Lilly Gibson-Dougall | Cyber Security Fellow
The mindset of ‘create first, fix later’, which has become increasingly prevalent amongst app designers, needs to change. In the haste to create a convenient and desirable platform, app designers are sacrificing adequate safety and privacy checks.
Companies are aiming to minimise the ‘friction’ of their services, making their products as easy to use as possible. This is becoming an obsession within the design of technology, with major companies like Facebook, Uber and Airbnb openly advocating for ‘seamless’ technology that allows users to store more of their data while allowing the apps to do the heavy lifting.
Yet the more users on a platform and the more personal data collected, the greater the chance of an incidental or targeted data breach. A balance is needed between convenience and security.
If you had asked a group of people in January what they knew about the video-conferencing app Zoom, you probably wouldn’t have gotten a very detailed answer.
Now most of us are using Zoom multiple times a week—if not a day—for work and study. It’s an incredibly accessible platform that can be used for simple team meetings or classes, as well as webinars for large groups of people. It fosters connection during a time when many of us have been in isolation, allowing us to continue engaging face-to-face.
But the convenience of Zoom is exactly what makes it dangerous.
Zoom has gone from around 10 million daily users at the end of December 2019 to between 200 and 300 million by April 2020. The massive rise in online meetings has also seen the phenomenon of ‘Zoom bombing’ emerge: a form of online harassment where a group call is hijacked by someone who shares offensive or unexpected material.
An online Alcoholics Anonymous meeting was ‘Zoom bombed’ by an individual who shouted misogynistic and anti-Semitic slurs, as well as mocking attendees about alcohol use. An associate professor of African American studies from Princeton University was hosting a story time for children when a male hijacked the call, sharing inappropriate pictures and shouting racial slurs. These are two examples of a widespread method of trolling and harassment that has expanded across the platform.
There have also been reports of Windows and macOS vulnerabilities being sold on underground markets for $500,000, as well as concerns that Zoom is susceptible to foreign interference. Zoom has responded to the complaints and privacy concerns raised by a number of users, admitting that it was unprepared for the security issues that a significant increase in users would cause.
While Zoom is one of the most recent examples of an app failing to consider security concerns, it is by no means the only one. Uber, Microsoft, Google, Twitter and Facebook have all had to settle federal charges in the US concerning consumer privacy and security.
In sum, new online platforms and greater numbers of users inevitably bring the possibility of increasing cyber-attacks and data breaches, attracting trolls and hackers engaged either on behalf of foreign organisations or for individual motivations, who will seek to exploit their vulnerabilities.
But the wider problem of social media and app creators choosing to prioritise the design and accessibility of an app over its user security protections will only increase the likelihood of these cyber-attacks succeeding.
In an age where our lives are increasingly being lived online, which has been exacerbated by the COVID-19 pandemic, app creators need to be more concerned with users’ security and privacy.
Dropbox, a key partner of Zoom, have been offering rewards since 2018 for top hackers to exploit the vulnerabilities in the Zoom software. This strategy was twofold: not only did it help to diagnose gaps in Zoom’s security, but it also assisted Dropbox programmers in learning how to better address vulnerabilities before a major security breach.
This system of reviewing security both internally and externally is an innovative way of having those who possess hacking skills expose vulnerabilities within the system, while also allowing programmers to focus on security during the design phase.
However, at the end of the day, these solutions still need to be approved and implemented by those in key decision-making positions, and Zoom was a prime example of leaving this too late.
Lilly Gibson-Dougall is the Cyber Security Fellow for Young Australians in International Affairs.