What steps can we take to help ensure that our online conversations and personal data are secure, in a period of rapid and unplanned change?
This blog post is a product of ongoing discussions at the RHS about how best to modernise our communications while keeping our online information-sharing secure. By briefly surveying the concerns (in this case with the virtual-conference tool Zoom) that may be most relevant to historians and our colleagues in similarly small organisations, and sharing some simple tips to improve security for both large and small meetings, we hope that some of the information below might prove helpful to others.
At the RHS we began using Zoom several months before the Covid-19 crisis, in an effort both to reduce our expenditure on travel to meetings (and associated carbon footprint) and better to accommodate colleagues’ schedules. We have found it an effective, intuitive tool to use. However, like many other organisations, in the last few weeks we have rapidly had to adapt our working practices to help manage a rapid, unplanned shift to almost total remote working during the current crisis.
Concerns about Zoom’s security have also been hitting the headlines. Last week, journalists reported that the Ministry of Justice had suspended using Zoom for high-security discussions, even as the Prime Minister was shown holding a cabinet meeting using the software. This week, Zoom has become the subject of a class action lawsuit in the US.
What are the concerns?
Zoom does seem to be paying attention to criticism, and on 29 March clarified its privacy policies in a blog post. But Zoom’s opaque approach to its users’ data privacy is a big concern. For example, in 2019, a security consultant discovered that by installing remote web servers, and bypassing Safari’s security features, Zoom could allow malicious websites to turn on a device’s camera. While this issue has now been fixed, remaining issues include:
- Zoom’s collection of data, including its sharing of personal data with third parties such as Facebook and Google;
- a privacy policy that enables the collection of data from automatically-generated transcripts, shared documents and user details;
- the considerable power Zoom gives call hosts to record or monitor attendees and collect data on calls.
In-Meeting Security is a second area of concern, particularly the kinds of disruption caused by uninvited or unwelcome guests that are known as “Zoombombing”. This can vary from the unwelcome to the criminal, and has included tactics such as verbal abuse or sharing offensive material. Most worryingly, some of these interruptions have been in the form of targeted harassment or racism.
Understandably, in recent days we have seen a number of colleagues express concern at being asked to use Zoom.
What can meeting hosts do to protect their own data?
- Log in to Zoom using a Zoom account, not through Facebook or Google;
- Ensure that the Zoom app installed on your device/computer is updated to the latest version. You can do this easily by following these instructions;
- Consider using a separate internet browser for virtual meetings if you want to be sure to keep Zoom separate from your regular internet activities, and regularly delete cookies and browser history.
How can hosts make meetings more secure?
- Create Meetings using a new Meeting ID rather than your Personal Meeting ID;
- Never share an open meeting link via a public forum such as Facebook or Twitter;
- Set a password for the meeting and only share it with the attendees you want in the meeting, e.g. by using a direct message or email;
- If all your meeting participants are from within an organisation (e.g. a university), you can use authentication with a specified domain to ensure that others can’t log in. However, this is likely to prevent some people from joining who use a personal email address for their Zoom use.
Control who comes and goes to your meetings
- Disable the Join Before Host setting so that you have control of the meeting from the start.
- Use the Waiting Room option to admit participants.
- You can decide to allow participants to join a meeting straight from their browser. While this can be an inclusive step, acknowledging that people are wary of downloading the app, it perhaps should only be considered when running a small meeting for a defined group.
Utilise the In-Meeting Settings
- If you are using Zoom to deliver content to a large number of people (e.g. a lecture) who may not be personally known to you, make sure that the screen-sharing option is disabled for all attendees except the host to prevent the call being disrupted or crashed;
- Use the Manage Participants function to Lock a Meeting to prevent additional participants from joining once the meeting is underway;
- You can also mute individual or all participants (except the host) or disable participants’ video;
- You can remove participants from the meeting. Make sure that “Allow Participants to Rejoin” is disabled;
- Disable In-Meeting Chat options so that attendees can’t send messages either 1:1 or to all participants, or save chat messages.
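For anyone who sets up meetings regularly, the host checklist above can be written down as a short pre-meeting check. This is an added example, not part of the original post and not Zoom's own code: the field names are hypothetical labels for the options named above (not Zoom API fields), the sample meeting is constructed, and the threshold of 15 for a "small" meeting is an assumption.

```python
from dataclasses import dataclass, field

SMALL_MEETING = 15  # assumption: the post gives no figure for a "small" meeting

@dataclass
class MeetingPlan:  # field names are hypothetical, not Zoom API names
    expected_attendees: int
    attendees_known_to_host: bool = True
    uses_personal_meeting_id: bool = False
    link_posted_publicly: bool = False
    password_set: bool = True
    join_before_host: bool = False
    waiting_room: bool = True
    browser_join_allowed: bool = False
    attendee_screen_sharing: bool = False
    removed_can_rejoin: bool = False
    in_meeting_chat: bool = False
    allowed_domains: list = field(default_factory=list)
    attendee_emails: list = field(default_factory=list)

def audit(plan):
    """Return the checklist items this plan fails, as short strings."""
    # Large audiences, or attendees the host does not know, get stricter checks.
    open_audience = (plan.expected_attendees > SMALL_MEETING
                     or not plan.attendees_known_to_host)
    checks = [
        (plan.uses_personal_meeting_id, "use a new Meeting ID, not the Personal Meeting ID"),
        (plan.link_posted_publicly, "do not share the link on a public forum"),
        (not plan.password_set, "set a meeting password"),
        (plan.join_before_host, "disable Join Before Host"),
        (not plan.waiting_room, "enable the Waiting Room"),
        (plan.removed_can_rejoin, "disable Allow Participants to Rejoin"),
        (plan.in_meeting_chat, "disable In-Meeting Chat"),
        (open_audience and plan.browser_join_allowed, "browser join suits only small, defined groups"),
        (open_audience and plan.attendee_screen_sharing, "restrict screen sharing to the host"),
    ]
    findings = [message for failed, message in checks if failed]
    # Domain authentication caveat: invitees using a personal address cannot join.
    if plan.allowed_domains:
        allowed = {d.lower() for d in plan.allowed_domains}
        for email in plan.attendee_emails:
            if email.rsplit("@", 1)[-1].lower() not in allowed:
                findings.append(f"{email} is outside the authenticated domains")
    return findings

# Constructed sample: a public lecture set up with permissive choices.
lecture = MeetingPlan(expected_attendees=200, attendees_known_to_host=False,
                      uses_personal_meeting_id=True, waiting_room=False,
                      attendee_screen_sharing=True, in_meeting_chat=True,
                      allowed_domains=["example.ac.uk"],
                      attendee_emails=["a.reader@example.ac.uk", "guest@example.org"])
print("\n".join(audit(lecture)))
```

Locking the meeting and muting participants are actions taken once the meeting is underway, so they are not part of this pre-meeting check.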
Security for meeting participants
When screen-sharing is being used during a meeting, Zoom allows meeting hosts to activate an attention-tracking feature that indicates to them when a participant does not have the meeting in “focus” for more than 30 seconds, e.g. because they have switched to a different browser tab.
- If you are concerned that a meeting host may be tracking your attention, consider having a second browser open, or use a different device altogether (e.g. a phone);
- Do not click on any links shared in the Zoom chat window if a host has left it active. It has been noted that this can be used as a means of maliciously obtaining secure information from your device.
Staying Connected
Many different online products offer to help us stay connected, all with their own attendant difficulties and security issues. Many organisations are using GoToMeeting, Skype, Skype for Business, or Microsoft Teams. Other solutions that may be worth investigating include open-source alternatives like Jitsi. Individual users and organisations should investigate which software works best for them, based on their own assessment of costs, data and personal security, ease of use, and reliability.
Whenever we use online tools, to some extent we accept their terms and conditions for use. User settings do offer control, and there are simple steps that we can take to help keep our meetings, and those who participate in them, secure. Online tools such as Zoom have problems, but they also help to keep organisations running. At the moment, they are providing ways for us to work with colleagues, deliver content, connect to loved ones near and far, and even to organise collectively within our home communities. The RHS Zoom account is being used for all of these purposes as we adapt to this difficult new time.
Katherine Foxhall
RHS Research and Communications Officer