Is Zoom encryption secure enough for counselling? Recently Zoom hit the news for not using end to end encryption.
So is Zoom safe for counsellors to use?
I’m writing a series of short blogs to help you decide. This second one is all about Zoom’s encryption and whether it means client confidentiality is impaired.
This blog refers to Zoom’s standard account, not its HIPAA plan.
What does Zoom say about encryption?
In a recent statement, Zoom said:
“To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients” (Zoom Statement on Encryption)
So if Zoom is using encryption, what’s all the fuss about?
What is Encryption?
Computer encryption is where data is translated and can only be read by someone who has a key to the translation. Encryption enables safe communication across the internet.
End To End Encryption
The gold standard of encryption is “end to end”. This means no one can understand the data except the two parties at either end. They are the only ones to hold the key.
So the fuss about Zoom is its encryption. Zoom does encrypt data but, crucially, it also holds the key.
Encryption Strength
Zoom uses a low strength algorithm. Therefore, security experts at CitizenLab extracted some picture information and some sound from Zoom. These are sophisticated, well-resourced professionals and you can read their report here (CitizenLab Zoom Report)
Zoom could change its algorithm quite easily. However there is a trade off between encryption strength and computer processing power.
This means a safer Zoom will probably be a slower and more glitchy Zoom. There will be more screen freezing and disconnections, especially on older phones and computers.
When Is Encryption Not Used?
Also, there are some instances where encryption is not used, as follows:
- Telephone calls to Zoom where the user dials the telephone number stated in the invitation. This is because it is impossible to encrypt traditional telephone calls. Audio usage within the app – “computer audio”- is encrypted
- Calls that are recorded and then stored in the cloud (they are decrypted for storage purposes)
So in order to ensure more privacy, do not record calls to the cloud and do not connect to the call by dialling in by phone.
Use the app instead and connect via computer audio.
Photo by david laws on Unsplash
So Are My Counselling Calls Confidential?
This cannot be guaranteed because:
- Zoom can decrypt them
- This means Zoom or the government can listen in
- Zoom’s encryption algorithm is weak
- Telephone calls cannot be encrypted
CitizenLab security researchers say:
Based on the findings of our April 3 report, we discourage the use of Zoom in cases where strong confidentiality and privacy is required, including:
- Governments worried about espionage
- Businesses concerned about cybercrime and industrial espionage
- Healthcare providers handling sensitive patient information
- Activists, lawyers, and journalists working on sensitive topics (CitizenLab FAQ)
This sounds damning. Can I continue to use Zoom, or should I start to seek alternatives?
In the next section let’s talk about what this means for us as counsellors.
Concerns about Zoom Encryption for Counselling
In computer security, the starting point is deciding what the threat is.
For example, banks will be concerned about financial hacking. Governments will be concerned about hostile states.
What will clients be concerned about?
Likely Concerns for Clients
I think clients are concerned about:
- Friends and relatives
- Employers and work colleagues
- The general public
- Medical and legal authorities
Who do your clients want to protect themselves from?
Encryption for the “Average” Client
For many clients who seek confidentiality, Zoom encryption may be considered sufficient as it is very unlikely that the general public (friends/family/work/healthcare providers) will be able to access their Zoom conversations.
Even with Zoom’s weak encryption algorithm, sophisticated hacking needs to take place for calls to be heard when they are connected via computer audio. (Please see also Previous Blog about observing Zoom meeting security protocols).
For the average client the following is more important than the Zoom algorithm:
- good password discipline
- updating programs
- locking phones/computers to prevent spyware being installed
Encryption for Sensitive Issues
However, where clients are vulnerable to sophisticated eavesdropping, Zoom is not appropriate. Examples include celebrities, people who could be blackmailed due to their work, victims of domestic violence.
Company/State Surveillance
It is possible that Zoom or legal authorities could listen in.
Zoom says:
“Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list” (Zoom Statement on Encryption)
This is reassuring because it is saying that Zoom does not have a system to allow legal authorities to listen.
Furthermore, their employees cannot do so without you knowing they are there.
However, do you believe Zoom?
Will this be a concern to your clients? It depends on what they talk about and their own attitudes to state surveillance. You only know this by asking them.
Client Autonomy
With the understanding gained from this blog, you may wish to have a discussion with your clients about the issues. You may want to include a disclaimer in your contracting that security cannot be guaranteed.
However, it is worth noting that telephone calls cannot be encrypted and both phones and counselling rooms can be bugged. 100% confidentiality can never be guaranteed.
Conclusion
Computer security is never 100% guaranteed. In my opinion, for the vast majority of users, Zoom can be considered sufficient.
There is a trade off between security and usability. One of Zoom’s benefits is it is very stable. Clients have a smoother experience of counselling than with some other platforms. So for many counsellors, it may be that they choose psychological contact over encryption purity.
Another point to note is that, because of its popularity, Zoom has been subjected to scrutiny. It has acted quickly to address security concerns. There is no guarantee that other platforms are safer. They just haven’t hit the news.
In computer security the real weak spot is not the computer program but the users. My next blog looks at the issue of Zoom accounts being available on the dark web.