NAM'S RESPONSE TO SECURITY CONCERNS ABOUT ZOOM AND ITS IMPLEMENTATION OF ADDITIONAL SECURITY MEASURES

Posted on Apr 07, 2020 |News

Recently, you may have seen or heard about press coverage relating to security questions surrounding the use of Zoom technology.

NAM has conducted conferences/hearings via videoconferencing equipment for the last 25 years and, as such, has a deep knowledge and understanding of this technology. Since NAM started using Zoom technology (which pre-dates the Coronavirus pandemic), we have never had a security issue with respect to any virtual hearings/conferences.

NAM takes security and the security of our clients very seriously. NAM already has multiple security measures in place and is continuing to monitor and implement additional layers of security to protect our clients.


ZOOM BOMBING

What is it?

Many Zoom bombing incidents have amounted to a form of trolling. Hackers gain access to a Zoom meeting and attempt to disrupt the video chat or put disturbing or offensive images in the video feed.

How does it work?

Normally, for most organizations, each Zoom conference is assigned a meeting ID that consists of 9 to 11 digits and, for the sake of simplicity, many times, organizations use what is called a Personal Meeting ID (PMI). Because the majority of meetings start with https://zoom.us/, trolls can write programs to try to figure out the 9 to 11-digit meeting ID. Hackers have figured out they can simply guess or automate the guessing of random IDs within that space of digits.

The majority of Zoom bombing attacks appear not to be the product of flaws in Zoom's code, but rather of users' overall cybersecurity hygiene and their imperfect command of Zoom's privacy settings.

If a Zoom meeting is set to public, it can be accessed by anyone with the correct link. According to a cybersecurity firm, bad actors can find these addresses simply by searching for “zoom.us” on social media sites like Facebook, where public meeting links are often posted.

Per Zoom: Most importantly, Zoom users should not share meeting links publicly. This is perhaps the single most obvious precaution you can take. Rather than posting a meeting link to a Facebook group or in a promotional tweet, distribute information via a more private method, such as email.

Zoom said it now blocks repeated attempts to scan for meeting IDs, and that it will no longer automatically indicate if a meeting ID was valid or invalid.

What is NAM Doing About it?

  1. When scheduling meetings, NAM never uses static Personal Meeting IDs. Each NAM meeting is given its own unique meeting ID that is used only by that meeting's participants and is specific to that scheduled case. So, for example, when NAM has multiple hearings/conferences going on at the same time, or when a neutral has multiple hearings/conferences in one day, every meeting ID number is different. As such, participants in one case cannot enter the hearing room of another case. Additionally, meeting IDs are dynamically generated at the time each conference/hearing is scheduled. Invitations which contain the hearing dial-in information are case-specific and are ONLY sent to the participating parties. This information is NOT made available to the public.
  2. For its hearings, NAM meetings never use the generic https://zoom.us link used by other Zoom users. Because of NAM's security approach and partnership level with Zoom, we have a branded URL that is not listed here for security purposes and is not available to the public.
  3. NAM takes their customers' confidence and the security we provide very seriously. NAM has implemented an additional protective measure to further prevent uninvited guests from entering our meetings. Going forward, for any newly scheduled cases, participants in NAM conferences/hearings will be provided with a link that contains a unique meeting ID and a 33-character encrypted password (that is auto-filled and unique to that meeting) in order to enter the meeting. This double-layer authentication process is an added barrier to any potential intruder. Similarly, NAM requires participants joining by phone to enter a Meeting ID as well as a Password.
  4. Unlike a public meeting, NAM's neutrals serve as the hosts and have total “control” over the session. The neutral has the ability to immediately isolate and remove any unauthorized participants.
  5. The NAM neutral controls the content that is shared on-screen with the other participants, including documents and/or videos.
  6. NAM's IT Department monitors each virtual hearing and is readily available to assist at any time should the need arise. This includes monitoring the meeting rooms to ensure that only authorized participants join.


ZOOM'S DATA COLLECTION AND DATA SHARING

What is it?

According to the company's privacy policy, Zoom collects data on you, including your name, physical address, email address, phone number, job title and employer when you set up an account with Zoom.    

Is information collected when you participate in a NAM conference/hearing?

No. If you enter a NAM conference/hearing by using the instructions and the link provided by NAM rather than using an account that you have set up with Zoom, no information is being collected and stored. NAM does NOT require users to provide personal information nor does NAM provide Zoom with any information and at no time does NAM save this information.



THE ZOOM APP COMPILES “CONTACTS” INFORMATION

What is it?

Zoom organizes contacts by email domain to create a “Company Directory.” That means you can search for anyone and find their user photo and their email address and then start a video call with that person.  

Does NAM use this Group feature?

No. NAM does NOT share client information with Zoom and there is no client information in NAM's directory with Zoom.


NAM MEETING SECURITY OVERVIEW

The following in-meeting security capabilities are available to the meeting host (that is, the NAM neutral):

  • The room is notified every time someone enters or leaves a meeting
  • The neutral is notified if a participant joins the meeting before them
  • The neutral can put attendees on hold
  • The neutral can temporarily remove an attendee from the meeting
  • The neutral can expel a participant or participants. Removed participants are not allowed to rejoin.
  • All group and individual chats are disabled. Only the neutral can chat with a participant.
  • The neutral can mute/unmute a participant or all participants.
  • Only the neutral can turn on/off video
  • There is a temporary pause to screen-sharing when a new window is opened which allows the neutral to preview its content
  • By default, participants cannot share their screen. Only the neutral controls who can present and screenshare.
  • Nonverbal communication using the chat feature among the participants is disabled; the only chat permissible is between the neutral and a particular participant
  • Only the neutral can create and place meeting participants into separate caucus rooms
  • Live streaming of a meeting is disabled
  • Participation in the meeting is only allowed by using the assigned meeting ID and Password. There is no ability to join a meeting by calling a participant.
  • Only the neutral can lock a meeting
  • Only the neutral can end a meeting


SECURITY AND PRIVACY CERTIFICATIONS OF ZOOM

We are available…to answer any of your questions regarding NAM's security measures.

If you, or any member of your IT dept. has any questions, NAM's Director of Information Technology, Angelo Sirigos, can be reached at asirigos@namadr.com or 516-941-3285.

Please stay safe and healthy… together, we will get through this.

Jacqueline Silvey Esq.
General Counsel
NAM (National Arbitration and Mediation)