Zoom buys Keybase to change perceptions about its security
Zoom has announced it’s acquiring the secure messaging and file-sharing vendor Keybase. Zoom says this is part of its 90-day plan to strengthen the security of its videoconferencing platform (subtly rebadged to ‘video communications’ to make it sound more modern and less corporate).
Announcing the acquisition, Zoom says this is “a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom’s wide variety of uses. Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behavior on our platform”.
Since the beginning of the Coronavirus Crisis, Zoom has become so commonly used for business and consumer applications that like Hoover, Uber, Google, Photoshop and Powerpoint, its name has become a verb. Zoom now means ‘to videoconference’. The resulting exponential growth is what tech firms and their investors dream about, and is so profound that it has reignited the entire sector – with lesser known rival BlueJeans, for example, which is reported to have a mere 15,000 paying customers, being snapped up by Verizon for a cool $500 million.
Zoom is already worth far more than that – at least on paper. But its brand and its value have been challenged by poor security – most notably for obvious security flaws such as ‘zoombombing’ (another neologism). While it has acted swiftly to close security issues – such as placing participants in a ‘lobby’ before admittance – the perception it’s insecure has spread as swiftly as its fame. Resetting that button afterwards can be challenging.
The devil, as they say, is always in the detail. Zoom notes that its audio and video content is already encrypted at each sending client device, to AES-GCM standard with 256-bit keys. These encryption keys are, however, held in the cloud. The change they are proposing is to use public cryptographic identities that are stored in a repository on Zoom’s network. In future, a per-meeting symmetric key will be generated by the meeting host which will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees. The host’s client software will decide which devices are allowed to receive meeting keys, and thereby join the meeting. They say they are also investigating other mechanisms for additional layers of authentication.
In addition, they will enhance the reporting mechanisms available to meeting hosts to report unwanted and disruptive attendees and use automated tools to look for evidence of abusive users based on ‘other data’ (data ‘other’ than monitoring the meeting itself).
They note that they have no means to decrypt live meetings for lawful intercept purposes and cannot insert their staff (or anyone else) into a live meeting without that being reflected in the participant list. In other words, there are no ghost users. It also says there are no cryptographic back doors.
But the Zoom case is notable for a number of reasons. Here’s 7 things we can learn from it.
1. Timing is everything in tech
In 2019 videoconferencing was still a promising technology that had largely failed to take off. The embers still glowed but the fire wasn’t impressing anyone. Six months later it was the right technology at the right time. The question is can it keep that position once lockdown finishes and the New Normal commences? The tech industry is littered with the corpses of great companies that brought tech to market too soon, failed to ignite public interest, or missed the technology boat. In tech, timing is everything.
2. The platform wars aren’t over
This isn’t the first time videoconferencing has been sexy. The less-sexy sibling of video communications was *the* thing back in 2005 when eBay bought Skype for $2.6 billion. Four years later Skype’s value had grown by a mere $250 million when it was resold to Silver Lake et al who did a great job of exciting Microsoft who subsequently paid $8.5 billion for it in 2011. And then *nothing* happened. In fact Skype’s considerable potential was stifled by Microsoft’s inability to make it mobile – enabling Apple and WhatsApp to eat its market.
Lockdown has seen families and teams utilising Zoom via laptops and WiFi because they’re at home, but the platform wars aren’t over. New normal will see mobile device usage over WiFi resurge, because its easier and far better for quick ad hoc meetings. Usability will once again climb up the agenda and mobile applications are usually better for personal access. Zoom is a conferencing app, despite what it says, built for groups of people, and not a communications app built for individual users.
3. Zoom clearly illustrates the importance of UIP
Zoom isn’t an entirely insecure application – communications were already encrypted. But what it clearly illustrates is that users are the weakest link in the security chain. Users were blithely sharing their Zoom meeting link with others (because it was easy) and the wider the link was shared to friends of friends, the greater the risk of misuse that ensued.
Security has to protect the user from their own mistakes in a non-intrusive way. We call such a user-centric approach to cybersecurity User Isolation Protection (UIP) and you can read more about this here.
