The coronavirus pandemic has forced a lot of lawyers to use video conferencing to “meet” with coworkers and clients. One of the most popular video conferencing platforms is Zoom. There are others, but we see Zoom as the choice of many lawyers, especially those in solo and small firms. While we can’t cover all the options and settings for Zoom, we’ll try to give our advice on the best ways to use and secure Zoom for your firm.

The growth in Zoom usage has exploded. As of the end of December 2019, there were approximately 10 million free and paid daily meeting participants. In contrast, that number has increased to more than 200 million free and paid daily meeting participants in March 2020. The boom in usage has squarely put the crosshairs on Zoom. Multiple security and privacy issues have been discovered and exposed by security researchers and journalists. Some of the publicity was accurate, and some of the media statements were wrong or overblown.

On April 1, 2020, Zoom CEO Eric Yuan announced there would be a feature freeze for the next 90 days while resources are concentrated on fixing the “biggest trust, safety, and privacy issues.” As a result, we’ve updated our recommendations regarding Zoom, given that the company is currently in damage-control mode fixing some issues. Make no mistake about it, though: Clients and lawyers love Zoom. As Zoom has fixed more and more security defects, we believe it is a good video conferencing solution for lawyers as long as they learn how to use it properly.

Introduction to Zoom

The first question for rookies is, what is this thing called Zoom? According to the website, “Zoom is the leader in modern enterprise video communications, with an easy, reliable cloud platform for video and audio conferencing, collaboration, chat, and webinars across mobile devices, desktops, telephones, and room systems. Zoom Rooms is the original software-based conference room solution used around the world in board, conference, huddle, and training rooms, as well as executive offices and classrooms.”

Zoom is easy to use (for lawyers and clients) and is available across multiple platforms and operating systems. You can use your mobile device with apps available for Android and iOS. There are desktop clients available for macOS, Windows, and a bunch of Linux/Unix versions (for example, Ubuntu, Linux, CentOS, and OpenSUSE).

Tools & Equipment for Using Zoom

You will need some sort of camera to participate in a video conference. Most modern-day laptops are equipped with a webcam for video conferencing. You could even use your iPad or smartphone with Zoom. Another consideration is sound. The built-in microphones for laptops or phones may not provide particularly good sound. Consider using a headset (with microphone) or earbuds. You’ll be able to hear better, and so will the other participants. Besides improving the audio quality, headsets and earbuds help cut down on the ambient noise.

Keep in mind that where you sit during the video conference will have an effect on your appearance. If your back is to an open window, the brightness may make you difficult to see. Light sources (lamps, skylights, and so on) behind you will have the same effect. Objects behind you may be distracting, too. Think about what the person on the other end is seeing.

In general, be aware of people around you. Family members may be able to hear you discussing confidential information even if you are wearing a headset.

Participating in Meetings via Zoom

We’ve participated in a slew of Zoom meetings over the years, but it seems as though we’re now involved in one or two per day instead of one every several months. One thing we’ve learned is that video conferencing participants must be in physical possession of the devices they use to participate in Zoom meetings.

Many people are working from home and may be remotely connecting to their computers at the office. To participate in a Zoom meeting, you will need to not remotely connect and instead use your home computer, smartphone, iPad, or some other device that you physically possess. If you try to participate in a Zoom meeting while remotely connecting to your office machine, the office machine will be visible but you won’t be, nor will other participants be able to hear you. When you remotely connect to your office computer, Zoom uses the microphone and camera of that office machine.

Each participant must have some way to access the meeting invitation details from a physical device within their control and in their possession. If the invitation went to the firm’s email address, access it from a smartphone (assuming you can get to your firm email from your phone); otherwise, forward the message to a personal email account you can access from your home machine or other personal device.

When participating in a Zoom meeting, the video camera must be able to “see” you and the microphone must be able to “hear” you.

Sometimes a participant cannot be heard, although he or she is unmuted in Zoom. The likely cause is that the microphone is muted on the actual device being used or the wrong microphone is selected. Check to make sure the microphone or sound is not muted on your physical device.

