Zoom, the video conferencing app that really shot to prominence when social distancing measures were brought in around the world, can’t seem to keep itself out of the headlines right now.
The company has dropped clanger after clanger after clanger over recent days, ones that are serious enough to make you reconsider whether you should be using Zoom at all. Summarised below are some of the key issues that have emerged so far.
In a blog post published on April 1, Zoom apologised to users and said that over the next 90 days, all of its engineering resources will shift their focus to the service’s “biggest trust, safety, and privacy issues”.
Related: How to delete a Zoom account
Not end-to-end encryption
On March 31, The Intercept revealed that Zoom’s definition of “end-to-end encryption” is different to the common understanding of “end-to-end encryption”.
The Intercept discovered that though Zoom meetings are encrypted, the company has the ability to access the unencrypted video and audio content from calls made through its service. In other words, calls are not end-to-end encrypted, despite the fact that Zoom has been telling users otherwise.
“Currently, it is not possible to enable E2E encryption for Zoom video meetings,” a Zoom spokesperson admitted to The Intercept.
The company says it has “layered safeguards in place” that prevent “anyone, including Zoom employees, from directly accessing any data that users share during meetings, including — but not limited to — the video, audio and chat content of those meetings.”
However, this doesn’t change the fact that Zoom has been misleading its users and, if it was to be compelled to, would have the ability to hand over the content of users’ video calls to governmental authorities or law enforcement.
On the same day, it emerged that the Prime Minister has continued to use Zoom for cabinet meetings − despite warnings of “security implications” from the Ministry of Defence, which has banned its staff from using the software.
Furthermore, to date Zoom has not published any transparency reports that show how many government requests for user data it receives and complies with. On March 18, Access Now wrote an open letter urging Zoom to publish one, and on April 1, Zoom committed to putting a transparency report together.
Sending data to Facebook
On March 26, Vice’s Motherboard revealed that the iOS version of the Zoom app had been sending analytical data, such as login times, device details, local area and a unique advertising-related identifier, to Facebook without Zoom users’ consent.
This was found to be the case whether or not users had a Facebook account.
Furthermore, it said that Zoom may collect information from users’ Facebook profiles, but only for Zoom users who “use Facebook to log-in to our Products or to create an account for our Products”.
“We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data,” Zoom told Vice after its article went live.
“To address this, in the next few days, we will be removing the Facebook SDK and reconfiguring the feature so that users will still be able to login with Facebook via their browser. Users will need to update to the latest version of our application once it becomes available in order for these changes to take hold, and we encourage them to do so.”
Zoom’s iOS app has now been changed.
In a blog post, Zoom wrote: “We want to emphasize that:
- Zoom does not sell our users’ data.
- Zoom has never sold user data in the past and has no intention of selling users’ data going forward.
- Zoom does not monitor your meetings or its contents.
- Zoom complies with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR and the CCPA.
Every Zoom call has an ID number assigned to it in order to make it easy for people to join it, but there have been numerous reports of trolls successfully gatecrashing chats − and abusing participants − simply by feeding random ID numbers into the system.
Zoom, however, does let users password-protect meetings. The issue is that this step isn’t mandatory, which inevitably means that many users don’t bother with it.
Related: How to use Zoom
The Electronic Frontier Foundation has compiled a small but nauseating roundup of some of the creepy things Zoom allows meeting hosts and admins to do, one of which is attention tracking.
If someone in a chat is screen-sharing, Zoom will alert the meeting’s host if one of the participants hasn’t had the Zoom meeting view open for more than 30 seconds.
Creepier still is the ability of admins to access other users’ recorded Zoom meetings.