That said, I think their security/privacy track record is pretty spotty. Last year, someone discovered that the Zoom client for Mac (maybe PC, too?) quietly installed a local web server without the user’s explicit consent. When it was exposed, Zoom explained that it was “the easiest way to ensure that users would be able to reliably connect to find and connect to their meetings.” Fine, but not explicitly telling users that or why it was happening also potentially exposed a lot of systems to outside intrusion.
Recently, they’ve waded into even hotter water for sharing data with Facebook without users’ consent and for not providing true end-to-end encryption to ensure security on their calls.
True, some of these issues only affect free accounts. Remember, when you’re using your Facebook or Google account credentials to access a free service, then you’re not the customer. You’re the product. But it’s still concerning, because without paying for a Zoom account, there’s no other way to use the service. And while it’s equally true that meeting invitees who choose to eschew the actual Zoom client can just call in using the dial-in number, if the contents of any call are leaked or disclosed due to a flaw in the Zoom platform, then their private data is still potentially exposed.
If you’re not paying for it, then you’re not the customer. You’re the product.
Bruce Schneier (and many, many others)
Many of the other “flaws” in Zoom that the media have been quick to point out recently really just come down to poor user education. For example, a lot of people have inadvertently exposed their colleagues’ Zoom account data to the public by posting screenshots to social media that clearly show the meeting’s Zoom ID. The fact is that meeting owners can password-protect any Zoom meeting, choose unique meeting IDs, or use lobbies to prevent randos from just wandering in, but people tend not to do any of that, because it’s an additional barrier to entry.
Look, most people just want to use Zoom, because that’s what everyone else is using this week. It has those cool virtual backgrounds. Perhaps they can come up with a really novel use-case to stay connected with friends and colleagues. Maybe the recorded meeting they post on social media will end up going viral. Wait, are we even allowed to say that anymore?
The security stuff is just extra clicks. Plus, some people are going to misuse any technology platform, no matter how secure. But in my experience, the more they strive to hip-ify a product by packing in every requested feature that comes along, the more likely that someone will make these kinds of mistakes. That’s why I was glad to learn that Zoom has voluntarily implemented a three-month freeze on building new features, giving them time to address some of the underlying platform security concerns.
I don’t think any of this is necessarily malicious, and in my experience using and supporting the platform, they generally get things fixed pretty quickly, but I think they have a “move fast and break things” startup mentality that’s more than a little dangerous in the enterprise sphere. But it’s fairly telling that they only acknowledge these fundamental problems after they’re busted. I also think it’s a little disingenuous that Zoom tends to thump their chests about the superior quality of their service, because, let’s face it… it’s rather easy to outperform your competition when you’re cutting corners to do so.
I think one of the key advantages to using Microsoft Teams (or Google Meet or whatever) is that it’s usually tied to your company’s productivity platform, and so there’s a kind of governance that goes hand-in-hand with that. Granted, Zoom can also be locked down with single sign-on, address book/calendar integration, corporate room scheduling, and other related features, but that also requires a lot more investment from your IT team to make sure it’s implemented properly. Whereas something like Teams, Meet, etc., is already managed as part of your organization, so it’s inherently aware of your organization’s sign-on, your corporate address book, rooms, calendar, file storage, etc.
Plus, I figure if your company is already paying for Microsoft 365, G Suite, etc., then you should be using that platform’s tools, unless Zoom provides a key advantage or you just like spending more money than you need. In that case, you should be paying for proper Zoom accounts in order to receive proper feature parity and support.
Oh, and don’t take your web conferencing device into the bathroom. Like, ever.