Meeting Management by Hosts

Clicking the Participants icon in the bottom menu bar opens a panel to the right that shows all participants for the meeting. Each person can see the status of the users’ microphones (muted or unmuted) and status of their video cameras. (There will not be a camera icon if the participant dialed in with a phone number.) The host can manage and control meeting attendees using the Participants panel. The host can “mute all” or mute participants individually. The host has other options as well, such as changing participants’ names, stopping their video, preventing screen sharing, and requesting a participant to start their video. If enabled, the host can put the participant on hold, send them to the waiting room, and so on.

When you click on a meeting link, you will be prompted to open the Zoom application. The default view shows the participants across the top bar and the speaker in the center panel. If someone else starts talking, the video will shift to that speaker. If there are more than only a few participants, it is difficult to see who is in the meeting. Moving the mouse to the upper right corner of the screen will give the option to change the view to gallery. The gallery view shows all participants in their own “square” with the speaker’s box having a yellow outline. The outline will bounce around to the various speakers and is less annoying than the speaker’s video constantly being switched out. Think of the view as being similar to the introduction of the Brady Bunch TV show or the TV game show Hollywood Squares, where each person was in their own “box.”

One recently released Zoom update will be most visible to those hosting meetings. There is now a Security icon in the lower menu; this replaces the Invite button. The icon allows the host to quickly and easily find and enable or disable security features. When the icon is clicked, hosts and co-hosts can lock the meeting, remove participants, restrict a participant’s ability to perform some actions (rename themselves, share screens, and so on), and enable the Waiting Room even if it’s not already enabled.

Maximizing Zoom’s Features

The primary function of Zoom is to facilitate video conferencing. It supports video and audio transmission for each connected user over the internet. There is also a dial-in number for audio-only connections. Some people use Zoom as an audio conference bridge so that users won’t have to incur potential long-distance phone charges.

Zoom can be configured to allow file transfers and screen sharing. Screen sharing is very common for product demonstrations and webinars. The presenter can mute all attendees and share PowerPoint slides from the presenter’s computer desktop. There is also a whiteboard feature that participants can annotate for all to see.

Several meeting controls are available to the host. For example, the host can control the audio of the participants. All participants can be muted when they first join the meeting. Audible tones can “announce” the joining of a participant. Sessions can be recorded. There used to be a feature to let the host know if a participant is not paying attention, but Zoom has permanently removed that feature in a nod to privacy concerns.

Also helpful, particularly for mediators, is the Breakout Room feature, which is disabled by default. The host creates the rooms and then assigns participants to a specific room. When the host opens the breakout rooms, each participant gets a notice to move to the room. Each room is separate from the others, just as they would be in a mediation held on site in one building. The participants can take advantage of the Zoom features (for example, screen share and chat) among everyone in the room. The host can freely move among the breakout rooms. The co-host must be assigned a room, but the host can move the co-host among the various rooms as needed. 

The mediator should be the host of the mediation. A party should not be the host in a mediation unless separate Zoom meetings are created for the participants, to ensure separation of the parties. The disadvantage with separate meetings is that the mediator can’t easily move among the various rooms as he or she would in a real physical mediation.

Check your settings to make sure passwords are required for all participants, including those using only a telephone.

Zoom meetings can be recorded. The paid subscriptions offer local and cloud recording. The Pro plan includes 1GB of cloud recording storage. More storage space is available for an additional fee. We highly recommend not recording to the cloud. Cloud recording means Zoom stores the recording and manages it. Local recording means the user has control over the distribution of and access to the recording. One downside is that local recording is not available in the iOS or Android app. You must use a computer to be able to record locally. Another concern is that encryption is not possible for the recorded information. The good news is that local recording is only available for the host, unless the host allows participants to record locally.

