Using Zoom for activism? Think about security!

Published in

#resist!

13 min readApr 3, 2020

Last updated: August 30. Originally published April 2.
Zoombombing remains a problem; see Prof. Anima Anandkumar’s thread about her KDD keynote from late August. If you’re using Zoom, the Global Forum for Media Development’s “Zoom-bombing” prevention & resources guide has some solid recommendations, and so does How to Keep Uninvited Guests Out of Your Zoom Event on Zoom’s blog. Zoom continues to fix security problems, so please make sure you have the latest software — but be careful of malware.

With online organizing as the only short-term option, Zoom has become increasingly popular for activism groups. There’s a lot to like about Zoom: it’s easy to use, it provides phone access as well as video, their free plan allows unlimited meetings, you can use it without an account or sign in and use a pseudonym, it’s got useful functionality like breakout rooms.

Unfortunately, Zoom also has a track record of security and privacy problems — and by March 2020 the company was in the midst of something of a security crisis. A wave of Zoombombing got so severe that the FBI’s issued warnings. Since then, there’s been a steady stream of high priority security bug fixes — which usually means there are a lot more security bug fixes coming. The company’s facing lawsuits and GDPR violations for sharing data with Facebook, Attorneys General from several states looking into their privacy practices, skepticism from cryptographers, bans in New York City and other school districts, campaigns from Color of Change member Dennis Johnson and Fight for the Future … yikes.

With their business at stake, Zoom reacted swiftly — freezing functionality for 90 days as they focused on security, hiring a CSIO, buying Keybase, and bringing in some high-profile consultants. Hopefully they’ll make continue progress — back in the early 2000s, Microsoft was in a similar situation (including freezing Windows development to focus on a “security push”) and over time really turned things around. But it’s not like we can stop organizing while we want for Zoom to clean up their act.

The last section of this post briefly looks at several options, open source and from companies with better reputations for security and privacy than Zoom. For meetings involving highly confidential stuff, and any organizing where you’re concerned about your meetings being targeted by governments, intelligence services, or white supremacists, consider paying attention to Citizen Lab’s April 3 recommendation:

As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality, including …activists, lawyers, and journalists working on sensitive topics

In fact, some experts who I really respect, for example Eleanor Saitta, recommend not using Zoom at all for activism at this point.

But many meetings don’t require heavy security. Citizen Lab’s report also said:

For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning.

Most of the experts I’ve talked to about this think that Zoom, properly safeguarded, is still a plausible option for now in many activist situations. It’s important to keep in mind that security isn’t the only consideration. Ease of use, familiarity, and performance with bad network connectivity are also valuable.

Zoombombing is concerning, even with Zoom’s improvements over the last six months. Still, you can reduce the risk substantially by locking down your settings, been careful distributing meeting links and passwords, and have a team of trusted co-hosts in place to limit the disruption by using Zoom’s in-meeting settings to boot people and disable functionality. Often, that’s good enough.

Of course, that’s all easier said than done —and Zoom doesn’t have any thorough tutorials on this that I know of. So if you’re continuing to have meetings on Zoom, here are a few things to think about.

Make sure you’ve got the most current version — and watch out for fake apps and other malware

Update Available! A lot of details, and then two buttons: Update (highlighted in blue), and Later

Like so many other apps, Zoom regularly releases new versions. Just in the last week, they’ve fixed a vulnerability that potentially gave attackers control over the Mac, and removed the code that sent people’s information to Facebook. So you want to make sure you’re running the latest version. At the same time, though, keep in mind that there is malware and adware installers being created that pretend to be Zoom client installers.

Zoom is supposed to automatically checks for updates (usually when a meeting winds up) and shows you an alert when a new version is available. It’s also a good idea to double-check manually from time to time. On an iPhone or iPad, the best bet is to check the App Store and update from there if needed. On a Mac or PC, there’s a “Check for Updates” option in the main menu of a meeting. Here’s what it looks like on the Mac.

zoom.us menu, with several menu items and then “Check for Updates …” highlighted

If you have never installed Zoom before, the Zoom Download Center at https://zoom.us/download is the place to start.

Be careful about embedding links or passcode in posts or emails that a lot of people will see!

The easiest way for somebody to zoombomb a meeting is to get either a link to the meeting, or the meeting ID and passcode. That’s also the easiest way for an infiltrator to silently eavesdropping in a meeting, potentially taking screenshots or recording, another threat activism groups should think about. So it’s very important to be careful about sending out the link, meeting ID, and passcode.

This is always a good thing to do no matter what software you use. Because of all the Zoombombing, it’s especially true right now with Zoom.

Here’s some approaches that can work well:

If the meeting is fairly small, and you have contact information for everybody who’s going to be there, the easiest and safest approach is to send them with the link, passcode, and dialin info individually — and ask that them not to forward it. One easy way to do this is copy the invitation for the meeting, which includes the link as well as call-in numbers, and send it to the specific people you want to invite via email, text, Signal, WhatsApp, or whatever messenger you use.
You can also create a calendar event when you’re scheduling a meeting (although make sure not to choose the Google calendar option, which can hijack your camera and mic; you want the “other calendars” option instead, even if you’re using Google). Once you‘ve got it on your calendar, you can simply invite people to it the way you would any other event.

