Events last Friday have resulted in a harrowing few days for we mediators forced to move our practice online as a result of the COVID-19 pandemic. We’ve all been using Zoom. Zoom immediately emerged as the “go-to” platform for video mediation for the simple reason it offered “break-out rooms”, a function inexplicably absent in FaceTime, Skype, Teams, GoToMeeting, Hangouts and even HouseParty. Mediators, lawyers, and parties have been merrily participating in Zoom mediations routinely over the past few weeks to the satisfaction of all. Cases were being resolved. Even the Superior Court of Ontario directed the use of Zoom as the platform for certain pre-trial matters.
Then, on Friday, April 3rd, The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto released this Report providing “a quick look at the confidentiality of Zoom meetings”.
Their verdict: not so good.
More specifically, the report concluded:
“As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality, including:
-
-
-
-
-
-
- Governments worried about espionage
- Businesses concerned about cybercrime and industrial espionage
- Healthcare providers handling sensitive patient information
- Activists, lawyers, and journalists working on sensitive topics
-
-
-
-
-
For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning.
For those who have no choice but to use Zoom, including in contexts where secrets may be shared, we speculate that the browser plugin may have some marginally better security properties, as data transmission occurs over TLS.”
Unsurprisingly Zoom responded virtually immediately with this post. While Zoom’s response was reassuring, this line caught the attention of those of us who. for weeks had been assuring lawyers and parties that Zoom provided “end-to-end” encryption:
“We recognize that we can do better with our encryption design.”
It will be understandable if these developments cause parties such as banks, insurers, governments, and public corporations as well as their lawyers to question whether Zoom is truly enterprise-ready. Some have already done so and taken the position they will no participate in Zoom mediations at this time.
So where does that leave we mediators? We can obviously mediate by teleconference or some hybrid of one of the other online video services and teleconference.
For me though, having read all I can get my hands on and discussing the issues with others, I have come to the conclusion that, properly used, Zoom is safe enough – not perfect – but safe enough for use in the vast majority of commercial mediations.
I suggest that “proper use” includes the following:
-
-
- Using a unique and private meeting number for each mediation.
- Requiring participants to use a password to enter the meeting.
- Warning participants to keep their meeting link and password secure.
- For the time being avoid the use of the Waiting Room function in light of The Citizen Lab’s claim of a serious security issue related to that function.
- Locking the mediation meeting once all participants have joined using the “lock” function available to the meeting host.
- Advising participants against accessing the meeting via a public network and to satisfy themselves as to the security of the private network they’re using.
- Requiring participants to access the meeting using the latest version of the Zoom client software and not use a web browser for that purpose. This point is necessarily provisional given The Citizen Lab speculation that the browser plugin may have some marginally better security properties, as data transmission occurs over TLS.
- Amend our Mediation Agreements to cover points uniquely related to video mediation. The following are the relevant paragraphs from my current iteration (all comments welcome).
- Parties have requested the use of the online dispute resolution technology known as Zoom Video Platform (“Zoom”) in the mediation. The Mediator shall host the mediation using his Zoom Pro account without additional cost to the parties. The following terms are agreed to with respect to the conduct of the mediation via Zoom:
- The Parties agree that the mediation shall be a ‘mediation’ for the purposes of all applicable legislation, regulations, and rules.
- The Parties acknowledge that they have made their own inquiries as to the suitability and adequacy of Zoom for its proposed use in the mediation and of any risks in using Zoom, including any risks in relation to its security, privacy or confidentiality and request the mediator to proceed with the use of Zoom.
- The Parties agree that they will inform the Mediator and each other in advance of the mediation of the names of all persons attending, participating or who are able to hear any communications in the mediation using Zoom and agree that no persons will attend, participate or be allowed to listen in on the hearing without the prior consent of all Parties and the Mediator
- The Parties agree that they will not record or permit the recording of all or any part of the mediation without the consent of all Parties and the Mediator. The Parties will ensure that each additional attendee at the mediation for which that Party is responsible also acknowledges and agrees to this.
- The Parties and the Mediator acknowledge and agree for all purposes that their communications at the hearing can be and will be listened to by each other. The Parties will ensure that each additional attendee at the hearing for which that Party is responsible also acknowledges and agrees to this.
- Parties have requested the use of the online dispute resolution technology known as Zoom Video Platform (“Zoom”) in the mediation. The Mediator shall host the mediation using his Zoom Pro account without additional cost to the parties. The following terms are agreed to with respect to the conduct of the mediation via Zoom:
-
It will be interesting to see how this issue will evolve in the coming days and weeks. Plaintiffs and defendants have a mutual interest in getting cases resolved sooner rather than later. Mediators have an interest in helping them do just that. Zoom, to date, has proven to be a reliable and robust tool to help everyone achieve these interests. Privacy and confidentiality are integral to the mediation process but proportionality needs to factor in as well. Not every mediation requires “Manhattan Project” level security.