When configuring Zoom, do not enable the cloud settings or automatically record. It is possible to record without the host, but we recommend against it. Before initiating a local recording, make sure the option is enabled. Log in to your account from a browser and go to Settings and then the Recording tab. Enable the “Allow hosts and participants to record the meeting to a local file.” The host can also allow the participants to record locally.

To start a recording, click on the Record button in the bottom menu. Select the “Record on this computer” choice. The host and participants will see a visual indicator in the upper left to indicate that recording is in progress. There will be an audio notification, too, if you have configured it. You can stop or pause the recording at any time during the meeting. Once the meeting is over, the recording will be converted and downloaded to your computer. The host must stay connected to the internet during the entire download process. The default location to save the recording is in the Zoom folder in the host user’s Documents folder.

Once all the intended participants have joined, close the meeting: Select the “Manage Participants” icon in the bottom menu and then click “More” at the bottom of the panel or click the Security icon. Select “Lock Meeting” to prevent anyone else from joining. As you can see, the intent is to create as many barriers as possible to prevent unintended attendants at the meeting. Trolls sometimes join meetings for mischievous reasons, including Zoom-bombing with inappropriate content, without those barriers.

Cost of Zoom Accounts

When using the free version of Zoom, meetings of three or more participants are limited in length to 40 minutes. The Pro version is the most popular for solo and small-firm attorneys. The cost is $14.99 per month per host account. Each session is limited to 24 hours and to 100 participants. There are additional administrative controls as well. If you pay annually, the cost is $149.90 ($12.49 per month). The next level is the Business subscription, which is $19.99 per month per host and requires a minimum of 10 hosts. The Business plan includes several enterprise features, such as a vanity URL and the ability for on-premise deployment.

We’re confident the Pro plan is adequate for most law firms. If you need more than one host, purchase an additional Pro plan subscription.

Configuration Settings

Here are some suggestions for configuring and using Zoom in a more secure fashion. First, make sure you are using the most up-to-date version of Zoom. If you have previously used Zoom, you probably already have Zoom installed. To manually download the latest version, launch the Zoom application, log in to Zoom, and click on your user icon in the upper right (it probably has your initials). Select “Check for Updates” and follow the instructions.

Consider changing some of the default settings before scheduling a meeting. The first one is screen sharing. The default is to allow all participants to screen share. That means anyone can share their screen, including ones with inappropriate content. The host should change the default and allow only the host to screen share.

Another setting is to require a meeting password. You can configure Zoom to include the password in the meeting invitation or you can distribute the password separately. A related default password setting is to also require a password for those joining by phone. As a security measure, passwords are now required for all meetings including those using your Personal Meeting ID (PMI). Even though it is now the default, check your settings to make sure passwords are required for all participants, including those using only a telephone.

Some participants might not want their cameras turned on or might call in using a telephone. Another Zoom setting prevents participants from changing their display name to indicate they are someone else. When in a meeting as the host, go to the managing participants panel and click on “More.” Make sure that “Allow Participants to Rename Themselves” is unchecked.

An additional step to prevent the display of inappropriate content is by disabling virtual backgrounds. Go to the “Setting” section in Zoom and select the “In Meeting (Advanced)” choice. Disable the “Virtual Background” option. Allowing participants to use virtual backgrounds can be helpful, to “hide” the clutter of surroundings or to show a pleasant scene. We suggest leaving virtual backgrounds enabled unless you experience abuse.

Control when the meeting starts. Don’t let the participants join the meeting before the host does. In the “Schedule Meeting” section of “Settings,” turn off the “Join Before Host” option. An alternative control mechanism is the Waiting Room feature. Participants connecting before the host are held in the waiting room. The host then admits the participants individually or all at once. Enabling the Waiting Room feature automatically disables the “Join Before Host” option. While some individuals and entities recommend using the Waiting Room feature, an independent research entity, Citizen Lab, does not. Citizen Lab has found a serious security issue with Zoom’s Waiting Room feature and is working with Zoom to fix the issue. Until a patch is released, don’t use the Waiting Room feature and make sure you have a password for every meeting, which is now the default setting.

