Zoom Meetings logo is seen displayed on a smartphone. (Photo Illustration by Rafael Henrique/SOPA ... [+]
Since the novel coronavirus kicked off a rolling wave of workplace and school shutdowns last month, more and more people have been turning to remote collaboration tools for work, education, and keeping up with friends and family. A huge part of this is a new reliance on video conferencing and collaboration.
Of all the options out there, one company in particular has come under immense scrutiny for not being up to the task of delivering the privacy and security necessary for such widespread use. It has also, deservedly, received acclaim for its simplicity, user experience, and ability to scale. Coincidentally, it has also become one of the most popular tools during the time of Covid-19—according to the New York Times, around 600,000 people downloaded the app this previous Sunday. This is actually quite frightening—bad actors will absolutely look to take advantage of the opportunity presented by this influx of remote workers using unsecured tools. I wanted to take some time to look at some of the complaints being lodged against Zoom and the stories that are arising from it, with some recommendations at the end.
.. we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.
Is Zoom keeping your personal and corporate data private?
The New York Times reported this week that Zoom’s videoconferencing platform had been running a data-mining feature, which enabled some participants to view other users’ LinkedIn profile data without their consent or notification. According to the publication’s investigation, Zoom’s software was set up to automatically give names and email addresses of users to a system, which it then used to match the users with their profiles on LinkedIn. LinkedIn users who subscribed to the company’s LinkedIn Sales Navigator service, for sales prospecting, could then click on a LinkedIn icon next to a Zoom user to learn information such as their locations, employer, and job position—all unbeknownst to them. The Times found that this function worked even when users were signed in anonymously, or under pseudonyms (such as a reporter attempting to keep their efforts private). One particularly disturbing discovery was that this information was sent to Zoom’s data-mining tool even if nobody in the meeting at requested it.
While LinkedIn and Zoom agreed to disable this service after being contacted by the Times, I believe it doesn’t speak well of the company that it took being publicly outed to cease this particular data-mining operation. As a result of the incident, the company agreed to put a 90-day moratorium on rolling out new services in order to focus on privacy and security.
The LinkedIn episode was not the only time eyebrows have been raised at Zoom’s handling of user data. Vice reported last week that Zoom’s iOS app transfers user data to Facebook, confoundingly, even if you don’t possess a Facebook account. While it’s not uncommon practice for businesses that utilize Facebook SDKs to build their apps to relay certain information to Facebook, the issue arises when users do not realize that by signing onto one product, they are actually agreeing to send data to an entirely different entity. According to Vice, there was nothing in Zoom’s privacy policy that explicitly informed users of this data sharing with Facebook. After being reached out to for comments, Zoom reportedly apologized for the oversight, and announced that it was removing the Facebook SDK and reconfiguring the feature to prevent it from collecting “unnecessary device data.”
Zoom does not support end-to-end encryption, yet it said it did
Zoom’s platform extended the option for users to hold “end-to-end encrypted” conferences, going as far to tout it as a key feature of its service. The only problem is—that is not true. According to The Intercept, what it actually uses TLS, which, while significantly better than no encryption at all, is not the same thing as end-to-end encryption.
I can’t recommend any regulated industry, businesses who takes privacy and security seriously or schools to use Zoom right now until all these issues are ironed out.
With true end-to-end encryption, not even the organization hosting the service can gain access to the connection. Guess what? Zoom can if they wanted to.
Furthermore, the company can be strong-armed into providing this intercepted video and audio data to governments. When pressured, Zoom fessed up that true end-to-end isn’t possible for its video meetings. Instead, according to The Intercept, the company insisted it meant its own (might I add incorrect) definition of the phrase—encrypted from Zoom end-point to Zoom end-point.
“Zoombombing”
Another disturbing complaint against Zoom is a growing trend in which trolls to jump onto public Zoom conferences and utilize the screen-sharing feature to project inappropriate, graphic content—such as pornography, or a Nazi swastika. This odious practice has become known as “zoombombing,” and was detailed in a recent New York Times article.
Today, the New York times wrote an even more in-depth article on the coordinated, “weaponization” of Zoom that is simply scary. The investigation was comprised of 152 Instagram accounts, “dozens” of Twitter accounts and private chats, 14 “active” Discord groups and “several active” Reddit and 4Chan message boards. The FBI issued a related warning Tuesday which you can find here.
Security expert Brian Krebs discovered here that there’s a new “automated Zoom meeting discover tool called ‘zWarDial’ “ that disrupters are using to find non-password protected Zoom meetings that could be “bombed.” Krebs says the tool “evades Zoom’s attempts to block automated meeting scans by routing the searches through multiple proxies in Tor, a free and open-source software that lets users browse the Web anonymously.”
FBI's warning on Zoom and "zoombombing"
While hosts of public meetings can modify their settings so that only they can utilize screen-share, the default setting gives every member the capability. A spokesperson for Zoom recommended that users either make events invitation only or change the default settings in order to address the problem. However, I believe the onus should be on Zoom to change its defaults so that you have to opt-in to screen-sharing—this way users don’t have to learn this lesson the hard way.
The larger issue at hand
Another exposé, published on Medium serves to highlight what I see as the key issue with Zoom’s opeeating mode.
A security researcher, Jonathan Leitschuh, published a write-up back in July 2019 highlighting a significant vulnerability in the Mac Zoom Client, which would potentially allow bad actors to access users’ cameras without permission. Basically, he found that any website had the ability to forcibly join a user into a Zoom conference—potentially putting the approximately 750,000 companies, globally, that used Zoom at the time to conduct their business at risk. Furthermore, the Leitschuh found this vulnerability had the potential to be exploited for a denial of service attack (DOS), in which a user would repeatedly be joined to an invalid call, hijacking the Mac.
