Who’s Zoomin’ Who?
Emergence of Zoom
The Coronavirus has forced millions of people around the world to work from home and adapt to a professional and social culture that does not permit in-person interaction. As a result, many have turned to Zoom’s videoconferencing platform for virtual meetings, e-classrooms, virtual happy hours, and religious services. On March 23, Zoom was the most downloaded application on the Apple App Store, with 2.13 million downloads worldwide. Two months earlier, the application was being downloaded fewer than 56,000 times a day. Zoom had been around for nine years without its flaws being subjected to much poking and prodding, but when usership explodes, the cracks get exposed.
Consumers are choosing Zoom’s free version because it can host up to 100 video participants at once, double what Skype’s free tier allows. Zoom has many other appealing features, including virtual backgrounds, adjustable camera settings, and direct messaging.
The company was also sending analytics data to Facebook, even for Zoom users who do not have a Facebook account, according to a Motherboard analysis of the app. Specifically, Zoom was sending Facebook information about the device the user connected from, which phone carrier they were using, and the unique advertising identifier generated by the user’s device.
According to cybersecurity superstar and Harvard Kennedy School fellow Bruce Schneier, writing on his security blog,
“In general, Zoom’s problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations. . . The company collects a laundry list of data about you, including user name, physical address, email address, phone number, job information, Facebook profile information, computer or phone specs, IP address, and any other information you create or upload. And it uses all of this surveillance data for profit, against your interests.”
Zoom’s meteoric rise, combined with Zoombombing, has invited greater scrutiny of its privacy and security practices. On March 30, 2020, the New York State Attorney General’s office sent Zoom a letter requesting updates on Zoom’s security measures and on its ability to handle increased traffic and detect hackers. In the letter, New York’s Attorney General expressed concern that Zoom’s existing security practices were inadequate for both the volume and the sensitivity of the data passing through the platform. Other attorneys general have expressed similar concern. Connecticut’s Attorney General released a statement expressing his alarm at the Zoombombing incidents and his intention to work with his counterparts in other states to seek more information from Zoom about its privacy and security measures.
A Zoom user filed a class action lawsuit against the company for sending data to Facebook, arguing that the company knew or should have known that its existing security practices were inadequate to safeguard personal information and that unauthorized disclosure to Facebook was highly likely. The legal basis for the suit is California’s requirement that entities maintain reasonable security safeguards against unauthorized disclosures.
As a result of the scrutiny, Eric Yuan, the founder and CEO of Zoom, responded to these concerns in a blog post. In it, Yuan acknowledged that Zoom usage had far surpassed the company’s expectations. He also apologized for having “fallen short of the community’s — and our own — privacy and security expectations.” Zoom is pausing work on new features to focus on privacy and security issues, and plans to release a transparency report.
In the same post, Eric Yuan also apologized for Zoom’s claim to provide “end-to-end encryption for all meetings.” End-to-end encryption, properly understood, means that only the meeting’s participants hold the keys to its content, so that Zoom’s own servers relay media they cannot read. That is not what Zoom provided: meeting media was encrypted in transit between each client and Zoom’s servers, but with keys that Zoom holds, so the company itself could decrypt it. Zoombombing is a separate problem that end-to-end encryption would not have prevented in any case: an uninvited party who gets into a meeting is a participant, and sees exactly what the other participants see. A Washington Post article revealed intrusions on “one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people’s names and phone numbers; small-business meetings that included private company financial statements; and elementary school classes, in which children’s faces, voices and personal details were exposed.” As we have discussed on this blog before, end-to-end encryption can create a false sense of security even where it does exist; it protects content from the provider and from eavesdroppers on the network, not from whoever is admitted to the call. Zoom’s position is that it does not decrypt meeting content if all participants are on its app and the meeting is not being recorded, but that full encryption is not possible if any participant dials in from a phone or another external device, because Zoom’s gateway must decrypt the audio to bridge it onto the phone line. In response to the findings about its information-sharing practices, Zoom pushed an update to the app removing the code that sent data to Facebook.
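To make the distinction concrete, here is a toy model of the two designs. This is an added illustration, not Zoom’s code or anything derived from it: the cipher is a throwaway SHA-256 keystream chosen only so the example runs on the standard library, and the participant names, the "frame" of media and the meeting flow are constructed. The point it shows is that who can read a meeting depends entirely on who holds the content key: a transport-encryption server holds it and reads everything, an end-to-end server holds nothing, and an admitted intruder or a provider-run telephony gateway holds the key in either design.

```python
"""Toy model contrasting transport encryption (server holds the key) with
end-to-end encryption (only admitted participants hold the key).

Added illustration, not Zoom's code. The cipher below is a throwaway
SHA-256 keystream used so the example runs on the standard library; it is
not a real AEAD and must not be reused for anything.
"""
from __future__ import annotations

import hashlib
import secrets
from typing import Dict, List, Optional, Tuple


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data against a SHA-256 counter-mode keystream (toy cipher)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    nonce = secrets.token_bytes(12)
    return nonce, _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return _keystream_xor(key, nonce, ciphertext)


class Relay:
    """Media server sitting between participants. It can read a frame only
    if it holds the content key, which is the transport-encryption design."""

    def __init__(self, content_key: Optional[bytes]) -> None:
        self.content_key = content_key
        self.seen: List[Optional[bytes]] = []   # what the server could read

    def forward(self, nonce: bytes, ciphertext: bytes) -> Tuple[bytes, bytes]:
        if self.content_key is None:
            self.seen.append(None)              # opaque bytes, nothing readable
        else:
            self.seen.append(decrypt(self.content_key, nonce, ciphertext))
        return nonce, ciphertext


def run_meeting(e2ee: bool, admit_intruder: bool = False,
                dial_in: bool = False) -> Dict[str, bool]:
    """Send one media frame from the host and report who could read it.

    e2ee            -- the server is NOT given the content key
    admit_intruder  -- an uninvited party is admitted as an ordinary
                       participant (the Zoombombing case)
    dial_in         -- a PSTN caller joins, so a telephony gateway run by
                       the provider must hold the key to decode the audio
    """
    content_key = secrets.token_bytes(32)
    relay = Relay(None if e2ee else content_key)
    frame = b"private company financial statements"   # constructed sample media

    # Whoever is admitted receives the content key at join time; the key
    # exchange has no idea whether they were invited.
    holders: Dict[str, bytes] = {"invited participant": content_key}
    if admit_intruder:
        holders["zoombomber"] = content_key
    if dial_in:
        holders["pstn gateway"] = content_key
    # A passive eavesdropper on the wire has no key at all (random guess).
    holders["network eavesdropper"] = secrets.token_bytes(32)

    nonce, ct = relay.forward(*encrypt(content_key, frame))
    readable = {who: decrypt(k, nonce, ct) == frame for who, k in holders.items()}
    readable["server"] = relay.seen[-1] == frame
    return readable


if __name__ == "__main__":
    for label, kwargs in [
        ("transport encryption", dict(e2ee=False)),
        ("end-to-end, intruder admitted", dict(e2ee=True, admit_intruder=True)),
        ("end-to-end, phone dial-in", dict(e2ee=True, dial_in=True)),
    ]:
        print(label, run_meeting(**kwargs))
```

Running the three scenarios shows the server reading the frame only in the transport-encryption case, and the "zoombomber" and "pstn gateway" entries reading it in every case they appear: the first because admission hands over the key, the second because a gateway that must produce audio for a phone line cannot do so from ciphertext.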
Where To Go?
As a nation, and as a world, we are navigating a pandemic that has put life as we know it on hold. As society tries to adjust to social distancing while still being social, and organizations attempt fully work-from-home workforces without losing efficiency and productivity, there is a premium on safe and private technology. We are witnessing a case study in how pertinent security and privacy remain during a crisis, while malicious cyber actors remain on the loose. During this vulnerable time, Zoom has fallen short. In pre-pandemic times, Zoom might have been able to skirt scrutiny. No such luck when your app is being downloaded two million times a day. As the New York City Department of Education showed when it directed its schools to move away from Zoom, entities are beginning to look elsewhere.