One can only hope that this won’t be another example of “the perfect being the enemy of the good”. For me, aware of these issues, I will continue to offer Zoom mediations.
________________________
To make sure you do not miss out on regular updates from the Kluwer Mediation Blog, please subscribe here.
Thanks Rick. Useful and practical. I had just set up a waiting room and will unset it up!
Abdelhamid Darwish
Thanks Rick.A very helpful tool but needs more in-depth study and feedback from users to set out institutional standard . My queries :is it fit for all mediation cases ,construction cases appraisals of simple cases ,etc
Thanks there seems to be some conflicting information about waiting rooms and whether they add or reduce security
Thanks Nancy. The CitizenLab report said, “As part of our research, we identified what we believe to be a serious security issue with Zoom’s Waiting Room feature. We have initiated a responsible disclosure process with Zoom, which is currently being responsive. We hope that the company will quickly act to patch and provide an advisory. In the meantime, we advise Zoom users who desire confidentiality to not use Zoom Waiting Rooms. Instead, we encourage users to use Zoom’s password feature, which appears to offer a higher level of confidentiality than waiting rooms.” I have not seen any announcement that this issue has been fixed.
The waiting room is a very useful function for a number of reasons. Essential perhaps, to enable a managed start to the process. Let’s hope the problem is fixed soon
Indeed, has the weekend security fix by Zoom addressed the waiting room issue Rick?
John, thanks for this. I have not seen a specific announcement that Zoom has fixed the security issue relating to the Waiting Room function that was mentioned in the CitizenLab report. In the meantime I am not using this function.
Would you like to share please what alternatives you are using?
Yemi
This is excellent. Thank you. One thing I would ask: is it possible to send the password by some other medium, instead of the same one sending the link for the conference? I observe that most “invitations” include both link, ID, and password on same message. Perhaps like me, they don’t know how to do it differently? Can you advise on this?
One other hurdle we face in this part of the world (Lagos, Nigeria), is sufficient bandwidth. Fortunately, some of the internet service providers are willing, but at great cost, to provide custom increase of bandwidth. Groups of mediators may wish to link up together to pay for this together and share costs. Now, Richard, in such a case, would it still be advisable not to pass at least a fraction (moderately) of this cost to the mediation service users? I am referring to the recommended provision in the draft you have kindly shared, viz: “The Mediator shall host the mediation using his Zoom Pro account without additional cost to the parties. The following terms are agreed to with respect to the conduct of the mediation via Zoom .. etc.” I would appreciate your thoughts on this.
Thank you once again.
Yemi, thank you for this and your subsequent post. Like you, I’m no expert but I do note that the password is embedded in the link to the Zoom session so it is important to advise participants not to share the link with others. Another approach, as you suggest is to send the meeting information (not the link) and the password in two separate emails. Regarding the cost, I acknowledge that it would be appropriate to pass along some of the cost to users in the circumstances you describe. As for alternatives, today I am conducting a mediation using Cisco WebEx. It’s a bit more cumbersome that Zoom in my opinion but some institutional defendants are insisting on it due to persistent security concerns about Zoom. Another option is MS Teams, part of the Office 365 package. Teams has functionality far beyond what is required for simple “frictionless” video conferencing but, again, is required by some enterprises due to security concerns with Zoom.
Zoom have just issued an update (Version 5.0) available from Monday , that they say is a security update. The fixes include true end to end encryption (not the non-E2E they previously claimed) and the waiting room and password requirement being applied by default.
“I am proud to reach this step in our 90-day plan, but this is just the beginning,” said Eric S. Yuan, CEO of Zoom.
If this is just ‘the beginning’ then, since the 90 days in which Zoom agreed to stop all development in order to fix the security problems, commenced less than 3 weeks ago, one must assume that there is still a lot more work to be done.
As so many mediators are resorting to web based video conferencing during lockdown , I have made free of charge access (without enrolment) to one of the modules in my distance training course on ODR (“How to adapt your mediaton techniques to the online environement”) . You will also find a new addition being 15 practical tips when using video conferencing for mediation and 10 tips to reduce the risk when using Zoom. Go to http://www.ODRtraining.com for the link to the free access.
Video conferencing is a very small part of ODR . In fact the discussion right now within ODR circles is that, since it does not contain tools to assist and faciitate resolution it is not ODR at all. I would,therefore, be interested to hear from anyone using other platforms and tools to interview for my mediation podcast “See You Out Of Court”.
Rick, a question on point 5 of your blog which is one of your recommendations for elements of a Video Mediation Agreement:
“The Parties and the Mediator acknowledge and agree for all purposes that their communications at the hearing can be and will be listened to by each other. The Parties will ensure that each additional attendee at the hearing for which that Party is responsible also acknowledges and agrees to this.”
Question: Zoom provides breakout rooms for parties to have private communications (I’m not sure if MS Teams has them). Don’t the virtual breakout rooms, if functioning properly, appear inconsistent with the wording of item 5 above?