'Zoom's practices violate our human right to privacy'

Security and privacy experts discuss video-conferencing app's flaws and how concerned we should be.

Zoom: surged in popularity since lockdown

In a matter of months, Zoom has joined the coveted club of brands whose names have become verbs – as synonymous with video conferencing as Google is with search and Uber is with ride-hailing.

But explosive growth like this isn't without consequences. The video-conferencing tool, which has become the almost ubiquitous form of communication during the Covid-19 outbreak, is now facing the consequences of failing to put in place adequate privacy and security measures to protect the millions of users who may be having highly sensitive discussions on its app.

The past few weeks have been a game of cat and mouse for Zoom. When a new investigation exposes a flaw in its security or privacy practices, Zoom quickly corrects it. And on it goes. One of the complaints has even developed into a lawsuit – for allegedly failing to protect the personal information of its users.

The latest hit to Zoom came just a few hours ago today (Tuesday) when a major New York securities company, Labaton Sucharow, announced that it was investigating Zoom on behalf of its shareholders, concerning allegations that "Zoom may have issued materially misleading business information to the investing public".

Campaign Asia-Pacific reached out to a handful of security experts for their views on the growing list of complaints lodged against Zoom to establish how alarming its issues are. All agreed the complaints are well-founded and expressed concerns over the safety of the app. One expert even found evidence that Zoom was not fully compliant with the European Union's General Data Protection Regulation and suggested organisations "find alternative solutions".

So what are the issues?

At its crux, the seven-year-old app appears to have – until now – prioritised functionality over security. The ease of setting up a video call in Zoom is part of its allure, especially to those less tech-savvy, but this also leaves it dangerously exposed to hacking. By default, calls within Zoom have been set up without password protection – something that has given rise to a practice called "Zoom bombing", in which hackers hijack a call and broadcast hate speech, porn and other inappropriate content.

There have been countless examples of these incidents taking place in online school lessons and government meetings, leading the FBI to issue a warning about the technology last week. In response, Zoom released a security update on Sunday (5 April) that, by default, turns on meeting passwords and a new feature called "virtual waiting rooms" – in which the meeting host has to manually allow others to join the meeting.

Then there was the issue of Zoom's data-sharing arrangements. A Motherboard investigation released on 26 March found that the iOS version of the Zoom app was sending information about its users – such as when a user opened the app, their timezone, city and device details – to Facebook without explicitly asking users for consent to do so. This information was being transferred via Facebook's SDK (software development kit), which Zoom was using for its "Login with Facebook" feature.

Tarun Wadhwa, founder and chief executive of Day One Insights, told Campaign that user information trading of this kind "has been a standard practice for the last decade in technology" and is "not particularly surprising". But, he added, both companies "certainly have a responsibility to their users to make sure that collection is secure, limited and properly disclosed".  

One day after Motherboard published the results of its analysis, Zoom issued an update saying it had removed the Facebook code after it was "made aware that the Facebook SDK was collecting unnecessary device data". But that didn't stop a Zoom user from filing a class-action lawsuit against the company for transferring data to third parties such as Facebook without properly notifying users. The suit was filed in a California court last week.

Security experts have also raised concerns about "shady" pre-installation code that allowed Zoom to automatically install on Macs once a user hits the download button without going through the usual security protocols. This practice, which would also pull up a password prompt seemingly masquerading as an Apple security prompt if the user was not an admin, led one Princeton professor to label Zoom "malware".

A few days after the issue was raised, Zoom released an update for the macOS installer that removed these techniques.

Then there's the recent issue of encryption. The Wall Street Journal reported over the weekend that Zoom had previously advertised end-to-end encryption, but security experts discovered the technology did not follow the standard definition of this. Zoom chief executive Eric Yuan told the publication that he "really messed up" when it comes to the privacy and security of the app, and promised the full encryption feature is coming.

Another bone of contention was Zoom's "creepy" attention-tracking feature that gave administrators – those who initiate the Zoom meeting – the power to monitor if an attendee did not have Zoom in focus for more than 30 seconds. The feature was removed on 1 April. Administrators still have access to information about attendees, including who, when and where they are using Zoom, their chats during the meeting, their internet protocol address and location data, and more.

