By Rosnel Leyva ’22
It seems like it was only yesterday when the world was filled with face to face board meetings and school lessons were taught in classrooms. In a sudden change of events, the world today has been overrun by video-conferencing softwares to substitute these routine meetings. Above all video conferencing softwares out there, Zoom stands alone as it’s exponential user spike grossed the company’s CEO a whopping $4 billion U.S. dollars. Inevitably like any other big tech company, Zoom has its own fair share of privacy breaches, which in this world-wide pandemic proves to be more consequential than ever before.
According to security and privacy experts from CNET that have analyzed Zoom’s software, it is essentially a “privacy disaster,” with the poor handling of user data being their main crime. Zoom user data from its iOS and Android apps have been proven to be sold by Zoom to Facebook for advertising purposes. This is all despite the fact that users in most cases did not even have a Facebook account and therefore could not consent to their data being sold. This vulnerability was taken to federal court in California which claimed that, “Zoom [is] failing to ‘properly safeguard the personal information of the increasing millions of users’ on its platform… ‘While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices… ’ ”. Selling user data without consent is the least of Zoom’s problems though, with more than noticeable software vulnerabilities stacking up against it.
A zero-day, which is what security professionals and hackers use to refer to a security breach, was discovered in Zoom’s software on July 8th, 2019. But this was only officially acknowledged by the company in early March 2020. The exploit allowed unauthorized users to remotely access keyboard functionality and webcam streams from a victim’s machine using Zoom’s own web server. The way Zoom streams video to a user in a conference is by using their own server to display each person’s video. This server however also allows for users with elevated privileges to remotely control other participants’ computers. Arvind Narayanan, an associate computer science professor at Princeton University commented on this specific flaw in Zoom and was deeply disappointed, stating that, “…the number of security issues with Zoom in the past make it as bad as malicious software… ‘Zoom is malware.’”
Despite all of the deeply technical flaws that shroud the majority of the discussion on Zoom’s technical shortcomings, one such flaw that plagues students specifically is the overly feverrent surveillance that the program presents as “features”. Perhaps you are a student yourself and your teacher has called you out for doing something other than paying attention to class during your Zoom meeting and more likely than not you’re probably not using the Zoom window. The paranoia is actually well founded though because of Zoom’s widely criticized, “ ‘attention tracking’ feature, which allows a host to see if a user clicks away from a Zoom window for 30 seconds or more. This feature would allow employers to check if employees are really tuned into a work meeting or if students are really watching a classroom presentation remotely.” Despite the strong criticism, Zoom has continued to allow this feature with rumors speculating a future update could allow hosts to see what program participants are focusing on instead of Zoom. Many students and employees, including myself, see this as a grotesque invasion of privacy.
Looking to the future, how can we learn from Zoom’s mistakes and make video conferencing more secure? Alternatives are already online with Facetime, Google Meet and Skype being some of the free options available right now. Given the current state of Zoom’s security and their nonchalant disregard for user data and privacy, it would not be advisable for any organization, governmental, corporate, or educational to use Zoom in any capacity. Zoom is an amazing software with many useful features for connecting with others, however the risks of using it do not outweigh the benefits.
Citation
Neate, Rupert. “Zoom Booms as Demand for Video-Conferencing Tech Grows.” The Guardian, Guardian News and Media, 31 Mar. 2020, www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak.
Paul, Kari. “’Zoom Is Malware’: Why Experts Worry about the Video Conferencing Platform.” The Guardian, Guardian News and Media, 2 Apr. 2020, www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing.
Leitschuh, Jonathan. “Zoom Zero Day: 4 Million Webcams & Maybe an RCE? Just Get Them to Visit Your Website!” Medium, InfoSec Write-Ups, 25 Sept. 2019, medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5.
Hodge, Rae. “Zoom Security Issues: Zoom Could Be Vulnerable to Foreign Surveillance, Intel Report Says.” CNET, www.cnet.com/news/zoom-security-issues-zoom-could-be-vulnerable-to-foreign-surveillance-intel-report-says/.
Neate, Rupert. “Zoom Booms as Demand for Video-Conferencing Tech Grows.” The Guardian, Guardian News and Media, 31 Mar. 2020, www.theguardian.com/technology/2020/mar/31/zoom-booms-as-demand-for-video-conferencing-tech-grows-in-coronavirus-outbreak.
Staff, TMZ. “Zoom Sued Over ‘Zoom Bombing,’ Privacy and Security Issues.” TMZ, TMZ, 8 Apr. 2020, www.tmz.com/2020/04/08/zoom-sued-class-action-lawsuit-zoom-bombing-privacy-security-issues/.