Zoom and COVID-19: A brave new world
According to an analysis by SimilarWeb, in the month of March there was a 535% rise in daily traffic to the Zoom.us download page. However, this growth came with increased scrutiny, and security issues were subsequently uncovered, ranging from built-in attention-tracking features to ‘Zoom bombing’, where uninvited attendees break into and disrupt meetings. Security researchers Arvind Narayanan and David Heinemeier Hansson have called Zoom ‘a privacy disaster’ and ‘fundamentally corrupt’.
Security flaws and privacy issues
In 2019, it was revealed that Zoom had secretly installed a hidden web server on Mac user devices that could allow the user to be called without their permission. This meant that ‘any website could forcibly join a user to a Zoom call, with their video camera activated, without the user's permission’. This was fixed in a later app version, which now prompts the user before opening the app, whereas previously the app was launched automatically. Two security researchers uncovered a Zoom bug that can be abused to steal Windows passwords, and another bug was discovered in the first week of April 2020 which would enable hackers to take over a Zoom user’s Mac, including tapping into the webcam and accessing the microphone. According to Patrick Wardle, a former NSA hacker, the two bugs can be launched by a local attacker, and once exploited, the attacker can gain and maintain continued access to the victim's computer, allowing them to install malware or spyware. It was also reported by the UK’s Sunday Times newspaper that hackers had infiltrated the service, leaking more than half a million login details to the dark web.
‘Zoom bombing’ refers to cases of video hijacking in which hackers access video meetings, often shouting racial slurs or threats, which the FBI announced it was investigating. Hackers are able to infiltrate because Zoom meetings can be accessed by a short number-based URL which can easily be generated and guessed. This is a security issue that persists to date, with numerous incidents being reported, including ones involving prohibited content such as child pornography.
No end-to-end encryption
End-to-end encryption is a system that secures communication so that it can only be read (or in this case listened to and seen) by the users involved, and Zoom falsely represented its platform as being capable of this. Zoom later confirmed in a blog post that end-to-end encryption was currently not possible on the platform, and that it instead offers transport encryption. This means that the Zoom service can access the unencrypted video and audio content of Zoom meetings, and it could be obligated to hand over recordings of meetings to governments or law enforcement in response to legal requests.
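The difference between the two models comes down to who holds the key. Below is an added illustration (not Zoom's protocol or code): a toy cipher is used only to make visible that, with transport encryption, the service in the middle decrypts and re-encrypts every hop and can therefore read the content, whereas with end-to-end encryption the service relays bytes it cannot decrypt. The cipher (a SHA-256 keystream with an HMAC tag), the participant names and the `Service` class are all constructed for this example.

```python
"""Toy model of transport encryption versus end-to-end encryption.

Added illustration; not Zoom's protocol or code. The cipher below is a toy
(SHA-256 keystream XOR plus an HMAC tag) whose only job is to make visible
who holds which key. It is not suitable for protecting real data.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || nonce || counter), truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError when the key is wrong or the blob was tampered with."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class Service:
    """The provider in the middle. It holds one transport key per client."""

    def __init__(self) -> None:
        self.transport_keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
        self.readable = []  # everything the service was able to decrypt

    def forward(self, sender: str, receiver: str, blob: bytes) -> bytes:
        # Hop-by-hop: strip the sender's transport layer, re-wrap for the
        # receiver. Whatever sits inside the transport layer is visible here.
        inner = decrypt(self.transport_keys[sender], blob)
        self.readable.append(inner)
        return encrypt(self.transport_keys[receiver], inner)


def transport_only_call(message: bytes) -> tuple:
    """Transport encryption only. Returns (what Bob got, what the service read)."""
    svc = Service()
    on_the_wire = encrypt(svc.transport_keys["alice"], message)
    delivered = svc.forward("alice", "bob", on_the_wire)
    bob_sees = decrypt(svc.transport_keys["bob"], delivered)
    return bob_sees, svc.readable[0]


def end_to_end_call(message: bytes) -> tuple:
    """End-to-end encryption layered inside transport encryption.

    Returns (what Bob got, whether the service could recover the message).
    """
    svc = Service()
    e2e_key = os.urandom(32)  # shared by Alice and Bob only; the service never sees it
    inner = encrypt(e2e_key, message)
    on_the_wire = encrypt(svc.transport_keys["alice"], inner)
    delivered = svc.forward("alice", "bob", on_the_wire)
    bob_sees = decrypt(e2e_key, decrypt(svc.transport_keys["bob"], delivered))
    # The service can only try the keys it holds against the inner blob.
    service_could_read = False
    for key in svc.transport_keys.values():
        try:
            decrypt(key, svc.readable[0])
            service_could_read = True
        except ValueError:
            pass
    return bob_sees, service_could_read


if __name__ == "__main__":
    msg = b"constructed sample: one meeting audio frame"
    got, svc_read = transport_only_call(msg)
    print("transport only -> Bob:", got, "| service read:", svc_read)
    got, leaked = end_to_end_call(msg)
    print("end-to-end     -> Bob:", got, "| service could read:", leaked)
```

In the transport-only call the service's `readable` list contains the plaintext, which is exactly what makes recordings available to legal requests; in the end-to-end call it contains only ciphertext under a key the service was never given. Real deployments also have to solve key distribution and device verification, which this toy leaves out.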
In-app surveillance measures
Zoom’s ‘attention-tracking’ feature has been criticized as it allows a host to see if a user clicks away from a Zoom window for 30 seconds or more which would allow employers to check if employees are actually tuned in to a work meeting, or if students are really watching a classroom presentation remotely. Zoom subsequently removed this feature as part of their ‘commitment to the security and privacy’ of customers.
Selling user data
The iOS version of the app was discovered to have been sending analytics data to Facebook, even if Zoom users don’t have a Facebook account, according to a Motherboard analysis of the app. The Zoom app notifies Facebook when the user opens the app, and the user's details are shared, including a unique advertiser identifier created by the user’s device that companies can use to target a user with advertisements. In response, Zoom changed some of its policies and stated that it has never sold user data in the past and has no intention of selling users’ data going forward. A class action suit is currently being pursued in a Californian District Court against Zoom for illegally disclosing personal information in violation of California’s Unfair Competition Law, Consumer Legal Remedies Act and Consumer Privacy Act.
A further issue emerged on the 28th of April 2020, when an American federal intelligence analysis warned that Zoom could be vulnerable to intrusions by foreign government spy services. The analysis was distributed amongst government and law enforcement agencies around the United States and warns that security updates may not be effective, as the perpetrators rely on existing delays and vulnerabilities. In addition, Zoom recently admitted that non-Chinese users ‘mistakenly’ had their calls routed through China, and the government and parliament in the UK were warned not to use Zoom for confidential matters due to fears of its vulnerability to Chinese surveillance.
How to protect yourself
- Zoom has made numerous changes to address security concerns, and users are best advised to ensure their Zoom app is up to date in order to take advantage of the many fixes, such as Zoom’s removal of the unwanted web server which launched the Zoom app unprompted.
- Remain vigilant when sharing Zoom URLs that embed the password or when sharing a meeting ID and its associated password.
- The use of waiting rooms allows the meeting host to screen everyone entering the meeting so that no one uninvited can get in.
- The use of the web interface rather than the app is recommended, because web browsers have their own security measures in place, creating a browser sandbox that reduces the amount of harm if the app has a security issue.
- Use the platform as a ‘guest’ to share minimal information.
- When creating an account, share as little information as possible and consider creating a throwaway account for the purpose of signing up.
- The platform provides a feature that allows one to have a backdrop image that hides what is behind a user, making identification of a user’s location by their surroundings much more difficult.
- Users can also use simple calls over mobile networks such as Safaricom and Airtel depending on the need and context.
- The option to shift platforms is also available to users however it is important to note that other major teleconference platforms – Webex, Google Meet and Skype are similarly rife with privacy concerns. Some have slight improvements over others for instance Google gave hosts in Meet the ability to require a password to enter the meeting however all three platforms can collect data on persons in a video conference and use it to build consumer profiles. Smaller platforms need to be similarly vetted to determine the permissions sought by the platform and the corresponding risks. For instance, Jitsi, a growing contender in video conferencing informs potential users that the company may store chat content and recordings of meetings, albeit temporarily.
- The Association for Computing Machinery has come up with a report to address holding virtual conferences. The report includes a live document showing the different options in terms of platforms, which address different conferencing needs such as conference hosting, text-based interactions, livecasting services and shared whiteboards, and their pros and cons.
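The advice above about links that embed the password deserves a concrete check, because such a link lets anyone who sees it join without ever being asked for the password. The following is an added example, not Zoom's own code or tooling: it assumes join links of the form `https://<subdomain>.zoom.us/j/<meeting id>?pwd=<embedded password>` (the `pwd` parameter name is taken from commonly seen links and is treated here as an assumption) and produces a link that can be shared more widely, with the password sent separately.

```python
"""Inspect a meeting join link before pasting it somewhere public.

Added illustration, not Zoom's code. Assumes join links look like
https://<subdomain>.zoom.us/j/<meeting id>?pwd=<embedded password>; the
parameter name 'pwd' is an assumption based on commonly seen links.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters treated as an embedded meeting password (assumed).
PASSWORD_PARAMS = {"pwd"}


def inspect_join_link(url: str) -> dict:
    """Return what the link reveals and a copy with the password removed."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    embedded = [k for k, _ in query if k.lower() in PASSWORD_PARAMS]
    kept = [(k, v) for k, v in query if k.lower() not in PASSWORD_PARAMS]
    share_safe = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment)
    )
    segments = [s for s in parts.path.split("/") if s]
    meeting_id = segments[-1] if segments and segments[-1].isdigit() else None
    host = parts.netloc.lower()
    return {
        "host": host,
        "is_zoom_host": host == "zoom.us" or host.endswith(".zoom.us"),
        "meeting_id": meeting_id,
        "embeds_password": bool(embedded),
        "share_safe_url": share_safe,
    }


def sharing_advice(url: str) -> str:
    """One-line guidance for the person about to forward the link."""
    info = inspect_join_link(url)
    if not info["is_zoom_host"]:
        return "Not a zoom.us link; check where it really points before sharing."
    if info["embeds_password"]:
        return (
            "Link embeds the meeting password: share "
            f"{info['share_safe_url']} instead and send the password separately."
        )
    return "Link carries no embedded password; remember the waiting room is still the host's screen."


if __name__ == "__main__":
    # Constructed sample links; the meeting id and password are made up.
    for sample in (
        "https://us02web.zoom.us/j/1234567890?pwd=abcDEF123",
        "https://zoom.us/j/1234567890",
        "https://zoom.us.example.net/j/1234567890?pwd=abc",
    ):
        print(sample)
        print("  ", sharing_advice(sample))
```

The `is_zoom_host` check matters as much as the password strip: a link whose host merely contains the string `zoom.us` (like the third sample) is not a Zoom link, and a meeting ID alone still needs the waiting room and a password set on the meeting itself.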
The introduction of Zoom bridged necessary gaps created by the Covid-19 pandemic, allowing people to carry out functions essential to society such as learning, working and even conducting weddings. The ability to carry out these functions has come at a cost and shines a spotlight on the need to develop and design homegrown solutions that are tailored to our needs and can meet our data protection and privacy standards.
Users and governments alike need to consider alternative avenues of achieving stated goals. In the Kenyan context, it’s also important to raise the question of having apps which are not homegrown outliving their usefulness when there is a wealth of talent in app development within the country.
While Zoom remains an option for meeting teleconferencing needs, each user has to evaluate the privacy risks and concerns and determine the trade-offs they’re willing to make to fulfill their objectives.