We believe it's important for our community, many of whom may be switching to Zoom in their workplace during the coronavirus outbreak, to be mindful of these issues, and this post looks at each of them in detail. At the end, we'll offer some suggestions for what you can do to protect yourself while using Zoom.
Zoom privacy regarding your data
Zoom not only tracks your attention, it tracks you.
Some of this data you enter yourself when signing in (for example, to join a call online, you must give your email), but much of it is collected automatically by the Zoom app.
An article in Vice pointed out that the Zoom iOS app shared a substantial amount of user data with Facebook, even if the user did not have a Facebook account. However, two days after this story was published, Zoom removed the code that sent data to Facebook. In a statement to Vice, Zoom explained it was unaware that the Facebook software development kit (SDK) used to implement the "Login with Facebook" feature in its app was collecting unnecessary data. The statement also listed the types of device data the Facebook SDK had collected, including the mobile operating system (OS) type and version, the device time zone, device model and carrier, screen size, processor cores, and disk space.
Zoom is now facing a class action lawsuit from a California resident who alleges that Zoom violated the California Consumer Privacy Act by not getting users' consent before sharing their data with Facebook. In addition, the New York Attorney General's office recently sent a letter to the company, expressing concern that Zoom's existing security practices fail to secure its users' data. The Attorney General's primary concern is that Zoom may not be doing enough to meet the state's requirements to protect student data: Zoom recently increased the number of participants allowed on its free calls to help teachers and schools reach students at home.
Zoom does not use end-to-end encryption
Zoom used its own definition of end-to-end encryption (E2EE), one that is likely to mislead many of its users. Despite both Zoom's website and its security white paper claiming that calls using "computer audio" are end-to-end encrypted, The Intercept found that Zoom only uses transport layer security (TLS) encryption, the same encryption that protects all websites that use HTTPS.
TLS encryption protects Internet connections from being eavesdropped on by third parties, but in this case it does not protect the data from Zoom itself: the TLS connection terminates at Zoom's server, which handles the audio and video in decrypted form. This differs from E2EE services like ProtonMail. With true E2EE, a message (or video chat) is encrypted on a user's device and cannot be decrypted until it reaches the recipient's device. No one in between, the service operator included, can decrypt or access unencrypted data between the two end users.
A Zoom spokesperson clarified that E2EE to Zoom means "the connection [is] encrypted from Zoom end point to Zoom end point." Here "end point" refers to the Zoom server, not the Zoom app on a user's device. This is not true E2EE.
In response to this report and the widespread confusion, Zoom put out a blog post that acknowledged, "there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it."
Zoom has since announced that it will make true end-to-end encryption available for all users.
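The difference between the two designs comes down to who holds the key that decrypts the content. The following toy model, added here as an illustration and not code from Zoom or ProtonMail, relays one message from Alice to Bob through a server in both configurations and records everything the server could read. The Diffie-Hellman group and the HMAC-based stream cipher are deliberately small stand-ins for TLS and a real AEAD cipher (the group size is nowhere near safe for real use); the only thing modelled faithfully is key placement. Names, the `/register`-style handshake and the sample message are constructed for the example.

```python
"""Toy relay model: hop-by-hop (transport) encryption vs. end-to-end encryption.
Added illustration, not Zoom's or ProtonMail's code; primitives are simplified stand-ins."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters. 2**127 - 1 is prime, but this group is far too small
# for real use; it is chosen only to keep the example self-contained and fast.
P = 2**127 - 1
G = 5


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2            # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)


def dh_shared_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)                # g^(ab) mod p, identical on both sides
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a toy stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Client:
    def __init__(self):
        self.priv, self.pub = dh_keypair()

    def key_with(self, peer_pub):
        return dh_shared_key(self.priv, peer_pub)


class Server:
    """The relay in the middle. `observed` keeps every byte string it handled, in the
    form it saw it: this is what a logging, subpoenaed or compromised server could retain."""

    def __init__(self):
        self.transport_keys = {}
        self.observed = []

    def register(self, name, client_pub):
        """TLS stand-in: a key shared between ONE client and the server."""
        priv, pub = dh_keypair()
        self.transport_keys[name] = dh_shared_key(priv, client_pub)
        return pub

    def relay_transport(self, blob, sender, recipient):
        """'Zoom end point to Zoom end point': decrypt on arrival, re-encrypt on the way out."""
        plaintext = decrypt(self.transport_keys[sender], blob)
        self.observed.append(plaintext)
        return encrypt(self.transport_keys[recipient], plaintext)

    def relay_opaque(self, blob):
        """True E2EE: the server holds no content key, so it can only forward ciphertext."""
        self.observed.append(blob)
        return blob


def transport_only_call(message):
    """Each leg is encrypted to the server; the server necessarily sees the plaintext."""
    server, alice, bob = Server(), Client(), Client()
    k_alice = alice.key_with(server.register("alice", alice.pub))
    k_bob = bob.key_with(server.register("bob", bob.pub))
    delivered = server.relay_transport(encrypt(k_alice, message), "alice", "bob")
    return decrypt(k_bob, delivered), server.observed


def e2ee_call(message):
    """Alice and Bob agree a key with each other; the server only ever forwards ciphertext.
    (In practice this ciphertext also travels inside TLS; that outer layer is omitted here.)"""
    server, alice, bob = Server(), Client(), Client()
    k_alice = alice.key_with(bob.pub)              # public keys may transit the server unchanged
    k_bob = bob.key_with(alice.pub)
    delivered = server.relay_opaque(encrypt(k_alice, message))
    return decrypt(k_bob, delivered), server.observed


def server_could_read(observed, message):
    """True if the message appears in cleartext anywhere in what the server handled."""
    return any(message in seen for seen in observed)
```

Running `transport_only_call(b"...")` delivers the message correctly and leaves a cleartext copy in `server.observed`; `e2ee_call` delivers it equally correctly but the server's record contains only nonce, ciphertext and tag. Note that the E2EE variant still needs the clients to authenticate each other's public keys (out of band, or via a transparency mechanism), otherwise the relay could substitute its own key and the scheme degrades back to the first case; that check is outside this toy.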
Zoombombing
Online trolls have disrupted numerous online conference calls by sharing disturbing or pornographic material using Zoom's screen share feature. This has become known as "Zoombombing," and it is a widespread problem.
By default, Zoom allows any participant to share their screen with the call without permission from the host. If a call is public, anyone with the URL to the call can join. Together, these defaults have allowed malicious actors to sneak into calls using publicly shared links and then take over by sharing their screen and showing the audience offensive material.
Our video call was just attacked by someone who kept sharing pornography + switching between different user accounts so we could not block them. Stay tuned for next steps. And I am sorry to everyone who experienced. We shut down as soon as we could.
— Jessica Lessin (@Jessicalessin) March 20, 2020
The camera hacking bug
Last year, security researcher Jonathan Leitschuh discovered that Zoom installed a local web server on a user's Mac that allowed Zoom to bypass a security feature in Safari 12. This web server was not mentioned in any of Zoom's official documentation. It was used to bypass the pop-up window that Safari 12 would show before a website could turn on your device's camera.
However, this local web server was also not adequately secured: pretty much any website could interact with it, because a web page can send requests to a service listening on localhost. The result was that Zoom allowed malicious websites to take over your Mac's camera without ever alerting you.
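The underlying pattern is a helper service on localhost that obeys whatever request reaches it, which means any page in the user's browser can drive it. The example below is added here to make that concrete; it is not Zoom's code, and the path, port placeholder, header name and origin allowlist are hypothetical. Both handlers take the request as plain values and return an HTTP status with a reason, so the decision logic can be exercised without opening a socket. The hardened handler applies the three checks a practitioner would expect: no state change on GET, an Origin allowlist, and a per-install secret in a custom header that forms and image tags cannot supply.

```python
"""Localhost helper services and cross-site requests: the exposed pattern next to a hardened one.
Added illustration, not Zoom's code. Paths, header and origin names are hypothetical."""
import hmac

ALLOWED_ORIGINS = {"https://conferencing.example"}   # hypothetical allowlist of first-party origins
TOKEN_HEADER = "x-local-token"                        # hypothetical header carrying a per-install secret


def vulnerable_handle(method, path, headers, install_token):
    """The pattern described above: any request that reaches /launch is obeyed.
    An <img src="http://localhost:PORT/launch?..."> on any web page is enough to trigger it."""
    if path.startswith("/launch"):
        return 200, "camera enabled, joining call"
    return 404, "not found"


def hardened_handle(method, path, headers, install_token):
    """Only obeys state-changing requests that an arbitrary web page cannot forge."""
    h = {k.lower(): v for k, v in headers.items()}
    if method == "OPTIONS":
        # CORS preflight: answer without any Access-Control-Allow-* headers, so the browser
        # refuses to send the real request from an untrusted origin.
        return 403, "cross-origin access denied"
    if not path.startswith("/launch"):
        return 404, "not found"
    if method != "POST":
        # <img>, <script>, <link> and navigations all issue GETs: never change state on GET.
        return 405, "method not allowed"
    origin = h.get("origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        # Browsers attach Origin to cross-site POSTs; absent or unexpected means untrusted.
        return 403, "origin not allowed"
    supplied = h.get(TOKEN_HEADER, "")
    if not hmac.compare_digest(supplied.encode(), install_token.encode()):
        # A custom header forces a preflight (refused above), so forms and img tags cannot set it.
        return 403, "missing or wrong token"
    return 200, "camera enabled, joining call"


# Constructed requests for the demonstration (not captured traffic).
INSTALL_TOKEN = "constructed-per-install-secret"
DRIVE_BY_IMG = ("GET", "/launch?action=join", {"Referer": "https://evil.example/page"})
FORGED_POST = ("POST", "/launch?action=join", {"Origin": "https://evil.example"})
LEGIT_POST = ("POST", "/launch?action=join",
              {"Origin": "https://conferencing.example", "X-Local-Token": INSTALL_TOKEN})


def compare_handlers(request, token=INSTALL_TOKEN):
    """Status codes returned by (vulnerable, hardened) for the same request."""
    return vulnerable_handle(*request, token)[0], hardened_handle(*request, token)[0]
```

Against the drive-by image request the exposed handler returns 200 and turns the camera on, while the hardened one returns 405; a forged cross-site POST without the token gets 403; only a POST from the allowlisted origin carrying the install secret is honoured. Binding the listener to 127.0.0.1 does not help on its own, since the attacking page runs in a browser on that same machine. The stronger remedy, and the one the article reports Zoom eventually took, is not to run such a listener at all; where one is unavoidable, the service should still defer to the browser's or OS's own consent prompt rather than bypass it.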
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
— Matt Haughey (@mathowie) July 9, 2019
This led the Electronic Privacy Information Center to file an FTC complaint against Zoom, alleging that Zoom "intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user."
While Zoom has since removed these local web servers, its cavalier approach to getting user permission and its repeated disregard for security and privacy concerns in the pursuit of convenience raise serious questions about trust.
How you can protect your data
As Zoom becomes the standard video conferencing tool, there are some steps you can take to keep your data safe.
- Do not use Facebook to sign in: It might save time, but it is a poor security practice and dramatically increases the amount of personal data Zoom has access to.
- Keep your Zoom app updated: Zoom removed the local web server from the latest versions of its apps. If you recently downloaded Zoom, there's no need to be concerned about this specific vulnerability.
- Prevent intruders and Zoombombing on your calls: Before you set up a public Zoom call, go to Settings and turn Screen Sharing to “Host only,” disable “Join Before Host,” disable “Allow Removed Participants to Rejoin,” and disable “File Transfers.” If practical, you should also protect your conference call with a password.
We recognize that working from home is going to require a reconfiguring of how companies, offices, and employees work. However, workers' personal privacy should not be sacrificed in this transition.
Now that offices are closed, it is more important than ever that workers remember security guidelines. We have resources that can help you stay safe. Our IT security ebook, with its email security and IT security best practices lists, can help employees maintain their security and privacy while working from home.
UPDATE March 27, 2020: This article was updated to incorporate the news that Zoom's iOS app shares data with Facebook.
UPDATE March 30, 2020: This article was updated after Zoom removed the code that shared users' device data with Facebook.
UPDATE April 1, 2020: This article was updated after the New York Attorney General requested security information from Zoom and a California resident filed a class action suit against the company. It also incorporates new information discovered about Zoom's false claims regarding end-to-end encryption and new reporting on Zoombombing.
UPDATE May 4, 2020: This article was updated to show that Zoom removed its attendee attention tracking feature, which alerted the hosts of a call if you minimized or clicked away from your Zoom window for 30 seconds. It also now includes Zoom's explanation for why it was using "end-to-end encryption" in its marketing.
UPDATE June 9, 2020: This article was updated after Zoom announced it would make end-to-end encryption available only for paying users.
UPDATE June 25, 2020: This article was updated after Zoom backtracked from its original stance that it would only offer end-to-end encryption to paying users. It has since announced that E2EE will be available to all users, including those on a free plan.
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy.
ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.