As the coronavirus forced businesses and schools across the country to conduct work online, the video conferencing software Zoom became increasingly popular. However, with that spike in usage came a steady stream of privacy and security concerns.
It seems like with each week of social distancing, a new Zoom security or privacy problem revealed itself.
From the beginning, the company misled users about how it encrypted calls and what information it collected from private calls. In addition, the company recently disclosed that a tool built in collaboration with Facebook was allowing the social media company to gather Zoom user information. Zoom's software itself also had bugs that let attackers easily gather unprotected user information.
The wave of security and privacy issues around Zoom conferences reached a breaking point when lawmakers and advocacy groups began calling for a Federal Trade Commission (FTC) investigation. The Senate sergeant-at-arms even told senators to stop meeting on Zoom, according to Business Insider.
But perhaps the issue that generated the most attention was “Zoombombing,” when strangers interrupt a Zoom meeting and begin spewing racist slurs, showing indecent images, or otherwise disrupting the call.
One example of Zoombombing came from Casey Fiesler, an assistant professor at the University of Colorado Boulder. She said Zoom’s technology is to blame for a Zoombomb that took place in one of her classes.
“One of our classes has been the victim of some really intense zoombombing, and all I can think about is that this is exactly why ethical speculation around unintended consequences and bad actors is a CRITICAL part of the design process for any new technology,” CU Boulder Professor Casey Fiesler tweeted.
The sudden rise in Zoombombing and other security incidents didn’t go unnoticed. Zoom acknowledged that it was ill-prepared for the security problems that came with the massive influx of users.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” Zoom CEO Eric Yuan wrote in a statement.
But as the country tries to slow the spread of coronavirus, many schools and businesses rely on the company’s services now. Zoom rooms are hosting business calls, virtual school lessons, and more.
Here’s what you need to know about Zoom, the security and privacy problems that have cropped up recently, and how the company says it plans to fix them.
Zoom has exploded in popularity
Setting up a Zoom conference has become a go-to video chat choice for many working, studying, or “happy houring” from home during the coronavirus. Universities and businesses adopted the service for its affordability and easy-to-use features, according to Zoom’s website.
For example, a user could host a Zoom meeting with a large number of participants for zero cost. For advanced features like additional storage and participants, Zoom offers plans for $20 per month.
To host a Zoom meeting, users sign up with their email or create their own account. The host then invites participants by link or email invitation. The software is available as a desktop application and as a Zoom mobile app.
For these reasons, Zoom’s user base exploded in March when the U.S. issued stay-at-home orders.
In December, the company had 10 million users. Four months later, 200 million people were using Zoom, according to a blog post published by Yuan, Zoom’s CEO.
It has definitely garnered the attention of Gen Z. As they’ve spent so much time on Zoom during the coronavirus emergency, many kids have begun joking that they attend “Zoom University,” according to the New York Times.
Millions of people now use Zoom every day to communicate within their businesses, schools, and communities.
However, with the hype came issues.
The downside of Zoom’s popularity
The massive migration to online platforms is a dream for anyone trying to disrupt or hack online services, especially when many people are new to a particular piece of software.
For Zoom, that was exactly the case. Many first-time users did not enable security measures like password-protected invitation links. That meant anyone could join the call by simply clicking on the link. Suddenly, Zoombombing exploded.
“In middle of lecture to HBCU students… my screen was taken over & a mob of #zoombombers dropped n-word, drew swastikas, & posted porn @Zoom FIX THIS. Last thing I need in a pandemic is to be terrorized online,” Megan Ming Francis, a visiting professor at Harvard’s Kennedy School, tweeted.
In addition to Zoombombing, privately recorded Zoom calls were found through web searches, according to the Washington Post. Recording is not on by default, but hosts can enable the feature.
Zoom gives all downloadable recordings the same naming pattern, which makes them easier for bad actors to identify. If a user saves a recording to unprotected storage, like a passwordless iCloud space, the call is available on the open web. Confidential doctor appointments, financial statements, and a variety of other private information were found online by the Post.
Patrick Jackson, a former National Security Agency researcher, told the Post he found over 15,000 videos on a search engine that indexes open cloud storage.
It does not end there. In mid-April, cyber risk experts found 500,000 Zoom accounts available on the black market for free, according to Forbes. The stolen information included usernames, passwords, and meeting invite URLs.
All of that could make Zoombombing more likely in the future if users don’t take steps to protect themselves.
Zoom issues spark investigation calls
Zoom’s own software and data collection policies sparked some concern among privacy advocates.
For one, the company misled users about its implementation of end-to-end encryption. End-to-end (E2E) encryption means that only the sender and the receiver of a message can decrypt it, and therefore only they can see its contents or hear its audio; the service carrying the message cannot.
The Intercept reported that Zoom’s technical white paper says users can enable an E2E encryption feature, but a spokesperson for the company said it’s impossible for Zoom’s software to use E2E encryption.
Instead, Zoom uses transport encryption, which protects the connection between each participant and Zoom’s servers but gives the company access to the video and audio of user meetings.
The company eventually apologized for the encryption “confusion,” adding that there was a “discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
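The difference between the two models comes down to where plaintext can exist. As an added illustration (not Zoom's code or protocol; the relay, the keys and the toy cipher are all constructed here), this Python simulation forwards a message through a relay server under both models and reports whether the relay could read it:

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), used only to make the
    relay model concrete. It is an illustration, not a production cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

class Relay:
    """Constructed stand-in for a meeting server; `observed` is what it could read."""
    def __init__(self):
        self.transport_keys = {}
        self.observed = []

    def register(self, client_id: str) -> bytes:
        # Transport-layer key for the hop between this client and the server.
        key = os.urandom(32)
        self.transport_keys[client_id] = key
        return key

    def forward_transport(self, sender, receiver, nonce, ciphertext):
        # Transport encryption: each hop is encrypted, but the server decrypts
        # and re-encrypts, so the plaintext exists on the server.
        plaintext = keystream_xor(self.transport_keys[sender], nonce, ciphertext)
        self.observed.append(plaintext)
        return keystream_xor(self.transport_keys[receiver], nonce, plaintext)

    def forward_e2e(self, ciphertext):
        # End-to-end: the server holds no meeting key, so it can only pass the
        # bytes along and sees nothing but ciphertext.
        self.observed.append(ciphertext)
        return ciphertext

def run_transport_model(message: bytes):
    """Returns (what Bob receives, whether the relay saw the plaintext)."""
    relay, nonce = Relay(), os.urandom(12)
    key_alice, key_bob = relay.register("alice"), relay.register("bob")
    sent = keystream_xor(key_alice, nonce, message)
    delivered = relay.forward_transport("alice", "bob", nonce, sent)
    return keystream_xor(key_bob, nonce, delivered), message in relay.observed

def run_e2e_model(message: bytes):
    # Same check, but Alice and Bob share a meeting key the relay never holds.
    relay, nonce, meeting_key = Relay(), os.urandom(12), os.urandom(32)
    delivered = relay.forward_e2e(keystream_xor(meeting_key, nonce, message))
    return keystream_xor(meeting_key, nonce, delivered), message in relay.observed
```

Both models deliver the message intact to Bob; only the transport model leaves a readable copy on the relay, which is exactly the access the article describes Zoom having.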
Zoom’s relationship with Facebook also alarmed privacy advocates. Until March 27, Zoom used the Facebook SDK to let users sign up through their Facebook account.
This feature allowed the social media giant to collect user information including “mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space” according to a Zoom statement.
Yuan said Zoom removed the tool once it realized that this data collection was not necessary for its purposes.
For these reasons, Sen. Richard Blumenthal (D-Conn.) called for an FTC investigation into Zoom’s security practices last week.
What Zoom is doing to safeguard user security
For those already impacted by Zoombombing, the company’s response is too late.
But it is rolling out additional security efforts to earn back the trust of users.
On April 8, Zoom announced a new security plan intended to reorganize the company.
“We’re going to transform our business to a privacy-and-security-first mentality,” Yuan, Zoom’s CEO, told NPR.
To do that, Zoom issued a 90-day plan led by Alex Stamos, the former Chief Security Officer at Facebook. He tackled security issues at the social media platform during the spread of disinformation by Russian trolls in 2016.
New measures include webinars that teach users how to use the new security features properly. Some of them specifically explain how to prevent Zoombombing.
Another change removed meeting IDs from the video chat screen. Users had been posting photos of their Zoom happy hours without obscuring the meeting ID, which allowed anyone to join.
In addition, the company added a security option on the video chat toolbar so hosts can quickly react to unwanted guests. There is also a waiting room feature so hosts can see who is entering the chat before starting.
Zoom has also said it will turn password requirements on by default for various kinds of meetings. Previously they could be disabled.
In late April, the company announced “Zoom 5.0” to address a number of security and privacy concerns including: adding a security icon in the host’s interface, beefing up its encryption (although not to end-to-end), “host controls” that allow people to report users, and having a waiting room feature on by default for education, basic, and single-license accounts, among other things.
All of those new Zoom features may be key, because some scientists believe social distancing could last far longer than anyone wants it to.
A Harvard study is predicting stay-at-home orders may last until 2022. That means services like Zoom are necessary for the continuation of services deemed nonessential by the government, but essential to many.
Classrooms, doctor appointments, and more now depend on online meetings. However, without proper safeguards, many users could be sacrificing their privacy for convenient video conferencing on Zoom.