Updated April 3rd 2020 with new entries.
This was originally a newsletter sent out on March 30th but given how current the information is, we decided to publish it on the site earlier than planned. We’ve also updated the newsletter given some new information that came to light since the newsletter’s publication. To sign up for our newsletter, click here.
With the US still in the middle of the coronavirus pandemic, more and more employers are working remotely and choosing Zoom as their video-conferencing app of choice. But how privacy-friendly is Zoom for a given employee? Here’s what we found out.
Zoom’s CEO has issued a statement around the (many) privacy issues that pop up once a day for Zoom. In addition to removing some of the privacy-invading features like the Attendee Attention Tracker and the LinkedIn Sales Navigator integration (details below), they’ll also stop work on all new features in order to properly assess (with third parties) their security and privacy.
A good move overall, and one that not only shows that they take privacy and security seriously, but that they care that their consumers value it as well.
The New York Times reported that Zoom was providing meeting attendants with LinkedIn information on other attendants without asking for permission and even if the attendants used a pseudonym, making privacy an impossibility. After being asked about the feature (used as part of LinkedIn’s Sales Navigator), Zoom stated they’d pull the feature.
The data-sharing was enabled by Facebook’s SDK which offers the ‘login with Facebook’ option many apps and companies use. So Zoom isn’t the only one at fault here. If you see a ‘login with Facebook’, then your data is likely being shared with Facebook, whether you have an account with them or not.
*Update* Zoom gets slapped with a lawsuit
On the other side of the US, the NY Attorney General has sent a letter to Zoom wanting to know more information about how Zoom is able to handle a surge of users and traffic without succumbing to hackers or failing to protect user data. The NY AG is also interested in Zoom’s data sharing practices.
If your organization is running Zoom meetings on private settings, you’re at risk for Zoom-bombing, a phenomenon where a random user jumps into your call. This is easily done just by brute-forcing the meeting URL. By randomly choosing a 9, 10, or 11 digit number, a random person may find a Zoom meeting and join it if there’s no pin or password protection. The same is true if they dial in, they just need to guess a meeting ID.
The best way to prevent this is to place authentication measures on Zoom.
At the time of writing, Zoom markets its video conferencing on its website as having end-to-end encryption. However, a report by The Intercept has confirmed that it’s not necessarily true. Zoom does provide a form on encryption but it’s not end-to-end. The most important detail is the fact that Zoom can access the contents of user meetings (unlike true end-to-end encryption, where the content is inaccessible outside of the parties involved).
This may become a privacy issue as subpoenas and other government orders may force Zoom to disclose the contents of their meetings.
In their Privacy Page, Zoom previously answered the question “Does Zoom Sell Your Data?” with “Depends on what you mean by ‘sell.’” – a vague response. However, on March 29th, they updated their privacy page and now explicitly state that they “do not sell your data.”
But if you read a bit further down their page, you’ll see that for GDPR and CCPA purposes, you may “opt out of certain advertising related to personal data by clicking the ‘Do Not ‘Sell’ My Personal Information’ link.” So it’s a little unclear as to what they mean by ‘sell’.
Security researchers have found that Zoom installs itself on MacOS devices much like malware does. It bypassing Apple’s security, accessing root privileges via a ‘misleading prompt’ and failing to obtain final user consent.
While this doesn’t necessarily mean Zoom is malware, legitimate software shouldn’t behave like malware for installation purposes.
Zoom has two helpful features that erode your privacy, just a little bit.
Their attention-tracking feature will alert administrators when you don’t have the Zoom meeting window ‘in focus’ (meaning active and open) for longer than 30 seconds.
And the meeting record feature will capture the video conference, produce a text transcript of the meeting, and also capture any chat messages that were sent during the meeting. The recording can then be sent around as the administrator sees fit. So be careful what you’re messaging via chat – others may see it after the meeting ends.
In what appears to be a bug, users without the proper domain name at the end of their email address are allowed into Company Directories and able to see other users’ email addresses, full names, and photos. The Company Directory features is used to house individuals from a single company using a shared domain name (except many email providers). However, some users have been collectively added to a directory with their personal email addresses, exposing their info to each other.
Zoom collects a lot of data on its users that they share with various third-parties – some of this data collection is stymied if you only use the web browser. Zoom has also fixed several security vulnerabilities soon after its use skyrocketed (and as more security researchers took a close look at Zoom) so if you are using the desktop app, make sure it’s constantly updated so you’re not exposed to these vulnerabilities.