The Jakarta Post
Social media analyst Ismail Fahmi was answering questions from participants during a Zoom webinar last Thursday when he noticed something was off.
Certain participants were regularly disrupting the session by hurling racial slurs and even displaying lewd images using Zoom’s screen-sharing feature.
“I wanted to concentrate, but I couldn’t because they were really disturbing,” Ismail said.
What Ismail and the up to 100 participants experienced was an example of "Zoombombing", a type of cyberattack in which unknown users drop in on Zoom sessions, often uninvited, to disturb the meetings.
The webinar in which Ismail participated was organized by the National ICT Council (Wantiknas) to discuss how to handle online hoaxes and disinformation.
Gerry Firmansyah of Wantiknas said the organizer of the webinar had in fact taken security measures from the get-go, including by screening the participants, subscribing to the Zoom premium plan, using a unique password and IDs, as well as employing up to five cohosts to moderate the session.
“Yet, it seems that some of them [Zoombombers] used the ID of other participants when they were leaving the session,” he said.
Much to their surprise, an electronic flyer for the event they posted on social media that included the Zoom meeting ID and password helped the Zoombombers access the session.
Gerry apologized for the inconvenience caused to the participants, saying the Wantiknas would now reach out to Zoom for a review and clarification about the incident.
Teleconferencing platforms such as Zoom have become very popular during the COVID-19 outbreak in Indonesia, with companies implementing work-from-home policies.
Iqbal Dwiharianto, 25, a writer for a private company, has used Slack and Zoom for the past three weeks for videoconferencing to make up for the lack of in-person meetings.
He uses a premium Zoom account paid for by his employer.
“Honestly, I haven’t read about all of that [security risks], or noticed anything weird when using Zoom on my laptop,” Iqbal said. “They [the office] have prepared several security protocols though, and we have been trained to follow them since the beginning.”
Even lawmakers in Indonesia have used Zoom to host virtual hearings.
However, the United States-based platform is not free from security holes, and more and more entities around the world have begun looking for alternatives.
India, for instance, banned last week the use of Zoom for remote government meetings, saying it "is not a safe platform". The New York school system in the United States has also banned the use of the videoconferencing platform because of security concerns, while the FBI has warned of Zoom sessions being hijacked, the AFP reported.
According to a recent report by The Washington Post, up to 15,000 personal Zoom videos have been left viewable on the web.
Zoom videos from teleconferences are not recorded by default, however users who host or initiate a teleconference can choose to record any sessions and save them to Zoom servers or their own computers without the participants’ consent, although they are given a notification if a meeting is recorded. The videos on Zoom’s system might not be easily accessed, but some videos may be stored elsewhere without the participants’ consent, including on YouTube, The Washington Post reported.
Zoom did not respond to The Jakarta Post's email request for comment.
In a blog post from the company dated April 1, Zoom chief executive and founder Eric Yuan said that with usage of Zoom ballooning in recent weeks, the company felt an immense responsibility to it users and was striving to improve its services.
Around 200 million people used Zoom every day in March, up from an average of just 10 million per day in December.
Last week, Zoom rolled out measures to prevent Zoombombing and data hacking, saying it was building systems to "detect whether people are trying out username and password pairings and block them from trying again", AFP reported.
Improvements to Zoom’s security also include a toolbar to easily access features such as locking chats from strangers and making meeting password requirements a default setting as well as a new measure that allows paid account holders to select which regions their data is routed through during their sessions.
Zoom also said it was working with cyber-security firm Luta Security to overhaul processes and its "bug bounty" program, which pays rewards to researchers who find security flaws in its operations, according to AFP.
Unggul Sagena from digital rights group the Southeast Asia Freedom of Expression Network (SAFEnet) said the government had failed to anticipate cybersecurity risks and people’s reliance on technology to work remotely during the COVID-19 outbreak.
As a result, employers and companies have scrambled to find videoconferencing platforms that allow them to continue operating as smoothly as possible.
“When people use applications, they don’t always have enough awareness to ask simple questions about why they are using them in the first place. Not many basic users are aware of how safe the application is,” Unggul said.
Teleconferencing applications typically access a computer's camera and microphone, enabling these applications to access data stored on the computer.
Unggul suggested that users weigh up the pros and cons of different services — such as whether they are made by corporations or by community developers with open source codes — before choosing the one with the best privacy protections.
“[By comparing and scrutinizing the applications] at least we know the background of the company providing the applications,” he said.
He also advised people to use open source applications, as it is easier to audit open codes to check if the programs contain suspicious activities, or opt for paid subscriptions to reduce cybersecurity risks.
Indonesia does not currently have a personal data protection law, with a bill still being deliberated by the House of Representatives.