Calendar: unselected buttons labeled “iCal” and “Google calendar” followed by a selected button labeled “Other calendars”

You can also select an option when you’re creating the meeting to have people register for the meeting by providing their name and email address. This can work well if you know the email addresses of likely attendees (although for semi-public meetings, that often isn’t the case)

Registration, followed by a checkbox labeled “Required”, checked

If you don’t have have a specific list of people you want to invite, you can send invitation to an email list, share it in a Facebook or messenger group, or make it into a private Facebook event. One thing to keep in mind is that the larger the list or group is, the greater the chances that the link will eventually get to somebody who wants to disrupt the meeting — or just listen in on what you’re saying. Still, there are times when it’s worth taking the risk of posting the info to a large mailing list or group.

In any case, it’s worth putting additional protections in place — and thinking in advance about what you’ll do if somebody starts acting disruptive.

Understand Zoom waiting rooms, passcodes, and registration

One excellent change Zoom made in April that noticeably improved security is to enable passcodes and waiting rooms by default. Starting in late September, they’re going to go further and require that every meeting has at least one or the other. Both of these are useful; neither is a magic bullet.

A “waiting room” prevents attendees from joining a meeting until a host admits them individually from the waiting room. Zoom’s got a lot more information on this in How to Manage Your Waiting Room and Secure Your Meetings with Virtual Waiting Rooms. But it’s not always easy to know whether or not somebody should be admitted; I’ve seen several reports of classes and other meetings that got disrupted by people impersonating the real attendees.
A passcode provides valuable additional protection against Zoombombing and eavesdropping by stopping people from “Wardialing” and guessing a meeting ID. That’s good! But if people who want to Zoombomb you get ahold of the passcode, then it doesn’t actually give you any additional protection.

Once you have a meeting passcode, then you have to get it to people. The easiest way to do this to embed the meeting passcode in the link. Zoom calls this a “one-click join”: attendees just have to click on the link. It’s incredibly convenient — but it also means that anybody with the link also has the passcode.

Embed password in meeting link for one-click join, followed by a slider set to “on”

If you have a secure way to get the passcode to everybody who wants to attend the meeting, consider disabling this option to add an additional level of defense. If you do this, also be careful about sending out the Zoom meeting invitation, which also includes the passcode.

Zoom’s help pages for waiting rooms and passcodes go into a lot more detail on lots of other settings related to this functionality, including the ability to customize your waiting room.

With a paid account, you can also turn on registration, requiring people to sign up in advance. You can ask potential attendees for information; you based on their answers, you decide whether or not to send them a link. A couple things to keep in mind about registration:

It can work well when it’s easy to decide whether or not you to send a link to somebody based on their answers; that’s not always the case.
Once you send somebody a link, they can share it with other people who can also use it to get into the meeting. Sometimes this is very helpful, but it also opens up possibilities for attackers.
Make sure to watch for new registrations during the meeting; sometimes people can’t find their link and so need to re-register. You can also automatically accept new registrations but that also means that any potential Zoombombers or infiltrators can get in.

Get familiar with Zoom’s settings and in-meeting security options

In April, Zoom added a new security toolbar icon, which makes it much easier to get at functionality you can use during the meeting to deal with Zoombombing and other issues. Options include locking the meeting (useful once everybody has shown up), disabling or enabling chat and screen-sharing, and removing participants. In-meeting security options has the details. It’s best to have multiple co-hosts so that the speaker and facilitator don’t have to distract themselves dealing with any problems that come up.

Zoom also has zillions of additional settings, and many can be useful from a security perspective. Some provide useful “defense in depth” to limit the disruption attackers can cause if they get into the meeting. As of August 2020, best practices include disabling screen sharing for anybody but the host (which prevents people from showing everybody offensive memes or videos); turning off “annotations” (which keeps people from drawing on everybody’s screen), turning off participant chat (to reduce opportunities for harassment), and disabling file-transfer (to keep people from sending nasty images or videos or audios to other chatters), and providing better protection for clould recordings.

Here’s a few pages cover this information in detail (although note that none of them have everything, and it may them a while to get updated to reflect Zoom’s latest releases):

Global Forum for Media Development’s “Zoom-bombing” prevention & resources guide
Zoom’s How to Keep Uninvited Guests Out of Your Zoom Event (from March 20)
EFF’s Harden Your Zoom Settings to Protect Your Privacy and Avoid Trolls (last updated April 10)
Indiana University’s Prevent Zoombombing using Zoom privacy and security features, UC Berkeley’s Settings for Preventing Zoom-Bombing, and UW’s Protect your Zoom meeting space and class sessions. They all seem to be updated fairly often.
Frame Shift Consulting‘s Tips for Safer Zoom Meetings (April 2) has good thoughts about roles within the meeting.

