Is Zoom ‘zooming’ onto our privacy?
Amid the COVID-19 pandemic, the video conferencing company Zoom has become the “go-to” online platform for school and work. Its sudden popularity, however, has brought a fair share of backlash. Instead of commending Zoom for its usefulness, many users are now condemning it for weak security and privacy practices.
Zoom, founded in 2011 by former Cisco Systems executive Eric Yuan, began as a service for online meetings between company employees, sales representatives, and clients. In the past two months the company has seen a flood of new users from social groups and schools: daily users went from 10 million in December to 200 million in March (1). Weaknesses that had gone unnoticed at the old scale became obvious under that load. Attackers began hijacking meetings and using the platform’s screen-sharing feature to project graphic content, in incidents known as “Zoombombing.” Press reports also found that the company’s iPhone app sent device data to Facebook through the Facebook SDK, even for users with no Facebook account, and that a LinkedIn integration let some participants quietly pull up the LinkedIn profile data of others in the meeting (3).
Attackers have also been taking over Zoom accounts through credential stuffing. The attack does not guess passwords at random: it takes email-and-password pairs leaked in earlier breaches of other services and replays them, at high volume and through automation, against Zoom’s login. Because many people reuse the same password everywhere, a fraction of the pairs still work. The working pairs are collected and sold or given away on hacker forums and the dark web; over five hundred thousand Zoom accounts are reported to have surfaced this way, in listings that reportedly included each account’s email address, password, personal meeting URL and host key (7). A host key lets whoever holds it claim host controls in that person’s meetings. The defense is the same as for any credential-stuffing campaign: use a unique password for every service (a password manager makes this practical) and enable two-factor authentication where it is offered. As these reports surfaced, users were urged to do exactly that (7).
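As an added example (not from the original article, and not Zoom’s code), the following Go program shows what a credential-stuffing campaign looks like in authentication logs and how a defender would flag it. The log format and every address, account and outcome in it are constructed for the example; real logs name their fields differently. The detection rule is the one that separates stuffing from ordinary human error: one source trying many distinct accounts with mostly failures, whereas a person who mistypes a password fails a few times on a single account. Successes from a flagged source are the compromised accounts that need a forced password reset and session revocation.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed auth-log format (not Zoom's real logs), one line per login attempt:
//   <timestamp> src=<ip> user=<account> result=OK|FAIL
// Credential stuffing shows up as ONE source cycling through MANY accounts with
// mostly failures; a forgetful human fails a few times on ONE account.

type ipStats struct {
	attempts  int
	failures  int
	users     map[string]bool
	succeeded []string // accounts that logged in from this source
}

type Finding struct {
	SourceIP         string
	Attempts         int
	DistinctUsers    int
	FailureRate      float64
	CompromisedUsers []string // successes from a flagged source: force reset + revoke sessions
}

// parseLine pulls the key=value fields out of one log line; malformed lines are skipped.
func parseLine(line string) (ip, user, result string, ok bool) {
	fields := map[string]string{}
	for _, f := range strings.Fields(line) {
		if k, v, found := strings.Cut(f, "="); found {
			fields[k] = v
		}
	}
	ip, user, result = fields["src"], fields["user"], fields["result"]
	return ip, user, result, ip != "" && user != "" && result != ""
}

// detectStuffing flags sources that tried at least minUsers distinct accounts
// with a failure rate of at least minFailRate.
func detectStuffing(lines []string, minUsers int, minFailRate float64) []Finding {
	stats := map[string]*ipStats{}
	for _, line := range lines {
		ip, user, result, ok := parseLine(line)
		if !ok {
			continue
		}
		s := stats[ip]
		if s == nil {
			s = &ipStats{users: map[string]bool{}}
			stats[ip] = s
		}
		s.attempts++
		s.users[user] = true
		if result == "OK" {
			s.succeeded = append(s.succeeded, user)
		} else {
			s.failures++
		}
	}
	var findings []Finding
	for ip, s := range stats {
		rate := float64(s.failures) / float64(s.attempts)
		if len(s.users) >= minUsers && rate >= minFailRate {
			sort.Strings(s.succeeded)
			findings = append(findings, Finding{SourceIP: ip, Attempts: s.attempts,
				DistinctUsers: len(s.users), FailureRate: rate, CompromisedUsers: s.succeeded})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].SourceIP < findings[j].SourceIP })
	return findings
}

// sampleLog is constructed test data: a stuffing source replaying 30 leaked pairs
// (2 of which still work), a user who mistypes a password twice, and a normal login.
func sampleLog() []string {
	var lines []string
	for i := 0; i < 30; i++ {
		result := "FAIL"
		if i == 4 || i == 17 {
			result = "OK" // reused passwords that still work: these accounts are compromised
		}
		lines = append(lines, fmt.Sprintf("2020-04-12T10:00:%02dZ src=203.0.113.7 user=user%02d@example.com result=%s", i, i, result))
	}
	return append(lines,
		"2020-04-12T10:01:00Z src=198.51.100.23 user=alice@example.com result=FAIL",
		"2020-04-12T10:01:05Z src=198.51.100.23 user=alice@example.com result=FAIL",
		"2020-04-12T10:01:20Z src=198.51.100.23 user=alice@example.com result=OK",
		"2020-04-12T10:02:00Z src=192.0.2.44 user=bob@example.com result=OK",
		"garbage line without fields",
	)
}

func main() {
	for _, f := range detectStuffing(sampleLog(), 10, 0.8) {
		fmt.Printf("%s: %d attempts across %d accounts, %.0f%% failed; compromised: %v\n",
			f.SourceIP, f.Attempts, f.DistinctUsers, 100*f.FailureRate, f.CompromisedUsers)
	}
}
```

The thresholds (10 distinct accounts, 80% failures) are tuning knobs, not magic numbers: at Zoom’s scale a real deployment would also window by time and correlate across the IP ranges a botnet rotates through, since a stuffing tool that spreads 30 accounts over 30 addresses defeats a per-IP count alone.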
Many organizations have banned Zoom in recent weeks. The U.S. Senate, New York City’s Department of Education, and the German Foreign Ministry have all warned against or barred use of the platform (2). Others have turned to the courts. Shareholder Michael Drieu filed a lawsuit in a California federal court alleging that Zoom had “significantly overstated” the degree to which its platform is encrypted and failed to disclose its “deficiencies” to shareholders (2). Security researchers found that while Zoom did encrypt users’ communications, it did not use end-to-end encryption, the arrangement in which only the participants hold the keys, so that not even the service operator can read the traffic (1). Chief executive Eric Yuan responded that end-to-end encryption was more difficult with more users, particularly for group calls, and said that the company had not been prepared for the surge of new users during the COVID-19 outbreak (1).
How have other platforms fared during the “stay-at-home” period? Why have we not seen “SkypeBombing” or “Google HangHacks” amid the surge in video calls? Other platforms did not grow the way Zoom did because the newcomers were mostly classes and workplaces that needed large meetings. Skype and Google Hangouts were not designed for meetings of more than about 10 people; they were built to let four or five people video chat (6). Zoombombing also depends on exactly what made Zoom convenient: large meetings that anyone holding the link or meeting ID could join without further checks.
Suitable for large groups like a class of students, Zoom meetings can hold more than 100 people. That scale is where end-to-end encryption gets hard. In an end-to-end design the meeting key is generated on the participants’ own devices and is never disclosed to the service; the server forwards encrypted audio and video that it cannot read, so only the people in the meeting (not the developers, and not anyone who compromises or compels the servers) can recover the content (5). Zoom’s design at the time did not work that way: its own servers generated the meeting key and handed it to each participant, which means those servers could decrypt every meeting they relayed. That is encryption between client and server, not end-to-end encryption (5). The reason providers lean toward a server-held key is that a large meeting asks the server to do more than forward packets: it receives dozens of audio and video streams, mixes and transcodes them, adds screen shares, cloud recordings and telephone dial-ins, and redistributes the result to every participant within milliseconds, and each of those operations needs the plaintext. Keep the key off the server and it can only shuffle opaque frames; every participant then has to decrypt and mix all the streams locally, which costs bandwidth and CPU and rules out server-side features such as recording and dial-in.
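To make the distinction concrete, here is an added Go example (not Zoom’s code; Zoom’s actual protocol is not shown on this page) that models the two key-distribution designs with a relay server in the middle. In the transport-encrypted flow the server generates the AES key and can therefore decrypt whatever it relays; in the end-to-end flow the host generates the key on its own device and wraps it to the guest’s X25519 public key, so the server only ever sees public keys, a wrapped key and ciphertext. X25519 with SHA-256 as the key derivation is an assumption chosen for brevity; a production design would use a real KDF bound to the meeting ID and would authenticate the public keys so the server cannot substitute its own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed illustration, not Zoom's code. Both flows protect a media frame with
// AES-128-GCM; they differ only in WHERE the meeting key is created.

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM prepends a fresh random nonce to the ciphertext.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM returns an authentication error for any key other than the sealing key.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// wrappingKey is the X25519 shared secret between two clients, hashed to 128 bits.
// SHA-256 stands in for a real KDF (HKDF bound to the meeting ID) for brevity.
func wrappingKey(mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) []byte {
	shared, err := mine.ECDH(theirs)
	if err != nil {
		panic(err)
	}
	k := sha256.Sum256(shared)
	return k[:16]
}

// transportEncrypted: the server mints the meeting key and issues it to the
// clients, so whatever the server relays it can also decrypt.
func transportEncrypted(frame []byte) (recipient []byte, serverErr error) {
	serverKey := randomBytes(16) // generated and retained on the server
	ct, _ := sealGCM(serverKey, frame)
	recipient, _ = openGCM(serverKey, ct)
	_, serverErr = openGCM(serverKey, ct) // the server reads it too
	return recipient, serverErr
}

// endToEnd: the host mints the meeting key on its own device and wraps it to the
// guest's public key; the server relays public keys, the wrapped key and media
// ciphertext, none of which lets it recover the key.
func endToEnd(frame []byte) (recipient []byte, serverErr error) {
	host, _ := ecdh.X25519().GenerateKey(rand.Reader)
	guest, _ := ecdh.X25519().GenerateKey(rand.Reader)
	meetingKey := randomBytes(16)                                            // never leaves the host unwrapped
	wrapped, _ := sealGCM(wrappingKey(host, guest.PublicKey()), meetingKey) // host -> server -> guest
	guestKey, _ := openGCM(wrappingKey(guest, host.PublicKey()), wrapped)   // guest unwraps locally
	ct, _ := sealGCM(meetingKey, frame)                                      // media, relayed by the server
	recipient, _ = openGCM(guestKey, ct)
	// The server's best effort: treat the public material it saw as key material.
	guess := sha256.Sum256(append(host.PublicKey().Bytes(), guest.PublicKey().Bytes()...))
	_, serverErr = openGCM(guess[:16], ct)
	return recipient, serverErr
}

func main() {
	frame := []byte("constructed audio frame")
	_, tErr := transportEncrypted(frame)
	_, eErr := endToEnd(frame)
	fmt.Println("server can read media: transport =", tErr == nil, "end-to-end =", eErr == nil)
}
```

The point of the second flow is structural rather than cryptographic: the server’s GCM open fails not because its guess was unlucky but because nothing it ever handled contained the meeting key. For a meeting of 100 the host repeats the wrap step once per participant, and the server still learns nothing; what it loses is the ability to mix, record or bridge those streams, which is the trade-off described above.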
Faced with the controversy, Zoom announced new security measures. It first said it would freeze feature work for the next three months and devote its engineering resources to security and privacy (1). It then removed the Facebook SDK from its iPhone app and disabled the LinkedIn data-mining feature on all platforms. It also changed defaults so that K-12 school meetings require a password and use a virtual waiting room, from which the host admits each participant individually (1). These two controls address different parts of the problem. Without a password, an intruder only has to land on a valid meeting ID, and because IDs are 9- to 11-digit numbers of a predictable form, trying IDs until one is live is feasible; requiring a password multiplies the number of combinations an attacker has to try. The waiting room is a second, independent check: even an intruder who does guess the right combination sits outside the meeting until the host lets them in.
Furthermore, the company has hired former Facebook CSO Alex Stamos as a consultant to improve its security practices and “build up [Zoom’s] security, privacy, and safety capabilities” (3). Yuan has assured the public that user privacy and security are Zoom’s top priority over the next few months and expressed confidence in the new measures (2). With the coronavirus unlikely to disappear soon, Zoom will remain under heavy scrutiny as one of the world’s primary video conferencing options.
Zoom’s mishaps offer a valuable lesson for video conferencing. When technology is needed most, an unprepared and undertested product can be both an asset and a liability to millions of people around the world. Hopefully Zoom can return as a helpful and trusted tool for educators and employers and repair its image as a platform plagued by privacy and security concerns.
– Jayden Personnat
- (1) Singer, N., Perlroth, N., & Krolik, A. (2020, April 8). Zoom Rushes to Improve Privacy for Consumers Flooding Its Service. The New York Times. Retrieved from https://www.nytimes.com/2020/04/08/business/zoom-video-privacy-security-coronavirus.html
- (2) Finnegan, M. (2020, April 9). Zoom hit by investor lawsuit as security, privacy concerns mount. Computerworld. Retrieved from https://www.computerworld.com/article/3537193/zoom-hit-by-investor-lawsuit-as-security-privacy-concerns-mount.html
- (3) Hodge, R. (n.d.). Zoom: Every security issue uncovered in the video chat app. CNET. Retrieved from https://www.cnet.com/news/zoom-every-security-issue-uncovered-in-the-video-chat-app/
- (4) Feldman, B. (2020, April 9). Is It Safe to Use Zoom? New York Magazine. Retrieved from https://nymag.com/intelligencer/2020/04/the-zoom-app-has-a-lot-of-security-problems.html
- (5) Marczak, B., & Scott-Railton, J. (2020, April 3). Move Fast and Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings. The Citizen Lab. Retrieved from https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
- (6) Kingsley-Hughes, A. (2020, March 26). Why are we all Zooming and not Skyping? ZDNet. Retrieved from https://www.zdnet.com/article/why-are-we-all-zooming-and-not-skyping/
- (7) Abrams, L. (2020, April 13). Over 500,000 Zoom accounts sold on hacker forums, the dark web. BleepingComputer. Retrieved from https://www.bleepingcomputer.com/news/security/over-500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/