Zoom’s Soaring Popularity Is a Double-Edged Sword

As the coronavirus pandemic worsened in the U.S., Zoom Video Communications offered free access to its videoconferencing platform, and demand skyrocketed.

“Zoom has quickly become the de facto for teleconferencing during the COVID-19 pandemic,” said James McQuiggan, security awareness advocate at KnowBe4.

“A lot of organizations are using it to keep in contact with their employees,” he told the E-Commerce Times.

Success Has Its Price

However, since entering the spotlight, Zoom has drawn heavy criticism for its privacy practices.

Zoom’s iOS app, created with Facebook’s SDK, shared analytics data with Facebook without informing users, according to Motherboard. It provided information about users, whether they had a Facebook account or not.

Zoom’s privacy policy “is creepily chummy with the tracking-based advertising business,” wrote Doc Searls, alumnus fellow of the Berkman Center for Internet and Society at Harvard University and one of the four authors of The Cluetrain Manifesto.

“Zoom is in the advertising business, and in the worst end of it: the one that lives off harvested personal data,” he observed. “What makes this extra creepy is that Zoom is in a position to gather plenty of personal data, some of it very intimate.”

Referring to the Facebook data sharing, Zoom “had an obligation to disclose that to its users,” said Rob Enderle, principal analyst at the Enderle Group.

“Facebook has had many significant issues regarding protecting user privacy. For many, avoiding an application that shared data with Facebook would have been prudent,” he told the E-Commerce Times.

Zoom should have known the perils of using Facebook’s SDK, McQuiggan suggested.

“Application SDKs will use various levels of logging depending on how they are configured,” he pointed out. “Developers should be aware of the logging capabilities when coding applications to interface with Facebook or other third-party organizations.”

Meanwhile, Zoom is facing a class action lawsuit alleging that its privacy policy did not explain to users that its app contained code that disclosed information to Facebook and, potentially, other third parties.

Hackers have intruded on Zoom videoconferences — known as “Zoom-bombing” — triggering a public warning from the U.S. Federal Bureau of Investigation.

The Intercept reported a slew of privacy problems on Zoom’s platform, including the following:

  • Its privacy policy let it collect user data and employ that in marketing;
  • Its videoconferences are not encrypted end to end as claimed, but only in transit, except for in-meeting text chat; and
  • Its Meeting Connector lets companies host a Zoom server on their internal corporate network, which means metadata about videoconferences or virtual meetings, including the names of participants, goes through Zoom’s servers, giving Zoom access to that data.

Cybercriminals have been setting up fake Zoom domains, according to Checkpoint Security. However, that is not a problem for Zoom alone. Phishing websites have sprung up to imitate every leading communication application, including Google Classroom.

New York State Attorney General Letitia James has written Zoom, asking what measures it’s taking to ensure users’ privacy.

“We have sent a letter to Zoom with a number of questions to ensure the company is taking appropriate steps to ensure users’ privacy and security,” a spokesperson said in a statement provided to the E-Commerce Times by James’ press secretary Fabien Levy.

The pros of using Zoom are that it’s relatively inexpensive and it works better than most of the alternatives, Enderle remarked. “On the other hand, it may violate many national and international privacy laws, opening the company up to employee and customer litigation and potential regulatory fines.”

Closing the Gaps

Zoom has cleaned up its privacy act, said author Searls.

The company has removed the code that sends data to Facebook.

Zoom has stopped the data leakage to Facebook. That’s good. But their privacy policy is still a complete trash fire that belittles privacy legislation and grants themselves the right to do exactly what they were just caught doing.

— DHH (@dhh) March 28, 2020

In addition to amending its privacy policy, Zoom maintained that it does not sell users’ personal data.

Still, the company’s privacy protections “are below standard for a communications application,” Enderle observed. They “should both require more disclosure and more direct approval of the risks the user is taking by using the product.”

Encryption Issues

End-to-end encryption is too difficult, Zoom has argued, although Apple has been managing it with FaceTime.

However, FaceTime “is an on-demand connection between iPhone or Apple devices, with limits on how many you can connect to at one time,” McQuiggan noted. “Zoom is a multiplatform connection tool for various devices, operating systems, and platforms.”

End-to-end encryption “does increase latency and processing overhead in both directions,” Enderle pointed out.

“Given the part you’re generally mostly concerned with is in transit, [Zoom’s security] may be acceptable to most, particularly given that phone conversations aren’t encrypted right now,” he said.

Protecting Yourself on Zoom

To avoid the risk of being Zoom-bombed, McQuiggan recommended the following steps:

  • In the platform’s General Settings, turn on “Require a password” when scheduling a meeting. Don’t include the password in the invitation link but email it separately to attendees;
  • Turn on “Screen Sharing by Host Only” to prevent people from posting inappropriate material. The host can enable other users once the meeting has begun;
  • Turn on “Only Authenticated Users Can Join: Sign-in to Zoom” to restrict access only to people who have signed in and been authenticated either by Zoom or the organization or company; and
  • Turn on “Enable Waiting Room” to let the host control who can join the meeting and prevent unauthorized attempts to join.

Web conferencing platform users tend to avoid using passwords because it makes joining the meeting harder, said Matt Keil, director of product marketing at Cequence Security.

However, “consumers should take to heart the password advice that Zoom and other Web conferencing vendors offer,” he told the E-Commerce Times, “and enable the use of default security features to avoid snooping.”

Richard Adhikari

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.
