Using Zoom? Here are the privacy issues you need to be aware of

An illustration of Zoom's attendee attention tracking.

Zoom has seen a flood of new users as the COVID-19 outbreak forces more and more employees to transition to working from home. Zoom’s big selling point is its near-frictionless video calls.

However, new users should be aware of the company’s privacy practices. By looking through its privacy policy and some of its support documents, you quickly discover that Zoom shares the copious amounts of data it collects with third parties and has already had a major security vulnerability. An investigation by The Intercept has called into doubt Zoom’s claim of end-to-end encryption on its video calls. And online trolls have also taken advantage of default Zoom settings to “Zoombomb,” public conference calls and disrupt them.

We believe it’s important for our community who may be switching to Zoom in their workplace during the coronavirus outbreak to be aware of these issues, and this post looks at each of them in detail. At the end, we’ll offer some suggestions for what you can do to protect yourself while using Zoom.

Zoom privacy regarding your data

Zoom not only tracks your attention, it tracks you.

According to the company’s privacy policy, Zoom collects reams of data on you, including your name, physical address, email address, phone number, job title, employer. Even if you don’t make an account with Zoom, it will collect and keep data on what type of device you are using, and your IP address. It also collects information from your Facebook profile (if you use Facebook to sign in) and any “information you upload, provide, or create while using the service.”

Some of this data you enter yourself when you are signing in (for example, to join a call online, you must give your email), but much of it is collected automatically by the Zoom app.

In its privacy policy, under the entry “Does Zoom sell Personal Data?” the policy says, “Depends what you mean by ‘sell.’” To summarize Zoom’s policy, they say they don’t sell personal data for money to third parties, but it does share personal data with third parties for those companies’ “business purposes.” In its privacy policy, it gives the example that it may pass your personal information to Google.

An article in Vice pointed out that the Zoom iOS app shared a substantial amount of user data with Facebook, even if the user does not have a Facebook account. However, two days after this story was published, Zoom removed the code that sent data to Facebook. In a statement to Vice, Zoom explained it was unaware that the Facebook software development kit (SDK) used to implement the “Login with Facebook” feature in its app was collecting unnecessary data. The statement also listed the types of device data the Facebook SDK had collected, including the mobile operating system (OS) type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.

Zoom is now facing a class action lawsuit from a California resident who alleges that Zoom violated the California Consumer Privacy Act by not getting users’ consent before sharing their data with Facebook. Also, the New York Attorney General’s office recently sent a letter to the company, expressing concern that Zoom’s existing security practices fail to secure its users’ data. The Attorney General’s primary concern is that Zoom may not be doing enough to meet the state’s requirements to protect student data. Zoom recently increased the number of participants allowed on its free calls to help teachers and schools reach students at home.

Zoom does not use end-to-end encryption

Zoom used its own definition for end-to-end encryption (E2EE), one that is likely to mislead many of its users. Despite both Zoom’s website and its security white paper claiming calls that use “computer audio” are end-to-end encrypted, The Intercept found that Zoom only uses transport layer security (TLS) encryption, the same encryption that protects all websites that use HTTPS.

TLS encryption protects Internet connections from being eavesdropped on by third parties, but in this case, it does not protect the data from Zoom itself. This is different from E2EE services like ProtonMail. With true E2EE, a message (or video chat) is encrypted on a user’s device and then cannot be decrypted until it reaches the recipient’s device. No one can decrypt or access unencrypted data between the two end users.

A Zoom spokesman clarified that E2EE to Zoom means, “the connection [is] encrypted from Zoom end point to Zoom end point.” Here “end point” refers to the Zoom server, not the Zoom app. This is not true E2EE.

In response to this reporting and the widespread confusion, Zoom put out a blog post that acknowledged, “there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”

Zoom has since announced that it will make true end-to-end encryption available for all users.

Zoombombing

Online trolls have disrupted numerous online conference calls, by sharing disturbing or pornographic material using a Zoom screen share feature. This has become known as “Zoombombing,” and it is a widespread problem.

