Zoom out

How quickly the ground shifted on Zoom. Since March 30th the video conferencing app has been exposed by gaping security and privacy vulnerabilities. The impact on higher education is immense and must be addressed swiftly.

Zoom’s security and privacy vulnerabilities are deal breakers for higher education. Why? The online journal Inside Higher Ed shared shocking news: Dissertation Defense on Zoom Interrupted by Racist Attack. Yes, the ’N word’ was zoombombed at Cal State Long Beach during a dissertation defense. Educause links to multiple zoombombing articles.

Stunningly, multiple campus zoombombings quickly followed prompting the FBI to issue this warning: Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic addressing concerns across higher education. Yet, The Chronicle of Higher Education returns NO articles about Zoombombing.

These two events instantly change any campus conversation that all is well using Zoom. A Zoom cool factor was going viral just as Coronavirus closed down all higher education colleges. Students can sway easily via online trends.

Look at Zoom’s March 18th Collection of your Personal Data privacy statement:

Zoom gathers and sells to data brokers very personal information of your students and colleagues. Add the orange hi-lighted scraping of your campus network data and asset information.

Remember when an app is free many times you become the product. Zoom (NASDAQ) has been operating for nine years.

I know what you are thinking — how did this happened?
Many colleges had no idea Zoom was reckless with the data security and privacy of our students. Prior to coronavirus Zoom had about 12 million users. By late March this jumped to over 100 million. Instant capacity issues.

While some faculty teach one online course, Coronavirus moved all teaching online. Campus labs and studios are somehow moving virtual. There is much more work to be accomplished as students expect this delivered the current semester.

Enter the perfect storm.
Colleges had to magically figure out how to move all teaching online. Worse, the solution has to be in production under two weeks. While some Colleges benefitted from a spring break buffer, others were forced to make quick decisions without a security review. Faculty may have opted for Zoom without campus guidance.

With the above campus incidents now public (and continuing) this moves wider across campus. Protecting our students and colleagues from security and privacy vulnerabilities now requires input from the campus offices of Legal Counsel and Risk Management.

Faculty (and support staff) are justly protective of their students. The pandemic forced a lot of immediate change (and stress levels) around campus. This is also not about a college switching video conferencing platforms during regular business operations.

Look, acknowledge Coronavirus forced rapid changes to existing campus technology services never witnessed before, including the 9/11 attacks. During the rush to protect our students and colleagues you cannot look for a quick fix. Zoom was the free, quick fix.

Allow me be frank.
Zoom has repeatedly lied about data security and privacy. Has Zoom learned their lesson? Consider the following impact to your campus:

1. Zoom does not use end to end encryption
   1. Zoom falsely displays an encryption message on their app.
      The Munk School of Global Affairs & Public Policy, University of Toronto
      
   2. Wired article about Zoom’s lack of truthfulness: So Wait, How Encrypted Are Zoom Meetings Really?
      
2. HIPAA compliance
   The free, consumer version of Zoom is not HIPAA compliant. To protect college students (and staff) health data information:
   1. Zoom requires a separate HIPAA/PIPEDA plan with pricing starting at $200 per month/per account.
      
   2. Campus IT must configuration h.323/SIP endpoints to secure encryption.
      
   3. Campus Office of Compliance or Legal Affairs must establish a HIPAA BAA.
      
3. Zooms sells user data to Facebook
   Zoom lied about selling user data to Facebook. They did not even acknowledge this in their March 18th privacy update. They permit Facebook to track user data.
   1. Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account
      
   2. Zoom acknowledge the Facebook data sharing
      
   3. Responding to backlash, Zoom stops sharing user data with Facebook
      
   4. Zoom CEO apologizes for having ‘fallen short’ on privacy and security
      
4. Zoom snoops user data from LinkedIn profiles
   This may not be an important issue across all colleges:
   1. A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles
      
5. Government Zoombombing
   1. U.S. Senate tells members to avoid Zoom over data security concerns
      
   2. US Senate tells members not to use Zoom
      
   3. US House Oversight Committee meeting was zoombombed three times.
      
6. Hackers….
   The information security community knows very well once an app becomes popular, hackers begin exploiting code vulnerabilities:
   1. Interest in Zoom Zero-Day Hacks Is ‘Sky-High’ as Meetings Move Online
      
   2. Zoom Vulnerability Lets Hackers Hijack Your Webcam
      
   3. Zoom’s A Lifeline During COVID-19: This Is Why It’s Also A Privacy Risk
      
   4. Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
      
   5. Login details of verified Zoom accounts posted on Dark Web
      
   6. Hackers are posting verified Zoom accounts on the dark web
      
   7. Zoom Credentials Database Available on Dark Web
      
   8. Stolen Zoom passwords and meeting IDs are already being shared on the dark web
      
7. China
   Chinese ownership or involvement by itself isn’t necessarily problematic. However regarding encryption (above) there can be no wiggle-room. As reported by the University of Toronto the Chinese government reserves the right under local law to compel access to Zoom’s servers otherwise encrypted sessions.
   1. Zoom admits some calls were being routed through servers in mainland China
   2. Zoom sends some encryption keys to China
      Legally Zoom is obligated to disclose keys. Maybe campus institutional research keys as well.
   3. Zoom’s response

No company writes perfect code. Face it, nation state actors Russia, North Korea, and Iran are just warming up to Zoom code flaws. Seriously.

Just imagine a racist zoombombing during your next online class, campus event, Dean’s meeting, or public art performance. And the damage to your College brand…

And the obvious pledge from Zoom to fix it all? No kidding…the Attorney Generals of Connecticut, New York and Florida have opened probes into Zoom with the AG of Connecticut himself a victim of zoombombing. Fast Company’s position: Here’s when you can trust Zoom, and when you shouldn’t.

Higher Education must protect the security and privacy of our students and colleagues during this pandemic.

UPDATE April 13th:
Wisconsin’s hotly debated election last week during the pandemic resulted in a City of Milwaukee election commission zoombombing: ‘Zoombombing’: Outsiders hack city Election Commission videoconference on absentee ballots