Category: Data security

Apple to support security keys as a means to protect your Apple ID

Articles

You can use security keys as a second factor for authenticating with Apple ID on your iPhone

iOS 16.3 Lets You Use a Physical Key for Added Security When Logging Into Your Apple Account (gizmodo.com.au)

Apple iOS 16.3 arrives with support for hardware security keys (bleepingcomputer.com)

Security Keys Are Now the Best Way to Protect Your Apple ID (lifehacker.com.au)

From the horse’s mouth

Apple

Apple advances user security with powerful new data protections (Press Release)

About Security Keys for Apple ID (Support article)

Use security keys to sign in to your Apple ID account on iPhone (Support article)

My Comments

Apple is making it feasible to use hardware security keys in iOS as an authentication factor for their Apple ID logon.

Security keys are sought after as a “phish-proof” approach to secondary or sole authentication because a physical device is not easily coerced or fooled into releasing a credential to the wrong site. As well, this “machine-to-machine” approach allows for stronger passkeys.

It is even seen as a preferred secondary authentication factor for online services used by journalists, human-rights defenders, the public service within democracies and others working with high-stakes information. This avoids such users being fooled into handing over their online accounts to highly-targeted spear-phishing attacks.

Apple supports this on iPhones and iPads through the iOS/iPadOS 16.3 major feature update. It is also being written into macOS Ventura 13.2 for the Mac, where you simply use the security key as the secondary authentication factor. Apple primarily implements this as an alternative to transcribing the six-digit number shown on your iPhone during two-factor authentication for your Apple ID.

In the context of the Apple Watch, Apple TV and HomePod devices, you use your iPhone that you set up with the security key authentication to provide the secondary authentication factor when you set these up for your Apple ID. Here, this is easier for limited-interface devices because another device is managing some of the authentication work with your Apple ID.

FIDO-compliant hardware security keys are supported with this update, but they have to have an MFi Lightning plug or an NFC “touch and go” interface to work with the current crop of iPhones in circulation. USB-C is also supported, but you would need a USB-C to MFi Lightning adaptor for iOS devices, except for the newer iPads that have a USB-C connector. You may also find that newer iPhones coming on the market soon will have the USB-C connector due to pressure from the European Union and some other jurisdictions.

When you implement this feature, you will be required to set up two hardware keys with the same iOS device. This is so you have a backup key in case you lose the one you regularly use or it is damaged, such as being laundered with your clothes.

Support does already exist within iOS for app-level or Website-level verification with security keys. But Apple’s own use of them may allow it to build in and refine the application-programming interfaces that third-party app developers need in order to support this form of authentication.

What I see at least is the implementation of hardware security keys in the mobile-platform context for multi-factor or password-free authentication with the user’s primary platform account. Who knows when Google will offer this feature for Android. Could this also be about leading towards the use of hardware security keys as a hardening factor for user account security?

Google to provide privacy-focused object blurring as an open-source tool

Article

Google is making its internal video-blurring privacy tool open source | Engadget

My Comments

There are objects you have to be careful of when you photograph them for the public Web. What I mean by that is public-facing social media accounts, blogs or similar use cases where the general public would see the content; or images being offered as stock photos for anyone to illustrate material with.

Such objects are things like vehicles with their registration (license) plates or documents that lie in the scope of a picture and they can easily be considered personally-identifiable information. Even tattoos on a person could be considered identifiable unless they are a common design.

What Google has done and is publishing as open-source is a software algorithm that follows an object like a vehicle’s number plate and blurs that object. This could happen not just in photos but in videos where that object is moving. Here, it avoids the risk of that kind of information being indexed by a search engine with optical-character-recognition abilities.

This can also come into its own where an email address, Web link or QR code is part of an image and there is a desire to control how people who see the image on the Internet or on TV can use that data.

It is being pitched towards creators or journalists who want to blur out personal-identifying information whether that be of themselves, their premises or people they know for content destined for the public Web. Typically this workflow will be in the form of creating and editing a “public copy” of the image they took and using that on the Website or social-media account.

But there may be some use cases where an identifier is required to be visible in the published photo. For example, when a vehicle is put on the market, having a visible registration number in the accompanying images of that vehicle in the online ad is an asset for buyers when it comes to checking that vehicle’s provenance.

What I would like to see with this software is for it to be repackaged as a free plugin for photo and video editing software. Or, better still, more photo/video editing software developers being encouraged to “bake” the privacy-blurring code into a major version of their software.

Samsung to roll out a “valet key” for your smartphone

Article

Samsung Galaxy A52s 5G Android smartphone

Samsung smartphones will end up with a “maintenance mode” for your data protection when you have them repaired

Samsung rolls out One UI 5 ‘Maintenance Mode’ to keep your data safe during repair (9to5google.com)

New Samsung Maintenance Mode protects your data during phone repairs (bleepingcomputer.com)

My Comments

For a long time, most of the good cars came with a “valet key” arrangement of some sort. This especially benefited sedans (saloons), coupes and similar cars that had a lockable trunk (boot), but also benefited any car that had a lockable glove box.

Here, the car came with one key that could only open the doors and start the engine but couldn’t open the boot or glove box. You could still open the boot or glove box with a separate dedicated key or with a master key that opened everything. This was about allowing you to hand over your car to a mechanic’s, a valet-operated car park or a similar facility knowing that the staff there couldn’t steal valuables from the glove box or boot.

Samsung is introducing the “Maintenance Mode” as part of its One UI 5 / Android 13 update for their recent Android smartphones. Here, it is to achieve this same goal by locking your personal data in a separate account not available to technicians who repair or service your phone. These technicians then have access to an account specifically created for testing and repairing the phone.

White Jaguar XJ6 Series 2

… just like cars such as this Jaguar XJ6 did to limit access to the boot (trunk) and glove box when the vehicles were repaired or at valet parking

As well, technicians can install utility software on your phone as part of the maintenance work, but once you log in to your phone again with your normal account, this software is removed. A question that comes up here is what happens if the repair requires the installation of software updates or patches, perhaps to provide driver support for replacement hardware, that have to operate with your own normal account.

Samsung are initially offering this to selected Galaxy phones sold within the USA as part of a beta-test for One UI 5 but are wanting to roll this out across the world through 2023.

Most of us would find this of benefit as we use our smartphones as the digital equivalent of our wallets, photo albums and keyrings. The well-founded fear we have with this is technicians taking advantage of our personal data especially if they see value in it for them.

I would see the “Maintenance Mode” feature being of interest to computing-device vendors and operating-system developers as something to add as a significant feature for an operating system. Here it may be offered during a major feature update cycle for the operating system or as part of a security package.

Such a feature could give all of us peace of mind when we relinquish a smartphone, tablet or laptop computer to technicians that we don’t know for repair.

European Union to establish own DNS infrastructure

Article

Map of Europe by User:mjchael, using preliminary work of maix¿? [CC-BY-SA-2.5 (http://creativecommons.org/licenses/by-sa/2.5)], via Wikimedia Commons

EU wants to build its own DNS infrastructure with built-in filtering capabilities – The Record by Recorded Future

My Comments

Europe is working on another Internet-focused effort to maintain some sovereignty over its online affairs.

The DNS is the Internet’s equivalent of the traditional White Pages telephone book, where you look up someone’s name to find their phone number. Here, it is about looking up the domain-name part of a Web address like “homenetworking01.info” and identifying the IP address of the Web server that hosts the Website. A very similar lookup finds the IP address of the email server for the domain that appears after the “@” in an email address.

Here, the European DNS4EU effort is about creating a network of DNS servers that are based in Europe. It is essentially about European data sovereignty where this Internet-essential function is in European hands and fully subject to European laws and norms rather than in the hands of a few non-European companies.

For example, this DNS effort is run in compliance with the European Union’s GDPR user-privacy rules and avoids issues with the USA’s CLOUD Act, which can make online data subject to US authorities’ investigative demands even when it is used overseas, as long as the servers are owned by a company based in the USA.

The DNS4EU DNS service will also have powerful filtering abilities to work against cyber attacks. This can include blocking DNS name resolution for domains associated with malware or phishing sites. But there are questions about which kind of Internet user this would be mandatory for like the public sector, financial services or essential services or whether EU-based or all European based ISPs will be required to take advantage of this new DNS4EU infrastructure.

This same project also assures compliance with court orders blocking access to prohibited content like child-sexual-abuse imagery or pirated content. But this kind of protection may be limited to the European Union, or cover a wider area like the European Single Market or even the countries under the Council of Europe’s scope.

Another benefit often seen with this is increased speed for European DNS queries due to the proximity of the DNS4EU servers to European citizens and businesses. It is also a way that Europe can carve out its own online identity amongst their own citizens rather than relying on other areas for its IT needs.

As I have said before, there could be questions raised about the kind of geopolitical reach that the European Union’s new DNS infrastructure would have. But it could be seen as one of many attempts for Europe to have its own IT infrastructure and work in a manner independent of countries like the USA.

FIDO Alliance closer to password-free authentication

Article

Facebook login page

FIDO Alliance could be having us move off passwords when we use online services

FIDO Alliance says it has finally killed the password • The Register

From the horse’s mouth

FIDO Alliance

Charting an Accelerated Path Forward for Passwordless Authentication Adoption – FIDO Alliance

My Comments

The FIDO Alliance and the WebAuthn group are moving towards a password-free authentication approach for online services. This is based around a device-local private authentication key associated with your username for that online service, which is only released when you enter your device PIN or screen-unlock code, or scan your fingerprint or face where your device supports it. A corresponding public key is stored in the user’s account record on the online service’s servers and is used to “test” the private key to complete the user-verification process.

Samsung Galaxy Tab Active 8" business tablet press picture courtesy of Samsung

The smartphone will end up as a key authentication device especially if you sign in with your fingerprint or face

But there is a problem associated with the reality that most of us own multiple computing devices. This can typically manifest in us owning a smartphone, a mobile-platform tablet like an iPad and/or a regular desktop or laptop computer. There is also the fact that most of us will end up owning “connected-TV” equipment be it a smart TV, set-top device or games console that is a gateway to online video services. Or we may even end up using various smart-home platforms including Amazon Echo or Google Home.

The problem also includes lifecycle issues associated with today’s devices such as acquiring a new device or replacing a broken, lost or stolen device. Or it could include where one is using another device on a temporary basis like using a friend’s computer or a computer at a hotel business centre.

Then there is the issue of phishing, even with multifactor authentication, because the user has no reliable way of telling whether they are signing in to the real online service or to an imitation of it.

Solutions

Bluetooth as a means for authentication

Logitech MX Anywhere 3 mouse on glass table near laptop

Or you could authenticate online services from a laptop’s fingerprint reader or your smartphone

One factor being examined is the use of your smartphone as a roaming authentication device. Part of what will be looked at is using Bluetooth LE as a machine-to-machine link between the device you are signing in from and your phone to conditionally release online-service authentication keys.

This avoids you entering a one-time password into a phishing site, for example, because you are not transcribing information into a site at all. The Bluetooth functionality is also about device proximity: your smartphone has to be close to the device you want to sign in from.

I also see the Bluetooth link appealing to client devices that have limited user interfaces like connected-TV devices, printers and the Internet of Things. It avoids the need to log in to your online service to transcribe a “binding code” to use it with connected-TV devices or, at worst, to “hunt and peck” a username and password to associate the device with an online service.

It will also support bare-bones provisioning of new devices irrespective of platform, such as when you, as an iOS or Android mobile-platform user, want to set up your Windows laptop to work with your online services.

As well, it could come into its own with temporary-use scenarios like shared computers or equipment installed in places like hotels. It could even include adding one’s online video service account to smart TVs or set-top devices installed in hotels, holiday homes or common rooms for temporary use. I could even see this earn its keep as an alternative to cards for authentication at kiosk-type setups like ATMs.

Multi-device authentication

The multi-device approach would be on the likes of Apple, Google and Microsoft coming to the party. This is because it would be based on device operating systems and associated cloud-driven account services like Apple ID (MacOS, iOS, tvOS), Google Account (Android, ChromeOS) and Microsoft Account (Windows, XBox).

In some cases, it may extend to device vendors or other entities who run their own cloud-driven account services and want them as the login of choice for your online world. Even account services typically managed by businesses or education establishments could become “primary” account services typically for large fleets of organisation-owned devices.

Amazon Echo Show 10 press image courtesy of Amazon

Even smart displays like the Amazon Echo Show 10 could be in on the action

This approach would have the operating system create and use the authentication keys and store these with your account on the cloud-driven account service. It would come into its own if you are adding a device that works with the same platform as the one you were using, for example onboarding an iPad to the same Apple ID as your iPhone.

The system can distinguish between an extant device and a newer device through another device-bound authentication key that underscores that you are authorised to use the service with that physical device. Here, it can be about deeming that particular new device as trusted and under your control or some corporate setups may use it as a way to constrain use of the service to devices they have control over.

Online services would have to support a number of authentication keys for the same username with these associated with different computing platforms an end-user is likely to use. As well, another requirement that would be expected is to have one authentication key able to work across a vendor’s different operating systems such as a mobile OS and a desktop OS. This is due to vendors architecting their mobile operating systems for battery efficiency while the desktop operating systems are maintained for performance.

Situations

Moving between devices or platforms

Apple TV 4th Generation press picture courtesy of Apple

.. as could the likes of connected-TV and set-top-box setups like the Apple TV

If you are moving your online life between devices of the same platform, the multi-device authentication would have all the platform-level authentication keys moved across, similar to what happens with a password-vault app.

The Bluetooth authentication approach will come into play if you have devices of a different platform. But you have to have one of the devices still alive and in your possession for this to work properly.

What really may happen is that you use Bluetooth authentication to “enrol” other computing devices and have them seen as trusted devices once one or more of your devices support the necessary standards. Then, whichever one of them is still “alive”, say your regular computer or your mobile-platform tablet, would be used to authenticate your replacement smartphone to your secure online circle, even if it was replacing a lost, stolen or damaged phone.

If you intend to completely move off a platform, you can simply delete from your online services all the credentials associated with that particular platform. This may be through account management options offered by the online service where you revise what platforms you are logged in from.

Multiple-platform setups

Most of us are likely to operate a multiple-platform setup for our online lives. This will typically range from an iPhone and a Windows or Macintosh computer through an Android phone, an iPad and a Windows computer.

Online services will be likely to keep with your username, multiple sets of access credentials for each computing platform you are using. There will still be the ability to keep a platform-specific authentication key for your devices that operate a particular platform along with another for a different platform.

Gaps yet to be filled

One gap that needs to be filled is software-to-software authentication like what is expected for email or document-contribution setups or even the Internet of Everything. Such setups typically rely on stored credentials to authenticate the user with their account on that service along with client software like email clients having continual access to that service.

This may have to be about adapting protocols like IMAP4 or XML-RPC to device-generated authentication credentials and supporting multiple sets of these credentials for one user account. This would be important where multiple client devices are being used for the same online service such as a smartphone and a laptop for an email service.

Conclusion

Even the common reality of users operating multiple devices, or using a highly-portable device like a smartphone as an authentication device, will not escape the goal of a password-free online-service future. Here it would primarily be about authenticating with a device-local PIN or your fingerprint.

Cloudflare to work on simplified CAPTCHA

Article

CAPTCHA text

Cloudflare is intending to replace CAPTCHA authentication on Web forms with …

CAPTCHAs May Soon Go Extinct (gizmodo.com)

From the horse’s mouth

Cloudflare

Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness (cloudflare.com)

My Comments

The CAPTCHA is being used as a means to prevent spam emails or comments on Websites or to assure that people who register in an online context are real people.

But these measures, typically ranging from transcribing letters to identifying objects, can be very frustrating for many people. This is caused by hard-to-read or small letters, or by object-identification instructions that are difficult to understand in a particular language or cultural context. As well, some of these CAPTCHAs don’t work well on mobile setups like smartphones, which are increasingly the common way to use the Internet. That leads to abandoned registrations or online-shopping carts, or people not joining online services, for example.

HP Elitebook 2560p business notebook fingerprint reader

You scanning your fingerprint on your laptop’s fingerprint scanner, or entering your device’s PIN code, proves that a person is entering the data

Cloudflare is working on a different approach to authenticating the personhood of a device user without resorting to letters to transcribe or objects to identify. Initially it is using USB security keys for this purpose but is moving towards a full WebAuthn implementation.

This approach will work with WebAuthn-capable browser and operating-system setups and work in a similar vein to password-free authentication for online services using that technology. It will require you to enter your device PIN, use face recognition or the fingerprint reader, operate a USB security key or use an authenticator app on your smartphone to prove your personhood, as if you were enrolling in an online service that implements WebAuthn technology.

The success or failure of the WebAuthn test will simply allow you to submit that form on the Website or not. Under default setups the logic won’t cause any extra identifying factors to be stored on the online service’s server. But it may store a device-local cookie to record success so as to treat the session as authenticated, catering for data-revision steps in wizard-based forms or long data-entry sessions.

A question I would have with this Cloudflare approach is how it can work with computing setups that don’t support WebAuthn. This also includes shared computing setups and public-access computers, where the use of this kind of authentication may not be practicable for a single session.

But Cloudflare’s effort is taking WebAuthn further as a way to prove that a real person rather than a robot is actually operating an online account, in a manner that is universal across abilities, languages and cultures.

Zoom to provide privacy notifications for video conferences

Article – From the horse’s mouth

Zoom (MacOS) multi-party video conference screenshot

Zoom to introduce privacy disclosure for enhanced functionalities during a video conference

Zoom

Zoom Rolls Out In-Product Privacy Notifications – Zoom Blog

In-Product Privacy Notifications – Zoom Help Center (Detailed Resource)

Previous Coverage on videoconferencing platform security

A call to attention now exists regarding videoconferencing platform security

My Comments

As the COVID-19 coronavirus plague had us homebound and staying indoors, we were making increased use of Zoom and similar multi-party video conference software for work, education and social needs. This included an increased amount of telemedicine taking place where people were engaging with their doctors, psychologists and other specialists using this technology.

This increased ubiquity of multi-party videoconferencing raised concerns about the data-security, user-privacy and business-confidentiality implications of this technology. This was due to situations like business videoconference platforms being used for personal videoconferencing and vice versa. In some cases it was about videoconferencing platforms not being fit for purpose due to gaping holes in the various platforms’ security and privacy setup, along with the difficult user interfaces that some of these platforms offered.

During August 2020, the public data-protection authorities in Australia, Canada, Hong Kong, Gibraltar, Switzerland and the UK called this out as a serious issue through the form of open letters to the various popular videoconferencing platforms. There has been some improvement taking place with some platforms like Zoom implementing end-to-end encryption, Zoom implementing improved meeting-control facilities and some client software for the various platforms offering privacy features like defocusing backgrounds.

Zoom has now answered the call for transparency regarding user privacy by notifying all the participants in a multi-party videoconference about who can save or share content out of the videoconference. This comes in to play with particular features and apps like recording, transcription, polls and Q&A functionality. It will also notify others if someone is running a Zoom enhanced-functionality app that may compromise other users’ privacy.

There is also the issue of alerting users about who the account owner is in relation to these privacy issues. For corporate or education accounts, this would be the business or educational institution who set up the account. But most of us who operate our personal Zoom accounts would have the accounts in our name.

Personally, I would also like to have the option to know data-sovereignty information for corporate, education or similar accounts. This can be important if Zoom supports on-premises data storage or establishes “data-trustee” relationships with other telco or IT companies and uses this as a means to assure proper user privacy, business confidentiality and data sovereignty. A good example of this could be the European public data cloud that Germany and France are wanting to set up to compete with American and Chinese offerings while supporting European values.

Another issue is how this will come about during a video conference where the user is operating their session full-screen with the typical tile-up view but not using the enhanced-functionality features. Could this be like with Websites that pop up a consent notification disclosing what cookies or similar features are taking place when one uses the Website for the first time or moves to other pages?

It will be delivered as part of the latest updates for Zoom client software across all the platforms. This may also be a feature that will have to come about for other popular videoconferencing platforms like Microsoft Teams or Skype as a way to assure users of their conversation privacy and business confidentiality.

Google to participate in setting standards for mobile app security

Articles – From the horse’s mouth

Google

A standard and certification program now exists for mobile application security

A New Standard for Mobile App Security (Google Security Blog post)

Internet Of Secure Things Alliance (ioXT)

ioXt Alliance Expands Certification Program for Mobile and VPN Security (Press Release)

Mobile Application Profile (Reference Standard Document – PDF)

My Comments

There is a constant data-security and user-privacy risk associated with mobile computing.

And this is being underscored heavily as a significant number of mobile apps are part of “app-cessory” ecosystems for various Internet-of-Things devices. That is where a mobile app is serving as a control surface for one of these devices. Let’s not forget that VPNs are coming to the fore as a data-security and user-privacy aid for our personal-computing lives.

Internet of Secure Things ioXT logo courtesy of Internet of Secure Things Alliance

Expect this to appear alongside mobile-platform apps to signify they are designed for security

But how can we be sure that an app that we install on our smartphones or tablets is written to best security practices? What is being identified is a need for an industry standard supported by a trademarked logo that allows us to know that this kind of software is written for security.

A group called the Internet of Secure Things Alliance, known as ioXT, have started to define basic standards for secure Internet-of-Things ecosystems. Here they have defined various device profiles for different Internet-of-Things device types and determined minimum and recommended requirements for a device to be certified as being “secure” by them. This then allows the vendor to show a distinct ioXT-secure logo on the product or associated material.

Now Google and others have worked with ioXT to define a Mobile Application Profile that sets out minimum security standards for mobile-platform software in order to be deemed secure by them. At the moment, this is focused towards app-cessory software that works with connected devices along with consumer-facing privacy-focused VPN endpoint software. For that matter, Google is behind a “white-box” user-privacy VPN solution that can be offered under different labels.

This device profile has been written in an “open form” to cater towards other mobile app classes that need to have specific data-security and user-privacy requirements. This will come about as ioXT revises the Mobile Application Profile.

Conclusion

The ioXT Internet-of-Secure-Things platform could be extended to certifying more classes of native mobile-platform and desktop-platform software that works with the Internet of Everything. The VPN aspect of the Mobile Application Profile can also apply to native desktop VPN-management clients or native and Web software intended to manage router-based VPN setups.

At least a non-perpetual certification program with a trademarked logo now exists for the Internet of Everything and mobile apps to assure customers that the hardware and software is secure by design and default.

European businesses still value data protection for their online services

Article

Map of Europe by User:mjchael, using preliminary work of maix¿? [CC-BY-SA-2.5 (http://creativecommons.org/licenses/by-sa/2.5)], via Wikimedia Commons

Europäische Cloud-Anbieter profitieren von Datenschutzbedenken (European cloud offerings profit from data protection) | Netzwoche.ch (German language / Deutsche Sprache)

My Comments

I am following the scene as far as European online services and cloud computing for both business and consumer use is going. This is based on how I see that Europe could compete with the US establishment when it comes to offering any online service and ensure it respects European values.

I have just read a Swiss article which talked about the US and Chinese hyperscale cloud platforms dominating the European cloud-computing scene. But this article is stating that European cloud-computing / online-service providers are catching up with these behemoths. Here these companies are using data protection as a selling point due to data-protection and user-privacy concerns by European businesses and government authorities.

An example I saw of this is Germany and France working towards creating public-cloud computing services with the goal of being able to compete against the public-cloud services offered by the USA and Asia.

A recent survey completed by the French IT consultancy Capgemini highlighted that the German-speaking part of Europe (Germany, Austria and Switzerland) was buying minimal European IT services. But the same Capgemini survey also found that 45 of the respondents wanted to move to European providers in the future thanks to data protection and data sovereignty issues.

Data security is being given increasing importance due to recent cyber attacks and the increased digitalisation of production processes. But the Europeans have very strong data protection and end-user privacy mandates at national and EU level thanks to a strong respect for privacy and confidentiality within modern Europe.

COVID-19 had placed a lot of European IT projects on ice but there has been a constant push to assure business continuity even under the various public-health restrictions mandated by this plague. This includes the support for distributed working whether that be home-office working or remote working.

But how is this relevant to European households, small businesses and community organisations? I do see this as being relevant due to the use of various online and cloud IT services as part of our personal life, thanks to the likes of search engines, email / messaging, the Social Web, online entertainment, and voice-driven assistants. As well, small businesses and community organisations show interest in online and cloud-based computing as a means of benefiting from what may be seen as “big-time” IT without needing much in the way of capital expenditure.

It will be a slow and steady effort for Europe to have online and cloud computing on a par with the US and Asian establishment but this will be about services that respect European privacy, security and data-sovereignty values.

Zoom even makes it easier to deal with Zoombombing incidents

Article

Zoom to give more control to meeting hosts

How to stop a Zoombombing | Lifehacker

From the horse’s mouth

Zoom

3 New Ways We’re Combatting Meeting Disruptions (Blog Post)

My Comments

With the COVID-19 pandemic causing us to work or study from home, we have been seeing increased use of videoconferencing platforms like Zoom.

It has led to the convergence of business and personal use of popular multiparty videoconferencing platforms: be it business platforms of the Zoom and Microsoft Teams ilk serving personal, social and community needs, or personal platforms like Skype and WhatsApp being used for business purposes. This is more so with small businesses, community organisations and the like who don’t have their own IT team to manage this software. The software developers even support this convergence by adding “personal and social” features and free social-user tiers to business platforms, or by adding business features to personal platforms.

But this has brought along its fair share of miscreants. A key example of this is “Zoombombing”, where these miscreants join a Zoom meeting in order to disrupt it. This manifests as disruptive comments being put in to the meeting or, at worst, all sorts of filth unfit for the office or family home appearing on our screens. In fact a significant number of high-profile Zoom virtual events have been disrupted that way, and a significant number of governments have cited this phenomenon when raising questions about videoconferencing platform security.

This has been facilitated by Zoom and similar business videoconferencing platforms allowing people to join a videoconference by clicking on a meeting-specific URL. This contrasts with Skype, Viber, Facebook Messenger, WhatsApp and similar personal videoconferencing platforms, which operate on an in-platform invitation protocol when joining these meetings.

But these Weblinks have been posted on the Social Web for every man and his dog to see. Some online forums have even been hurriedly set up for people to solicit others to disrupt online meetings.

Zoom recently took action by requiring the use of meeting passwords and waiting-room setups and enabling these by default. As well, meeting hosts and participants have been encouraged not to place meeting URLs and passwords on any part of the Web open to the public. Rather, they are to send the link via email or instant messaging, and they are encouraged to send the password under separate cover.

Meeting hosts also have the ability to lock the meeting so no further attendees can come in, which is good if the meeting is based around known attendees. The host can also control the resource-sharing and remote-control functionality that Zoom offers. Let’s not forget that Zoom also added meeting-wide end-to-end encryption for increasingly-secure meetings.

But Zoom has taken further action by offering meeting hosts more tools to control their meeting, a feature available to all client software and to all user classes whether free or paid.

There is the ability for the Zoom meeting host to pause the meeting. Once this is invoked, no activity can take place in the meeting, including in any breakout rooms that the meeting has spawned. Hosts also have the ability to report the meeting to Zoom’s platform-wide security team and to selectively enable each meeting feature. They can also report users to Zoom’s platform security team, which files the report and gives the disruptive user the royal order of the boot from that meeting.

Another feature that has been introduced, thanks to the “join by URL” method that Zoom supports, is for meeting hosts to be alerted if their meeting is at risk of disruption. Zoom facilitates this using a Webcrawler that hunts for meeting URLs on the public Web, such as the Social Web, and alerts the meeting host if their meeting’s URL is posted there. Here, they are given the opportunity to change the URL to deflect any potential Zoombomb attempts.
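As an added example (not Zoom’s own crawler and not code from the article), here is a small scanner a meeting organiser could run over their own published text, such as a newsletter draft or a community page export, to catch join links before they go public, and in particular links that carry the passcode in the query string, which defeats the “send the password under separate cover” advice. The https://…zoom.us/j/<meeting id>?pwd=… link shape is an assumption of this example, and the sample posts are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumed join-link shape (an assumption of this example, not from the article):
#   https://<optional subdomain>.zoom.us/j/<9-11 digit meeting id>?pwd=<passcode>
ZOOM_JOIN = re.compile(
    r"https?://[\w.-]*zoom\.us/j/(\d{9,11})(?:\?[^\s<>]*)?", re.IGNORECASE
)


def find_leaked_meetings(text):
    """Return one finding per Zoom join link found in text.

    A finding records the line it sits on, the meeting id, and whether the
    link also carries the passcode ("pwd" query parameter), i.e. whether a
    single copy of the link is enough for a stranger to walk straight in.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ZOOM_JOIN.finditer(line):
            url = match.group(0)
            query = parse_qs(urlparse(url).query)
            findings.append({
                "line": lineno,
                "meeting_id": match.group(1),
                "passcode_in_link": "pwd" in query,
                "url": url,
            })
    return findings


def redact(text):
    """Replace every join link (id and any embedded passcode) with a placeholder
    so the text can be published without exposing the meeting."""
    return ZOOM_JOIN.sub("https://zoom.us/j/[REDACTED-MEETING-ID]", text)


# Constructed sample of draft public posts; the ids and passcode are made up.
SAMPLE_POSTS = """\
Join our community AGM tonight: https://us02web.zoom.us/j/1234567890?pwd=c0nstructedPa55 see you there
Minutes from last week are on the website.
Reminder link (passcode sent separately): https://zoom.us/j/9876543210
"""

if __name__ == "__main__":
    for f in find_leaked_meetings(SAMPLE_POSTS):
        flag = "PASSCODE EMBEDDED" if f["passcode_in_link"] else "id only"
        print(f"line {f['line']}: meeting {f['meeting_id']} ({flag})")
    print(redact(SAMPLE_POSTS))
```

The first sample line is flagged as carrying its passcode; the third is flagged as an exposed meeting id only, which is the situation the waiting room and separately-sent password are meant to cover.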

But this year has become a key year as far as multiparty videoconferencing is concerned, due to our reliance on it. Here, it may be about seeing less differentiation between business-use and personal-use platforms, or the definition of a basic feature set that these videoconferencing platforms are meant to have, with secure private operation being part of that definition.