Zoom: Negligence or Deliberate Espionage? Security and Privacy Issues Explained

During the height of the self-isolation period, the popular American video conferencing app Zoom found itself in the spotlight. Its popularity skyrocketed twentyfold in just a month due to the mass shift to remote work and online learning, making it the most downloaded app in the U.S. However, Zoom attracted attention not just for its user growth, but for a series of scandals involving massive leaks of corporate and personal user data to Facebook, as well as thousands of private video conference recordings being made publicly available on YouTube and Vimeo.

What Is Zoom and How Does It Work?

Zoom is primarily designed for video conferences, supporting HD video streams and up to 100 participants in a single call. Users appreciate features like screen sharing, chat with file attachments, and integration with popular cloud services like Google Drive and Dropbox. The app also allows sharing your mobile device screen and includes a “raise hand” feature for asking questions during meetings.

Despite its robust functionality, Zoom has major issues with user privacy. The app does not support end-to-end encryption and has other serious security vulnerabilities, many of which stem from added features.

Attendee Attention Tracking: “I’m Watching You”

One such feature, Attendee Attention Tracking, allowed hosts to see if participants were distracted from the meeting. While this might seem useful for managers and teachers, the downside was significant: it used tracking scripts that could bypass browser security settings and monitor users via their webcams without consent. Privacy experts raised concerns, prompting Zoom to remove this feature on April 2, 2020, stating it was done to protect user security and privacy.

Facebook SDK: Data Sent to Zuckerberg

Another major issue was Zoom’s automatic transmission of user data to Facebook, which uses such information for advertising. According to DuckDuckGo, Facebook’s ad trackers are present on 36% of all websites, second only to Google’s 85%.

Zoom shared data such as login times, user location, device type, and advertising IDs, which are used for targeted ads. The real problem was that Zoom’s iOS app sent data to Facebook even for users without Facebook accounts, a fact not disclosed in the user agreement—an unauthorized data transfer, or in other words, spying.

After user complaints, Zoom removed the Facebook SDK from its app. However, lawsuits followed, as the company had not required all users to update to the new, fixed version, leaving many still vulnerable.

Privacy? Never Heard of It

Removing Attendee Attention Tracking and the Facebook SDK were positive, if overdue, steps. But Zoom’s security problems run deeper. Its privacy policy states that advertising partners like Google Ads and Google Analytics automatically collect “certain information” about users, without specifying what that includes.

Security researcher Doc Searls commented: “Zoom is in the advertising business, and in the worst way: the company lives off the personal data it collects. Even more disturbing is that Zoom can collect a lot of private, intimate data (like doctor-patient conversations), and none of the participants realize it.” He added, “If your browser cares about privacy (like Brave, Firefox, or Safari), it will likely block ad trackers, but in Zoom, you can’t tell what data is being collected or how.”

Until recently, Zoom didn’t even allow users to opt out of data collection or its sale to third parties, a clear violation of privacy and security. Searls summed up Zoom’s policy: “We expose your virtual necks to data vampires who can do what they will with it.”

Privacy Policy Update

After a wave of criticism, Zoom updated its privacy policy on March 29, 2020, stating: “We do not sell your personal data. Whether you are a business, educational institution, or individual user, we do not sell your data.”

Another key point: “Your meetings are your own. We do not monitor or store them after they end, unless the meeting organizer records and saves them.”

Zoom also clarified: “We only collect user data necessary to provide Zoom services, such as your IP address and information about your operating system and device.”

Finally: “We do not use data from your use of our software for advertising. We only use data from your visits to our commercial sites, like zoom.us and zoom.com. You can control your cookie settings when visiting our commercial sites.”

While these changes are positive, there are still important caveats.

Other Vulnerabilities

Windows users, who make up the majority worldwide, face a serious issue: Zoom converts UNC paths (Windows network file paths) into clickable links. Attackers can use these links to steal Zoom users’ credentials. Zoom is aware of this vulnerability but has yet to release a fix.
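To show why auto-linking UNC paths is dangerous and how a chat linkifier should behave instead, here is an added example (not Zoom's code): a naive linkifier that turns every match, UNC paths included, into an anchor, beside a hardened version that only allows http/https URLs, plus a small detection helper. The sample messages, the regex and all function names are constructed for this illustration; on Windows, opening a `\\host\share` link makes the OS attempt to authenticate to that host, which is what makes the naive behaviour a credential-exposure risk.

```python
import re
from html import escape
from urllib.parse import urlsplit

# Constructed sample chat lines (not real Zoom traffic).
SAMPLE_MESSAGES = [
    "slides are at https://example.com/deck.pdf",
    r"grab the notes from \\files.example.net\share\notes.docx",
    "plain text with nothing clickable",
]

# Matches http(s) URLs and Windows UNC paths of the form \\host\share\file.
_LINK_RE = re.compile(r'(https?://[^\s<>"]+|\\\\[^\s\\<>"]+(?:\\[^\s\\<>"]+)+)')

def _render(text, allow):
    """Escape text for HTML and wrap each match that passes allow() in an anchor."""
    out, pos = [], 0
    for m in _LINK_RE.finditer(text):
        out.append(escape(text[pos:m.start()]))
        target = m.group(0)
        if allow(target):
            out.append(f'<a href="{escape(target, quote=True)}">{escape(target)}</a>')
        else:
            out.append(escape(target))  # left as inert text, not clickable
        pos = m.end()
    out.append(escape(text[pos:]))
    return "".join(out)

def linkify_naive(text):
    r"""The behaviour the article describes: every match, UNC paths included,
    becomes a link. Clicking a \\host\share link on Windows triggers an
    outbound authentication attempt to that host."""
    return _render(text, lambda target: True)

def is_safe_link(target):
    """Allow-list: only absolute http/https URLs with a host may become clickable."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def linkify_safe(text):
    """Hardened form: UNC paths and non-web schemes stay as plain text."""
    return _render(text, is_safe_link)

def find_unc_paths(text):
    """Detection helper: UNC paths seen in a message, for logging or alerting."""
    return [m.group(0) for m in _LINK_RE.finditer(text) if m.group(0).startswith("\\\\")]
```

The same allow-list idea applies to any client that auto-links user content: decide which schemes may be clickable rather than trying to enumerate the dangerous ones.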

Another blow came from The Intercept, which reported on March 31, 2020, that Zoom video is not properly encrypted and that the company can access any user session. The lack of end-to-end encryption allows outsiders to join meetings—a phenomenon called “Zoombombing,” where pranksters disrupt meetings, sometimes broadcasting inappropriate content. Unfortunately, these pranks are among the least harmful things that can happen to Zoom users.

Zoom Leaks and Elon Musk’s Ban

The Washington Post recently reported thousands of Zoom meetings were leaked online, published on YouTube and Vimeo. These videos included confidential information: names, phone numbers, company financials, and even children’s personal data from online classes. Some videos contained deeply personal conversations and nudity, such as a teacher demonstrating hair removal techniques.

Worse, even hidden recordings on Zoom’s own servers can be accessed by guessing the standard numbering system Zoom uses for its files. Many victims told The Washington Post they had no idea their private conversations were made public.

Even before these leaks, Elon Musk banned Zoom at SpaceX and Tesla, citing serious privacy and security concerns. SpaceX blocked Zoom access for employees on March 28, 2020, recommending email and phone for corporate communication instead.

NASA and Google Also Say No to Zoom

NASA spokesperson Stephanie Schierholz announced the same day that the agency banned Zoom for its employees. On March 30, the Boston FBI office warned staff not to make Zoom meetings public or share links.

More bad news for Zoom: Google banned the Zoom desktop app on employee laptops as of April 8, 2020, citing security concerns. Google spokesperson Jose Castaneda said, “Recently, our security team informed employees using the Zoom Desktop Client that it will no longer be supported on corporate computers as it does not meet our security standards. However, Google still allows the use of Zoom via mobile apps and browsers.”

Promises to Improve

Zoom Video Communications claims the data leak issues arose because their servers were unprepared for the surge in users. CEO Eric Yuan addressed this in detail on his blog, promising major efforts to regain user trust.
