Zoom’s privacy and security issues have been in the headlines for a number of weeks now, causing concern for lots of users. But many people have no option but to use the software after it has been selected by the company they work for.
If you find that you have to use Zoom, there are steps you can take to ensure your experience is as safe as possible.
Zoom has already taken some steps to address concerns that have been raised in recent weeks, and the company says that it will continue to make improvements to the video conferencing software. But even when this happens, there is a lot you can do to lock things down.
Protect your account
A Zoom account is just another account, and in setting yours up, you should apply the basics of account protection. Use a strong and unique password, and protect your account with two-factor authentication, as this makes your account harder to hack and means it is better protected, even if your account data leaks.
There’s at least one more Zoom-specific catch: After you register, in addition to your login and password you get a Personal Meeting ID (PMI) – avoid making it public. As Zoom offers an option to create public meetings with your Personal Meeting ID, it’s quite easy for that ID to be leaked. If you do, anyone who knows your PMI can join any meeting you host, so look to share this information prudently.
If possible use your council e-mail to register with Zoom
A weird glitch in Zoom (which at the time of this writing wasn’t yet fixed) causes the service to consider e-mails of the same domain — unless it’s a really common domain such as @gmail.com or @yahoo.com — as belonging to one company, and it then shares their contact details with each member of that group. For example, users who registered Zoom accounts using e-mails ending with @yandex.kz, which is a public e-mail service in Kazakhstan experienced this. It may happen again with e-mail addresses belonging to smaller public e-mail providers.
So, to register with Zoom, use your council e-mail.
Don’t fall for fake Zoom apps
The number of malicious files incorporating the names of popular video conference services (Webex, GoToMeeting, Zoom, and others) in their filenames has roughly tripled in comparison with the numbers he found month by month over the previous year. That most likely means malefactors are ramping up their abuse based on the popularity of Zoom and other apps of its kind, trying to disguise malware as video conference clients.
Don’t fall for it! Use Zoom’s official website — zoom.us — to download Zoom safely for Mac and PC, and go to the App Store or Google Play for your mobile devices.
Don’t use social media to share conference links
Sometimes you want to host public events, and in many places online events are the only option available these days, which means Zoom is attracting more and more people. Even if your event is truly open to everyone, you should avoid sharing the link on social media.
If you knew anything about Zoom before reading this post, you’ve probably heard about so-called Zoombombing. This is a term to describe trolls disrupting Zoom meetings with offensive content.
Where do the trolls get information about upcoming events? That’s right, they find them on social media. So, avoid publicly posting links to Zoom meetings. If for some reason you still want to, make sure you don’t enable the Use Personal Meeting ID option.
Protect every meeting with a password
Setting up a password for your meeting remains the best means of ensuring that only the people you want in your meeting can attend it. Recently Zoom turned password protection on by default — a good move. That said, don’t confuse the meeting password with your Zoom account password. And like meeting links, meeting passwords should never appear on social media or other public channels, or your efforts to protect your call from trolls will be in vain.
Enable Waiting Room
Another setting that gives you more control over the meeting, Waiting Room — recently enabled by default — makes participants wait in a “waiting room” until the host approves each one. That gives you the ability to control who joins your meeting, even if someone who wasn’t supposed to participate somehow got the password for it. It also lets you kick an unwanted person out of the meeting — and into the waiting room. We recommend leaving this box ticked.
Pay attention to screen-sharing features
Every normal videoconference app offers screen-sharing — the ability of one participant to show their screen to the others — and Zoom is no exception. Some settings that are worth keeping an eye on:
- Limiting screen-sharing ability to the host or extending it to everyone on the call. If you don’t need other people to show their screens, you know which option to choose
- Letting multiple participants share screens simultaneously. If you can’t immediately see why your meetings would need this capability, you’ll probably never need it; just keep it in mind in case you ever need to enable it.
Stick with the Web client if possible
The various Zoom client apps have demonstrated a variety of flaws. Some versions let hackers access the device’s camera and microphone; others let websites add users to calls without their consent. Zoom was quick to fix the aforementioned problems, as well as other, similar ones, and it stopped sharing user data with Facebook and LinkedIn. However, given the absence of a proper security assessment, Zoom apps are likely to remain vulnerable, and they may still employ shady practices such as data sharing with third parties.
For this reason, we recommend using Zoom’s Web interface instead of installing the app on your device, if possible. The Web version sits in a sandbox in the browser and doesn’t have the permissions an installed app has, limiting the amount of harm it can potentially cause.
In some cases, however, even if you want to use the Web interface, you may find that Zoom has gone ahead and downloaded the installer, and there’s just no other option to connect to the meeting but to install the client. In that case, you can at least limit the number of devices on which Zoom is installed to just one. Let it be your secondary smartphone or, say, a spare laptop. Choose a device with next to no personal information. We know that sounds somewhat paranoid, but it’s better to be safe than sorry.