Of course, a lot of this functionality is also useful for running effective and inclusive meetings! So in some situations it may make sense to leave some of this functionality enabled as long as you’ve taken other precautions. Back in April I was on a webinar that was (unsurprisngly) targeted by Zoombombers; the panelists shrugged it off, booted the miscreants, and continued on without missing a beat. As moderator Kimberlé Crenshaw said, Black civil rights protestors responded to the Klan surrounding and screaming at them by raising their voices and singing about freedom at the top of their lungs … so we can respond to Zoombombing by talking about freedom at the top of our lungs.

Think about alternatives

Zoom’s not the only game in town. Even if you continue to use Zoom for many of your meetings, it’s worth thinking about more security-conscious options for situations where confidentiality is important. Web Conferencing Security from the Australian Cyber Security Centre has some solid guidance on both how to select a web conferencing solution and how to use it securely; EFF’s What You Should Know About Online Tools During the COVID-19 Crisis is also important reading (for tools in general, not just Zoom).

End-to-end encryption (E2EE) is one important consideration here. Cryptographer Matthew Green’s Does Zoom use end-to-end encryption? has a good short explainer of why it matters, and how Zoom falls short.

Here’s a short list of potential alternatives:

Signal is the gold standard for security. Its functionality is very limited compared to Zoom (group chat, 1–1 video and voice calls, but no videoconferencing), so it’s not really a replacement, but it’s a good choice for any information that’s so secret that you would be badly harmed if it got out.
Wire, from the UK, is a collaboration platform built with a strong focus on security, including E2EE, open-source code, and several published security audits. Their Pro plan supports videoconferences with up to four people, and has a 30-day free trial.
Tixeo, from France, has Zoom-like functionality and a strong focus on security, also including E2EE. They have a 30-day free trial, but no free option.
Jitsi Meet is an open-source solution with rich functionality that works directly in the browser; they’re working on E2EE. Then again, it has major accessibility issues; I’ve also seen reports of problems with Firefox (especially if there are 10 or more users) and Safari. meet.jitsi.org is an easy way to try it out, although bear in mind that without E2EE the people running the site (or anybody who’s hacked in) have access to all meetings hosted there. You can also download the software and host your own server.
Cisco’s WebEx has just introduced a much richer free offering and also has end-to-end encryption option. Their chat is also much better than Zoom’s.
Microsoft’s Teams is a relatively new player, and organizations that have Office 365 don’t have to pay extra for it. Teams works best if everybody has accounts in the same domain (they’ve announced a new “friends and family” version, but it’s not yet available), which isn’t necessarily a great match for activism use cases, but on the positive side it has a lot more collaboration functionality than Zoom. Similarly, Google Meet might be an option if you have G Suite.
Google’s Duo has end-to-end encryption, so might also be worth considering for smaller meetings. Microsoft’s Skype (which now makes it easy to set up video meetings) is also be an option, although it lacks key activism functionality like the ability to pre-schedule meetings.
And sometimes you don’t need spiffy video functionality. Will an old-fashioned conference call work for you?

There’s lots of other choices out there as well — the responses to Eleanor Saitta’s thread include suggestions like Vidyo, Amazon Chime, and Webinar Jam, and here’s a crowdsourced spreadsheet with several dozen video options. As you’ve probably figured out by now, they all have challenges. And it’s not like Zoom’s the only software that has security and privacy issues! Which is riskier, a crufty old code base like WebEx (where the original development team has long since left) or a newer code base like Zoom where a lot of stuff is being discovered and fixed? And, as noyb’s recent Interrupted Transmission report highlights, everybody has a ways to go on the privacy side.

In software, as in life, there aren’t any magic bullets. Still, there might well be better options than Zoom for at least some your group’s meetings.

If you do wind up using something else, the kinds of thinking I discuss here still applies. No matter what solution you’re using:

You want to be running the most recent software and following best practices for configuration
You need to be careful about distributing links and meeting IDs
Passcodes and passwords are helpful but not a panacea
There are lots of settings and tradeoffs to get familiar with.

….

Thanks to Aaron, Jesse, Kathy, Livio, Emily, Tara, Barbara, Angyl, Dragos, Tim, Kristen, and Cynthia for feedback on previous drafts. Thanks also to Larry, Claude, Amy, Kat, Jeff, George, Matt, Eleanor, Tarso, Ilya, and Lynwen for the useful info and links, and to Livio for the screenshot of the update dialog.

Change log

April 3: emphasize checklist at the top, strengthening recommendations to look at alternatives for confidential stuff, clarifying waiting room situation, adding links.

April 4: including link to Zoom announcement of April 5 changes, screenshot for “require registration”, other minor cleanups.

April 6: edits reflect Zoom’s latest updates, which turned passwords and waiting rooms on by default; add link to school systems banning Zoom; tighten discussion of Teams; other minor cleanups.

April 7–8: Updated guidance on waiting rooms, added Eleanor Saitta’s perspective, tweaked the Teams discussion again, added a few more links.

April 9: update with security toolbar info, new Citizen Lab post, and Microsoft Teams link

April 10: update with EFF and Matthew Green links

April 18: include Jitsi E2EE, Australian Cyber Security Centre, and EFF links, along with other minor cleanups.

April 19: include Global Forum for Media Development link

August 30: include links to a couple more overview pages, renaming password to passcode, upcoming changes, other minor tweaks.