Video Calling and Coronavirus: Is Zoom Safe?

April 07, 2020

By: Drew Sorrell

The use of Zoom as a meeting platform has exploded alongside the spread of COVID-19. With that growth have come many questions regarding its security and privacy. Those concerns are usually twofold: (1) is it secure, and (2) are meetings private?

Start with the first question: is it secure? That question has a lot of different possible meanings, but for this article let’s assume it means, “Can people intercept and access my communications in a technical sense?” While no encryption setup is perfect, technical analysts have pointed out (to describe it in non-technical terms) that Zoom did not take a stock approach to security and “went their own way”. This is known as “roll your own” in security circles.

There is nothing per se wrong with this encryption approach, but it may give rise to non-standard issues. Stated differently, if you build your own engine and install it in a vehicle you built, the vehicle may perform better, worse, or just differently than a vehicle that rolled off the assembly line.

Regardless of the encryption/engine/vehicle metaphor, Zoom catches a lot of heat for not being so-called “end-to-end” encrypted. End-to-end encryption, in this sense, is when the video call data is encrypted at all times in transmission and the platform provider is unable to decrypt it. As it currently stands, Zoom is somewhat opaque about the details of its encryption.

Most technical experts seem to agree that the primary issue is that Zoom itself could be capable of decrypting the call data for its own uses, or for the use of the government or a commercial partner. This last possibility has raised the specter of regulatory enforcement, primarily under the relatively new California Consumer Privacy Act.

Zoom does have the ability to be “end-to-end”, but that would require hardware installation at your company, for which most companies have no appetite. That said, while I would not use Zoom to plan the overthrow of a country, I probably would not be too worried about the standard business fare with respect to technical security.

Given that security (in this article meaning encryption) and privacy are not the same thing, let’s talk privacy for a moment.  

Zoom has been criticized for being susceptible to trolling and meeting crashing by Internet trolls who obtain meeting IDs and use them to disrupt meetings. From my perspective, this issue results from the user misunderstanding the technology more than a failing of Zoom itself. When you leave the directions to a party out in the open, it is not really surprising that unwanted people are going to crash the party. There are several ways to address this issue, including not posting or broadcasting the meeting ID, requiring a password, creating a “waiting room”, restricting screen-sharing, and locking the meeting. Each of these, you will see, is more a matter of educating the user than a defect in and of itself.

While this is not to diminish the issues and criticism (especially the lack of clear disclosure, which is more or less an industry standard), every tool has its limits. The key is knowing what those limits are. If you don’t think Zoom is for you, there are plenty of alternatives, including FaceTime, WebEx, GoToMeeting, Skype, Slack, Facebook Messenger, and Microsoft Teams. I, for one, will still use Zoom… for most things.

This article is informational only. You should consult an attorney before acting or failing to act. The law may change rapidly and no warranty is given. LOWNDES DISCLAIMS ALL IMPLIED WARRANTIES AND WITHOUT LIMITATION, ANY WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. ALL ARTICLES ARE PROVIDED AS IS AND WITH ALL FAULTS. Consult a Lowndes attorney if you wish to establish an attorney/client relationship.

Drew Sorrell is a seasoned business lawyer with particular expertise in technology, cybersecurity and privacy issues. With an MBA in marketing and finance, he approaches clients’ legal issues with both a practical business bent and a self-described geeky love of technology.

Drew enjoys working with CLOs, CIOs, CTOs and technology owners at businesses of all sizes in every phase of their legal needs. He assists them on the front end, drafting and negotiating software licenses, Internet service provider agreements, data privacy/breach policies and procedures, and employment/services agreements as well as the indemnity and insurance coverage related to those agreements. He advises clients on the GDPR and state-specific regulations, penetration testing and security audits. He also has years of experience handling matters when things go wrong, including data breaches, privacy issues and other technology or software problems.

A founding member of the Sedona Conference Group 11 (Privacy/Data Security), Drew is frequently asked to speak and write on legal and ethical issues arising from technology, including unfair and deceptive trade practices, data breach, privacy, data governance, and technology contract drafting. He is chair of the firm’s multi-disciplinary Data Governance Group as well as the past chair of the Orange County Bar Association’s Intellectual Property, Business Law and Technology Committees. Drew is also the past president of the Orlando Chapter of the Federal Bar Association.

Outside the technology arena, Drew has substantial expertise in both contracts and commercial litigation. In addition, he has experience assisting clients with government contracting. Drew began his legal career as a judicial clerk to Senior United States District Judge John H. Moore II, in Jacksonville, Florida, and then practiced with an AmLaw top 10 firm in Manhattan. After a stint as an assistant county attorney responsible for day-to-day legal advice and litigating civil issues for the county, Drew returned to Lowndes. Drew is admitted to practice in Florida, New York and the District of Columbia.

Born in Florida, Drew roots for his adopted football team—the FSU Seminoles (because neither Rollins nor George Washington has a football team). He is the proud father of two sons who wrestle and play the euphonium, make great grades and generally keep him on his toes.
