Zoom, Zoombombing, and the Security and Confidentiality of Your Communications
Why Zoom became the default in early 2020, what its security claims actually meant, and how to evaluate the platform for confidential business communications.
Like so many organizations, when COVID-19 sent employees home in early 2020, UOTech.co adopted Zoom for online meetings and collaboration. However, within weeks, the company began reassessing the platform due to emerging security and business practice concerns. This article examines why Zoom became the default conferencing choice during the pandemic and how organizations worldwide have addressed its significant security challenges.
Zoom’s History
Founder Eric Yuan established Zoom in 2011. By 2020, Yuan’s net worth reached $5.5 billion as the platform experienced explosive growth during the coronavirus outbreak. Before the pandemic, Zoom had already encountered multiple security incidents: exploits could access Mac users’ cameras, the iOS app transmitted data to Facebook even for non-Facebook users, and the platform automatically designated users sharing a company email domain as trusted colleagues, enabling unsolicited video calls.
Coronavirus and Market Position
Zoom occupied a unique position when 2020 began. It had established corporate presence, user familiarity, and intuitive design that made adoption across age groups effortless. Competing platforms like WebEx and GoToMeeting seemed outdated, while newer options like Teams and BlueJeans lacked market penetration. When global lockdowns occurred, Zoom’s cross-platform compatibility made it the obvious choice for workplace and personal connections.
Zoom responded generously by offering educators free platform access. Schools embraced the platform widely, but widespread exposure quickly revealed security vulnerabilities.
Zoom’s Security Vulnerabilities
By early March 2020, disturbing reports emerged: individuals disrupted educational sessions with lewd conduct, trolls interrupted therapy sessions, and other reprehensible incidents occurred. TechCrunch published configuration guidance to prevent such problems, and Zoom responded by introducing security features.
However, fundamental transparency issues remained. The platform has historically misrepresented its capabilities. Zoom’s “don’t ask permission, ask forgiveness” approach became evident on April 1, 2020, when the company issued an apology:
“In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.”
Zoom had advertised end-to-end encryption support, implying that meeting content was confidential between the participants only. True end-to-end encryption is technically challenging in group calls with hundreds of participants. Zoom implemented a hub-and-spoke architecture in which all participants connected to Zoom servers rather than directly to each other. While this protects communications from network eavesdropping, it creates a critical vulnerability: Zoom employees and datacenter personnel could access unencrypted meeting content without user awareness.
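The difference between the two models, as an added example that is not from Zoom or from the original article: a toy cipher built from the Python standard library stands in for real authenticated encryption, and the participant names, message, and the pre-shared meeting key are all constructed assumptions. It shows that a hub holding per-link keys can read what it relays, while a hub forwarding content sealed under a participant-only key cannot.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # Toy SHA-256 counter keystream; a stand-in for a real AEAD, not for production use.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def try_read(keys, blob):
    """Return the plaintext if any key the holder owns opens the blob, else None."""
    for key in keys:
        try:
            return unseal(key, blob)
        except ValueError:
            pass
    return None

def demo():
    msg = b"Q3 acquisition terms (constructed sample)"
    people = ["alice", "bob", "carol"]
    # Hub-and-spoke: each participant shares one link key with the server.
    link = {p: secrets.token_bytes(32) for p in people}
    uplink = seal(link["alice"], msg)
    hub_view = try_read(link.values(), uplink)          # server decrypts to relay
    hub_out = {p: seal(link[p], hub_view) for p in people if p != "alice"}
    hub_bob = unseal(link["bob"], hub_out["bob"])
    # End-to-end: a meeting key known only to participants (distribution assumed).
    meeting_key = secrets.token_bytes(32)
    inner = seal(meeting_key, msg)
    e2e_uplink = seal(link["alice"], inner)             # link layer still applies
    e2e_view = try_read(link.values(), unseal(link["alice"], e2e_uplink))
    e2e_bob = unseal(meeting_key, inner)                # server forwards inner as-is
    return {"hub_server_view": hub_view, "hub_bob": hub_bob,
            "e2e_server_view": e2e_view, "e2e_bob": e2e_bob}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In both runs the network path is encrypted, so an outside observer learns nothing either way; the only thing that changes is whether the server in the middle holds a key that opens the content.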
The core problem wasn’t Zoom’s technical architecture; it was the misrepresentation of how that architecture functioned. Users believed their communications were fully confidential based on Zoom’s marketing claims, yet the company permitted this fundamental misconception to persist.
For most common uses, Zoom’s security remains acceptable with proper configuration. However, users must understand their actual privacy level. People change how they behave and what they share when they are aware that platform employees might eavesdrop. Zoom needed to be transparent about what its offering included and excluded.
Zoombombing
The term “Zoombombing” emerged alongside intense scrutiny of the platform. Zoom prioritized ease of use and feature richness to facilitate adoption in corporate environments. Default meeting settings allowed anyone possessing a Meeting ID to join without passwords or host approval, eliminating barriers to seamless communication.
Zoombombing exploited this accessibility: pranks disrupted educational sessions, trolls infiltrated substance abuse support meetings to harass participants, and public fear about platform security intensified. Zoom responded by enabling pre-existing features, including meeting passwords, waiting rooms, and randomized meeting IDs, and made interface improvements such as hiding Meeting IDs from prominent display and giving hosts quick-access controls. Many protective configuration options already existed but remained underutilized in order to preserve ease of access.
Evaluating Zoom for Your Organization
Zoom’s robust capabilities and ubiquity ensure that it will survive this crisis. The platform remains competent for collaboration and is growing increasingly security-conscious due to public pressure and corporate accountability. However, UOTech.co will avoid Zoom for confidential, personal, or non-public communications.
Rather than adopting an outright ban like those implemented by Disney, Google, New York’s public school system, and NASA, UOTech.co reserves Zoom exclusively for non-confidential, public-facing communications.
Alternatives exist. Microsoft Teams and BlueJeans provide excellent options. Each organization should thoroughly research platforms under consideration. UOTech.co offers current guidance on security, usability, configurability, and stability across communication and collaboration platforms.