If you are particularly concerned about what someone might allow to appear or write on a screen, turn off annotations and whiteboard in the “In Meeting (Basic)” section.

Consider turning on “Allow Host To Put Attendee On Hold” in the “In Meeting (Basic)” section. This will allow the host to remove people from the meeting if necessary.

Two other settings the host might want to disable deal with the user experience at the end of the meeting. We find it particularly annoying to have survey questions or ratings appear after visiting a site or at the end of a webinar. If you feel the same, consider turning off the Feedback to Zoom and Display end-of-meeting experience feedback survey settings.

Scheduling Meetings

We recommend against using a PMI when scheduling meetings. A user’s PMI is a constant value and never changes. A person who knows the PMI can connect to a meeting scheduled with it, whether or not the person is invited to the meeting. Requiring a password for PMI meetings will help, but our recommendation is to not use the PMI at all. Allowing Zoom to automatically generate the meeting ID is much more secure. This means that each scheduled meeting will have a unique meeting ID.

Another way to enhance security when scheduling a meeting is to require registration. You must have a paid Zoom subscription to require registration. Meeting registration means the participants provide their email address and name and they answer questions. There are some predefined questions, such as ones asking for the participants’ phone number, industry, job title, and address. You can also create your own custom questions. The registration option is not available in the Zoom app when scheduling meetings. You must schedule your meeting using a web browser in order to select the Registration Required option.

The default is to automatically approve all participants after they complete the registration. You may want to change the setting to manually approve participants for the meeting. After registration is approved (manually or automatically), the participant will receive information on how to join the meeting. Meeting registration is another good way to further restrict meeting participants and help prevent Zoom-bombing.

General Account Security

As with the password for any other service, your password to login to your Zoom account should be strong (that is, not easy to guess or hack). In addition, two-factor authentication (2FA) should be enabled. You enable 2FA for your Zoom account by selecting “Security” in the “Admin” section, under “Advanced.” Turn on the “Sign in with Two-Factor Authentication” option.

Video Conferencing Etiquette

When participating in a Zoom meeting, mute yourself so that other participants don’t hear all your background noise and potential disruptions. The sounds of barking dogs, ringing doorbells, or family members talking to spouses do not leave a very professional impression. Unmute yourself when you have something to say. A very fast way to temporarily unmute yourself is to press the space bar. Just like the old-style push-to-talk microphones, holding down the space bar unmutes and allows you to be heard. Releasing the space bar mutes you again.

Become familiar with hotkeys and keyboard shortcuts for Zoom. There are a lot of them. Zoom has a help article that discusses hotkeys and keyboard shortcuts for the various operating systems.

Another etiquette consideration is positioning of the video camera. If you have a separate USB webcam, position it at face level pointed directly at you. If you use the webcam in your laptop, make sure the laptop is elevated to have a straight view of your face. Set your laptop on a few books if necessary.

Privacy Protections and Hazards

Zoom is regularly criticized for its collection of data. Few people actually read Zoom’s Terms of Service, Acceptable Use, or Privacy Policy (updated on March 18, 2020) documents. 

Zoom collects a lot of data from users about their devices, activities, and shared or transferred data. Consumer Reports has pointed out that advertising campaigns could be developed from the videos and chat messages. Like Facebook, Zoom could apply facial-recognition technology to all recorded videos. 

Zoom has clarified and changed some of its past practices. As an example, Zoom removed the Facebook SDK (Software Development Kit) in the iOS client and reconfigured it to prevent unnecessary collection of device information. Previously, Zoom sent data about participants and used LinkedIn to match people. If a participant had a LinkedIn Sale Navigator account, they could access the other participants’ LinkedIn details without the other participants knowing. Zoom has since disabled the feature.

A major difference between Facebook and Zoom is the amount of control Zoom hosts have over participants and their activities. Justin Brookman, director of privacy and technology policy at Consumer Reports, said, “Zoom puts a lot of power in the hands of the meeting hosts. The host has more power to record and monitor the call than you might realize if you’re just a participant, especially if he or she has a corporate account.”