Zoom made some clarifying updates to its privacy policy last week (29 March) to make it "more clear, explicit and transparent", in response to concerns.

In a statement, it said: "Zoom takes its users’ privacy extremely seriously. Zoom collects only the data from individuals using the Zoom platform required to provide the service and ensure it is delivered effectively under a wide variety of settings in which our users may be operating. This data includes basic technical information, such as the user’s IP address, OS details and device details."

Jamal Ahmed, fellow of information privacy and chief executive of Kazient Privacy Experts, believes the attention-tracking feature was "especially intrusive". Ahmed reviewed Zoom's privacy policy and said that as of 2 April, Zoom would "fail to fully comply with GDPR".

"It appears Zoom is able to share personal data with third-party advertisers now or any time in the future, and until their most recent update to their privacy policy was also able to use user videos, messages and transcripts for the same," he found. "Zoom is also able to use video content from Zoom sessions for targeted advertising campaigns and to develop facial recognition. Hosts are able to record and share calls with anyone they want and especially intrusive is the 'attention-tracking' feature."

Zoom flagged that data it shares with advertising companies such as Google is only collected on its marketing websites, such as zoom.us and zoom.com, rather than from the app.

"No data regarding user activity on the Zoom platform – including video, audio and chat content – is ever provided to third parties for advertising purposes," the company said.

Should organisations still use Zoom?

Ahmed said he has advised clients against using Zoom within their organisations after conducting data protection impact assessments. Zoom has released several updates to its privacy policy since Ahmed's review and it may have addressed concerns around the sharing of personal data. But that doesn't excuse its negligence up to that point.

"In my view, Zoom's privacy practices violate our human right to privacy and I would encourage organisations to find alternative solutions," Ahmed suggested.

Elonnai Hickok, chief operating officer at the Centre for Internet and Society India, noted that in light of Zoom's issues, and as online forms of communication become more of the norm, "it is clear that the governments, regulators, platforms and application developers have to reassess their security and privacy practices".

"Zoom, Facebook and such other platforms have repeatedly faced scrutiny regarding their privacy and data practices, but such scrutiny does not seem to have had the needed impact on their behaviour and practices," she told Campaign. "Platforms and application developers who prioritise 'privacy by design', transparent and ethical data practices and end-to-end encryption should be given precedence by users. Regulators and governments could help this by confirming these minimum standards and certifying the same."

What's driving the increased scrutiny?

While there have been several flaws exposed in recent weeks, Zoom has faced other security complaints in the past. For instance, last year, security researcher Jonathan Leitschuh uncovered a critical vulnerability that allowed attackers to gain access to users’ webcams on Macs with the Zoom client installed. Zoom fixed the vulnerability, but was criticised for taking several months to do so. The speed at which it has responded to recent concerns has been praised by security experts.

With this in mind, the scrutiny of the company is "well-deserved", Wadhwa said. He believes the increased concern over security is being driven by a change in how the software is used.

"We’re using Zoom for many different things beyond just the usual routines of business. Behaviours are changing because of coronavirus. In the past two weeks alone, I've personally taken part in a book club, game night and happy hour all over Zoom – none of that happened before the outbreak," Wadhwa said. "Zoom is likely experiencing massive pressure to scale up their services. There's always a tension between reliability, doing new things and maintaining a secure environment for communication."

In a statement sent to Campaign, the Electronic Frontier Foundation said: "Covid-19 has forced many people to work from home and many are relying on Zoom to do their jobs, do their school work and stay in touch with loved ones. Users are rightfully concerned about the privacy and security risks of using Zoom and other video-conferencing apps. 

"To mitigate security and privacy risks, users should be careful about invitations to Zoom meetings from strangers or from Zoom-like accounts that look suspicious, and by setting passwords that are required to enter meetings. We’re troubled by reports that Zoom was sharing analytics data about users with Facebook. We still don’t know to what extent Zoom shares user information with other third parties."

Additional reporting by Rahul Sachitanand. A version of this article first appeared on Campaign Asia-Pacific

