The popular video conferencing application Zoom has been having a Moment during the Covid-19 pandemic. But it’s not all positive. As many people’s professional and social lives move completely online, Zoom use has exploded. But with this boom has come added scrutiny from security and privacy researchers—and they keep finding more problems, including two fresh zero day vulnerabilities revealed Wednesday morning.
The debate has underscored the inherent tension of balancing mainstream needs with robust security. Go too far in either direction, and valid criticism awaits.
“Zoom has never been known as the most hardcore secure and private service, and there have certainly been some critical vulnerabilities, but in many cases there aren’t a lot of other options,” says security researcher Kenn White. “It’s absolutely fair to put public pressure on Zoom to make things safer for regular users. But I wouldn’t tell people ‘Don’t use Zoom.’ It’s like everyone is driving a 1989 Geo and security folks are worrying about the airflow in a Ferrari.”
Zoom isn’t the only video conferencing option, but displaced businesses, schools, and organizations have coalesced around it amid widespread-shelter-in place orders. It’s free to use, has an intuitive interface, and can accommodate group video chats for up to 100 people. There’s a lot to like. By contrast, Skype’s group video chat feature only supports 50 participants for free, and live streaming options like Facebook Live don’t have the immediacy and interactivity of putting everyone in a digital room together. Google offers multiple video chat options—maybe too many, if you’re looking for one simple solution.
At the same time, recent findings about Zoom’s security and privacy failings have been legitimately concerning. Zoom’s iOS app was quietly—and the company says accidentally—sending data to Facebook without notifying users, even if they had no Facebook account. The service pushed a fix late last week. Zoom also updated its privacy policy over the weekend after a report revealed that the old terms would have allowed the company to collect user information, including meeting content, and analyze it for targeted advertising or other marketing. And users have been creeped out by Zoom’s attention-tracking feature, which lets the meeting host know if an attendee hasn’t had the Zoom window in their screen’s foreground for 30 seconds.
During the pandemic, a type of online abuse known as Zoombombing, in which trolls abuse Zoom’s default screen-sharing settings to take over meetings—often with racist messages or pornography—has also spiked. Zoom offers tools to protect against that sort of assault, specifically the option to password-protect your meeting, add a waiting room for vetting attendees, and limit screen sharing. Some paid and free speciality versions of the service, like Zoom for Education, also have different screen sharing defaults. But in general the service doesn’t highlight these options in a way that would make them intuitive to enable.
“It’s as though, in suddenly shifting from the office to work from home, we didn’t so much move the conference room into our kitchens as into the middle of the public square,” says Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford’s Center for Internet and Society. “Enterprise platforms are now seeing the same abuse problems that we’ve long been used to seeing on Twitter, YouTube, Reddit, etc. Those platforms were inherently designed to let strangers contact other strangers—and yet they had to tack on anti-abuse features after the fact too.”
Perhaps most jarring of all, the service has a security feature that it falsely described as being “end-to-end encrypted.” Turning on the setting does strengthen the encryption on your video calls, but does not afford them the protection of being completely encrypted at all times in transit. Achieving full end-to-end encryption in group video calling is difficult; Apple memorably spent years finding a way to implement it for FaceTime. And for a service that can support so many streams on each call, it was always unlikely that Zoom had actually achieved this protection, despite its marketing claims.
