Updated on August 12 with the news of the out-of-court settlement of a class action lawsuit filed in California.
What’s the price on your privacy? According to a U.S. District Court in California, about a 15% discount in your monthly Zoom subscription.
On early August, the company denied any wrongdoing against claims ranging from sharing data with Facebook, Google and LinkedIn without permission, and neglecting to inform participants where third-party tools were being used to record or track them without authorization; to lacking data privacy training among employees and of course, “Zoombombing” and misleading claims about end-to-end encryption, among many others claims made in march. Yet it agreed to fund a $85 million claims pool for affected individuals, and pay for employee training on privacy.
Interestingly enough, the court in which the class action was filed uses Zoom.
To the ongoing concerns regarding Zoom’s use practices on privacy and security and its ties with authoritarian governments are now included. As argued by cybersecurity and open source advocates, there was always the risk a powerful company or owner be able to modify the policies and begin exploiting data. Lo and behold, the Oracle-Zoom deal is already raising eyebrows and setting up HIPAA lawsuits. (Provided Zoom-like apps do not kill HIPAA first.)
Zoom found itself as the instant savior, and immediately after the villain in our new working and learning arrangements. It fell pray of the short-lived optimism of the markets —achieving a $35 Billion capitalization, on paper as valuable as Xiaomi, Activision or Nissan— after becoming synonymous with virtual classrooms and meetings. It appears the company flew to close to the sun. But are all the concerns accurate?
What are the accusations?
Indiscriminate collection of private data
The free version of Zoom used to collect unreasonable amounts of personal user information. Security researcher and policy analyst Bruce Schneier pointed out that the user policy entitled Zoom to use this information for basically any kind of commercial purpose, including selling it to third parties. On top of it, the Facebook app used to collect all sorts of information about the computer and telemetry data. Before the software was updated, this would happen whether the user had a Facebook account or not. (This still happens if the user hasn’t updated Zoom recently.) Similar data collection and sharing is known with LinkedIn and Windows applications. Some users have also reporting stumbling upon lots of personal information from other users from the app, with little effort. As argued in the class action lawsuit, Zoom misled both paying and free users about the extent in which end-to-end encryption was implemented.
Zoom changed the policies on March 29, along with a series of blog posts and public statements. The changes clarify that there is no personal data selling at this point, but it is still being collected.
‘Zoombombing’: Strangers showing up in the middle of online classroom
Saint Paulus Lutheran Church in San Francisco sued Zoom for allowing a “known offender” to display child pornography in the middle of a bible study session where senior citizens were attending, according to the lawsuit filed by the Church, which also states it proceeded with civil action only after the company failed to take their concerns seriously.
Related to the lax security practices, malicious actors are able to try and find access to Zoom rooms and meetings where anyone with the link can join, speak and share their screen. You could even get ahold of “zWarDial,” an app that tries to guess unsecured Zoom rooms at random with a reported 4% success rate. Developed by “white hat” researchers (aka good guys), it allowed to collect key data about the meeting and in some cases personal information supplied by the host. (Zoom claims to have fixed the vulnerability in a posterior update.)
The level of trolling and abuse this feature allows has only human imagination at the limit. More serious arguments deem this a boon for industrial espionage operations which make the company’s connections to the Chinese ruling party —see below— all the more worrisome.
Zoom’s initial reaction was deflection. It framed the sharing of Zoom links on social media akin to sharing a password with the world. Upon further pressure and journalistic denounces, it made some UI updates. A similar argument was made in the motion to dismiss with prejudice requested by the company’s legal team, by deeming Zoom an “interactive computer service.” The definition, which was partially accepted by the California court, protects the platform from “publisher” status responsible for information or content broadcast through it, in accordance to Section 230.
To sum up: “Zoom is not suited for secrets.”
Malwar-y: Governments and Federal Agents denounce, discourage, disable Zoom
Zoom had to change some some of its functionality after concerns over too invasive practices that attempted to supersede the user’s deliberate permission. This included the installation process on Mac computers, considered for many “too smooth for comfort” —or plain shady— and access to information from other apps, like in the case of contacts and calendar data mentioned earlier.
Among the “Never-Zoomers” we have, at writing:
In an bizarre journalistic twist, journalists at FT, one of the first outlets to report on them, were found to be exploiting Zoom’s vulnerabilities to spy on competing publications. The journalist is now suspended.
Do Zoom engineers even know what encryption means?
There are glaring loopholes in the Zoom application itself, some bening, some downright dangerous.
- Zoom’s official statements (PDF) on the encryption protocols used do not match those obtained by researchers. Zoom’s actual protocols are nearly obsolete. Seems anecdotal, but it can also allude to “bad security decisions, sloppy coding mistakes, and random software vulnerabilities.”
- Zoom’s security holes can and have been taken advantage of by malicious actors, which can collect personal information and even record using the user’s camera, without their knowledge, let alone permission.
- It previously claimed to feature end-to-end encryption, meaning not even Zoom engineers could access the content being transmitted. But if that were true, it means even if an actor manages to grab private recordings —which has been documented, repeatedly—, the content itself could not be accessed. Evidence shows this is not the case.
- Here are more details on Zoom’s encryption issues by a Columbia C.S. Professor. And as a bonus, let Tux illustrate why Zoom’s ECB encryption is so faulty.
