Zoom has exploded in popularity as people turn to video calling software amid the ongoing coronavirus pandemic. The moment of huge growth has seen Zoom rocket to the top of iOS and Android app stores as people gather around it for yoga classes, school lessons, and virtual nights out. Even the UK government has been holding daily cabinet meetings over Zoom.
With all this extra attention, Zoom is now facing a huge privacy and security backlash as security experts, privacy advocates, lawmakers, and even the FBI warn that Zoom’s default settings aren’t secure enough. Zoom now risks becoming a victim of its own success.
Zoom has battled security and privacy concerns before. Apple was forced to step in and silently remove Zoom software from Macs last year after a serious security vulnerability let websites hijack Mac cameras. In recent weeks, scrutiny over Zoom’s security practices has intensified, with a lot of the concern focused on its default settings and the mechanisms that make the app so easy to use.
Each Zoom call has a randomly generated ID number between 9 and 11 digits long that’s used by participants to gain access to a meeting. Researchers have found that these meeting IDs are easy to guess and even brute-forceable, allowing anyone to get into meetings.
Part of this ease of use has led to the “Zoombombing” phenomenon, where pranksters join Zoom calls and broadcast porn or shock videos. At fault here are Zoom’s default settings, which don’t encourage a password to be set for meetings and allow any participant to share their screen. Zoom adjusted these default settings for education accounts last week, “in an effort to increase security and privacy for meetings.” For everyone else, you’ll need to tweak your Zoom settings to ensure this never happens.
Perhaps the most damning issue came to light yesterday. While Zoom still states on its website that you can “secure a meeting with end-to-end encryption,” the company was forced to admit it’s actually misleading people. “It is not possible to enable E2E encryption for Zoom video meetings,” said a Zoom spokesperson in a statement to The Intercept, after the publication revealed Zoom is actually using transport encryption rather than end-to-end encryption.
Privacy advocates have also raised issues over an attendee tracking feature that lets meeting hosts track whether participants have their Zoom app in view on a PC or whether it’s simply in the background. A digital rights advocacy group also called on Zoom to release a transparency report last month, to share the number of requests from law enforcement and governments for user data. Zoom has only said the company is considering the request, and has not yet published a transparency report.
Security researchers and privacy advocates aren’t the only groups raising concerns over Zoom. The FBI is warning schools about the dangers of Zoom’s default settings for Zoombombings, and reports suggest the UK’s Ministry of Defence has banned Zoom while it investigates “security implications.” The office of New York’s attorney general also sent a letter to Zoom this week requesting to hear “whether Zoom has undertaken a broader review of its security practices” in light of recent concerns.
Zoom hasn’t responded in detail to the more recent concerns, but last week Zoom CEO Eric S. Yuan said the company was reviewing its practices in relation to the Facebook privacy issues. “We sincerely apologize for the concern this has caused, and remain firmly committed to the protection of our users’ privacy,” said Yuan. “We are reviewing our process and protocols for implementing these features in the future to ensure this does not happen again.”
Zoom is now facing lawsuits that allege the company is illegally disclosing personal information to third parties. Two lawsuits were filed earlier this week in California, and one is seeking damages on behalf of Zoom users for alleged violations of California’s Consumer Privacy Act.
As security researchers and privacy advocates continue to dig into Zoom’s software and practices, there are signs more issues will need to be addressed. Some are now discovering just how Zoom works around OS restrictions by using “the same tricks that are being used by macOS malware” to get its software on Macs. “To join a meeting from a Mac is not easy, that is why this method is used by Zoom and others,” says Zoom CEO Eric S. Yuan in a Twitter response to the concerns. “Your point is well taken and we will continue to improve.”
Ultimately, Zoom is feeling the effects of a rare moment for the app. The video conferencing app was never designed for the myriad of ways consumers are now using it. Zoom doesn’t require an account, it’s free for 40-minute meetings, and it’s reliable. The barriers to entry are so low, and the coronavirus pandemic so unusual, that Zoom is suddenly in the spotlight as a crucial tool for many.
Zoom may well be forced to tighten up the very parts of its app that make it so appealing for consumers and businesses alike in the coming months. The company now faces some tough decisions on how to better balance its default settings, user privacy, and ultimately its ease of use. Zoom’s appeal has been its simple approach to video conferencing, but that crucial ingredient now threatens to be its downfall unless it gets a firm grip on the growing concerns.