'Zoom's practices violate our human right to privacy'

In a matter of months, Zoom has joined the coveted club of brands whose names have become verbs—as synonymous to video conferencing as Google is to search, Uber is to ride-hailing.

But explosive growth like this isn't without consequences. The video conferencing tool, which has become the almost ubiquitous form of communication during the COVID-19 outbreak, is now facing the consequences of failing to put in place adequate privacy and security measures to protect the millions of users that may be having highly-sensitive discussions on its app.

The past few weeks have been a game of cat and mouse for Zoom. When a new investigation exposes a flaw in its security or privacy practices; Zoom quickly corrects it. And so it goes. One of the complaints has even developed into a lawsuit—for allegedly failing to protect the personal information of its users.

The latest hit to Zoom came just a few hours ago (April 7) when a major New York securities firm Labaton Sucharow LLP announced it was investigating the company on behalf of its shareholders, concerning allegations that "Zoom may have issued materially misleading business information to the investing public".

Campaign Asia-Pacific reached out to a handful of security experts for their views on the growing list of complaints lodged against Zoom, to establish how alarming its issues are. All agreed the complaints are well-founded and expressed concerns over the safety of the app. One expert had even found evidence that Zoom was not fully compliant with GDPR, and suggested organisations "find alternative solutions".

So what are the issues?

At its crux, the seven-year-old app appears to have—until now—prioritised functionality over security. The ease of setting up a video call in Zoom is part of its allure—especially to those less tech-savvy folks—but this also leaves it dangerously exposed to hacking. By default, calls within Zoom have been set up without password protection, which has given rise to a practice called "Zoom bombing", in which hackers hijack a call and broadcast hate speech, porn and other inappropriate content. There have been countless examples of these incidents taking place in online school lessons and government meetings, leading the FBI to issue a warning about the technology last week. In response, Zoom released a security update on Sunday (April 5) that by default turns on meeting passwords and a new feature called 'virtual waiting rooms'—in which the meeting host has to manually allow others to join the meeting.

A press conference hosted on Zoom by India’s TV rating agency @BARCIndia was hacked just minutes after it started. The host’s presentation slides were defaced and random videos were displayed instead. https://t.co/IJSjEqsEBa

— Anuradha SenGupta (@anuradhasays) April 2, 2020

Then there was the issue of Zoom's data-sharing arrangements. A Motherboard investigation released March 26 found that the iOS version of the Zoom app was sending information about its users—such as when a user opened the app, their timezone, city, and device details—to Facebook without explicity asking users for consent to do so. This information was being transferred via Facebook's SDK (Software Development Kit), that it was using for its ‘Login with Facebook’ feature. 

Tarun Wadhwa, founder and CEO, Day One Insights, told Campaign that user information trading of this kind "has been a standard practice for the last decade in technology" and is "not particularly surprising". But, he added, both companies "certainly have a responsibility to their users to make sure that collection is secure, limited, and properly disclosed".  

One day after Motherboard published the results of its analysis, Zoom issued an update saying it had removed the Facebook code after it was "made aware that the Facebook SDK was collecting unnecessary device data". But that didn't stop a Zoom user from filing a class-action lawsuit against the company for transferring data to third parties like Facebook without properly notifying users. The suit was filed in a California court last week.

Security experts have also raised concerns about "shady" preinstallation code that allowed Zoom to automatically install on Macs once a user hits the download button without going through the usual security protocols. This practice, which would also pull up a password prompt seemingly masquerading as an Apple security prompt if the user was not an admin, led one Princeton professor to label Zoom "malware".

Let's make this simple: Zoom is malware. https://t.co/xkJDaP4OoK

— Arvind Narayanan (@random_walker) March 31, 2020

A few days after the issue was raised, Zoom released an update for the macOS installer which removed these techniques.

Then there's the recent issue of encryption. The Wall Street Journal reported over the weekend that Zoom had previously advertised end-to-end encryption, but security experts discovered the technology did not follow the standard definition of this. Zoom CEO Eric Yuan told the Journal he "really messed up" when it comes to the privacy and security of the app, and promised the full encryption feature is coming.

