By now, you are most likely saturated with the massive debate around Zoom, the video conferencing app, and its numerous privacy and security issues. Numerous security researchers, organisations and journalists have spoken out at length about the unending list of privacy and security concerns about Zoom, even as ‘zoombombing’ reports continued to balloon all across the internet. In return, Zoom’s founder and chief executive Eric Yuan yesterday offered a meek apology for not being careful enough with user data and privacy, and promised that his company is hard at work to address all the safety concerns among users. But the question remains: is Zoom doing enough? Should they have seen the usage trends early and taken measures? Or is this, like most technology companies, yet another instance where a company would make huge profits at the expense of the privacy of their customers, and be allowed to walk away with a tepid “I’m sorry” blog post?
According to the statement, Zoom’s privacy statement at the time also said that even video recordings would be collected, as well as transcriptions of the video calls. Then came the aspect of no legal control over a host of a Zoom video meeting, which essentially allowed anyone with access to your video to share it with whoever they wished to.
Multiple security concerns about Zoom included monitoring the activity of attendees, accessing others’ dashboards and more.
The privacy concerns did not just end there. A report by the Electronic Frontier Foundation listed multiple security concerns about Zoom, which included the ability of a call’s host to monitor the activity of all attendees, access detailed dashboards of user activities, access contents of calls recorded by other non-admin users, and even access device information, OS information, IP address and user location data.
Right on cue, a Vice report revealed that Zoom’s iOS app was sharing user data with Facebook without adequate disclosure of the same to its users. More worryingly, it did so even for users without Facebook accounts, signalling a major breach of privacy and security. Even as Zoom promptly “apologised” and fixed the gaffe, this was closely followed by a massive rise in the number of malicious domains impersonating Zoom to steal more data and money, although it can be said that the latter is not Zoom’s own fault.
For Windows, Zoom was leaking login credentials of users, while on Mac, Zoom’s installer did not need user permission.
In essence, the video conferencing app has been called out for having close to every possible security threat that it could have, all the while breaking common cyber security and privacy protocols along the way.
What Zoom is doing
Given the sheer number of privacy and security concerns that Zoom has had in recent times, it becomes hard to believe the blog posts of a company that has taken a lackadaisical and thoroughly ignorant approach to user security.
The updated user agreement further says, “Zoom collects only the user data that is required to provide you Zoom services. This includes technical and operational support and service improvement. For example, we collect information such as a user’s IP address and OS and device details to deliver the best possible Zoom experience to you regardless of how and from where you join.”
In most cases, instead of specifying “we collect”, it now states “data our customers share with us”.
As of now, in describing how Zoom deals with user data, the policy explains the use of a user’s “approximate location”, with an additional clarification that reads, “we do not ‘track’ your specific location”. Zoom also collects specific user metadata such as participant information, in order to “provide Zoom services”.
Yesterday, Zoom CEO Yuan also penned an “apology” for the overwhelming list of security issues with the app, offering a rather meek justification for it and stating that the company has frozen all development of new features until its privacy and security issues are fixed. A previous Zoom blog also spoke about its tryst with encryption of services. As the post stated, “In a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.”
However, users need to be aware
While Zoom is to be deservedly held accountable for all these flaws, and for simply having so many privacy issues at one go, it is important to note that even users need to be wary of the issues. Yuan’s post from yesterday clarifies that the company is offering tutorials and webinars on how to best use the app’s privacy features, and is educating users about reading the data usage policy in full before giving consent.
Avinash Prasad, vice president and head of managed security services at Tata Communications, puts the onus on organisations to also take charge of cyber security practices. In a statement shared with News18, Prasad says, “Organisations must put together a cross-functional and collaborative team to have a holistic COVID-19 risk management strategy, covering both human safety as well as information and data security.”
Going forward, even as work from home periods extend further, it remains to be seen exactly how Zoom and its security issues evolve over time, in a climate where cyber security threats all around are witnessing a sharp rise.