Leitschuh reportedly originally reached out to Zoom about the issue in early March 2019. After a long, protracted back and forth, Zoom finally reported the vulnerability had been fixed in late June, and made a public disclosure about it in July. However, the problem was reportedly not addressed by Zoom until a public interest research center, the Electronic Privacy Information Center, filed a complaint against the company with the FTC. While it’s certainly good that Zoom ultimately patched the vulnerability, what is less good is the fact that it took so long to be addressed once the initial red flag was raised. Moreover, it’s another example of Zoom’s tendency to only address its various liabilities—its vulnerabilities, false claims, and sketchy data-mining practices—once it has been called out. I do not believe this is the type of behavior of a company that is operating in good faith towards the consumer, government or business.
While Zoom CEO Eric Yuan did come out this week to address some of the controversies, I do not think enough was actually said to reassure the public of the company’s supposed commitment to data privacy and security. While he said that the company would spend the next 90 days putting resources into better identifying, addressing, and fixing issues, no specific new security measures were announced beyond saying that the company had addressed the aforementioned issues brought to light by third parties. The rest of the letter seemingly focused on the ways Zoom was educating its customers to “address” these issues themselves. Again, putting the onus on the customers.
Legal troubles
All of these stories have not gone unnoticed by the Justice Department. The New York Times reported on Monday that the office of New York’s attorney general, Letitia James, reportedly sent Zoom a letter asking what, if any, new steps the company was taking to detect malicious actors and ensure security for the increased traffic on its network brought on by coronavirus. The letter purportedly expressed concerns with the company’s historic slowness to remediate security flaws such as the ones outlined above.
Additionally, Zoom is being taken to court in California in a class-action lawsuit alleging the company shared users’ personal data with external companies, like Facebook, mentioned earlier, without disclosing to its customers what was happening. According to CBS News, the lawsuit also alleges Zoom was paid an undisclosed sum for sharing this user data, a claim that Zoom denies.
The new Facebook?
With all of Zoom’s missteps, apologies and declarations to do better in the future in such a short time, I believe the company is looking more like Facebook than a serious video and communications tool like Cisco Webex, Microsoft Teams or Google Hangouts and Meet. Like Facebook, I believe Zoom rushes out features, stumbles on security and privacy, apologizes, fixes it, and says it will do better in the future. Zoom is business-smart in the sense that it has seen Facebook screw up over and over and again and not really be severely wounded for its actions. A Wired article entitled “Why Zuckerberg’s 14-Year Apology Tour Hasn’t Fixed Facebook” illustrates this well.
Who should avoid Zoom right now
As an industry analyst, where I come down on all of this is simple. I can’t recommend any regulated industry, a business who takes privacy and security seriously or schools to use Zoom right now until all these issues are ironed out. Come back and reassess in the 90 days that CEO Eric Yuan said the company was reassessing security and privacy itself. Some big corporate names seem to agree—Elon Musk’s SpaceX has purportedly banned the use of Zoom video conferencing by its employees. Apple has reportedly banned Zoom as well. Both of these companies have some of the smartest people running their security and should give you some indication of what’s going on even if you aren’t a security or privacy expert.
I can highly recommend Zoom for consumers or businesses having public conversations, but for anything beyond that, I would have serious concerns. Even here, you have to worry about making sure your settings are correct else you still risk “Zoombombing.”
Instead, I would recommend looking at alternative video conferencing solutions, such as Cisco Webex, Microsoft Teams, and Google Meet. These are all very public-facing companies known for their enterprise-grade security and privacy. No companies are perfect and each of these companies has had issues spike, but these companies architect their products from the grounds up for security and privacy. Their companies future depends on their security and privacy so they can’t screw it up. In regards to the current influx of Webex users, Cisco’s CEO Chuck Robbins recently tweeted that his company regards data privacy as “a fundamental human right.” This is the sort of leadership and conviction that Zoom should take some cues from in this area. Until it truly puts data privacy and security first, I believe the company is going to continue to suffer from bad press and unwanted legal attention.
Disclosure: Moor Insights & Strategy, like all research and analyst firms, provides or has provided paid research, analysis, advising, or consulting to many high-tech companies in the industry, including Amazon.com, Advanced Micro Devices, Apstra, ARM Holdings, Aruba Networks, AWS, A-10 Strategies, Bitfusion, Cisco Systems, Dell, Dell EMC, Dell Technologies, Diablo Technologies, Digital Optics, Dreamchain, Echelon, Ericsson, Foxconn, Frame, Fujitsu, Gen Z Consortium, Glue Networks, GlobalFoundries, Google, HP Inc., Hewlett Packard Enterprise, Huawei Technologies, IBM, Intel, Interdigital, Jabil Circuit, Konica Minolta, Lattice Semiconductor, Lenovo, Linux Foundation, MACOM (Applied Micro), MapBox, Mavenir, Mesosphere, Microsoft, National Instruments, NetApp, NOKIA, Nortek, NVIDIA, ON Semiconductor, ONUG, OpenStack Foundation, Panasas, Peraso, Pixelworks, Plume Design, Portworx, Pure Storage, Qualcomm, Rackspace, Rambus, Rayvolt E-Bikes, Red Hat, Samsung Electronics, Silver Peak, SONY, Springpath, Sprint, Stratus Technologies, Symantec, Synaptics, Syniverse, TensTorrent, Tobii Technology, Twitter, Unity Technologies, Verizon Communications, Vidyo, Wave Computing, Wellsmith, Xilinx, Zebra, which may be cited in this article.
