (Stanford University): https://cisac.fsi.stanford.edu/people/alex-stamos-0 ​ ​ ​ Preventing Zoom-bombing: https://blog.zoom.us/wordpress/2020/03/20/keep-uninvited-guests-out-of-your-zoom-event/

Keep Zoom Chats Private and Secure (WIRED.com): https://www.wired.com/story/keep-zoom-c​ hats-private-se​cure/?bxid=5cec247d3f92a45b30e5ac12&cndid=4816720 9&esrc=AUTO_OTHER&source=EDT_WIR_NEWSLETTER_0_DAILY_ZZ&utm_brand=wired&utm_campaign=aud-dev& utm_mailing=WIR_Daily_040620&utm_medium=email&utm_source=nl&utm_term=list1_p2

How to protect your Zoom calls (Washington Post): https://www.washingtonpost.com/te​ chnology/2020/04/03​/zoom-video-set-up/

The Zoom Privacy Backlash is Only Getting Started (WIRED.com): https://www.wired.com/story/zoom-backlash-zero-days/ ​ ​

Update on Zoom’s 90-Day Plan to Bolster Key Privacy and Security Initiatives (Zoom Blog): https://blog.zoom.us/wordpress/2020/04/08/update-on-zoom-90-day-plan-to-bolster-key​ -privacy-and-s​ ecurity-initi atives/

Use Zoom? Here Are 7 Essential Steps You Can Take To Secure It (Forbes.com): https://www.forbes.com/sites/kateoflahertyuk/2020/04/03/use-zoom-here​ -are-7-essentia​l-steps-you-can-take-to-s ecure-it/#2f3cc8cd7ae1

Working on Security and Safety with Zoom – Alex Stamos (Medium.com): https://medium.com/@alexstamos/working-on-security-and-safety​ -with-zoom-2f61f1​ 97cb34

Zoom adds new security and privacy measures to prevent Zoombombing (TheVerge.com): https://www.theverge.com/2020/4/3/21207643/zoom-security-privacy-zoombombin​g-passwords-waitin​ g-rooms-d efault

Zoom boss apologizes for security issues and promises fixes (BBC.com): https://www.bbc.com/news/technology-52133349 ​ ​

Zoom Has A Dark Side – And An FBI Warning (NPR.org): https://www.npr.org/2020/04/03/826129520/a-mus​ t-for-million​ s-zoom-has-a-dark-side-and-an-fbi-warning

Zoom is showing how to respond to criticism the right way (TheVerge.com): https://www.theverge.com/interface/2020/4/3/21203720/zoom-bac​ klash-apology-zoom​ -bombings-eric-yuan

Zoom isn’t Malware – Amit Serper (Medium.com): https://medium.com/@0xamit/zoom-isn​ t-malware-ae0161​ 8e2046

Zoom privacy and security issues – Here’s everything that’s wrong (so far) (TomsGuide.com): ​ ​ https://www.tomsguide.com/news/zoom-security-privacy-woes

Zoom Product Updates – New Security Toolbar Icon for Hosts, Meeting ID No Longer Displayed (Zoom Blog): https://blog.zo​ om.us/wordpress/2020/04/08/zoom-product-updates-new-security-toolbar-icon-for-hosts-meeting-i d-hidden/

Zoom Says Platform Is as Safe as Peers, Boosts Privacy Tools (Bloomberg.com): https://www.bloomberg.com/news/articles/2020-04-08/zoom-ceo-say​ s-platform-is-as-safe​-as-peers-boosts-privacy -tools

Zoom video meetings have become the way to deal with social distancing mandates. But it still come with risks. (WashingtonPost.com): https://www.washingtonpost.com/ ​ ​ ​ Zoom videos exposed online, highlighting privacy risks (WashingtonPost.com): https://www.washingtonpost.com/technology/2020/04/03/tho​usands-zoom-video-calls-lef​ t-exposed-open-web/

Zoom-Zoom – We Are Watching You (CheckPoint.com): https://research.checkpoint.com/2020/zoo​m-zoom-we-are-watc​ hing-you/

Zoom’s Big Security Problems, Summarized (Forbes.com): https://www.forbes.com/sites/marleycoyne/2020/​ 04/03/zooms-b​ig-security-problems-summarized/#291c6b29464 1