What is Going on with Zoom?

Zoom has become the hot topic in a lot of security news and regular news, but what is really going on? Why is it a big deal?




April 8, 2020 | Author: Nurit Elber

Zoom's usage has surged as workplaces and schools have shifted to online and virtual settings. Zoom is considered a relatively easy way to run meetings for people all over the country, but in these anxiety-inducing times it has also been shown to have some serious downsides.

Eric S. Yuan, Zoom's founder and CEO, has told users that usage has skyrocketed from roughly 10 million daily meeting participants at the end of 2019 to more than 200 million during this crisis. Understandably, growth like that strains Zoom's own infrastructure, but what about everything else?

What is Going on with Zoom?

Ravie Lakshmanan of The Hacker News lays out the issues clearly. Keep in mind, as Lakshmanan clarifies, that Zoom is not malware. That does not mean Zoom is free of questionable practices, however; recent events and research have surfaced several real problems.


There is a hefty list below, so here’s the TL;DR:

  • Zoom's iOS app shared user data with third parties, including Facebook. That has since been addressed, but Zoom continues to collect user data under an unclear privacy policy.

  • Zoom users on smaller email domains had their personal information exposed to other Zoom users who happened to share the same email domain.

  • Thousands of recorded Zoom meetings were posted online where anyone could view them, without the participants' permission.

  • Zoom also matched users to their LinkedIn profiles behind the scenes.

  • Finally, Zoom's encryption is not what it promised.


Personal Data Marketing


What is going on with sending information to Facebook and third parties?

The iOS version of the Zoom app sent analytics data to Facebook through the Facebook SDK, even for users who were not logged into Facebook or did not have a Facebook account at all.

For more information, read Joseph Cox’s article on Vice.

Zoom’s Privacy Policy also leaves much to be desired. Zoom is capable of collecting “extensive data,” Lakshmanan notes, about all of its users, including videos, audio transcripts, and shared notes. As written at the time, the policy permitted that data to be shared with third parties for advertising purposes (and no, the users do not get a cut).

For more information, read Doc Searls Weblog and Schneier on Security.

What is being done?

Zoom has since removed the Facebook SDK from the iOS app. As Schneier quotes in his article: “‘We [Zoom] were recently made aware that the Facebook SDK was collecting unnecessary device data,’ Zoom told Motherboard in a statement on Friday.”

Zoom has also revised its privacy policy to state that it does not sell information collected in meetings for advertising. However, it still collects data about users who visit Zoom’s marketing websites, where third-party cookies and trackers are used. Users who want to limit that collection should block third-party cookies in their browser.

Zoom has only made clear that it no longer sells user data for marketing purposes; the rest of its data collection continues.

Attendee Tracking


What is going on with Attendee Tracking?

Zoom allowed the host of a call to see whether attendees had clicked away from the Zoom window (the indicator fired once the window had been out of focus for more than 30 seconds). This may sound useful, since it lets a teacher check whether students are paying attention; however, it gives the host a window into what attendees are doing on their own devices, and for students that means their home devices. Richie Koch of ProtonMail also noted that attendees were never alerted that they were being tracked.

For more information, read Lindsay Oliver’s article for the EFF.

What is being done?

Zoom removed this feature on April 2, 2020. However, Zoom still allows hosts to view private messages sent during the call if the call is recorded locally to the host’s computer.

Data Mining


What is going on with Undisclosed Data Mining?

Zoom had a tool, undisclosed to users, that automatically matched each user’s name and email address to a LinkedIn profile when the user joined a meeting. That might not sound too alarming, until you learn that Zoom made this match even when the user had joined anonymously or under a fake name.

If a participant subscribed to LinkedIn Sales Navigator, Zoom let them pull up the LinkedIn profiles of every other participant in the meeting, without anyone’s consent. That exposed each user’s real name, job title, employer, location, and other information from their LinkedIn account, even when that account was set to private.

For more information, read Aaron Krolik and Natasha Singer’s article in the NYT.

What is being done?

Zoom permanently disabled this feature on April 2, 2020.

Information Leaks


What is going on with Leaked Information?

Zoom’s Company Directory feature assumed that everyone who signed up with the same email domain worked for the same organization. Zoom exempted the big consumer providers such as Gmail and Outlook from this grouping, but hundreds of smaller, non-traditional domains (for example, those of small ISPs) were not exempted, so their users were grouped together and shown each other’s full names, profile photos, and email addresses, even though they were complete strangers.

For more information, read Joseph Cox’s article on Vice.

As if that were not enough, thousands of recorded Zoom meetings have been left unsecured on the open web. They include confidential content such as one-on-one therapy sessions, business meetings, training orientations, and elementary through high school class sessions. Many can be found with a simple search and downloaded by anyone. Exposure is made easier when a recording keeps Zoom’s default file name, because that naming pattern is trivial to search for.

Many of these recordings were found in Amazon S3 storage (known as “buckets”) that their owners had left publicly readable. Buckets are private by default; recordings become exposed only when whoever uploaded them opens the bucket to the public.

For more information, read Drew Harwell’s article in the Washington Post.

What is being done?

Zoom has blacklisted the affected email domains so that their users are no longer grouped together, which stops this particular sharing of personal information. Note that this is a denylist of known problem domains rather than a change to the underlying assumption that a shared domain means a shared employer.

Zoom has been notified about the recorded sessions found online.
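As an added illustration of the directory problem and of Zoom's denylist fix (this is not Zoom's code, and it is not taken from the Vice article), the following Go program contrasts the two ways of deciding who counts as a colleague. The user list, the domains and the list of exempted consumer providers are all constructed for the example; `verifiedOrgDomains` assumes some out-of-band proof of domain ownership, such as an administrator publishing a DNS record, which the example does not implement.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// user is one account in a constructed sample directory.
type user struct {
	Name, Email string
}

// sampleUsers is constructed test data: two colleagues at a verified company,
// two strangers on a big consumer provider, and two strangers on a small ISP
// domain that is not on any exemption list. Frank's address is deliberately
// mixed-case to show that domain matching must normalise first.
var sampleUsers = []user{
	{"Alice", "alice@example-corp.com"},
	{"Bob", "bob@example-corp.com"},
	{"Carol", "carol@gmail.com"},
	{"Dave", "dave@gmail.com"},
	{"Erin", "erin@small-isp.example"},
	{"Frank", "Frank@Small-ISP.example"},
}

// consumerDomains is the denylist approach: "everyone on these big public
// providers is obviously not one company". Any domain not listed is trusted.
var consumerDomains = map[string]bool{
	"gmail.com": true, "outlook.com": true, "yahoo.com": true, "hotmail.com": true,
}

// verifiedOrgDomains is the allowlist approach: only domains whose owner has
// proven control (assumed here to be done via an admin flow, e.g. a DNS TXT
// record) are treated as an organisation.
var verifiedOrgDomains = map[string]bool{
	"example-corp.com": true,
}

// domainOf returns the lower-cased part after the last '@', or "" if malformed.
func domainOf(email string) string {
	at := strings.LastIndex(email, "@")
	if at < 0 || at == len(email)-1 {
		return ""
	}
	return strings.ToLower(email[at+1:])
}

// colleaguesBy returns the names of every other user on the viewer's domain,
// but only if sameOrg(domain) says that domain is one organisation.
func colleaguesBy(users []user, viewer user, sameOrg func(domain string) bool) []string {
	d := domainOf(viewer.Email)
	if d == "" || !sameOrg(d) {
		return nil
	}
	var out []string
	for _, u := range users {
		if u.Email != viewer.Email && domainOf(u.Email) == d {
			out = append(out, u.Name)
		}
	}
	sort.Strings(out) // stable output for display and testing
	return out
}

// directoryDenylist reproduces the leaky logic: group everyone whose domain
// is not a known consumer provider. Small ISP domains fall straight through.
func directoryDenylist(users []user, viewer user) []string {
	return colleaguesBy(users, viewer, func(d string) bool { return !consumerDomains[d] })
}

// directoryAllowlist is the hardened form: group only verified org domains,
// so an unknown domain exposes nobody by default.
func directoryAllowlist(users []user, viewer user) []string {
	return colleaguesBy(users, viewer, func(d string) bool { return verifiedOrgDomains[d] })
}

func main() {
	for _, v := range sampleUsers {
		fmt.Printf("%-6s denylist sees %v, allowlist sees %v\n",
			v.Name, directoryDenylist(sampleUsers, v), directoryAllowlist(sampleUsers, v))
	}
}
```

Under the denylist, Erin is shown Frank, a stranger who merely shares her ISP, while under the allowlist she is shown nobody and Alice still sees Bob. Adding more domains to the denylist, which is what Zoom did, only closes the cases someone has already reported; the allowlist fails closed for every domain nobody has vetted.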

Encryption


What is going on with Encryption?

Zoom has marketed its meetings as end-to-end encrypted. Properly, that means data is encrypted on the sender’s device and decrypted only on the recipients’ devices, so the company in the middle has no ability to decrypt it.

That is not what Zoom does. The Intercept found that Zoom meetings use transport encryption (TLS) between each client and Zoom’s servers, so Zoom’s servers can decrypt the audio and video passing through them; Zoom itself conceded that it is not currently possible to enable true end-to-end encryption for its video meetings. Cloud recording makes this plain: the recording is produced and stored on Zoom’s platform, which only works because Zoom holds the keys.

For more information, read Micah Lee and Yael Grauer’s article on The Intercept and Matthew Green’s blog.

Zoom also claimed to use AES-256, but the Citizen Lab analysis that Schneier summarizes found that each meeting is protected by a single AES-128 key, generated by Zoom’s servers and handed to every participant, and used in ECB mode. The problem is not that AES-128 is weak; a 128-bit key is not crackable in practice. The problems are that Zoom’s own servers hold the key, and that ECB mode encrypts identical plaintext blocks to identical ciphertext blocks, so patterns in the audio and video leak through the encryption. Either way, Zoom promised a higher standard than it delivered.

For more information, read Schneier on Security
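To make the ECB point concrete, here is an added example in Go; it is not Zoom's code and not from any of the articles cited above. It builds a constructed plaintext standing in for one video frame (mostly identical background blocks with a few that differ), encrypts it under both an AES-128 and an AES-256 key, and counts how many distinct ciphertext blocks an eavesdropper would see in ECB mode versus AES-GCM. The frame contents and the demo keys are invented for the example; the ECB loop is written by hand because Go's standard library deliberately provides no ECB mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"log"
)

const blockSize = aes.BlockSize // 16 bytes for every AES key length

// ecbEncrypt encrypts pt one block at a time with no chaining and no nonce,
// which is exactly what ECB mode is. pt must be block-aligned.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	if len(pt)%blockSize != 0 {
		panic("ecbEncrypt: plaintext not block-aligned")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += blockSize {
		block.Encrypt(ct[i:i+blockSize], pt[i:i+blockSize])
	}
	return ct
}

// gcmEncrypt encrypts pt with AES-GCM under a fresh random nonce and returns
// only the ciphertext body so block counts compare like-for-like with ECB.
// A real sender would transmit nonce || ciphertext || tag.
func gcmEncrypt(block cipher.Block, pt []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, pt, nil)
	return sealed[:len(pt)], nil
}

// distinctBlocks counts unique 16-byte blocks in ct. Anyone on the wire can
// compute this without the key; it is the simplest ECB pattern-leak test.
func distinctBlocks(ct []byte) int {
	seen := make(map[string]struct{})
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		seen[string(ct[i:i+blockSize])] = struct{}{}
	}
	return len(seen)
}

// sampleFrame is a constructed stand-in for one video frame: 60 identical
// "background" blocks followed by 4 distinct "motion" blocks, 64 in total.
func sampleFrame() []byte {
	background := bytes.Repeat([]byte{0x20}, blockSize)
	frame := bytes.Repeat(background, 60)
	for i := 0; i < 4; i++ {
		motion := bytes.Repeat([]byte{0xA0 + byte(i)}, blockSize)
		frame = append(frame, motion...)
	}
	return frame
}

// leakReport encrypts the same frame under ECB and GCM with the given key and
// returns how many distinct ciphertext blocks each mode produces.
func leakReport(key []byte) (ecbDistinct, gcmDistinct int, err error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return 0, 0, err
	}
	pt := sampleFrame()
	ecbDistinct = distinctBlocks(ecbEncrypt(block, pt))
	gcmCT, err := gcmEncrypt(block, pt)
	if err != nil {
		return 0, 0, err
	}
	gcmDistinct = distinctBlocks(gcmCT)
	return ecbDistinct, gcmDistinct, nil
}

func main() {
	// Constructed demo keys; a real system derives a fresh key per session.
	key128 := bytes.Repeat([]byte{0x11}, 16)
	key256 := bytes.Repeat([]byte{0x22}, 32)
	for _, key := range [][]byte{key128, key256} {
		ecb, gcm, err := leakReport(key)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("AES-%d: %d plaintext blocks -> ECB shows %d distinct, GCM shows %d distinct\n",
			len(key)*8, len(sampleFrame())/blockSize, ecb, gcm)
	}
}
```

Both key sizes report the same thing: ECB collapses 64 blocks to 5 distinct ciphertexts, exposing exactly where the frame repeats and where it changes, while GCM yields 64 distinct blocks. Doubling the key length changes nothing about that leak, which is why the mode and the key handling, rather than AES-128 itself, are the substance of the criticism.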

What is being done?

Zoom has not currently released information about what is being done with its encryption practices.

Conclusion

The biggest question stands: is the convenience of Zoom worth the risk to a company or a school? Where possible, businesses and educators should consider other platforms in order to avoid the risks attached to Zoom.

For Zoom users, consider following the FBI’s recommendations:

    1. Do not make meetings public. Require a password or use the waiting room feature to vet attendees before admitting them.

    2. Do not share the link or the password to the meeting publicly. This includes Facebook and other social media.

    3. Limit screen sharing. If you are hosting, set screen sharing to “Host Only.”

    4. Update Zoom. In the past few days (around April 2) Zoom has patched several bugs that could give attackers access to affected devices. Check for updates on Windows, macOS, Android, and iOS.

Other recommendations from us:

    1. Be wary of what you do and say (off mic and through messaging) during a Zoom call.

    2. Avoid recording Zoom calls unless necessary. Check whether a call is being recorded (Zoom does not require everyone’s consent to record) by opening the Participants tab and looking for a record icon next to the recorder’s name.

Zoom Record Icon

If you must record, rename the file from the default “Zoom_0.mp4” or “audio_only.m4a” to something that does not identify it as a Zoom recording. Do not post the recording to a cloud-based service, and never without every participant’s consent.
