Since remote work became the new norm for many of us, Zoom’s video conferencing software has exploded in popularity – according to estimates by Bernstein Research, the company added more users in the first two months of this year than during the whole of 2019. However, mass adoption has finally brought mass attention to the security and data privacy issues Zoom has had for a long time.
Reports about security gaps, questionable data transfers, and tracking practices come out one after another. Given that nowadays Zoom is used for everything from work calls through government meetings to therapy sessions, we decided to put together an overview of some of the concerns:
- On Wednesday, security researcher and former NSA hacker Patrick Wardle discovered and revealed two bugs that can be exploited to take over a Zoom user’s Mac computer and tap into its webcam and microphone.
- According to a publication by The Intercept, Zoom calls do not offer end-to-end (E2E) encryption, despite the software being marketed that way. It appears that Zoom is actually using transport encryption (TLS), which in a nutshell means that while a given meeting stays private from outside parties who may be spying on the user’s Wi-Fi, it does not stay private from Zoom itself, since Zoom holds the keys and can decrypt the traffic on its servers. A statement by the video conferencing provider says ‘Unless a meeting is recorded by the host, the video, audio, and chat content is not stored.’
- Motherboard reported that Zoom’s ‘Company Directory’ feature can leak personal information such as email addresses and profile pictures, and can even give strangers the opportunity to initiate a video call with a user. Zoom’s original intention was to make it easier for colleagues whose emails share the same domain to find each other, but multiple users who signed up with personal email addresses have reported that Zoom added thousands of people they don’t know to their contact lists.
- Last year, it also became clear that Zoom had failed to disclose that it installed a hidden web server on Mac computers, which remained even after the user had uninstalled Zoom. The security researcher who disclosed this, Jonathan Leitschuh, shared in a Medium post: “This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.” Ultimately, Apple had to intervene and push a security update to remove the hidden web server.
- According to another security researcher’s Twitter post, Zoom uses a technique that allows the software to install on a Mac computer without user confirmation. The same trick is often used by malware to get onto computers unnoticed.
- Zoom’s iOS app used to send data such as time zone, device information and location to Facebook, even when the user didn’t have a Facebook account. Zoom has since removed the built-in Facebook code. However, this forwarding of data to Facebook has already resulted in a class-action lawsuit and an investigation by the New York prosecutor.
- Another controversial Zoom feature is ‘attendee tracking’, which allows the hosts of Zoom calls to see whether a participant is following the call attentively. The function can only be used in screen sharing mode – apparently to answer the frequently asked question of whether all participants are currently watching the presentation.
- A couple of weeks ago, the digital rights advocacy organization Access Now sent an open letter to Zoom asking the company to release a transparency report, as other tech giants such as Google and Microsoft do. In practice, such reports reveal the number of requests tech companies receive from governments for disclosure of user data, as well as the specific scenarios in which user data actually gets shared with public authorities. Zoom is currently reviewing this proposal.
- Organizations like SpaceX and NASA as well as the British Ministry of Defence have already banned employee access to Zoom in light of the possible security concerns.
So, what are the alternatives?
While alternatives exist, each one has certain limitations. On the free side, there are several options. FaceTime does provide end-to-end encryption and puts more focus on privacy – however, it’s available only to users of Apple devices. Another app with end-to-end encryption is WhatsApp, but its video calls are still limited to four people at a time. Skype has been around for a long time and is solid overall, but it has often been reported to freeze up.
What’s next for Zoom?
For the most part, Zoom is a useful tool – many users share the belief that it’s one of the easiest and most convenient video conferencing apps on the market. But while bugs can be fixed, the bigger problem is probably that the company is adamant in its claims about the privacy of its software, thereby giving users an unrealistic feeling of security.
Have you used any video conferencing apps that have proven to care about user privacy? Share examples with us.
UPDATE: Zoom published a blog post stating that the company has already addressed some of the raised privacy concerns:
- Permanently removed the attendee attention tracker feature.
- Released fixes for both Mac-related issues raised by Patrick Wardle.
- Released a fix for the UNC link issue.
- Permanently removed the LinkedIn Sales Navigator app after identifying unnecessary data disclosure by the feature.