Amidst a general slaughter in the global economy, Zoom Video Communications is one of the few companies enjoying a massive boom period. The video conferencing platform has added about two million active users per month since the start of 2020, which is about the amount it added across all of 2019. But all of this new attention has also put a lens on Zoom privacy issues. Among other things, the platform has some concerning data collection policies. It has also experienced some significant vulnerabilities, and not all employees may be aware of the monitoring tools employers have at their disposal during video calls.
Zoom privacy issues temper the platform’s explosive growth
Zoom is far from the only viable platform for video conferencing that brings together workers in multiple locations, but it has become the market leader during the coronavirus crisis for several reasons. It’s one of the most affordable options, meetings that are under 40 minutes are free, the call quality tends to be very good, and the interface is more intuitive for non-technical users (i.e. many members of the C-suite or middle management tasked with running meetings) than most of the other similar products.
However, all of these benefits come packaged with some significant security concerns. Perhaps the most colorful of these making the rounds in the news as of late is “Zoom bombing.” The URLs that Zoom users gather at for their meetings can be accessed by anyone on the internet if password protection is not enabled. As anyone who has ever run or attended a dispersed video conference of this type can probably attest, people not knowing or losing the password can become a significant headache and time-waster. So many of these Zoom meetings are run with only the so-called “capability URL” as the only measure of keeping unauthorized parties out.
That might not be so bad if Zoom handled capability URLs as, say, Google does. Google’s unique URLs for sharing pictures and files tend to have around 40 characters; the Zoom “Meeting ID” URLs have only 9 to 11. Naturally, people have developed tools to “war dial” and scan through these combinations to come upon active meetings in progress. Sometimes war dialing is not even necessary, as meeting IDs are posted by naive attendees on social media. While it’s possible that a Zoombomber might commit corporate espionage this way, by and large the trick has been used to troll and disrupt random meetings with dirty images and the yelling of racial epithets.
The security of Zoom conferences thus depends almost entirely upon keeping the meeting ID from the public and insisting on password use, as Paul Bischoff, privacy advocate with Comparitech, explains: “Hosts posting links to Zoom conferences in public places should rethink their strategy. Participants should be verified with a password, or limit participants to a particular email domain (both features that come built into Zoom).”
Zoom bombing has thus been more of a clown show than a major security concern to this point, but it is far from the end of the Zoom privacy issues story. In fact, the silly nature of it might be masking the more serious problems in terms of media coverage.
Is Zoom’s encryption safe?
The Intercept has recently published a report that the encryption algorithm underpinning the platform may have known vulnerabilities, and also raises questions about keys being issued from Chinese servers for meetings taking place in other parts of the world. Though Zoom is based in San Jose, any encryption keys that are generated within China are subject to the government’s policy of absolute right to seizure.
The report also points out that Zoom has been using 128-bit AES encryption in electronic codebook (ECB) mode, an outdated and notably weak mode that has been known to leak patterns in encrypted data. This may be the most serious of all of the Zoom privacy issues.
Attendee attention tracker and chat logging
One of the more controversial aspects of the Zoom privacy issues was the ability for whoever is hosting the meeting to use an “attention tracker” that tells them if participants have left the app window out of focus for more than 30 seconds.
Zoom has responded to widespread criticism of this feature and has removed it as of April 2. However, another controversial monitoring feature remains; all chat messages from the meeting are automatically saved to a log and sent to the meeting host. Normally, only messages sent to the entire group would be saved in this way. However, if the host records the meeting to local storage rather than to a cloud server then even private messages sent between two participants will be saved to the log.
You are not immune to personal information collection if you attend a meeting via a web browser without creating a Zoom account; the service will still log your device type, IP address, and Facebook address if you are logged in at the time.
An extended history of Zoom privacy issues
This recent crop of Zoom privacy issues is not the first for the platform. There was a high-profile problem last year with an unintentional backdoor that exploited a feature in Safari. This allowed the web cams of users to potentially be activated without their knowledge (this issue has since been patched).
None of this reduces the platform’s usefulness for basic meetings that do not involve the discussion or sharing of sensitive information. However, the track record of Zoom privacy issues should give the throngs of new adopters pause — particularly the issues with encryption. At the very least, anyone working remotely via a Zoom call should be practicing good security hygiene based on the knowledge of these vulnerabilities.