Because in-person mediations and arbitrations have become a public health risk due to COVID-19, the National Academy of Distinguished Neutrals (“NADN”) has taken measures to ensure that members of the Academy are able to serve firms with online mediation sessions using the latest video conferencing platforms. In this guest blog post, Darren A. Lee, Executive Director of the NADN, has graciously agreed to share his perspective regarding how to safely and effectively hold video meetings using what is currently the most popular video conference platform, Zoom:
I’ve heard from a few dozen members over the last week now, concerning the media stories about Zoom’s “security flaws”. Firstly, I have to say that it’s pretty clear that this sudden avalanche of scary headlines appears to have been orchestrated (or at least, encouraged) by big tech/media corporations, who are understandably annoyed that Zoom has literally exploded in market share over the last month (from 10M users in January to over 200M and counting today!). It’s worth noting that ALL other video platforms have had security issues, just in recent months (see: WebEx, GoToMeeting) but that reporting was confined to IT/software blogs, not the pages of tabloids and evening news broadcasts.
Let’s deal with the “Zoom Bombing” story that’s gotten most of the headlines and even had the FBI issue an advisory. Bored teenagers (and there are many of those around at present!) were gatecrashing public Zoom meetings; in most cases, these appear to have been meetings where the actual invite link had been TWEETED out for *anyone* to click on. If you invite the entire internet to attend a house party, it really shouldn’t be headline news when some unwanted guests behave badly(!)
This is a classic case of “user error” – as advised during our Zoom webinar in March, if you’re going to use Zoom for mediations (or any business purpose) you should ALWAYS ENABLE WAITING ROOMS functionality and ALWAYS PASSWORD PROTECT your meetings. Once mediations start, you can also LOCK those meetings. Those steps alone make it impossible for unwanted guests to crash your meeting – period. And, on Apr 5, Zoom changed DEFAULT settings so waiting rooms + password requirement are the norm across all paid accounts now. (I’d also recommend NOT recording any meetings – but if you must, be sure to save the file to your local device, not in Zoom’s cloud.)
There’s also been an awful lot of fuss among IT folks over Zoom’s use of a technical term – “End-To-End encryption” or “E2E”. That term is reserved for messaging services like WhatsApp and Signal that are (in theory!) quite unbreakable. Zoom’s marketing folks played fast and loose, using the sacred E2E description when in fact the audio/video data encryption is tight, but not strictly end-to-end. Due to the complicated nature of the transmitted audio-visual data, Zoom’s servers need to ‘interpret’ who is speaking at any moment, so as to highlight that speaker’s window in real time and improve their bandwidth. In short, Zoom’s encryption is “only” as good as that employed by many major websites (including Google, Amazon, eBay, and a million others using 128-bit SSL-standard encryption). Still, and I can’t stress this enough – in real life, there’s never been an example where a scheduled and password-protected live Zoom meeting was ever hacked into. If any hacker HAD ever done so, you can be certain that “trophy video” would have been shared far and wide within the community for bragging rights.
That said, Zoom took the E2E criticism on the chin last week and their CEO published an open letter making it clear that they’re tripling down on efforts to ensure that their security is the best in the industry and *genuinely* E2E, thus (in theory) unbreakable. They’re smartly inviting outside “white hat” hacker groups, paying them to identify vulnerabilities which can then immediately be patched. So, does Zoom currently have “military-grade” encryption? No. Do any of us NEED military-grade encryption?! Well, no. BUT – ironically enough – in another 2-3 months, the coders I’ve spoken with believe that Zoom will likely have the tightest and most hacker-proof security in the entire industry, all the better for this wave of criticism.
The fact remains that Zoom has been used by some of the Academy’s most experienced mediators & arbitrators for several years now – and not one has ever had a problem. Zoom’s interface (as most of you know by now!) is by far the most intuitive, allowing us to *painlessly* move parties into caucus via the Breakout Rooms tool, which is an absolute necessity for our work. If Zoom remains good enough for use by most of the governments of Europe, currently meeting remotely, I think we’ll all be just fine!
I’m not alone in this analysis, good security analyst write-up here:
Btw, if you’re with a firm or have eager IT folks at the ready, there is a way to increase security right now, at a cost – by having the actual meetings run on your OWN server – further reading here and here.
All that said, there are other options. If you’ve clients that have been spooked by the tabloid headlines and insist on (military grade!) E2E security right-here-right-now, Cisco’s WebEx is an option. Members that have experience with WebEx and Zoom tell me they much prefer using Zoom, but WebEx does have its own version of the Breakout Room function, and within the settings is an option to remove ‘realtime video’ features and enable strict End-to-End data transfer.
Right, well – that’s quite enough tech talk for one day! I do hope this might be useful in reassuring your own clients as we continue relying on video meetings for the next while. I’ve posted a copy of this up on the Academy News blog, along with more links and ideas that might prove useful – just log into your account to read that.
Keep Calm and Carry On!
You may contact Darren A. Lee at email@example.com.