By now, you are most likely saturated with the massive debate around Zoom, the video conferencing app, and its numerous privacy and security issues. Numerous security researchers, organisations and journalists have spoken out at length about the unending list of privacy and security concerns about Zoom, even as ‘zoombombing’ reports continued to balloon all across the internet. In return, Zoom’s founder and chief executive Eric Yuan yesterday offered a meek apology for not being careful enough with user data and privacy, and promised that his company is hard at work to address all the safety concerns among users. But, the question remains, is Zoom doing enough? Should they have seen the usage trends early and take measures? Or is this, like most technology companies, yet another instance where a company would make huge profits at the expense of the privacy of their customers, and be allowed to walk away with a tepid “I’m sorry” blog post?
The timeline
Reports about Zoom and its privacy and security concerns began to flood the internet through the second and third weeks of March. On April 24, 2020, Consumer Reports published an article detailing how Zoom’s erstwhile privacy policy effectively rendered a user’s right to privacy completely useless. As the article stated, alongside claiming its legal right to collect and store data and sell to advertisers for generating revenue, Zoom extended its data collection to “customer content”, which apparently included the content from cloud meetings, messages, shared files, whiteboard notes and more.
According to the statement, Zoom’s then privacy statement also stated that even video recordings would be collected, as well as transcriptions of the video calls. Then came the aspect of no legal control over a host of a Zoom video meeting, which essentially allowed anyone with access to your video to share it with whoever they wished to.
Multiple security concerns about Zoom included monitoring the activity of attendees, accessing others’ dashboards and more.
The privacy concerns did not just end there. A report by the Electronic Frontier Foundation listed multiple security concerns about Zoom, which included the ability of a call’s host to monitor the activity of all attendees, access detailed dashboards of user activities, access contents of calls recorded by other non-admin users, and even access device information, OS information, IP address and user location data.
Prior to this, plenty of reports about Zoom’s security issues have floated across the internet. Now, with the massive increase in user base, some of these issues appear to have remained — outside users tapped into private meetings as most users remained ignorant about privacy settings introduced later, in a following update to Zoom’s privacy policy. This led to the establishment of the term zoombombing, where users’ video meetings were bombarded with pornographic content.
Right on cue, a Vice report revealed that Zoom’s iOS app was sharing user data with Facebook without adequate disclosure of the same to its users. More worryingly, it did so even for users without Facebook accounts, signalling a major breach of privacy and security. Even as Zoom promptly “apologised” and fixed the gaffe, this was closely followed by a massive rise in the number of malicious domains impersonating Zoom to steal more data and money, although it can be said that the latter is not Zoom’s own fault.
For Windows, Zoom was leaking login credentials of users, while on Mac, Zoom’s installer did not need user permission.
On March 30, a day after Zoom updated its privacy policy significantly, reports stated that the service was being investigated by the office of New York Attorney General, Letitia James. Independent security researchers also found security problems with Zoom’s Windows and Mac apps — for Windows, the app was found to be leaking the login credentials of users to cyber criminals, whereas on Mac, Zoom’s installer client did not need explicit user permission to be installed, creating an all new threat of being accessible to hackers as a remote access tool (RAT).
In essence, the video conferencing app has been called out for having close to every possible security threat that it could have, all the while breaking common cyber security and privacy protocols along the way.
What Zoom is doing
Given the sheer number of privacy and security concerns that Zoom has had in recent times, it becomes really hard to believe in the blog posts of a company that really has had a lackadaisical and thoroughly ignorant approach to user security.
However, the company’s updated privacy policy largely claims that it does not sell user data. Other salient bits from its privacy policy include: “We do not monitor them or even store them after your meeting is done unless we are requested to record and store them by the meeting host. We alert participants via both audio and video when they join meetings if the host is recording a meeting.”
The updated user agreement further says, “Zoom collects only the user data that is required to provide you Zoom services. This includes technical and operational support and service improvement. For example, we collect information such as a user’s IP address and OS and device details to deliver the best possible Zoom experience to you regardless of how and from where you join.”
In most cases, instead of specifying “we collect”, it now states “data our customers share with us”.
As of now, explaining how Zoom deals with user data, the policy explains the use of a user’s “approximate location”, with an additional clarification that reads, “we do not “track” your specific location”. It also collects specific user metadata such as participant information, in order to “provide Zoom services”.
In its recordings clause, the policy has been updated to now state, “Recordings may contain personal data and may be stored in Zoom’s cloud at the request of the customer.” Zoom has also changed the exact way it chose to write its privacy policy, and in most cases, instead of specifying “we collect”, it now states “data our customers share with us”. It isn’t particularly convincing, but is a start, nonetheless.
Yesterday, Zoom CEO Yuan also penned an “apology” for the overwhelming list of security issues with the app, offering a rather meek justification for it and stating that it has frozen all development of new features, until its privacy and security issues are fixed. A previous Zoom blog also spoke about its tryst with encryption of services. As the post stated, “In a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.”
However, users need to be aware
While Zoom is to be deservedly held accountable for all these flaws, and for simply having so many privacy issues at one go, it is important to note that even users need to be wary of the issues. Yuan’s post from yesterday clarifies that the company is offering tutorials and webinars on how to best use the app’s privacy features, and educate users about reading the data usage policy in full, before giving consent.
Avinash Prasad, vice president and head of managed security services at Tata Communications, puts the onus on organisations to also take charge of cyber security practices. In a statement shared with News18, Prasad says, “Organisations must put together a cross-functional and collaborative team to have a holistic COVID-19 risk management strategy, covering both human safety as well as information and data security.”
Going forward, even as work from home periods extend further, it remains to be seen exactly how Zoom and its security issues evolve over time, in a climate where cyber security threats all around are witnessing a sharp rise.