Citizen Lab discovered that some participant traffic was being rerouted through servers in China. Zoom uses geofencing to control traffic flow. Participants outside China do not route through China, and those in China stay within servers in China. When network traffic started to increase significantly, additional servers were added to Zoom’s network. Unfortunately, a mistake was made and servers in China were improperly added. Therefore, some traffic was routed through China when it shouldn’t have. After the report by Citizen Lab, Zoom removed the errant servers from the traffic flow.

Sufficiency of Zoom’s Encryption

Security of Zoom meetings is a major concern. Some companies and agencies have banned the use of Zoom. Some companies ask their employees not to use Zoom but haven’t banned it outright. Some think that competing products are more secure and should be used instead. We take a middle-of-the-road approach.

Recently, Zoom clarified its architecture and encryption schemes. Zoom explained its encryption in a blog post on April 1, 2020. “To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.”

Zoom clients include participants’ computers running the Zoom app, smartphones running the Zoom app, and Zoom Rooms, which typically are used only by large firms and enterprises. Essentially, traffic is encrypted if all participants are using the app on a computer or smartphone. In that case, the user content is inaccessible to Zoom’s servers or its employees.

The exposure for most people is when someone participates via a telephone call and not with the app or if the meeting is being recorded. Zoom cannot guarantee full encryption in those cases. There are other situations in which full encryption might not be possible, but they are not commonly experienced by most lawyers. If you are concerned about ensuring maximum security for a Zoom meeting, require all participants to use the computer audio and do not allow telephone participation.

Some people are worried that Zoom can “tap” a session like a traditional communication channel. Zoom’s response is the following: “Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”

Zoom did not clarify the technical details for its encryption implementation. A simple explanation, however, is that Zoom’s encryption methods are not nearly as good as they should be. A single AES-128 key is shared among all participants. Zoom also uses AES in ECB mode (this is the password to login to your Zoom account), rather than a stronger industry standard. Certainly, using AES-256 in a more secure industry standard mode would be preferred. Recent actions by Zoom would indicate they are working on improving the security of Zoom to include improving encryption. We hope to see true end-to-end encryption using AES‑256 soon.

Ethics of Using Zoom

Zoom’s shortcomings are diminishing day by day as security measures and privacy safeguards are implemented. We believe that a lawyer’s duty of competence (Model Rule 1.1) and duty of confidentiality (Model Rule 1.6) are met if the lawyer has taken the time to understand the basic features of Zoom, including all security features.

Despite the concerns with Zoom’s privacy and security, lawyers might have ethical obligations to use technology in their law practices. Although it is desirable to control the encryption keys, the reality is that lawyer-users can’t always do that today. Many technology providers, including Dropbox and iCloud, hold a master decryption key and could technically decrypt users’ data. Another reality is that users can’t really control what they cannot see at the other end of communications, whether with Zoom, Webex, GoToMeeting, or an iPhone. Users have no control over what the person on the other end is doing. They could have software installed that is recording the entire conversation and capturing video. More old school is to record with a separate device such as a voice recorder or even taking a video with your smartphone. The bottom line is that nothing is 100 percent secure. (For a related ethics article, please see “Videoconferencing and COVID-19: Zooming in on Our Ethical Obligations.” by Aviva Meridian Kaiser, State Bar of Wisconsin Ethics Counsel, InsideTrack (April 4, 2020).)

Conclusion

Zoom has become very popular and is relatively easy to use even for people who lack technological skills. Zoom performs well and has many features. There are also features that can go awry.

The jury is still out as to whether Zoom can be trusted. There have been major improvements in the platform. We would like to see an improvement in the encryption, and we need more time to assess Zoom’s transparency promises.

For now, we don’t see any problem using Zoom for video conferencing needs as long as the subject matter is not extremely sensitive. Be smart in how and when you use it. Become familiar with the capabilities of Zoom, especially if you are the one hosting the meetings.