A UIP approach isn’t *just* about encryption and other security techniques – although these are extremely important – it’s about understanding user behaviour so that all the Air Gaps that threat actors exploit are closed. In this case the Air Gap was the human being’s propensity to be social (sharing) and to prefer ease-of-use – but something as simple as changing the meeting link after each meeting would have saved users from themselves and prevented zoombombing to take place.
4. Perception is everything
5G is not Ming the Merciless’s attempt to destroy the world. It doesn’t carry coronavirus, it doesn’t help the virus replicate and it isn’t radioactive (it’s just radio). But that hasn’t stopped some people perceiving 5G to be a very bad thing, much to the mystification of the mobile industry (see Tower Infermo As Conspiracy Theories Get Out of Hand). People are already repeating the mantra that Zoom is insecure due to the extensive publicity given to zoombombing and criticism of its security in the press.
This acquisition is therefore as much about perception, and being seen to visibly do something, as it is about technology. That said, once a fire starts burning in the press it’s hard to press reset. Zoom needs some fast action and some brilliant crisis comms to pull this one around, because as easily as traffic can flow to an application, there’s little loyalty today amongst users and that traffic can quickly flow away. Any rival worth their salt will be quietly shoring up their own security before putting out a campaign to explain why they do the exact same thing as Zoom but a lot more securely.
5. Free clients can destroy your company
Zoom is a business app. But because it’s free to use at a basic level, it’s been adopted for a lot of consumer uses during the coronavirus crisis. On one level that’s great – lots of publicity, lots of people learning to use the tech who might later be converted to paying customers. But we have to remember these are users not customers – they’re using your technology but not paying you for using it. This has become something of a conundrum for US tech firms who are great at making tech everyone wants to use, but not always so great at monetising their user base.
But free clients come with a cost. They are not free to support and they can strain your performance while not compensating you so that you can scale. Free clients expose you to the full range of human fallabilities (such as sharing links) because of their volume and their lack of commercial engagement. At the same time, it’s free clients that will slam you in the press when you don’t meet all their expectations. And it’s free clients that will leave you en masse because they have no loyalty to you.
Building a huge base of free clients is a double edged sword and you cannot assume that simply having eyeballs or users will easily translate into dollars, euros and pounds. That’s why it’s curious that Zoom is initiating its new security features just for paying customers. This might make business sense on one level, but leaving the non-payers less secure could be another PR disaster waiting to happen.
6. Things that aren’t true can kill you
One of the amusing things about life in the tech industry is when educated, rational people encounter the irrational. They quite literally don’t know what to do. I’ve seen brilliant and articulate engineers, scientists and strategists bemused and speechless in the face of conspiracy theories.
Conspiracy theories are an example of two worlds clashing – one built on reason and another built on emotion. 5G at the end of the day is just radio and anyone who’s irrationally afraid of their TV is regarded as a crackpot. Similarly, there’s no evidence of ghost users in Zoom. But that perception is now so strong – that someone is listening in – that Zoom has had to deny it’s possible. But even with denial, the ‘no smoke without fire’ retort nullifies their well-designed and rational correction. Conspiracy theories kill companies and are hard to stamp out.
7. Privacy is as big a concern as security
Privacy and security are often bundled together as though they’re synonyms. They’re not. Even if Zoom was perceived to be robustly secure, that wouldn’t allay fears that it’s not 100% private. Another statement that Zoom has been forced to make is that it doesn’t have any inbuilt mechanism for lawful intercept. This statement was to counteract fears that the government, not criminals or idiots, are snooping on users.
The privacy spectrum ranges from countries where it’s accepted the government will snoop as a matter of course (North Korea and China); to those where it’s accepted that the government will do this only if necessary with controls against misuse (most European countries); and those where the biggest fear of the population is that government is trying to control them (the US). As this is a spectrum, individual countries, as well as individuals within countries, have different expectations of privacy, all of which has to be navigated by tech firms to avoid disastrous PR. The cultural differences in usage of tech are an area that’s often overlooked, with many tech firms assuming that the world is like the country they live in or the people they know, only to later find out it isn’t.
Of course, the next PR disaster in the making will be when it’s reported that Zoom is now so secure that terrorists can use it for both quizzes and real conspiracies. You literally cannot win them all!