Zoom Improves Privacy and Security

Given the level of concern many users have had with Zoom’s security and privacy, the company has been hard at work during the first two weeks of April to bring better control to its video conferencing software. The first changes transformed the safety profile of using its service, albeit with additional overhead for hosts and people joining meetings. On April 8, Zoom’s CEO, Eric Yuan, told NPR, “When it comes to a conflict between usability and privacy and security, privacy and security [are] more important–even at the cost of multiple clicks.”

Here is a synopsis of the recent changes.

Passwords required. All free-tier accounts, free upgraded education accounts, and single-host paid accounts now need a password. It’s generated automatically and may be changed but cannot be removed. This blocks access by those who obtain the meeting ID but not the password, and it prevents access through bots trying to join randomly generated meeting IDs in the reasonable hope of connecting to a password-free session.

Meeting ID hidden. The meeting ID no longer appears in the title bar of Zoom apps to prevent it from appearing in screen captures posted on social media or elsewhere.

Waiting Room enabled. By default, the Waiting Room feature is now enabled for all accounts, even those that previously had the option turned off. The Waiting Room puts participants who attempt to join the meeting into a holding position. The host must admit them. It’s fussy, and if it’s unnecessary in your environment, you can override the default on a per-meeting or per-host basis.

Meeting locks. With a click of the new Security button, hosts can lock a meeting at any point to prevent new participants from being added to the Waiting Room or joining directly. Another click unlocks the meeting.

Name change prevention. Hosts can prevent participants from changing the name that appears when they join or request to join a meeting. Some people—both unwanted visitors and students who thought it was funny—were changing their names to derogatory or abusive forms during meetings.

Domain contacts visibility. Zoom no longer treats every user with the same domain in their email address as belonging to the same organization. Previously, anyone with a given address could view account information or add everyone who had the same domain to their contacts, excluding some significant ISPs and mail hosts, like Gmail and iCloud. That feature is now disabled for free-tier and paid single-host accounts, and must be enabled on higher-tier paid accounts.

Traffic routed through China. The path that data travels is a political, regulatory, and business question, not just a technical one. Citizen Lab’s report revealed that Zoom was routing some traffic that didn’t involve any participants in China through servers in that country. Zoom explained that it was an error in load balancing, which seemed plausible given how quickly it had to scale its operations. The company said it made permanent changes to prevent data from outside the country passing through Chinese servers. A new feature for paid users starts April 18, and those users will be able to select which of several regions data may pass through. Free users are locked to data centers in the region from which they subscribed. Apart from concerns about China, some people outside the United States don’t trust the National Security Agency or other US intelligence groups.