Zoom, by default, allows anyone to share their screen with the participants of a call without permission from the call’s host. If a call is public, anyone with the URL to the call can join. This has allowed malicious actors to sneak into calls using publicly shared links and then take over by sharing their screen and showing the audience offensive material.

The camera hacking bug

Last year, security consultant Johnathan Leitschuch discovered that Zoom set up a local web server on a user’s Mac device that allowed Zoom to bypass security features in Safari 12. This web server was not mentioned in any of Zoom’s official documentation. It was used to bypass a pop-up window that Safari 12 would show before it turned on your device’s camera.

However, this remote web server was also not adequately secured. Pretty much any website could interact with it. The result was that Zoom allowed malicious websites to take over your Mac’s camera without ever alerting you. 

This led Electronic Privacy Information Center to file an FTC complaint against Zoom, alleging that Zoom “intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user.”

While Zoom has since removed these remote web servers, its cavalier approach to getting user permission and its repeated disregard for security and privacy concerns in the pursuit of convenience raise serious questions about trust. 

How you can protect your data

As Zoom becomes the standard video conferencing tool, there are some steps you can take to keep your data safe.

  • Do not use Facebook to sign in: It might save time, but it is a poor security practice and dramatically increases the amount of personal data Zoom has access to. 
  • Keep your Zoom app updated: Zoom removed the remote web server from the latest versions of its apps. If you recently downloaded Zoom, there’s no need to be concerned about this specific vulnerability.
  • Prevent intruders and Zoombombing on your calls: Before you set up a public Zoom call, go to Settings and turn Screen Sharing to “Host only,” disable “Join Before Host,” disable “Allow Removed Participants to Rejoin,” and disable “File Transfers.” If practical, you should also protect your conference call with a password.

We recognize that working from home is going to require a reconfiguring of how companies, offices, and employees work. However, workers’ personal privacy should not be sacrificed in this transition.

Now that offices are closed, it is more important than ever that workers remember security guidelines. We have resources that can help you stay safe. Our IT security ebook, with its email security and IT security best practices lists, can help employees maintain their security and privacy while working from home.

UPDATE March 27, 2020: This article was updated to incorporate the news that Zoom’s iOS app shares data with Facebook.

UPDATE March 30, 2020: This article was updated after Zoom removed the code that shared users’ device data with Facebook.

UPDATE April 1, 2020: This article was updated after the New York Attorney General requested security information from Zoom and a California resident filed a class action suit against the company. It also incorporates new information discovered about Zoom’s false claims regarding end-to-end encryption and new reporting on Zoombombing.

UPDATE May 4, 2020: This article was updated to show that Zoom removed its attendee attention tracking feature, which alerted the hosts of a call if you minimized or clicked away from your Zoom window for 30 seconds. It also now includes Zoom’s explanation for why it was using “end-to-end encryption” in its marketing.

UPDATE June 9, 2020: This article was updated after Zoom announced it would make end-to-end encryption available only for paying users.

UPDATE June 25, 2020: This article was updated after Zoom backtracked from its original stance that it would only offer end-to-end encryption to paying users. It has since announced that E2EE will be available to all users, including those on a free plan.

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.

About the Author

Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

 

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

55 comments on “Using Zoom? Here are the privacy issues you need to be aware of

  • Our school is forcing us to use Zoom to follow courses and interact with the teachers since the pandemic, we have no choice. We should have a right to not use proprietary spyware :(.

    Reply
    • Hi,

      Signal offers video calling and is very secure.
      Jitsi is also a good option. It is open source and you do not need to log in to use it. Meet.jit.si does not require a preset account, letting you use it privately.
      However, depending on your threat model, Zoom should be a good option as long as you keep in mind the steps we mention to protect your data.

      Thanks!

