Network Security. 2021 May 25;2021(5):7–13. doi: 10.1016/S1353-4858(21)00052-0

Facing up to security and privacy in online meetings

Reinhardt Botha 1, Steven Furnell 2
PMCID: PMC9760085

Abstract

One of the most noticeable effects of the Covid-19 pandemic from the technology perspective has been the significant uptake of online meeting platforms, which many have suddenly found to be a necessary alternative to face-to-face meetings in all manner of contexts. From relatively casual meetings that may have taken place among co-workers in the office, through to the staging of full conference events, online platforms have essentially come to the rescue when in-person gatherings were no longer an option.

There has been a significant uptake of online meeting platforms for everything from casual meetings to full conference events. In many cases, this has been driven by a rapid transition to home working.

However, with a significant number of people becoming first-time users, it caught a user population that was unprepared and unaware of what good security looked like. Additionally, with home working, they may have had no easy option to turn to for support. Reinhardt Botha and Steven Furnell examine the challenges that have arisen and how they can be addressed.



Of course, in parallel with essentially being forced to use the tools out of necessity, many have also found that they introduce an element of previously untapped flexibility, enabling and encouraging contact that may not previously have happened (which is not to say that the option was not there before – the technology would have enabled it, but relatively few were taking advantage of it).

At the same time, the rapid transition to home working left many organisations unprepared from a security perspective, with the use of online meetings representing one of the most notable consequences of working from home.1 With a significant number of people becoming first-time users as a result of the pandemic, it arguably caught a user population that was largely unprepared, unguided and unaware of what good security looked like. Additionally, with home working, they may have had no easy option to turn to for support.

Security challenges

This article spotlights the security and privacy challenges from a number of perspectives. While the infrastructure may present its own challenges to security and privacy, this paper does not consider that. The first order of business here is discussing security and privacy from the perspective imposed by the multitude of online meeting platforms that exist. Thereafter the paper moves to operational concerns, looking at security and privacy along the lifetime of the meetings: first the scheduling of the meeting, then the actual meeting, followed by post-meeting activities. Figure 1 depicts various areas in which security and privacy concerns will come into play (noting that the discussion of the infrastructure layer is out of scope for the discussion in this article).

Figure 1. Positioning of security issues related to online meetings.

Before proceeding it is worth noting that the increased adoption and use of such tools during the pandemic has led to a rather dynamic environment in terms of new versions and updates, and the technology has arguably evolved somewhat on the fly during the pandemic in response to demand for new features and fixes. As such, while this paper is commenting on the situation at the time of writing, there is a good chance that various aspects will have changed by the point of publication and beyond. Notably, however, given that the sampling period is around a year into the global pandemic, these are still the best features that users will have had during the majority of the home working period.

Multi-platform environment

One of the first challenges in terms of considering the security of online meetings is the sheer range of different platforms available. Among the most prominent examples are Zoom, Microsoft Teams, Cisco Webex, Google Meet and Adobe Connect. However, numerous other options exist (eg, a summary from TechFunnel catalogues a further 22 examples alongside those already listed), and their utility can vary depending upon whether the aim is to support casual discussion, team-based collaboration or speaker-to-audience events.2 For this article we will assume the generic context of a group meeting, which simply seeks to provide a virtual alternative for the sort of pre-pandemic meeting that would typically have taken place face-to-face in a meeting room.

Even if their organisation has settled on a particular platform, many users will have encountered various others as a result of dealings with other people or organisations that have made different choices. For example, in addition to using the five listed above, the authors' experience during the Covid-19 period also included using BigBlueButton, BlueJeans, GotoMeeting, Google Meet and Skype for Business. As such, users may have found themselves installing and configuring a multitude of different tools – often at short notice – when realising that they needed to download an additional client or plug-in in order to join an imminent meeting. Of course, this is exactly the sort of pressured situation in which security considerations tend to get side-lined in order to just get the technology working. And then, after the meeting is over, we commonly overlook or neglect the need to go back and check things further, because the tool is already working by that point.

Practical problems

In practice, the range of different tools may have led users into various practical problems, but two particular examples in terms of security include:

  • The inability to download or run a given tool because their configuration is locked down.

  • Downloading a multitude of new applications and then having more to maintain and update, which could be introducing vulnerabilities.

The latter aspect is of particular note, especially in cases where updates were needed due to security vulnerabilities having been discovered in the earlier versions.

As a widely recognised example, we can consider the case of Zoom. Having initially been heralded as the salvation for home workers, Zoom unfortunately acquired a bad name for security early on in the pandemic, as a result of lack of end-to-end encryption, concerns over data privacy and other vulnerabilities (perhaps the most notable of which was so-called ‘Zoom bombing’, where uninvited participants were able to enter and disrupt meetings). This subsequently resulted in an order from the US Federal Trade Commission, ordering Zoom to avoid misrepresentation of the data it collects from users and how it is protected, as well as to “establish and implement, and thereafter maintain, a comprehensive information security program”.3

Perhaps unsurprisingly, the negative coverage has somewhat stigmatised Zoom in terms of security and consequently affected many people's willingness to use it. However, it is by no means alone in having had vulnerabilities, and there were also a number of reports relating to other platforms. This is illustrated in Figure 2, which depicts the number of entries relating to different platforms within the Common Vulnerabilities and Exposures (CVE) database of publicly known cyber security vulnerabilities (see cve.mitre.org).

Figure 2. 2020 CVE entries for online meeting platforms.

The totals shown represent the raw number of 2020 entries that related to the platform in question, and it should be noted that these can vary in terms of specifics such as the operating system involved, as well as the severity of the vulnerability and the potential impact of its exploitation. Linking back to Figure 1, there may also be infrastructure vulnerabilities that impact the meeting platforms, which of course would not be listed as a vulnerability of the online meeting platform itself.

Considerations before meetings

Having considered the underlying platforms, the discussion now highlights further points that may arise during individual meetings. We start at pre-meeting configuration, then look at the measures during the meeting and conclude with observations from an after-meeting perspective.

A fairly immediate observation that can be made in relation to setting up meetings is that various security and privacy-relevant options can be rather hidden away. Indeed, various features will not be encountered in normal day-to-day use, unless the user knows to go looking for them. This highlights the fact that features not only need to be available – they also need to be suitably visible and accessible.

For example, in Teams, the meeting options are reached through a link at the bottom of the message (see Figure 3). Since the link is part of the message, it can cause further confusion: the link is available to everybody, although only the organiser can make changes.

Figure 3. Teams meeting options.

As a more substantial example, we can look at the security options available for scheduling a meeting in Zoom, comparing those presented directly within the application (Figure 4) and the further web-based options available if the user follows a link to change settings (Figure 5). The web portal clearly offers a range of further options that could be useful, and which users may wish to configure on a per-meeting basis (particularly around the points that relate to controlling/limiting access). However, the fact that they are in this interface rather than the main one reduces the likelihood of them being seen and remembered. In fact, some users may never see them, as without clicking the link to go looking there is no indication of what further options are there to be found.

Figure 4. Basic meeting security options from Zoom desktop app.

Figure 5. Further meeting security options from Zoom web portal.

Controlled access

Controlling access to meetings is critical. The use of passwords adds a perceived layer of security to the meeting. However, it should be noted that in Zoom, for example, passwords are per meeting and not per user. As such, a password provides no proof of identity but only adds an extra hurdle. If these ‘passwords’ are advertised through bulk emails or social media, they add no security or privacy to the meeting.

Zoom has encountered negative coverage as a result of unauthorised users entering unprotected meetings when the pandemic forced online meetings to become the norm. Zoom introduced the option to protect accounts with two-factor authentication.4 However, it should be noted that while two-factor authentication gives participants assurance that their account is not being used by an unauthorised party, for meeting organisers it adds no additional proof, as profile details can be easily spoofed.

When the above is considered in the context of organisations, a bigger burden of proof can be required. For example, Teams could restrict meetings to the internal organisation, thus requiring users to authenticate to the domain. Similarly, in Zoom, users can choose to require that a user is signed into Zoom with a specified domain, or even require authentication to an external single sign on (SSO) provider. Since this may not always be plausible to implement, there are other mechanisms to support security and privacy efforts in relation to controlling access to meetings:

  • Lobbies or waiting rooms can require the user to be approved and let in by the host. Within MS Teams, this can be bypassed for people that are part of the organisation and thus already authenticated within the organisation, removing an additional burden on the administrator. Users from outside the organisation are then authenticated based on information displayed from their current authentication to Teams. Zoom also provides a waiting room that can be customised. In small meetings, administrators could clear the waiting room quickly as participants may be known or quickly confirmed. However, in large meetings, this can add a considerable overhead to the administrator who needs to ‘authenticate’ a user with minimal proof (eg, based on a user's screen name). If someone has been admitted to the meeting in error, or a certain portion of discussion needs to remain confidential from certain participants, then they can also be placed back into the waiting room. However, this option is not fully available on the fly, as the waiting room facility typically needs to be enabled by the host when setting up the meeting.

  • Country-level locks can be used in Zoom to limit the attendees to a specific country. This may ease the administrative burden if the administrator can be confident that meeting participants are only from certain countries. However, this requirement may conflict with other security and privacy mechanisms used by participants. Most notably, VPNs may make it appear that a user is in a different country than they really are. The corollary to this is that attackers can make it look like they are in a country when they are not.

  • Join before host options may lead to people joining the meeting before determining whether they belong there. If the participants are not aware of who belongs in the meeting, it could cause privacy and confidentiality concerns. While this may not be relevant in public meetings, in private business meetings, this could be problematic. In both cases, unwanted participants could be disruptive.

  • Auto-mute on entry options serve to prevent interruptions of that nature and prevent people joining the meeting late from being unintentionally disruptive.

Pre-meeting configuration

There are also further pre-meeting configuration options that can have an impact upon the privacy of the subsequent meeting content. Again, using Zoom's settings as a point of reference, two relevant examples are as follows:

  • Meeting convenors also have the option to auto-record the meeting from the start. While this is indeed convenient for the organiser, who may need the recording to create minutes of the meeting, auto-recording takes away the opportunity to warn and receive consent from participants for recording verbally. Recording of meetings creates potential concern throughout the meeting's lifecycle and is further discussed below in the in-meeting and post-meeting contexts.

  • While both public and private chat channels are generally available within the meeting platforms, organisations might wish to give more consideration as to whether they allow it. Aside from the distraction of the side-line conversations that can arise, the chat represents data generated by the meeting. Thus, an artefact that could be saved and become privacy-relevant is created. These settings need to be configured before the meeting takes place. Another interesting aspect to consider is the interaction between features. In Zoom, for example, users who are recording the meeting also save any private chats that they participated in as part of the meeting transcript.5

All of this serves to show that the configuration options available to convenors during meeting setup provide some control over the resulting security and privacy aspects of a meeting. However, other attendees do not have any control at this stage, including the visibility of the meeting configuration. For example, privacy-sensitive participants cannot determine whether meeting recordings will be allowed before the recording. With this in mind, the next section proceeds to examine the options that convenors and attendees have once meetings have started.
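The access-control and pre-meeting points above can be applied as a pre-flight check on a meeting's settings before the invitation goes out. The following is an added example, not code from the article or from any platform: the setting names, the 50-attendee threshold and the two sample meetings are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical, platform-neutral setting names (assumed for this example).
@dataclass
class MeetingConfig:
    title: str
    expected_attendees: int
    invite_channel: str = "direct"   # "direct", "bulk_email" or "social_media"
    passcode_required: bool = False
    require_sign_in: bool = False    # attendee must be signed in to the platform
    allowed_domains: tuple = ()      # sign-in restricted to these domains / SSO
    waiting_room: bool = False
    join_before_host: bool = False
    mute_on_entry: bool = False
    country_allow_list: tuple = ()
    auto_record: bool = False
    private_chat: bool = True

LARGE = 50  # assumed size above which manual admission becomes a burden
PUBLIC_CHANNELS = {"bulk_email", "social_media"}

def identity_bound(c):
    """True only when entry is tied to an authenticated organisational identity."""
    return c.require_sign_in and bool(c.allowed_domains)

# (severity, code, predicate, rationale drawn from the discussion above)
RULES = [
    ("high", "OPEN_MEETING",
     lambda c: not (c.passcode_required or c.waiting_room or c.require_sign_in),
     "no access control; uninvited participants can enter and disrupt"),
    ("high", "PASSCODE_PUBLISHED",
     lambda c: c.passcode_required and c.invite_channel in PUBLIC_CHANNELS,
     "a per-meeting passcode advertised in bulk adds no security"),
    ("medium", "NO_IDENTITY_PROOF",
     lambda c: not identity_bound(c),
     "passcodes and self-chosen profile details do not prove who is joining"),
    ("medium", "WAITING_ROOM_OFF",
     lambda c: not c.waiting_room and not identity_bound(c),
     "typically has to be enabled at setup, so nobody can be held back later"),
    ("low", "WAITING_ROOM_LOAD",
     lambda c: c.waiting_room and c.expected_attendees >= LARGE and not identity_bound(c),
     "host has to vet a large audience on screen names alone"),
    ("medium", "JOIN_BEFORE_HOST",
     lambda c: c.join_before_host,
     "attendees gather before anyone has confirmed who belongs"),
    ("low", "COUNTRY_LOCK_ONLY",
     lambda c: bool(c.country_allow_list) and not identity_bound(c),
     "VPNs make apparent location unreliable in both directions"),
    ("low", "NO_MUTE_ON_ENTRY",
     lambda c: not c.mute_on_entry,
     "late joiners can interrupt, intentionally or not"),
    ("medium", "AUTO_RECORD",
     lambda c: c.auto_record,
     "recording starts before participants can be warned or give consent"),
    ("medium", "RECORDED_PRIVATE_CHAT",
     lambda c: c.auto_record and c.private_chat,
     "private chats the recorder took part in may be saved with the recording"),
]

def audit(cfg):
    """Return (severity, code, rationale) for every rule the config trips."""
    return [(sev, code, why) for sev, code, pred, why in RULES if pred(cfg)]

# Constructed sample configurations, not taken from any real meeting.
PUBLIC_WEBINAR = MeetingConfig(
    "Public webinar", 300, invite_channel="social_media", passcode_required=True,
    waiting_room=True, join_before_host=True, country_allow_list=("ZA",), auto_record=True)
INTERNAL_REVIEW = MeetingConfig(
    "Internal review", 12, passcode_required=True, require_sign_in=True,
    allowed_domains=("example.org",), mute_on_entry=True, private_chat=False)

if __name__ == "__main__":
    for cfg in (PUBLIC_WEBINAR, INTERNAL_REVIEW):
        print(cfg.title, [code for _, code, _ in audit(cfg)])
```

The domain-restricted internal meeting passes without a waiting room, matching the point that authenticated organisational users can bypass the lobby, while the publicly advertised webinar is flagged even though it has both a passcode and a waiting room.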

Considerations during meetings

Once meetings are underway, it is fair to say that attendees have limited control over things. Unless prevented by the host's prior settings, they can elect whether to be visible on camera and whether to participate via microphone or chat. However, there are a couple of notable aspects in which they may have some further decisions or considerations to be faced.

Virtual backgrounds or background blur: This allows participants the option to have some privacy of their surroundings when on camera, which can be particularly relevant for home working if they do not wish to give others a view into their domestic environment. Support for this aspect is still quite varied between platforms. For example, Zoom had offered the option for custom backgrounds from the outset of the pandemic, whereas Teams initially supported only background blurring or a few pre-set images but was offering fully custom backgrounds by June 2020.6 Meanwhile, Adobe Connect does not offer any background privacy features, and Google Meet only supports them if the user is accessing the meeting via the Google Chrome browser (and has suitable hardware to support the use of the video effect).7

Recording the meeting: Various platforms allow for the recording of meetings. What is potentially problematic is the control given to the participants. As an example, we can consider the recording of meetings in Microsoft Teams. While participants are told that the meeting is being recorded, they are offered no warning or option to opt out before it starts. Teams tries to remind the host to exercise courtesy by telling the participants that they are being recorded (see Figure 6a), but ultimately there is nothing that requires participants to have received any consent confirmation. Meanwhile, what the other participants get to see is presented in Figure 6b, and the message presented to them seems rather disingenuous. It is clear that the recipient is not getting a complete opportunity to opt out (eg, if he was already in vision at the time the host started to record, then even if he disables his camera at this point, he will be visible for a brief portion of the final recording).

Figure 6. Teams recording notifications for (a) host and (b) participants.

Considerations after meetings

The main issue after meetings tends to arise if the session has been recorded, as this introduces issues around the storage and distribution of recordings and/or associated text transcripts.

Distributing recordings of meetings: Some platforms, for example MS Teams, do not allow sharing of the recording outside of organisational boundaries, which leads to downloads and distribution through other channels. While you give consent to be recorded (albeit without an option to opt-out and still be part of the meeting), the basic message says nothing about the distribution/use of the recording. To reflect on the implications of this, think of a time when online meetings were not as pervasive. People might have felt very comfortable with the meeting secretary making a recording for use in the compilation of minutes, but not for other purposes. Those recordings were generally voice-only and access to them was strictly controlled. People might assume the same about the recording of online meetings, but this may not reflect what is happening. First, a video recording differs significantly in privacy terms from a voice recording. It represents the person's likeness, and if background blurring is not used, the person's surroundings. Second, the recordings are often available to all participants of the meeting. While this may not seem like a problem, it would allow for easy distribution, possibly resulting in confidentiality and privacy concerns. The problem lies in the lack of control by the participant who was recorded.

Automatic transcripts: The ability of platforms to create automatic transcriptions of recorded meetings introduces another artefact that must be managed securely. As with the recordings themselves, the transcript puts people more ‘on the record’ throughout a meeting than they might previously have been. Casual or even indelicate comments (that may have been overlooked or omitted from formal minutes) are no longer ephemeral. Thus, the transcripts need to be considered as having at least the same level of sensitivity as minutes from a meeting.

Variations and complications

Another dimension to the challenge is that some of the platforms can be used via web browsers or locally installed applications, and the features and control available to users can vary as a result (eg, in Adobe Connect, screen sharing and offline recording are not available to users via the browser and can only be done using the desktop application).8

Additionally, while the discussion has looked at desktop versions, there are further variations to be found in the mobile apps. As observed in prior work over a decade ago, desktop and mobile contexts can often differ in the security options that they offer.9 Figure 7 illustrates elements of the desktop and mobile interfaces for Zoom, from macOS and iOS versions respectively, and (aside from the layout) the range of key options is ostensibly the same. However, there is a notable difference insofar as opening the option in the desktop version offers the user a pop-up window with a link to their ‘Default settings’ (from which the various other security and privacy-related meeting settings are available).

Figure 7. Schedule Meeting options in Zoom (a) on desktop and (b) on mobile.

The Zoom app usefully reports that it has synchronised settings from the web portal, but offers no link to get to them. Similarly, there is no option to reach them from within any of the other settings within the app, whereas the desktop version provides a link as part of the General settings. This is arguably significant when this interface is the only route to accessing some of the security-related settings (eg, the option to require a passcode for participants joining by phone). While mobile users could login separately via a web interface in their browser, this clearly breaks the user experience (and they need to know/remember that such settings are there in the first place – having the link as part of the app interface flags it for possible exploration, which is especially useful if users are looking around to answer the question ‘is there a way to do XYZ?’).

Conclusions

There is no denying that online meeting platforms have been a lifeline for many activities during the pandemic. As such, it may even feel unpleasant to be negative about them. Moreover, the discussion may ultimately seem to be suggesting a catalogue of criticisms and finding faults without offering any solutions.

However, part of the point is that a solution should not need to be found in the first place – various of the issues highlight further examples showing that there is a lack of security by design, alongside an apparent lack of consideration or prioritisation of security and privacy aspects in the user interface and experience. Many of the issues are likely to be resolved over time as the tools evolve, but it would be nice to imagine that we will one day reach a point where such gradual nudging towards effective security is no longer needed because it will be there from the outset.

Biographies

About the authors

Reinhardt Botha is a professor of information technology and director of the Centre for Research in Information and Cyber Security (CRICS) at Nelson Mandela University, South Africa. His research interests include information security and privacy, security management and access control. He has authored around 100 papers in refereed international journals and conference proceedings.

Steven Furnell is a professor of cyber security at the University of Nottingham. He is also an honorary professor with Nelson Mandela University and an adjunct professor with Edith Cowan University in Western Australia. His research interests include usability of security and privacy, security management and culture, and technologies for user authentication and intrusion detection. He has authored over 330 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society and Computer Insecurity: Risking the System. Furnell is the chair of Technical Committee 11 (security and privacy) within the International Federation for Information Processing, and a board member of the Chartered Institute of Information Security.

References


Articles from Network Security are provided here courtesy of Elsevier
