Zoom, the video conferencing app, faces inquiries over privacy
The coronavirus epidemic has seen millions of people instructed to stay in their homes drove to Zoom, using the video conference application for everything from birthday parties and brunches to religious events and even a UK cabinet meeting. But the rise in popularity is leading to a wave of scrutiny, mainly around privacy.
Though video chat apps in general have seen an increase in usage, including Microsoft’s (MSFT) Skype and Cisco’s Webex and Teams platforms, Zoom (ZM) has emerged as the go-to contender thanks to its capability to hold a large number of users — up to 100 in the free version — and exciting social features such as customizable photo backgrounds. The company’s stock price has almost doubled up in the past two months.
But that increase in growth and the company’s extensive usage have surfaced numerous concerns.
In the last week alone, concerns with Zoom’s privacy protections have been flagged by users, security investigators and US authorities. The increased attention emphasizes a new front in the global debate over security and privacy as an outcome of the global pandemic, as millions of people adjust to working remotely and using technology that could possibly expose their data.
New York Attorney General Letitia James mailed a letter to Zoom on Monday asking whether the company “is taking suitable steps to ensure users’ privacy and security,” a spokesman for James’s office informed.
In a statement, Zoom said it would reply to James’s questions. “Zoom takes its users’ security, privacy and trust extremely seriously,” a spokesperson for the company said in an announcement. “During the COVID-19 epidemic, we are working around-the-clock to make sure that universities, hospitals, schools, and other businesses across the world can stay linked and operational. We realize the New York Attorney General’s engagement on these issues and are glad to provide her with the demanded information.”
On Monday, the FBI handed out a warning against “Zoom-bombing,” where trolls or hackers hijack a public video call. The agency mentioned examples of users entering virtual classrooms or meetings to shout vulgarities and share pornography. The FBI advised victims of “teleconference hijacking” to report any incidents to the agency.
Zoom CEO and founder Eric Yuan addressed some of those matters in a tweet on Friday, saying they shoot from users not enabling some security features such as additional privacy and meeting passwords controls.
“We will impose these settings in addition to blogs and training,” he said.
A Zoom spokesperson said the company was “intensely upset to hear about the incidents including this type of attack.”
Users hosting large public meetings should evaluate their settings to make sure only the hosts can share their screen, and initiate additional privacy controls, the spokesperson added. “We also lately updated the default screen sharing settings for our schooling users so teachers by default are the only people who can share content in class.”
Started nine years ago, Zoom has found itself unexpectedly become a vital social and professional lifeline for masses around the world. But that quick growth has led to it already being hit by the kind of arguments that far larger tech companies like Google (GOOGL) and Facebook (FB) frequently grapple with.
“They’ve gone from stimulating new startup product to part of the global structure in days. And I consider the many gaps in maturity are becoming embarrassingly clear,” Jules Polonetsky, the former chief privacy officer of AOL and CEO of the Future of Privacy Forum told CNN Business in an interview. “Some of them vary from just stupid stuff that maybe doesn’t create threat to most users, to other things that are going to make legal liability for them.”
Another current issue, first reported by Motherboard, includes Zoom’s sharing of user data with Facebook. Zoom initially allowed users to sign into its iOS app using their Facebook accounts, but the feature it was utilizing to do so shared information with Facebook about the user’s device, containing its language, time zone, model number and IP address. (Facebook proposes the tool to any developer to integrate with their apps.)
The exposure led to two Zoom users individually filing class action lawsuits against the company in a Northern California district court this week, with one suit claiming that the video app “has failed to protect the personal information of the increasing masses of users of its software” and the other claiming it gave them “no prospect to express or withhold agreement to Zoom’s misconduct.” The lawsuits blame Zoom of collecting users’ personal information and communicating it with third parties, including Facebook, without properly informing the users.
Zoom refused to comment on the lawsuits, but directed media to a recent blog post in which it says it removed the code that permits the data sharing with Facebook to occur. Facebook did not answer to a request for comment.
Some security specialists have expressed reservations about Zoom’s statement that it offers “end-to-end encryption for all meetings.”
In its place, Zoom uses something called transport encryption, which only safeguards the message while it’s en route from a video chat to the company’s servers, according to David Kennedy, initiator of cybersecurity firm TrustedSec and an ex cyberwarfare specialist with the United States Marine Corps. That means Zoom efficiently functions as a middleman in all video conversations on its platform and has entree to those conversations, he said.
A report by The Intercept first acknowledged the shortcoming.
The Zoom spokesperson accepted that the company gathers “basic technical information” such as IP addresses and device details, but emphasized that it has strict privacy controls to guard against unauthorized access.
“Importantly, Zoom does not sell user data of any type to anyone,” the spokesperson added.
Deprived of end-to-end encryption on video, Kennedy says video conversations on Zoom could precisely be accessed and kept by the company.
“Zoom doesn’t appear to be very clear on what they record, what they don’t record,” he said. “There are many things that Zoom is doing that is mainly alarming and concerning, because they’re not using the correct language and terminology.”