As COVID-19 forces people to practice social distancing, the popularity of the video conferencing app Zoom has skyrocketed: the number of new monthly active users in February 2020, at 2.22 million, already exceeds the total number of monthly active users added in all of 2019, 1.99 million. As a result, Zoom has come under much scrutiny from security experts, and what they found was that Zoom’s security and privacy were severely lacking.
One major security issue that’s on the rise is Zoom-bombing, where hackers disrupt a conference by writing, drawing, or shouting offensive content through the chat, annotation tool, or audio connection. They gain access to meetings by obtaining a Zoom meeting link through some means, such as finding it on social media or brute-forcing valid links.
Another security and privacy flaw in video meetings is the lack of end-to-end encryption, an encryption system that secures communication so that only the users, and no one else, can access it. Zoom’s marketing claimed end-to-end encryption for video meetings, but the company later confirmed that meetings are not encrypted end-to-end. They are instead encrypted with TLS, which, unlike end-to-end encryption, allows Zoom to collect video and audio from meetings.
Zoom already has a lawsuit under its belt following the patching of an issue where the iOS Zoom app was sending analytics data to Facebook, regardless of whether the user even had a Facebook account. Although sending analytics data to third parties is common, Zoom didn’t notify its users or state anywhere in its privacy policy that it did.
There are also privacy issues among users. The host of each Zoom meeting is given a large amount of power that the participants may be unaware of, such as recording and attention tracking. When the host starts recording a conference, the only indication is a small, easy-to-miss indicator that pops up on each user’s screen. If participants are recorded without their knowledge or consent, legal problems may arise.
With attention tracking, hosts are notified when a participant has clicked off the Zoom screen for more than 30 seconds, which may feel intrusive to users. This feature does not tell the host what the participant is doing, so they may be looking at a document irrelevant to the meeting, or they may have clicked onto a separate monitor with Zoom still open on another.
These security and privacy concerns have led to bans on Zoom in certain school districts, such as schools in New York City, and organizations may follow; SpaceX and NASA are already among them. Despite its current popularity and convenience, Zoom is at best suspicious, and at worst comparable to malware.