Another bone of contention was Zoom's "creepy" attention tracking feature that gave administrators—those who initiate the Zoom meeting—the power to monitor if an attendee did not have Zoom in focus for more than 30 seconds. The feature was removed on April 1. Administrators still have access information about attendees, including who, when, and where they are using Zoom, their chats during the meeting, their IP address and location data, and more.

Zoom made some clarifying updates to its privacy policy last week (March 29) to make it "more clear, explicit, and transparent", in response to concerns.

In a statement, it said: "Zoom takes its users’ privacy extremely seriously. Zoom collects only the data from individuals using the Zoom platform required to provide the service and ensure it is delivered effectively under a wide variety of settings in which our users may be operating. This data includes basic technical information, such as the user’s IP address, OS details, and device details."

Jamal Ahmed, fellow of information privacy and CEO of Kazient Privacy Experts, believes the attention tracking feature was "especially intrusive". Ahmed reviewed Zoom's privacy policy and said that as of April 2, Zoom would "fail to fully comply with GDPR".

"It appears Zoom is able to share personal data with third-party advertisers now or any time in the future, and until their most recent update to their privacy policy was also able to use user videos, messages and transcripts for the same," he found. "Zoom is also able to use video content from Zoom sessions for targeted advertising campaigns and to develop facial recognition. Hosts are able to record and share calls with anyone they want and especially intrusive is the "Attention Tracking" feature."

Zoom flagged that data it shares with advertising companies like Google is only collected on its marketing websites, such as zoom.us and zoom.com, rather than from the app.

"No data regarding user activity on the Zoom platform – including video, audio, and chat content – is ever provided to third parties for advertising purposes," it said.

Should organisations still use Zoom?

Ahmed says he has recommended clients against using Zoom within their organisations after conducting data protection impact assessments (DPIA). Zoom has released several updates to its privacy policy since Ahmed's review, and it may have addressed concerns around the sharing of personal data. But that doesn't excuse its negligence up to that point.

"In my view Zoom's privacy practices violate our human right to privacy and I would encourage organisations to find alternative solutions," Ahmed surmises.

Elonnai Hickok, chief operating officer, Centre for Internet and Society India, says that in light of Zoom's issues, and as online forms of communication become more of the norm, "it is clear that the governments, regulators, platforms and application developers have to reassess their security and privacy practices".

"Zoom, Facebook and such other platforms have repeatedly faced scrutiny regarding their privacy and data practices but such scrutiny does not seem to have had the needed impact on their behavior and practices," she tells Campaign. "Platforms and application developers who prioritise "privacy by design", transparent and ethical data practices and end-to-end encryption should be given precedence by users. Regulators and governments could help this by confirming these minimum standards and certifying the same."

What's driving the increased scrutiny?

While there have been several flaws exposed in recent weeks, Zoom has faced other security complaints in the past. For instance, last year, security researcher Jonathan Leitschuh uncovered a critical vulnerability that allowed attackers to gain access to users’ webcams on Macs with the Zoom client installed. Zoom fixed the vulnerability, but was criticised for taking several months to do so. The speed at which it has responded to recent concerns has been praised by security experts.

With this in mind, the scrutiny of the company is "well deserved", says Wadhwa. He believes the increased concern over security is being driven by a change in how the software is used.

"We’re using Zoom for many different things beyond just the usual routines of business. Behaviours are changing because of coronavirus. In the past two weeks alone I've personally taken part in a book club, game night, and happy hour all over Zoom—none of that happened before the outbreak," he says. "Zoom is likely experiencing massive pressure to scale up their services. There's always a tension between reliability, doing new things, and maintaining a secure environment for communication.”

In a statement sent to Campaign, the Electronic Frontier Foundation said: “COVID-19 has forced many people to work from home, and many are relying on Zoom to do their jobs, do their school work, and stay in touch with loved ones. Users are rightfully concerned about the privacy and security risks of using Zoom and other videoconferencing apps. 

"To mitigate security and privacy risks users should be careful about invitations to Zoom meetings from strangers, or from Zoom-like accounts that look suspicious, and by setting passwords that are required to enter meetings. We’re troubled by reports that Zoom was sharing analytics data about users with Facebook. We still don’t know to what extent Zoom shares user information with other third parties.”

Additional reporting by Rahul Sachitanand.