The coronavirus outbreak has seen millions of people ordered to stay in their homes flock to Zoom, using the video conference app for everything from brunches and birthday parties to religious events and even a UK cabinet meeting. But the spike in popularity is leading to a wave of scrutiny, particularly around privacy.
While video chat apps in general have seen a surge in usage, including Microsoft (MSFT)’s Skype and Teams platforms and Cisco’s Webex, Zoom (ZM) has emerged as the go-to contender thanks to its ability to host a large number of users — up to 100 in the free version — and fun social features such as customizable photo backgrounds. The company’s stock price has nearly doubled in the past two months.
But that surge in growth and the company’s widespread usage have surfaced several concerns.
In the last week alone, issues with Zoom’s privacy protections have been flagged by users, security researchers and US authorities. The increased attention highlights a new front in the global debate over privacy and security as a result of the global pandemic, as millions of people adapt to working remotely and using technology that could potentially expose their data.
New York Attorney General Letitia James sent a letter to Zoom on Monday asking whether the company “is taking appropriate steps to ensure users’ privacy and security,” a spokesman for James’s office told CNN Business.
Zoom said it would address James’s questions. “Zoom takes its users’ privacy, security, and trust extremely seriously,” a spokesperson for the company said in a statement. “During the COVID-19 pandemic, we are working around-the-clock to ensure that hospitals, universities, schools, and other businesses across the world can stay connected and operational. We appreciate the New York Attorney General’s engagement on these issues and are happy to provide her with the requested information.”
On Monday, the FBI issued a warning against “Zoom-bombing,” where hackers or trolls hijack a public video call. The agency cited examples of users entering meetings or virtual classrooms to shout profanities and share pornography. The FBI urged victims of “teleconference hijacking” to report any incidents to the agency.
Zoom founder and CEO Eric Yuan addressed some of those issues in a tweet on Friday, saying they stem from users not enabling some security features such as meeting passwords and additional privacy controls.
“We will enforce these settings in addition to training and blogs,” he said.
A Zoom spokesperson said the company was “deeply upset to hear about the incidents involving this type of attack.”
Users hosting large public meetings should review their settings to make sure only the hosts can share their screen, and activate additional privacy controls, the spokesperson added. “We also recently updated the default screen sharing settings for our education users so teachers by default are the only ones who can share content in class.”
Founded nine years ago, Zoom has suddenly become a vital social and professional lifeline for millions around the world. But that rapid growth has already exposed it to the kind of controversies that far larger tech companies like Facebook (FB) and Google (GOOGL) frequently grapple with.
“They’ve gone from interesting new startup product to part of the global infrastructure in days. And I think the many gaps in maturity are becoming painfully clear,” Jules Polonetsky, CEO of the Future of Privacy Forum and the former chief privacy officer of AOL, told CNN Business in an interview. “Some of them range from just stupid stuff that maybe doesn’t create risk to most users, to other things that are going to create legal liability for them.”
Another recent issue, first reported by Motherboard, involves Zoom’s sharing of user data with Facebook. Zoom originally allowed users to log into its iOS app using their Facebook accounts, but the feature it was using to do so shared details with Facebook about the user’s device, including its timezone, language, model number and IP address. (Facebook offers the tool to any developer to integrate with their apps.)
The revelation led to two Zoom users separately filing class action lawsuits against the company in a Northern California district court this week, with one suit alleging that the video app “has failed to safeguard the personal information of the increasing millions of users of its software” and the other claiming it gave them “no opportunity to express or withhold consent to Zoom’s misconduct.” The lawsuits accuse Zoom of collecting users’ personal information and sharing it with third parties, including Facebook, without properly notifying the users.
Zoom declined to comment on the lawsuits, but directed CNN Business to a recent blog post in which it says it removed the code that allows the data sharing with Facebook to occur. Facebook did not respond to a request for comment.
Instead, Zoom uses something called transport encryption, which only secures the message while it’s en route from a video chat to the company’s servers, according to David Kennedy, founder of cybersecurity firm TrustedSec and a former cyberwarfare specialist with the United States Marine Corps. That means Zoom effectively functions as a middleman in all video conversations on its platform and has access to those conversations, he said.
A report by The Intercept first identified the shortcoming.
The Zoom spokesperson acknowledged that the company collects “basic technical information” such as IP addresses and device details, but stressed that it has strict privacy controls to protect against unauthorized access.
“Importantly, Zoom does not sell user data of any kind to anyone,” the spokesperson added.
Without end-to-end encryption on video, Kennedy says video conversations on Zoom could technically be accessed and stored by the company.
“Zoom doesn’t seem to be very clear on what they record, what they don’t record,” he said. “There’s a lot of things that Zoom is doing that is particularly alarming and concerning, because they’re not using the right language and terminology.”