Business is booming for Zoom, but so are concerns about its data privacy and security practices.
Use of the video conferencing service has soared amid the COVID-19 pandemic, as it is reliable and easy to use, especially for those working from home.
Zoom was developed primarily for business communications; however, the COVID-19 pandemic has created a global escalation in remote work arrangements. Zoom is now also being widely used for virtual education, telehealth and online social gatherings.
Zoom has historically experienced security flaws, but more recently its data privacy and security practices have attracted significant media attention and scrutiny from the New York state regulator.
What are the specific concerns?
The New York Times recently reported that the office of the New York Attorney General is concerned that Zoom’s security measures are inadequate to handle the sudden surge in network traffic volume and properly protect sensitive user data.
They argue that Zoom has been slow to address security flaws, for example vulnerabilities that could allow hackers to take over webcams.
News organisation The Intercept highlighted that Zoom audio and video calls do not actually support end-to-end encryption. End-to-end encryption means that content is fully protected from third parties, including Zoom itself.
Encryption Issues
The encryption that Zoom uses appears to be similar to ‘transport encryption’, which secures the connection between a user’s computer and an external server. This resembles the way URLs using HTTPS secure the connection between a website’s server and the computer accessing it. Despite this, Zoom’s website indicates that end-to-end encryption is supported.
Implications
The implication is that when you have a Zoom meeting, the video and audio content stays private from anyone spying on your Wi-Fi, but the content won’t stay private from Zoom. Zoom claims that it does not directly access, mine, or sell user data.
Without end-to-end encryption, Zoom has the technical ability to spy on private video meetings, and could be legally compelled to provide recordings of meetings to governments or law enforcement agencies. Google, Facebook, and Microsoft publish transparency reports that disclose the country of origin, the number of government requests for user data they receive and the number that they comply with. However, Zoom does not publish transparency reports to help users understand how their data is protected.
Transparency reports are a highly effective way to disclose privacy threats. They inform our understanding of surveillance laws in different jurisdictions and of network shutdowns, and provide data on companies that are opposing improper requests for information.
ZoomBombing
ZoomBombing is a new trend where trolls are exploiting Zoom’s screen-sharing feature to share disturbing and/or offensive content.
To counter this, Zoom advises users to utilise the Waiting Room feature which allows the host to control when a participant joins the meeting. Meeting hosts can change the platform’s default administrative settings to ensure the screen-sharing option is disabled for everyone except the host, and meeting hosts can also mute participants. Those hosting private meetings or virtual classrooms can set up password protections that prevent uninvited users from joining.
Windows Issues
iTNews reported that Zoom has a high-risk security issue in its Windows client that can be used for limited remote code execution and, potentially worse, to capture and replay security tokens to access network resources.
iTNews also mentioned that the Zoom Windows desktop client is vulnerable to a high-risk Universal Naming Convention (UNC) injection flaw in how the app handles Uniform Resource Identifier (URI) paths.
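As an added illustration (not Zoom’s code and not from the iTNews report), this is the defensive check a chat or URI handler would want for the flaw described above: UNC-style paths and file: URIs are always rendered as plain text, never as clickable links, and are reported separately so they can be logged. The function names and sample messages are constructed for the example.

```python
import html
import re

# Schemes a chat client should be willing to turn into clickable links.
ALLOWED_SCHEMES = ("http", "https")

# Anything a Windows client could resolve to a network share:
#   \\host\share, //host/share, file://host/share
# The lookbehind stops the "//" inside "http://host/..." from matching.
UNC_RE = re.compile(
    r'(?<![A-Za-z0-9:\\/])(?:\\\\|//|file:/{2,})[A-Za-z0-9._-]+[\\/][^\s<>"]+',
    re.IGNORECASE,
)

# Any scheme://... token; the scheme is checked against ALLOWED_SCHEMES.
URL_RE = re.compile(r'\b[a-z][a-z0-9+.-]*://[^\s<>"]+', re.IGNORECASE)


def find_unc_paths(text):
    """Return every UNC-style path or file: URI found in a message (for logging)."""
    return UNC_RE.findall(text)


def linkify(text):
    """Render a chat message as HTML, hyperlinking only http(s) URLs.

    UNC paths never match URL_RE, so they fall through as escaped text;
    file: and other schemes match URL_RE but are rejected by the allow-list.
    """
    out, pos = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        url = m.group(0)
        scheme = url.split("://", 1)[0].lower()
        if scheme in ALLOWED_SCHEMES:
            out.append(f'<a href="{html.escape(url)}">{html.escape(url)}</a>')
        else:
            out.append(html.escape(url))  # file:// etc. stay plain text
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample messages.
    for msg in ("see \\\\fileserver\\share\\doc.txt",
                "open file://srv/share/x.txt",
                "go to http://example.com/a"):
        print(find_unc_paths(msg), "->", linkify(msg))
```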
A Motherboard article also mentions that Zoom’s Company Directory feature leaks email addresses and photos. The Company Directory feature is intended to pool users of the same domain name to make it easier to find colleagues in the same company. However, many users are claiming that their personal email addresses have been pooled with thousands of random people and that their personal data, including full names, email addresses, profile pictures and statuses, were all shared with strangers.
Zoom Phone App
The Zoom phone app also has data privacy and security concerns, and Zoom’s approach to resolving these issues has proven inadequate.
In response to Motherboard finding that the Zoom iOS app was sending analytics information to Facebook when users opened the app, Zoom removed the code.
Zoom subsequently issued an update to its app to remove the tracking software and added clarifications to its privacy policies, and is now facing a class-action lawsuit over the data the iOS app was sharing with Facebook.
Agilient urges all users of video conferencing phone and computer services to be vigilant with their security settings.
Online collaborative services, such as Slack and Microsoft Teams, enable employees to collaborate online. Agilient favours MS Teams for the quality of its security protection.
Agilient’s expert consultants are available to assist you in addressing any security concerns during the current period of heightened risk. Please contact us for assistance with your cybersecurity.
Author: Phillipa Lee, Agilient Consultant