      Reply
    • Hi,

      Signal offers video calling and is very secure.
      Jitsi is also a good option. It is open source and you do not need to log in to use it. Meet.jit.si does not require a preset account, letting you use it privately.
      However, depending on your threat model, Zoom should be a good option as long as you keep in mind the steps we mention to protect your data.

      Thanks!

      Reply
  • Would love a similar analysis to HouseParty. Installing the app in my browser asked for permissions to see my browser history (what?) and skimming the terms it meant they were able to use and share that data with 3rd parties. Seemed shady to me.

    Reply
    • Unfortunately, Signal does not yet support group/conference calls. It can only be used for calls between two individuals.

      Jitsi is also a good option. It is open source and you do not need to log in to use it. Meet.jit.si does not require a preset account, letting you use it privately.

      Reply
    • You are correct about Signal.
      And don’t forget Jitsi is open source. It is a good alternative for video conference calls that lets you have more control of your privacy.

      Reply
  • Great read, thanks for putting this together. I was wondering what people thought of Webex?
    I see Webex used a lot for business even before covid-19. Just wondering if anyone has done a privacy analysis of it.
    Personally I like webex a lot more than zoom… but I haven’t reviewed the privacy policy as either option is usually forced on me due to business.

    Reply
  • Hi,
    thank you for the article. It would be great to have a similar analysis for microsoft teams and google hangouts-meet.

    Reply
    • Thank you. We’re glad you found it instructive. We’ll consider looking into Microsoft Teams and Google Hangouts in the future.

      Reply
  • The other day, I was on my first Zoom call ever, and the presenter unmuted my mic. Usually people expect to control their own mute status, so I’d say this qualifies as a privacy violation to be aware of. I was watching & repeatedly re-muted myself until the presenter gave up, so at least there’s some way to counter it. After that, I flipped my hardware mute switch. I don’t know whether the presenter can also unmute video.

    Reply
  • I’ll add that I just received a Zoom invitation. Instead of adding the same ICS that allows you to have the event in your calendar, it requires you to give access to Zoom app to your Google Calendar. This is absolutely unnecessary and frankly a bit frightening.
    You can still download the ICS file, but the you need to import it manually in the calendar.
    Each other conferencing app just have the invitation email that puts a “tentative” calendar item in. Stop. No need to give permission to my calendar.

    Reply
  • for privacy or secure my chat i m using signal they have good features of privacy like best part is that it has a lot of advanced features like ‘disappearing messages’, ‘screen lock’, ‘incognito keyboard’, ‘read receipts’, ‘message trimming’ etc.

    Reply
  • I recently began utilizing Proton Mail and have been very pleased with your communication and security practices! Thank you for extending your security conscious expertise and providing insight on a growing trend!

    Reply
  • A very informative article. Mostly all people are using Zoom app for meeting or webinars. I read the whole article and i think i should just keep these things in my mind. It’s very useful for our privacy. This article will be very helpful to all. I will share this blog with my team. Keep sharing your ideas.

    Reply
  • Zoom also uses Inteliquent aka (Onvoy/ANPI/Broadvox/Voyant/Vitelity/Phaxio/..) a major VoIP/SMS provider in the U.S, the same company that was involved in T-Mobile Fake Ring Tone scheme in 2019. Most phone calls in/to the U.S flows through Onvoy networks, including the ones from major carriers.

    Inteliquent networks are managed by shady people in Ukraine with ties to Russia. Onvoy also employs folks in Russia. They hide it so well and lie, their executives are reckless and in bed with FCC for maximum profit and power. They don’t care about U.S. public safety.

    Russia intelligence may already capable of interfering U.S. communications at any time –through Inteliquent Voice, SMS and even 911. The irony in the US is that their own NSA was seen as violation of privacy to analyze Call Detail Records for national security intelligence, whereas their Congress and FCC continues to allow companies like Inteliquent to abuse and hand over critical communication access to foreign countries. Russia may already have easy access not only to the phone call logs but also capable of full control.

