With millions of people around the world working from home, business is booming for Zoom. However, this is bringing more attention to the company and its privacy issues.
Zoom Privacy Issues
Zoom not only tracks your attention, it tracks you.
The encryption that Zoom uses to protect meetings is TLS. This is the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and an HTTPS website is encrypted.
Simply put, when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi. However, it won’t stay private from the company.
According to a report from Motherboard:
Popular video-conferencing app Zoom is leaking personal information of at least thousands of users. This includes their email address and photo. It’s giving strangers the ability to attempt to start a video call with them through Zoom.
The issue lies in Zoom’s “Company Directory” setting. It automatically adds other people to a user’s list of contacts if they signed up with an email address that shares the same domain. This can make it easier to find a specific colleague to call when the domain belongs to an individual company.
In the last week alone, it has emerged that Zoom’s calls are not end-to-end encrypted despite several claims that they are.
The potential security issues that Zoom’s facing are myriad. Already, numerous reports have emerged of threat actors hijacking Zoom meetings. Apparently, they are upending the meetings with hate speech, threats of sexual harassment, and pornographic images. Some of the attacks have even gone so far as to threaten those attending the meeting with physical harm.
Our video call was just attacked by someone who kept sharing pornography + switching between different user accounts so we could not block them. Stay tuned for next steps. And I am sorry to everyone who experienced. We shut down as soon as we could.
— Jessica Lessin (@Jessicalessin) March 20, 2020
Zoom meetings have an option to be password protected, but there are still ways attackers could bypass that. Check Point Research on Monday pointed to cybercriminals setting up fake Zoom domains. They then persuade victims to enter their account credentials into that domain. The credentials could then be used to snoop in on conference meetings.
Zoom’s Data Collection and Data Sharing
- Physical address
- Email address
- Phone number
- Job title
Even if you don’t make an account with Zoom, it will collect and keep data on what type of device you are using and your IP address. It also collects information from your Facebook profile if you use Facebook to sign in.
Some of this data you enter yourself when you are signing in (for example, to join a call online, you must give your email). However, much of it is collected automatically by the Zoom app.
It’s important to note that the Company Directory issue does not affect users with common email addresses such as Gmail, Yahoo or Hotmail accounts. However, the app appears to have missed enough personal email domains that thousands of users have had their personal data shared with strangers.
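The Company Directory behaviour described above, modelled as an added example (not Zoom's code and not from the original article): grouping sign-ups by email domain behind a denylist of public providers exposes users of any shared domain the list misses, while grouping only domains an organisation has verified does not. All addresses, domains, list contents and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed denylist of shared mail providers; the real list is not on the page.
PUBLIC_PROVIDERS = {"gmail.com", "yahoo.com", "hotmail.com"}

# Constructed sign-ups. "smallisp.example" stands for a shared provider
# that the denylist has missed.
SIGNUPS = [
    "alice@corp.example",
    "bob@corp.example",
    "carol@smallisp.example",
    "dave@smallisp.example",
    "erin@gmail.com",
    "frank@gmail.com",
]

def domain_of(email):
    """Return the lower-cased domain part of an address."""
    return email.rsplit("@", 1)[1].lower()

def _contacts(groups):
    """Map each grouped user to the other users auto-added to their contacts."""
    return {u: sorted(members - {u}) for members in groups.values() for u in members}

def directory_denylist(signups, public_providers):
    """Weak design: group every domain except those on a denylist."""
    groups = defaultdict(set)
    for email in signups:
        d = domain_of(email)
        if d not in public_providers:
            groups[d].add(email)
    return _contacts(groups)

def directory_allowlist(signups, verified_org_domains):
    """Safer design (assumption): group only domains verified as organisation-owned."""
    groups = defaultdict(set)
    for email in signups:
        d = domain_of(email)
        if d in verified_org_domains:
            groups[d].add(email)
    return _contacts(groups)

if __name__ == "__main__":
    # Denylist: carol and dave, strangers on a shared provider, see each other.
    print(directory_denylist(SIGNUPS, PUBLIC_PROVIDERS))
    # Allowlist: only the verified company domain is grouped.
    print(directory_allowlist(SIGNUPS, {"corp.example"}))
```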
Security Measures and How To Protect Your Data
In the meantime, Zoom users can make sure they’re taking extra security precautions.
- Set a password for your meetings: This adds a randomly generated password that invitees will need to input. Use a numerical password to authenticate users who connect by phone. Do not embed the password in the meeting link.
- Use two devices during meetings or calls: Use your phone to check your email or chat with other call attendees. This way you will not trigger the attention tracking alert.
- Do not use Facebook to sign in: It is a poor security practice and dramatically increases the amount of personal data Zoom has access to.
- Keep your app updated: Zoom removed the remote web server from the latest versions of its apps. If you recently downloaded Zoom, there’s no need to be concerned about this specific vulnerability.