Zoom Privacy and Security Issues You Should Know About

By Ava McKinneyOnline Safety

Zoom Privacy and Security Issues You Should Know About

About a year ago, I was introduced to Zoom by friends who wanted to have a video conference. It took me about ten minutes to decide to forget about Zoom forever. First, Zoom is not open-source software, and second, their privacy policy stated that they collect tons of information about their users. I suggested an ethical open-source alternative (which I’ll mention below), and we managed without Zoom.

With the onset of the global quarantine, everyone suddenly started using Zoom for video conferences, even heads of state. Zoom + Windows OS = facepalm, and then people are surprised when hackers get hold of important government information. For example, the UK Prime Minister was seen having a good time on Zoom (even revealing the meeting ID) with some officials. There are plenty of similar posts on social media where politicians hold their meetings via Zoom.

I used to think that when politicians from different countries held video conferences, some super-admins would set up a highly encrypted communication channel with special software not available to the public. But now, everyone just uses Zoom.

Zoom has faced a massive influx of new users as the COVID-19 outbreak forces more people to work from home. However, new users should be aware of the company’s privacy and security practices. A quick look at their privacy policy and supporting documents reveals that Zoom tracks your presence during calls, shares large amounts of data with third parties, and has serious security vulnerabilities.

1) Zoom Knows If You’re Paying Attention

Whenever you join a call, there’s an option to enable the attention tracking feature. This notifies the call organizer whenever someone in the meeting does not have the Zoom desktop or mobile app in focus for more than 30 seconds. In other words, if you minimize Zoom or switch to another app, the organizer will be notified after 30 seconds, regardless of whether you’re taking notes, checking email, or answering a question elsewhere.

This feature only works if someone is sharing their screen. It’s unclear if participants are notified when attention tracking is enabled. Of course, not looking at the Zoom screen doesn’t mean you’re not paying attention or doing your job. The feature only works on Zoom apps version 4.0 or later and is less reliable if you use Zoom through a web browser.

Also, if the organizer decides to record the meeting, Zoom will save a TXT file of the chat messages and share it with the meeting host. According to their support page, “the saved chat will only include messages sent to everyone.” However, it’s not clear what happens to direct messages between participants.

2) Zoom Tracks More Than Just Your Attention

According to Zoom’s privacy policy, the company collects a lot of data about you, including:

  • Your name
  • Physical address
  • Email address
  • Phone number
  • Job title
  • Your employer

Even if you don’t create a Zoom account, it collects and stores data about your device and IP address. It also gathers information from your Facebook profile (if you use Facebook to log in) and any “information you upload, provide, or create while using the service.”

Some of this data is entered by you (for example, your email to join a call), but most is collected automatically by the Zoom app. In their privacy policy, under “Does Zoom sell personal data?”, they say: “It depends on what you mean by ‘sell’.” In summary, Zoom claims not to sell personal data for money to third parties, but they do share it with third parties for those companies’ “business purposes.” For example, they may share your data with Google.

A Vice article noted that the Zoom iOS app shared significant user data with Facebook, even if the user didn’t have a Facebook account. Two days after the article was published, Zoom removed the code that sent data to Facebook. Zoom explained that they were unaware the Facebook SDK used for “Login with Facebook” was collecting unnecessary data. The data collected included device type and version, time zone, OS, model, carrier, screen size, processor cores, and disk space.

Currently, Zoom faces a class-action lawsuit from a California resident who claims Zoom violated the California Consumer Privacy Act by sharing user data with Facebook without consent. The New York Attorney General also sent a letter to Zoom expressing concern that their security practices may not protect user data, especially for students, as Zoom recently increased the number of free participants to help schools teach remotely.

3) Zoom Does Not Use True End-to-End Encryption

Zoom has used its own definition of end-to-end encryption (E2EE), which can mislead users. Despite claims on their website and in their security documentation that “computer audio” calls are end-to-end encrypted, analysis shows that Zoom only uses transport layer security (TLS)—the same encryption that protects websites using HTTPS.

