Campbells LLP clients and many others, including members of the legal profession, have expressed concerns about using Zoom, Facebook Messenger, Skype, Webex, Microsoft Teams or other platforms for meetings during the active pandemic controls, especially the “stay in place” orders which have us all working from home. We would like to explain our thinking in using Zoom, and assure you we have given your privacy careful consideration – as indeed we must, since lawyer-client confidentiality is one of the hallmarks of the relationship.
There is a good deal of information floating around about Zoom.
There have been security breaches due to an exploit in the Zoom Client for MacOS. This was fixed over a week ago.
There have been instances where individual camera settings or software allowed DoS or other exploits or attacks. This has been fixed according to Zoom. This should not happen on our systems with our security and each lawyer’s home setup has been vetted by our IT consulting firm. In addition, each of our lawyers has been advised to procure a slider for any camera lens connected to their computers. We recommend that all of our clients do the same.
The slider can be opened and uncovered for each meeting then closed again. We also recommend taking any add-on camera off or away from the computer when not in use and placing it facing away from your work area to reduce/eliminate audio pick-up. Audio pickup of both sides of an actual meeting should be more difficult if you are using a headset and not the built-in mic on your laptop, or at least require full access to your system and not just the camera feed. The sliders are really all you can do if you’re using the built-in camera in most laptops.
They can be purchased cheaply and easily at Amazon. A link to an example of this type of product is below. We do not endorse any one product over another.
Webcam Cover Slider, Laptop Camera Cover fits Echo Spot Smartphones Tablets Macbooks Computers Desktops with Strong Adhesive, Protecting Privacy and Securtiy (6 Pack) by NKOMAX CO., LTD. Learn more: https://www.amazon.ca/dp/B07VQ7RK35/ref=cm_sw_em_r_mt_dp_U_wWpIEb39SFMPJ
“Zoombomb” Safeguards
There is a lot of talk about being “Zoombombed” – people entering meetings to which they were not invited and doing or saying profane or offensive things before being removed. The fix for this is basic common sense. If you set up the Zoom client properly, your meetings are not public chatrooms and not accessible. The auto-generated passcode for your meeting (not the same as your meeting ID) is included in the invitation link generated for a scheduled meeting. Client confidentiality is not at risk. Zoom theoretically accommodates up to 100 people on a conference, and so much Zoombombing occurs due to individuals posting the invitation publicly, which negates the whole point of the above. Zoombombing occurs mostly when meeting invites are posted on social media or unsecured platforms, such as for school classrooms and shared.
UPDATE APRIL 5th, 2020
On April 4th, 2020, Zoom announced that as of sometime today, the default Zoom settings will be adjusted to include the above protocol – password-generation and meeting admission and screening will not have to be selected but will be preset. Zoom cannot implement a change that will help people who post private meeting invitations in public places of course.
CAUTION: There is a proliferation of short blog posts that seem like news articles all over the internet. Most have disclosures somewhere that they are paid a fee for products sold and should be taken with a grain of salt. For example, Grunge posted an article dated today detailing Zoombombing called “Why You Shouldn’t Use Zoom”. It is dated AFTER the fix had been announced and implemented. To my mind the article could be called “why you should not read Grunge’s click-bait ‘articles’”. There is far more advertising on the page than content. We do not get our information or make our decisions based on this type of “analysis”.
Client Confidentiality & Zoom
Campbells LLP has always had a significant clientele consisting of tech startups and we are very familiar with the types of decisions Zoom has had to make. In our judgment client confidentiality is not at risk. Certainly much less so than entrusting anything confidential to Facebook. Zoom does not encrypt peer-to-peer with dual encryption but uses an encryption standard that reflects that data passes through Zoom’s servers in order to facilitate the calls and maintain connectivity. What this means is that Zoom itself can theoretically access meetings between people using its network. This is directly related to the reasons the platform has been so simple and easy to use and is not fixable at this time. Zoom has assured US federal regulators it does not intrude, record or save meetings and this has been the subject of ongoing scrutiny.
Zoom Issues You May Hear About
Zoom was also making data from user meetings (collated as metadata) accessible to or sharing it with Facebook. This process has ceased according to statements from Zoom’s CEO.
An Israeli cyber-security firm reported that Zoom was internally tracking users’ emails and matching them to LinkedIn profiles, an obvious breach of privacy without specific consent and disclosure. This has been stopped.
Zoom also stated for many months that they were, in fact, using dual encryption peer-to-peer and are now saying that they interpreted the term differently.
Zoom’s Responses to Issues
Having taken steps to fix these issues and announcing it was stopping work on new features to focus exclusively on security for the next 3 months, Zoom has responded appropriately in our view. The company was a startup fighting for market share while developing a fledgling product a month ago. It is suddenly the most popular meeting software in the world as of today’s date. The reason for this is ease-of-use.
It is not required that anyone but the host be a licensee of Zoom. Parts of meetings can be easily recorded and stored in our secure Campbells LLP cloud locations. This feature is necessary for lawyers verifying identification, commissioning affidavits, notarizing documents or witnessing important documents, for example.
We are satisfied that the measures taken and announced by Zoom to date show the ability and willingness to balance ease-of-use and security and make it the right product to use with our clients.
For corporate, bank and tech clients desiring use of an older or enterprise platform with verified dual encryption, such as Webex, Go-To-Meeting or Microsoft Teams (just a few examples), this can be arranged. Internal enterprise systems are not easily used by most individual clients and much harder to configure. Companies with competent IT departments can use their own software with our Corporate/Commercial and Commercial Litigation groups only.
Firm Wide Safety Measures Implemented
The point is, Zoom is the simplest, easiest-to-use software for clients we have found, one-click access if we send the invitation and no download required for the client. HOWEVER, for safety and privacy concerns, Campbells LLP is adhering to the following guidelines:
- Each off-site lawyer or clerk working from home must have Zoom configured properly, generating a meeting-specific passcode for every meeting ID. Participants must have received an invitation, and the lawyer/clerk must manually permit entrance from the virtual waiting room for each participant. We have obtained each lawyer’s written confirmation that these safeguards are in place prior to permitting Zoom meetings.
- We will ONLY participate in meetings that WE initiate and issue invitations to, to be sure the above is implemented properly. Certain high-tech clients well-known to us have either secure internal platforms or more robust software which we will use on a case-by-case basis. These clients are all leaders in their fields.
- Clients should be warned not to use their children’s gaming computers (or theirs if applicable). If they have no choice, then an independent security program should be downloaded which updates all settings from Twitch and other platforms permitting use of the camera, sharing of the client’s screen and access to the microphone.
Steps YOU Can Take to be Secure
We found the following articles useful as a starting point but do not endorse the contents or recommend any product.
https://www.tenforums.com/tutorials/102647-allow-deny-os-apps-access-microphone-windows-10-a.html
https://support.microsoft.com/en-us/help/4468232/windows-10-camera-microphone-and-privacy
https://support.apple.com/en-ca/guide/mac-help/mchlf6d108da/mac
Campbells LLP will closely monitor Zoom developments
Over the coming weeks and months, we will be monitoring Zoom’s public statements and those from regulators about Zoom. The nature of the issues with Zoom suggests they have in the past been reactive to privacy concerns once pointed out publicly. While perhaps understandable with a small user base and software under development, Zoom have not obviously proactively prioritized privacy and security like Cisco, Apple and some others. Zoom have said they are spending the next few months on a dedicated effort to bring security up to the standards and scale of use required for widespread business adoption due to Covid-19. We will ensure they do so to our satisfaction and provided they do so, we would continue to use this user-friendly platform.
Laughlin Campbell
Managing Partner, Campbells LLP