As the coronavirus pandemic worsened in the U.S., Zoom Video Communications offered free access to its videoconferencing platform, and demand skyrocketed.
“Zoom has quickly become the de facto for teleconferencing during the COVID-19 pandemic,” said James McQuiggan, security awareness advocate at KnowBe4.
“A lot of organizations are using it to keep in contact with their employees,” he told the E-Commerce Times.
Success Has Its Price
However, since entering the spotlight, Zoom has drawn heavy criticism for its privacy practices.
Zoom’s iOS app, created with Facebook’s SDK, shared analytics data with Facebook without informing users, according to Motherboard. It provided information about users, whether they had a Facebook account or not.
“Zoom is in the advertising business, and in the worst end of it: the one that lives off harvested personal data,” he observed. “What makes this extra creepy is that Zoom is in a position to gather plenty of personal data, some of it very intimate.”
Referring to the Facebook data sharing, Zoom “had an obligation to disclose that to its users,” said Rob Enderle, principal analyst at the Enderle Group.
“Facebook has had many significant issues regarding protecting user privacy. For many, avoiding an application that shared data with Facebook would have been prudent,” he told the E-Commerce Times.
Zoom should have known the perils of using Facebook’s SDK, McQuiggan suggested.
“Application SDKs will use various levels of logging depending on how they are configured,” he pointed out. “Developers should be aware of the logging capabilities when coding applications to interface with Facebook or other third-party organizations.”
Hackers have intruded on Zoom videoconferences — known as “Zoom-bombing” — triggering a public warning from the U.S. Federal Bureau of Investigation.
The Intercept reported a slew of privacy problems on Zoom’s platform, including the following:
- Its videoconferences are not encrypted end to end as claimed, but only in transit, except for in-meeting text chat; and
- Its Meeting Connector lets companies host a Zoom server on their internal corporate network, which means metadata about videoconferences or virtual meetings, including the names of participants, goes through Zoom’s servers, giving Zoom access to that data.
Cybercriminals have been setting up fake Zoom domains, according to Checkpoint Security. However, that is not a problem for Zoom alone. Phishing websites have sprung up to imitate every leading communication application, including Google Classroom.
New York State Attorney General Letitia James has written Zoom, asking what measures it’s taking to ensure users’ privacy.
“We have sent a letter to Zoom with a number of questions to ensure the company is taking appropriate steps to ensure users’ privacy and security,” a spokesperson said in a statement provided to the E-Commerce Times by James’ press secretary Fabien Levy.
The pros of using Zoom are that it’s relatively inexpensive and it works better than most of the alternatives, Enderle remarked. “On the other hand, it may violate many national and international privacy laws, opening the company up to employee and customer litigation and potential regulatory fines.”
Closing the Gaps
Zoom has cleaned up its privacy act, said author Searls.
The company has removed the code that sends data to Facebook.
— DHH (@dhh) March 28, 2020
Still, the company’s privacy protections “are below standard for a communications application,” Enderle observed. They “should both require more disclosure and more direct approval of the risks the user is taking by using the product.”
End-to-end encryption is too difficult, Zoom has argued, although Apple has been managing it with FaceTime.
However, FaceTime “is an on-demand connection between iPhone or Apple devices, with limits on how many you can connect to at one time,” McQuiggan noted. “Zoom is a multiplatform connection tool for various devices, operating systems, and platforms.”
End-to-end encryption “does increase latency and processing overhead in both directions, Enderle pointed out.
“Given the part, you’re generally mostly concerned with is in transit, [Zoom’s security] may be acceptable to most, particularly given that phone conversations aren’t encrypted right now,” he said.
Protecting Yourself on Zoom
To avoid the risk of being Zoom-bombed, McQuiggan recommended the following steps:
- In the platform’s General Settings, turn on “Require a password” when scheduling a meeting. Don’t include the password in the invitation link but email it separately to attendees;
- Turn on “Screen Sharing by Host Only” to prevent people from posting inappropriate material. The host can enable other users once the meeting has begun;
- Turn on “Only Authenticated Users Can Join: Sign-in to Zoom” to restrict access only to people who have signed in and been authenticated either by Zoom or the organization or company; and
- Turn on “Enable Waiting Room” to let the host control who can join the meeting and prevent unauthorized attempts to join.
Web conferencing platform users tend to avoid using passwords because it makes joining the meeting harder, said Matt Keil, director of product marketing at Cequence Security.
However, “consumers should take to heart the password advice that Zoom and other Web conferencing vendors offer,” he told the E-Commerce Times, “and enable the use of default security features to avoid snooping.”