TLS encryption protects internet connections from third-party eavesdropping, but it does not protect data from Zoom itself. This is different from true E2EE services like ProtonMail, where messages are encrypted on the user’s device and can only be decrypted by the recipient. No one else can access the unencrypted data between users.

A Zoom spokesperson clarified that E2EE for Zoom means “the connection is encrypted from the Zoom endpoint to the Zoom endpoint,” but here, “endpoint” refers to Zoom’s server, not the user’s app. This does not meet the standards of true end-to-end encryption.

4) Zoombombing

Online trolls have disrupted many Zoom meetings by sharing offensive or pornographic material using the Screen Share feature—a phenomenon known as “Zoombombing.” By default, Zoom allows any participant to share their screen without the host’s permission. If a call is public, anyone with the link can join, making it easy for attackers to hijack meetings and display inappropriate content.

5) Webcam Hacking Issue

Last year, security consultant Johnathan Leitschuh discovered that Zoom installed a local web server on Mac computers, allowing Zoom to bypass Safari 12’s security features. This web server was not mentioned in any official Zoom documentation and was used to bypass the pop-up that appeared before enabling the camera.

This remote web server was not properly secured and could be accessed by any website, allowing malicious sites to take over the Mac’s camera without warning the user. This led the Electronic Privacy Information Center to file a complaint with the FTC, claiming that Zoom “intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the user’s knowledge or consent.”

Although Zoom has since removed these web servers, their disregard for user consent and ongoing neglect of security and privacy in favor of convenience raises serious concerns.

Key Generation in China

According to researchers at the University of Toronto, some Zoom video conferences are encrypted using keys issued by servers in China, even when all participants are in North America. Zoom also reportedly has at least 700 employees in China across three subsidiaries.

A report by Citizen Lab states that Zoom “is not suitable for use” and is legally required to disclose encryption keys to Chinese authorities and “respond to pressure” from them.

When you start a Zoom meeting, the software on your device receives an encryption key from Zoom’s cloud infrastructure, which includes servers worldwide. The key comes from a “key management system” that generates and distributes encryption keys to meeting participants. Each user receives the same shared key, which is sent to their device via TLS encryption.

Depending on the meeting setup, some Zoom cloud servers called “connectors” may also receive a copy of the key. For example, if someone joins by phone, the key is sent to a Zoom telephony connector server.

Some key management systems (5 out of 73) appear to be located in China, with the rest in the US. During a test call between two Citizen Lab researchers in the US and Canada, the meeting’s encryption key “was sent to one participant via TLS from a Zoom server apparently located in Beijing.”

The report notes that Zoom may be legally required to provide encryption keys to Chinese authorities if those keys are generated on a server in China. If Chinese authorities or any other attacker with access to the key want to spy on a Zoom meeting, they would also need to control the participant’s internet access or monitor Zoom’s internal network. By collecting the encrypted meeting traffic, they could use the key to decrypt and recover the video and audio.

What Does Zoom Say?

Zoom’s CEO has expressed regret about these privacy and security issues. In a recent blog post, he said Zoom usage has grown by 1,900%, reaching about 200 million daily users, up from 10 million per day in December 2019.

Notable Incidents

  • A Norwegian school stopped using Zoom after a naked man “guessed” the conference link.
  • Elon Musk’s SpaceX banned Zoom.

What Should You Use Instead?

If you work for a company, consider suggesting a self-hosted solution to your administrators, such as:

For personal use:

  • Jami
  • You can also use Jitsi, but be aware that WebRTC (for now) does not provide a way to conduct multi-party calls with end-to-end encryption. Your traffic is encrypted on the network but decrypted on the bridge server when using Jitsi Meet.

The architecture of Jitsi Meet allows you to deploy your own version, including all server components. In this case, your security is roughly equivalent to a direct one-on-one WebRTC call, which is a unique security advantage of Jitsi Meet.

Official servers from the Jitsi team (check their privacy policy):

A list of Jitsi servers run by various organizations, communities, and enthusiasts (check their privacy policy and research who runs the server before use):

Stay safe and make informed choices about your video conferencing tools.

Leave a Reply