Is Zoom safe to use? Here’s what you need to know
Zoom, a videoconferencing service created for corporate webinars and meetings, has grown into something more amid the coronavirus outbreak.
With the number of daily users exploding from 10 million to 200 million from December to March, it has become a forum for nearly every kind of social function,including happy hours, yoga sessions, school classes, funeral services as well as Passover, Easter and (soon) Ramadan rituals.
But no sooner had many tried Zoom for the first time than they began to hear reasons they might want to stay away.
Trolls have crashed meetings, flashing porn or racist slurs on screens. Security researchers released report after report on newly discovered vulnerabilities including leaked emails and bugs that might have allowed hackers to access webcams.
Earlier this month, Google warned employees not to use Zoom’s desktop application on their work computers “due to privacy and security vulnerabilities.” SpaceX, the U.S. Senate and New York City’s school district have enacted similar restrictions.
If you’re among the tens of millions of people who have become regular Zoom users in recent weeks, you may be wondering what all this means for you. Here’s a primer on some of the notable privacy and security lapses and how to keep your calls and data safe.
Is Zoom sending my data to Facebook?
A Vice investigation showed that Zoom’s app for iPhones sent data about users’ devices to Facebook, including about users who did not have Facebook accounts. The company was hit with at least two lawsuits in federal court, one by a California resident who alleges Zoom violated the state’s new Consumer Privacy Act by disclosing information to Facebook without providing consumers with adequate notice or the ability to opt out.
Zoom Chief Executive Eric Yuan said in a blog post March 27 that the company removed code that sent user data to Facebook in an updated version of the iOS app. The company updated its privacy policy March 29 after a swell of concern from users.
“I think Zoom wasn’t completely honest,” Electronic Frontier Foundation senior technologist Bill Budington said. “I think they are going through a lot of growing pains.”
A new law that will let you opt out of the online data economy goes into effect on Jan. 1 — assuming businesses can figure out how to make that happen in time.
How else might my information have been compromised?
Reports of Zoom’s vulnerabilities predate the coronavirus crisis. Last July, security researcher Jonathan Leitschuh exposed a flaw that allowed hackers to take over Mac webcams through the app. The company fixed the problem after a public interest research center filed a complaint with the Federal Trade Commission.
Thousands of personal Zoom videos were left viewable on the open web, including one-on-one therapy sessions, telehealth calls, and elementary school classes, the Washington Post reported. People’s names, phone numbers and intimate conversations were revealed and children’s faces and voices were exposed.
Several people identified in the videos told the Post they did not know how the videos made their way online. Zoom said in a statement that meetings are only recorded at the host’s choice and are stored either locally on their device or in the Zoom cloud using a “safe and secure” method, and that users should exercise caution if they later choose to upload their meetings elsewhere.
Experts say the company now seems to be making more serious efforts to identify and quickly patch vulnerabilities. It formed an advisory council of chief security officers from other companies and hired Alex Stamos, Facebook’s former chief security officer, as an advisor. “That’s a lot of money being thrown at the problem to improve security. That is not insubstantial,” said Leitschuh, who discovered the Mac camera vulnerability last year.
Are Zoom calls encrypted, and does that matter?
Zoom marketed its communications as protected by end-to-end encryption, which makes it, in effect, impossible for anyone, including the company itself, to spy on them. Recently, however, the Intercept revealed Zoom has been using a different type of encryption, called transport encryption, which enables the company to decode the content of calls.
That means the company could hypothetically be susceptible to pressure from government authorities to disclose communications, said Bill Marczak, a fellow at the Citizen Lab and a postdoctoral researcher at UC Berkeley.
That doesn’t make those calls uniquely vulnerable, however. Cellphone calls and Skype calls on default settings, for example, aren’t encrypted end to end either, and it’s unlikely the average person would need this type of security. But reporters or dissidents under oppressive regimes, government officials discussing classified information or big companies that want to keep their business strategies confidential might want to use a more secure platform, Budington said.
