Zoom, the videoconferencing app that’s dominating our coronavirus-created work, school, and social lives, is more popular than ever. With this popularity has come a wave of scrutiny, and Zoom’s new users have been joined by a lawsuit, a letter from a state attorney general, and accusations of shady privacy practices.
On Monday, Zoom found itself the recipient of not just a letter from New York Attorney General Letitia James but also a class action lawsuit, both over privacy issues that have been brewing since even before the coronavirus existed but which gained momentum once seemingly everyone began using it.
How lax security brought us “Zoombombing”
Zoom was released in 2013 and steadily climbed the videoconferencing app ranks, becoming one of the most popular business apps out there for the last several years. When the pandemic hit, forcing millions of workers and students to work remotely and friends and family members to interact virtually, many of them turned to Zoom. It is currently the most popular Apple and Android app in the world, and its stock price has more than doubled since late January — an especially impressive rise considering the stock market crash that also occurred during this time.
Leading up to the pandemic, Zoom suffered from several security issues, including a well-publicized vulnerability that could force Mac users that have (or ever had) Zoom installed on their device to join Zoom meetings with their cameras automatically activated. In January, cybersecurity firm Check Point found a way that a hacker could easily generate active meeting ID numbers, which they could then use to join meetings if the meetings weren’t password protected. Zoom instituted a number of changes to help fix the issue, but Check Point’s recommendation that meetings must be password protected was not.
So now we have “Zoombombing,” where public Zoom meetings are joined by a troll who broadcasts things like porn and Nazi imagery to the rest of the room. Public Zoom events that have been targeted must shut down to stop the broadcast. There are ways to mitigate this, such as password protecting meetings or limiting the screensharing setting to the meeting host. But the fact that it is so easy for anyone to join and then disrupt a public Zoom meeting at all indicates that Zoom’s developers didn’t anticipate the ways those meetings could be disrupted in the first place — something that anyone who has used the internet before really should have foreseen.
James, the New York Attorney General, sent Zoom a letter on Monday saying her office was “concerned” that Zoom’s security practices weren’t enough to handle its sudden boom in users, and it wanted to know what, if any, measures the company was taking to improve them. The New York Attorney General’s office also wanted to know what data the app collects about its users and why, and how it was following legal requirements to get consent from minor users.
Why Zoom’s privacy problems probably won’t ruin your day
Some of Zoom’s other recent sources of controversy, namely those related to privacy concerns, may have been blown out of proportion.
When its “attention tracking” feature was highlighted, many thought it allowed Zoom meeting hosts to secretly monitor their participants’ activities. The truth is less sensational: attention tracking can be turned on by the meeting host without participants’ knowledge. This can certainly feel like a privacy invasion. But Zoom told Recode that the feature is only enabled when the host is in screensharing mode, and it only tells the host which participants haven’t had its app in focus for 30 seconds or more. In other words, a meeting host can’t monitor everything the participants are doing on their computers — just when they stop looking at Zoom for a while. Even so, Zoom recently disabled the attention tracking feature.
Another recent dustup followed a Vice report last week that Zoom’s iOS app sends data back to Facebook through a software development kit, or SDK. (SDKs are packages of tools that developers use to build apps, and it’s very common for apps to have third-party SDKs that transmit information back to those third parties.) Facebook’s SDKs are some of the most popular in the world, mobile app intelligence service Apptopia told Recode, with at least a million apps using its most popular social SDK and at least half a million apps using its login SDK. The login SDK enables users to log in to Zoom through their Facebook accounts, and in Zoom’s case, it also sent basic device information back to Facebook, including the device’s model, app version, and cellphone service carrier.
It’s hard to know what Facebook was doing with this data. Cybersecurity company Bitdefender did find it unusual that the SDK sent this data back to Facebook even if the user didn’t log in through Facebook (or have a Facebook account at all). It did not tell Facebook which meetings the user joined or what was said in them. Zoom claimed it didn’t realize this information was being sent to Facebook and removed the SDK after Vice’s report. A class action lawsuit was filed several days later accusing Zoom of collecting and disclosing information about its users without properly notifying them.
The trouble doesn’t end there. On Tuesday, the Intercept reported that Zoom inaccurately claims that meetings can be “end-to-end encrypted.” In true end-to-end encrypted services like WhatsApp and Signal, the message content is encrypted even from the service provider. Zoom’s video chats can be seen by Zoom, although according to the Intercept, text chats in those meetings are truly end-to-end encrypted. The report triggered a letter to the company from Sen. Richard Blumenthal (D-CT) asking Zoom to explain, among other things, whether the service truly provides end-to-end encryption for video conferences.
Then, on Thursday, the New York Times reported that Zoom enabled a LinkedIn feature that, through names and email addresses, automatically associated Zoom users with their LinkedIn profiles, without their knowledge. Subscribers to LinkedIn’s Sales Navigator service could then immediately identify and access those users’ profiles during meetings. While Zoom once heralded this feature as “add[ing] tremendous value to Zoom,” it was removed shortly before the Times’ report was published.
What’s Zoom’s problem?
With its vaguely worded privacy policies and misleading marketing materials, Zoom’s real overarching issue seems to be a lack of transparency. This, combined with an apparent lack of forethought about how video meetings with insufficient privacy protections — both on the back and the front end — could be exploited by hackers or trolls. This entire scenario becomes especially problematic considering the growing number of students that Zoom eagerly recruits for the platform. Features that might have been appropriate or even welcome in the business settings Zoom thrived in are now seen as invasive, creepy, and unwelcome. It all seems like a bad publicity time bomb that went off as soon as Zoom became an essential piece of pandemic software and people started really looking more closely at how the service worked.
It remains to be seen just how damaging these reports will be. Some schools are already backing off using Zoom. Public schools in Fairfax County, Virginia, for example, announced on Monday night that they “can no longer use Zoom” for video calls. Then again, the Prime Minister of the United Kingdom, currently quarantined after contracting coronavirus, hosted a cabinet meeting over a (password protected) Zoom call on Tuesday. Perhaps Zoom is just too popular and necessary to fail now. Or maybe its problems are just beginning.
Update, April 2, 11:30 am: Updated to add more reports about Zoom’s privacy issues, the letter from Sen. Richard Blumenthal, and Zoom’s disabling of its attention tracking and LinkedIn Sales Navigator service.
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.