Zoom Privacy Backlash

October 6, 2020


Be cautious about Zoom and working from home when it comes to privacy.

Zoom's video calling app has jumped drastically in popularity as many professionals work from home and turn to video calling software amid the ongoing coronavirus pandemic. This new work-from-home era has raised many privacy concerns about Slack and other workplace software. It has also seen Zoom rocket to the top of the iOS and Android app stores as people gather around their computer screens for dance classes, school discussions, and even virtual nights out playing card games. Politicians are holding rallies over Zoom: just as the Founding Fathers intended. Even the UK government has been holding daily cabinet meetings over Zoom.

With all this extra attention, Zoom is now facing a huge privacy and security backlash as security experts, privacy advocates, lawmakers, and even the FBI warn that Zoom's default settings aren't secure enough. This is common with software: Facebook is another product whose defaults you'd want to check. Zoom is doing great, but it runs some risk of growing too fast and becoming a victim of its own success before it is ready.

Zoom has battled security and privacy concerns in the past. Apple was actually forced to step in and silently remove Zoom software from Macs last year after a serious security vulnerability let websites hijack Mac cameras. In recent weeks, scrutiny over Zoom's security practices has intensified, with a lot of the concern focused on its default settings and the mechanisms that make the app so easy to use. Each Zoom call has a randomly generated ID number between 9 and 11 digits long that participants use to gain access to a meeting. Anybody who has studied computer science knows that getting random numbers right is actually very hard, and researchers have found that these meeting IDs are easy to guess and even brute-forceable, allowing anyone to get into meetings.

Part of this ease of use has led to the "Zoombombing" phenomenon, where internet comedians and pranksters join Zoom calls and broadcast porn or shock videos they post on YouTube, TikTok, or other sites. At fault here were Zoom's default settings, which didn't encourage a password to be set for meetings and allowed any participant to share their screen. Zoom adjusted these default settings for education accounts, but you'll need to double-check your own profile settings.

The Zoombombing phenomenon was the first of many grave Zoom security and privacy concerns. Zoom was forced to update its iOS app to remove code that sent private device data to Facebook. Zoom also had to rewrite parts of its privacy policy after it was discovered that users were vulnerable to their personal data being used for ad targeting. User information is also reportedly being leaked because of an issue with how Zoom groups contacts. It's a complex app that got popular very quickly and is clearly going through some growing pains. And despite some of the marketing language that appeared on their website, they're not even using end-to-end encryption: they're using transport encryption, which protects data in transit to the service provider's servers but, unlike end-to-end encryption, does not keep the provider itself from reading it.

Privacy advocates have raised concerns over an attendee tracking feature that lets meeting hosts track whether participants have their Zoom app in view on a PC or whether it's just running in the background. While this feature can be handy for teachers and bosses to gauge attentiveness, it does bring to light some unconsidered social privacy concerns. Digital rights advocacy groups have called on Zoom to release a transparency report sharing the number of requests from law enforcement and governments for user data, which is the type of thing a large, responsible corporation should do.

Security advocates and privacy researchers aren't the only groups asking questions about Zoom. The FBI has been warning schools that Zoom's default settings leave meetings open to Zoombombing: in most cases these incidents just lead to funny videos, but they can potentially harm people. Reports suggest the UK's Ministry of Defence has banned Zoom while it investigates "security implications". In this new pandemic situation, with everybody rapidly adjusting, there's no playbook for how to balance safety and security with actually doing business. The New York attorney general's office also sent a letter to Zoom requesting to hear "whether Zoom has undertaken a broader review of its security practices" in light of recent concerns. Many New York office buildings are obviously doing a lot of their business online nowadays, so it is of special importance to Manhattan and Brooklyn residents.

Zoom has also been facing lawsuits that imply the company is illegally disclosing personal information to third parties like marketers. At least two major lawsuits were filed in California, and one is seeking damages on behalf of Zoom users for alleged violations of California's Consumer Privacy Act. As security researchers and privacy advocates continue to dig into Zoom's software and practices, there are signs more issues will need to be addressed over time as they're uncovered. Ultimately, Zoom is feeling the effects of a unicorn moment for the app. The video conferencing app was never intended for the multitudes of ways consumers are now using it. Zoom doesn't require an account, it's free for 40-minute meetings, and it's reliable. The barriers to entry are so low, and the coronavirus pandemic such a rare occurrence, that Zoom is suddenly in the spotlight as a crucial business and even life-saving tool for many.

Zoom may well be forced to harden the very parts of its app that make it so appealing for consumers and businesses alike. The company faces some tough decisions on how to better balance its default settings, user privacy, and ultimately its ease of use, which is something every company struggles with as it grows. Zoom's appeal has been its simple approach to video conferencing, but that crucial ingredient now threatens to be its downfall unless it gets a firm grip on the growing concerns. As always, we hope that Zoom's programmers take privacy and security considerations well into account.