What information does Zoom give my boss or co-workers?
If you’ve been part of a long, boring webinar, you perhaps thought there would be no harm in checking your email or your Facebook feed to pass the time. So many were alarmed at the revelation of an “attention tracking” feature that allowed the meeting host to see when participants clicked away from the active Zoom window for more than 30 seconds. The company announced it had removed the feature in an April 2 blog post.
That’s not the only way hosts can gather information on attendees. They can also record audio and video from meetings and save a record of group chats. Some Zoom users were surprised to learn that if they use a tool that allows them to save the chat log from a call on their local devices — which many use as a way to document meeting minutes — that record will include private chats they’ve sent in addition to messages the group has sent.
What is ‘Zoombombing’?
Because Zoom is so easy to use, it has also been easy for people to exploit the app to sow mischief or chaos. “Zoombombing” is when uninvited participants interrupt or derail a meeting. Sometimes it’s harmless trolling, but often it rises to the level of harassment.
As USC and local school districts transitioned to online meetings, they reported getting Zoombombed with racist taunts and pornographic images. On Tuesday, Berkeley High School students were in the middle of a video conference when a man joined the Zoom meeting, exposed himself and shouted obscenities, the Mercury News reported.
The New York Times found scores of accounts on Instagram and on Reddit and 4Chan message boards where users coordinated to share meeting passwords and derail Zoom meetings.
Zoom’s default setting allowed anyone to join video calls if they had the meeting ID, which is a number 9 to 11 digits long. These meeting IDs are easy to guess — with an automated tool (called “war-dialing”), one could access thousands of meetings within a day by simply making a lot of guesses.
What are some steps I can take to make Zoom safer to use?
Be careful about how you share meeting IDs. Don’t post them publicly.
Generate a new ID for every meeting you launch using the options panel, instead of using your personal meeting ID. That way, if someone gets ahold of your personal ID, future meetings won’t be disrupted by Zoombombers.
You can toggle settings to ensure meeting participants need a password to access the meeting, which will further protect from disruption.
Enable Zoom’s “Waiting Room” feature, which lets meeting hosts keep would-be participants in a digital queue until they approve them to join the session. Beginning April 4, Zoom enabled the Waiting Room feature by default, requiring additional password settings for free users. Zoom has a guide to the feature on its website.
You can switch off a host of features that could be abused, if needed, including private chats, file transfers and custom backgrounds. The annotation feature, for example, could allow trolls to draw offensive shapes. You can also toggle the “allow removed participants to rejoin” option. Zoom has a guide to host controls on its website.
Keep your desktop app up to date, so that any patches Zoom makes to security vulnerabilities are added to your device.
If you want to be extra careful, use Zoom only on a mobile device, such as an iPad or an Android phone, because these versions go through review in the app stores.
What are some alternative platforms?
Signal and WhatsApp communications are encrypted end to end. WhatsApp allows encrypted calls with as many as four people. This is a suitable option for highly sensitive conversations.
There are also other video chatting services, such as Skype, Google Hangouts, Webex from Cisco, and FaceTime on Apple devices. Microsoft also offers powerful web, audio and video conferencing tools through its Microsoft Teams platform.
The bottom line
The reality is you can’t see your friends, your classmates and maybe your co-workers right now. You can’t eat at restaurants and you definitely can’t go to bars. Zoom is one of the platforms people have ubiquitously adopted to replace these in-person interactions amid the coronavirus outbreak. And it works relatively well.
It’s OK to use Zoom, experts say. Just be thoughtful about what you’re using it for and observe a few precautions.
Disclosure: Times owner Patrick Soon-Shiong invested in Zoom and serves as an advisor to the company.
More to Read
Updates
2:53 p.m. April 16, 2020: This story has been updated to include Zoom’s response to a report that thousands of video recordings of calls were left viewable on the open web.