While the coronavirus crisis has thrown several companies under the bus, there’s one area that’s seeing a meteoric rise- digital services. The crisis has now put the spotlight on services like Zoom, which has become a key player in the video conferencing space.
While the American company is in the midst of its best quarter yet, it has come under intense scrutiny for its multiple privacy violations.
Back to Facebook
Oh Facebook! Even when it is not their service, the company finds itself associated with a privacy scandal. In March, Vice Media found that Zoom’s iOS app was sharing analytics data with Facebook, even when the particular user did not have a Facebook account.
Sending data to Facebook is not uncommon, it happens when a developer uses Facebook’s Software Development Kit (SDK) to add features. However, there was no mention of data being sent to Facebook in the privacy policy, or through any pop-up in Zoom.
Zoom connected to Facebook’s Graph API, which allowed the social network to access data such as details of the user’s device, their location and phone carrier.
In a statement to Motherboard, Zoom said: “To address this, in the next few days, we will be removing the Facebook SDK and reconfiguring the feature… We sincerely apologize for this oversight, and remain firmly committed to the protection of our users’ data.“
The company now faces a class-action lawsuit, filed in San Jose California by Robert Cullen. The suit alleges that the company is in violation of California’s Consumer Privacy Act, by leaking data to Facebook.
Contacts leak
On March 31, Vice found that Zoom is leaking people’s email addresses and photos. The issue, linked to Zoom’s “Company Directory” setting, is perhaps the biggest violation of privacy yet. The bug (or as Zoom likes to think of it – feature), adds other people to a user’s lists of contacts if they signed up with an email address that shares the same domain.
The feature was intended to help people find a colleague through their email address. However, many Zoom users signed into the service through their personal mail ID rather than corporate ones. As a result, Zoom grouped the ID’s from domains as if they all belonged to the same account.
The issue was first reported by several dutch users, who use domains like xs4all.nl, dds.nl, and quicknet.nl, which are provided by Dutch Internet Service Providers (ISPs). The leak is limited to similar non-standard domains, a support doc says that Zoom does not group “publicly used domains including gmail.com, yahoo.com, hotmail.com, etc.”
Other violations
Zoom’s privacy violations do not end there. With Zoom Version 4.0, the company implemented an attendee attention tracking feature. It allows meeting organisers to see if other participants have the Zoom window “open and active” or not during a call. If the window is closed for more than 30 seconds, the organiser gets a clock-like indicator next to the participants’ name, indicating that they aren’t actively attending the meeting.
There’s also a tracking feature for administrators, who manage cloud recordings and other tasks. Under Zoom’s managing cloud recordings feature, admins can see details of how, when and where users are using Zoom in the company.
Zoom provides detailed dashboards of user activities. Admins can also access data such as IP address, operating system, location data, type of machine and user-configured names of the devices.
Administrators also have the ability to jump into a call in their organisation, without warning or consent of the attendees. All these violations were discovered by the Electronic Frontier Foundation on March 19.
Zoombing
Well before the pandemic, Zoom also suffered from other privacy issues. The biggest being the ability to generate active meeting ID numbers. The hack, discovered by cybersecurity firm Check Point, allows a hacker to join a meeting that isn’t password protected. While Zoom did address the issue, it did not say users had to use a password, which was a key recommendation by Check Point.
The issue came back into the limelight after British Prime Minister Boris Johnson shared a screenshot of a cabinet meeting on March 31. The screenshot clearly shows the meeting ID, which would have made it easy for any hacker to join in.
It has given rise to the term ‘zoombing’, as trolls are now targeting meetings that aren’t password protected. A New York Times article exposed how trolls are jumping into meetings at random, and broadcasting graphic content, forcing meetings to be cancelled.
The most high-profile target so far has been fast food brand Chipotle, who was in the middle of a public Zoom chat with musician Lauv, before a participant began using the screen sharing feature to broadcast pornography.
Trolls have taken to sites like Twitter and Discord to share public zoom meeting IDs, and many IDs are available on event pages.
“We have been deeply upset to hear about the incidents involving this type of attack. For those hosting large, public group meetings, we strongly encourage hosts to change their settings so that only they can share their screen. For those hosting private meetings, password protections are on by default and we recommend that users keep those protections on to prevent uninvited users from joining,” said a spokesperson for Zoom Video Communications in a statement to the New York Times.
A challenging future
Zoom was built as a corporate communications tool, not a social media network. As the world has moved online, the company failed to foresee the challenges ahead.
Unlike Facebook, Zoom is not the undisputed leader in its industry. Offerings like Skype, Hangouts and Messenger mean that it is easier for users to shift from Zoom than from Facebook.
Zoom does, however, offer significant benefits like cheaper plans and advanced features giving it a slight edge over the competition. If it manages to tackle the issues soon, it could become the de facto tool for the future.
If you enjoyed this article please consider checking out the rest of our tech coverage.
