With the ongoing COVID-19 pandemic, many of us have had to make rapid lifestyle adjustments to keep up with social distancing and isolation rules. More of us are working and studying from home, and using telecommunication tools for conferences and lectures is becoming a daily habit for people around the world.
One of these tools in particular, Zoom, has seen a huge increase in use since the COVID-19 outbreak. This is due in part to clever marketing and the support materials they've provided to teachers, students, office workers, and employers. Consumer Reports privacy researcher Bill Fitzgerald has suggested Zoom is using the pandemic as a selling opportunity.
Zoom's Privacy Woes
Of course, everyone is keen to continue work and keep productivity at a steady rate through this crisis, and to many employers Zoom appears to be a great option to do so. And Zoom is happy to take on customers who will likely continue to use their services after the pandemic subsides, where they can continue to mine the personal data of their users.
Many institutions and workplaces did not have preparations in place for a crisis of this scale, requiring them to adopt technology without taking the time to consider the privacy and security implications of the solutions chosen. There are a number of these, and they have prompted bans from organizations like the United Kingdom's Ministry of Defence and SpaceX. Zoom may not be suitable for you or your organization, as privacy breaches continue to pop up. Just days ago it was revealed that Zoom was leaking email addresses and other profile information to other users with an address on the same domain. More bad news for Gmail users!
Zoom is not the best choice for protecting communications privacy. Zoom falsely claims to support end-to-end encryption (E2EE), when in fact Zoom only uses regular transport layer security (TLS) such as that used when visiting HTTPS websites. This means that Zoom can see the contents of your conversations and calls, when this would not be possible with true end-to-end encryption.
If you do have the ability to choose what platform you use, we recommend considering Jitsi or BigBlueButton, two options which can be hosted by your business or institution internally, rather than relying on their cloud offerings. At PrivacyTools, we've also compiled a list of recommendations for Real-Time Communication you can check out, especially if you need more than just video.
But sometimes we don't have the opportunity to choose the platforms we must use to communicate with our coworkers, students, and friends. If you are required to use Zoom or software like this, we recommend that you do so using a Virtual Machine (VM). A VM is a program that works like a completely separate computer inside your computer. The "host" operating system, which is your main system, continues to run everything you might need, while a "guest" operating system also runs completely independently. You can run any programs you want (like Zoom!) inside this guest operating system, and they will be completely isolated from your system and files. It won't even know the host exists!
Using a VM will help with maintaining some security, especially if you need to use a personal device at home to work. Bugs like the recently discovered exploits that allowed malicious websites to enable your webcam, the use of your camera without consent, and the discovery of a user's Windows username and the ability to steal credentials would not have been possible, as Zoom would be completely isolated on your device and would not be able to run at all when your VM was shut down. It's also worth noting that Zoom has decided on a complete feature freeze in an attempt to improve security and privacy.
When Zoom is confined in the VM, it cannot see what applications are open outside on your host operating system. We recommend users avoid attaching their webcam (if they can). However, some users have reported that it is encouraged or required by their school or employer. Fortunately, in these cases, you can still attach your webcam as needed to the guest operating system for full functionality.
Setting Up Zoom in a VM
Creating a Virtual Machine for applications like Zoom is a relatively easy task for most tech-savvy users. We are going to outline the basic steps you need here, but if you need more guidance I've created a separate guide with detailed instructions and screenshots to help you through the process.
What You'll Need
- A computer capable of running a Virtual Machine. Most modern machines should be, but it is worth double-checking.
- A Virtual Machine "hypervisor": This is what actually runs the VM. For most people the free VirtualBox program works well, and it is what we use in our guide. Advanced users may wish to use a solution like Parallels, VMWare Workstation, Hyper-V, or Gnome Boxes, all of which will support this functionality as well.
- VirtualBox users who need webcam support should also download the VirtualBox Extension Pack from their download page.
- A Debian ISO (Linux installer download, torrent)
1. Verify your Debian ISO is legitimate. If it's compromised now it might not boot, or you might be inadvertently installing malware!
2. Install VirtualBox and the VirtualBox Extension Pack if you haven't already.
3. Create a new VM in VirtualBox. Set the type to Linux / Debian, give it a good amount of RAM (30-40% of your total RAM is good for most users), and create a virtual hard disk.
4. Open the VM's settings and attach the Debian ISO you've downloaded. You can also adjust the video memory (typically setting this to 128MB or higher is best).
5. Start your new Debian VM and complete the Debian installer that should automatically start.
6. Install VirtualBox Guest Additions in Debian.
7. Attach any devices (like webcams) you might need to use to the VM, and reboot the VM.
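The verification and VM-creation steps above can also be scripted. The following is an added example, not part of the original guide: the function names, the 20 GB disk size and the file paths are assumptions, and it expects `sha512sum`, `gpg` and `VBoxManage` on the host along with the `SHA512SUMS` and `SHA512SUMS.sign` files that Debian publishes next to its ISOs.

```shell
#!/bin/sh
# Added example, not from the original article. File names, the VM name and
# the disk size are placeholders chosen by the caller.

# verify_iso ISO SUMS: succeed only if SUMS (Debian's SHA512SUMS) lists the
# ISO's file name with the same SHA-512 as the file on disk.
# Returns 1 on a digest mismatch, 2 if the ISO is not listed at all.
verify_iso() {
    iso=$1; sums=$2
    name=$(basename "$iso")
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "$name is not listed in $sums" >&2; return 2; }
    have=$(sha512sum "$iso" | awk '{ print $1 }')
    [ "$have" = "$want" ] || { echo "SHA-512 mismatch for $name" >&2; return 1; }
}

# verify_sums_signature SUMS SIG: the checksum proves nothing unless SHA512SUMS
# is authentic, so check its detached signature (SHA512SUMS.sign). Assumes the
# Debian CD signing key is in your keyring and its fingerprint was checked
# against the one published on debian.org.
verify_sums_signature() { gpg --verify "$2" "$1"; }

# With DRY_RUN set, print each command instead of executing it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# create_vm NAME ISO SUMS RAM_MB DISK: build the Debian guest, but only from
# an ISO that passed verify_iso. 128 MB video memory follows the article.
create_vm() {
    vm=$1; iso=$2; ram_mb=$4; disk=$5
    verify_iso "$iso" "$3" || return
    run VBoxManage createvm --name "$vm" --ostype Debian_64 --register
    run VBoxManage modifyvm "$vm" --memory "$ram_mb" --vram 128
    run VBoxManage createmedium disk --filename "$disk" --size 20480
    run VBoxManage storagectl "$vm" --name SATA --add sata
    run VBoxManage storageattach "$vm" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$disk"
    run VBoxManage storageattach "$vm" --storagectl SATA --port 1 --device 0 \
        --type dvddrive --medium "$iso"
}

# Attach the host's default webcam (.0) to a running VM only for the call,
# then detach it again. Requires the VirtualBox Extension Pack.
webcam_on()  { run VBoxManage controlvm "$1" webcam attach .0; }
webcam_off() { run VBoxManage controlvm "$1" webcam detach .0; }
```

Running `create_vm` with `DRY_RUN=1` set first shows the exact `VBoxManage` commands without changing anything on the host.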
Now you can install pretty much any software you'd like in your new Linux VM, and it will be completely isolated from your main machine. Remember if any of this is confusing, I've created a more complete walkthrough you can download that explains these steps in detail. Once you're in, you can use the web browser built into Debian to download Zoom, and you're good to go!