Compounding these and all issues in this guide is the recurrent pattern of fixing issues only after significant public demand. There is evidence showing that Zoom engineers were aware of vulnerabilities that were not changed even after being alerted.
The company has promised to upgrade the security, and appears to have done so for paying customers. But Schneier is was satisfied.
In August, Zoom confirmed that end-to-end encryption is available to all customers. Following the class action lawsuit settlement, Zoom agreed to provide training to employees on data privacy topics.
The China situation, and the unknown unknowns
Not meaning to get political, so take it for what it’s worth: Zoom operates a team of over 700 engineers in the country (under 3 different company names), known for the invasive online surveillance practices of its government. It has admitted to have rerouted traffic through the country, which surprises given the “Great Firewall,” and furthering suspicion, to date unproven, of cooperation with Beijing officials. Zoom Founder and CEO, Eric S. Yuan, is a Chinese American, born and raised in the Shandong Province.
As of this writing, several agencies, governments and security researchers continue to look into Zoom’s issues. New and unexpected ones are likely to arise. How damning are they? They have proven to cause at least some dismay for users, local bans and a class action lawsuit in the U.S. is on the works. Are they exclusive to Zoom? In all likelihood, they are not. Schneier again: “Zoom is a security and privacy disaster, but until now had managed to avoid public accountability because it was relatively obscure. Now that it’s in the spotlight, it’s all coming out.” (Not that researchers were not onto Zoom earlier.) In other words, whoever becomes Zoom’s heir is likely to be the next target of scrutiny, and new loopholes or even “privacy disasters” should surprise no one.
Misleading claims about usage, market share and operational performance
Bad news only if you are a current supporter or investor. The Verge has documented a few instances where public announcements mislead to believe the company has a higher number of subscribing (and paying) users than it’s the case. It is another piece of evidence in the practice of righting wrongs only after being called out for publicly. It also heightens the fears that despite the skyrocketing use, it might only minimally translate to financial success and sustainability for the company.
NEW: Censorship and denial of service upon request of the Chinese government
The company reported the request, claiming its illegality according to national laws. The government requested the removal of Chinese citizens participating in the gathering. Zoom explained that it did not have the ability to remove users from live meetings, nor to block them according to their country, so it decided to shut down the meetings and suspend the hosts accounts, U.S. and Hong Kong nationals. (3 in total.)
The company apologized right away and reinstated the non-Chinese users. But the pattern is in full display again: The response only took place after public outcry.
Furthermore, Zoom added new features on the platform to allow the removal or blocking of a participant based on their location, upon government request, in a way that does not impact anyone outside of mainland China.
Personal protection measures against Zoom-like apps
Aside from the glaring loopholes, the issue of online security always touches on the “company V the user” conundrum. There is an unavoidable trade-off between a hassle-free user experience and security measures. Zoom has been proactive enough to produce all kinds of guides and instructional content for best security practices. Will these be acceptable for users? Impossible to say for now.
As for the common practices you should consider, on Zoom or most live meeting apps, here are some of the most common, varying on the amount of hassle involved and effectiveness. Note that these will help with the “Zoombombing” but might do little with the rest of the issues, known and unknown.
- Consider disabling screen sharing, microphone access and chat by default.
- Require passwords. (Note that it is very likely that someone at Zoom still gets to access those.)
- Require user sign-ups. (Might provide an unreasonable amount of personal data to Zoom and third parties.)
- Use “waiting areas” to verify who can join a room and in which capacity. (Zoom’s own “Waiting Room,” however, seems vulnerable.)
- Disable “Join before host”
- Disable chat windows
- Some apps offer personal rooms as well as general-purpose, often temporary rooms. Whenever possible, go for the latter.
- If all else fails, complain about it loudly. (@Zoom_US)
Open source, ‘Zoombombing’-free alternatives
Admittedly, these alternatives may not feel as comfortable as Zoom, and you will need to factor in the cost and hurdle of installing them on your own server. Being able to install them on your own server ensures your data isn’t hosted in someone else’s computer. You may even be able to find them as “open containers.”
Get your own server or the apps, which offer more or less the same level of features as Zoom, with what it’s perhaps it’s “killer feature”: End-to-end encryption. Furthermore, it does not require any form of user ID. While its cloud service collects general performance data (“Crashlytics”), the server-based comes without any form of analytics features or libraries.
The OBS Project
Focused on high-performing video recording an live streaming, Open Broadcaster Software is worth watching. It’s sponsored by Facebook, Amazon Twitch and Nvidia and offers advanced mixing, scenes, modular dock UI and more.
A browser-based, fairly simple and lightweight solution built with security in mind. A Moodle plugin is available.
An open elearning (and LMSPulse) favorite that needs little introduction. Install it on your server and connect it with your LMS.
This cult classic for one-on-one communication —and Snowden favorite— might not fit in your idea of what a live classroom app should be. But with the most comprehensive encryption available and a 5.0 GPA on Mozilla’s eyes, Signal can double as a class experiment involving privacy, encryption and civil liberties in the modern age.
Speaking of which: Are you sure what you need is that live video class?
- Collaboration Services for Telework — A guide by the NSA (PDF)
- Which Video Call Apps Can You Trust? (Mozilla Blog)