    I am glad I don’t live in the U.S. but the impact is global.
    #DOJ #NSA #DHS #Congress should investigate deeper before U.S or Global communication cripples by reckless companies.

    Reply
  • This is good to know about Zoom. Will consider whether we use their paid for service for work meetings. Would appreciate it if Richard Koch were to look into Spike’s new videoconferencing tool and see if it really is private and secure?

    https://video.spike.chat/

    · Secured with SRTP encryption
    · No ads, no private data collected

    Reply
  • Since the Zoom security vulnerabilities hit the mainstream media, our team has been looking hard for an alternative for VTC (video teleconferencing). Security of our conversations is a top priority, due to the nature of our business. We’ve experimented with Signal, which is great for one-to-one (but has issues with voice and video quality, compared to Zoom)
    It’s really hard to find, maybe near-impossible, an un-biased, balanced review of the existing platforms. Seems you either get the Microsoft-phobes, who hate anything made or owned by MS, including Teams, or the Google-philiacs who blindly love anything promoted by Alphabet, etc, etc.
    Your article is balanced and unbiased, and I so appreciate it. We’ve been using all the suggested options available to make Zoom as secure as possible, but the shortcuts taken by the company make it hard to trust their product anymore.
    What would say is the best high-security option? Unfortunately, there is no offering from Protonmail, because we KNOW we could trust it!!

    Reply
  • Protect the struggling people that can’t afford or have any resources to prevent these parociets that target ant exploit people that simply are under a massive amount of pressure to try to prevent these cermet when are financially better of than there victims grow some balls jelly fishes and target those who have gold star insurance internet protection that’s not affordable the the little people and target them I’m not saying target anyone but if you must get a spine jelly fish we might see you walk threw the security doors in general population in jail Youse are now recognised and informed of your nature and deal with real caring individuals that care for or constable ones being targeted because there to gutless to stand up to someone that stands there ground please stay strong all you wonderfull people keep fighting the good fight the end game favours us believe it JEHOVAH has proven it’s near a men scott

    Reply
  • i feel like at this point we need protonmail to make its own video chat feature btw i cant access protonvpn here at almaty for some reason

    Reply
  • I use Zoom a lot untill I discovered security issues with the app. Hence, our company shifted to something secured as security was a must for our online meetings and sessions. We shifted to on premise R-HUB HD video conferencing servers for all our online meetings and conferencing needs. It works from behind the firewall, hence better security.

    Reply
  • Thanks for this comprehensive roundup of the privacy issues regarding Zoom. One suggestion: the updates made to the post should be listed right at the top, just before the main article text begins, rather than at the bottom, with the newest update being listed first (reverse chronological order). This will let readers know right away that the post has been updated with the latest information.

    Reply
  • This topic came up at other places and I was curious to learn what can be done. Thanks for sharing action items with us!

    Reply
  • Signal not only needs your phone number, it accesses your contacts and lets everyone there know you are on Signal. This notification to everyone in your contacts is not optional when using Signal. For secure communication do not use the device default contacts feature anyhow. For privacy, I agree that as of August 2020, jitsi is The best Video communication option, based on the Privacy Security & OSINT and Linux Unplugged podcasts.
    This article from ProtonMail and Richie Koch seems really good. Recently I was required to sign up for a Zoom account in iOS and was asked to confirm my birth date which really felt like a violation of privacy. However the app stated it would not save this information. I believe there’s a better than 50% chance that they it’s true that they don’t. I guess they need to ask because Zoom has 16 years old minimum age and if that’s the real reason they ask, there’s no reason to save the data and that would also explain why no one here is complaining about this. This article lays out how to use Zoom relativity safely, by not signing in with Facebook. Let’s try to do a reality check and keep that in mind for those of us who need to use Zoom because of other people’s choices but also realize that only a few people know what the Zoom app is doing on your device because that’s the nature of proprietary software, so use jitsi if it’s not too hard to setup and if you have a choice. I’ll look at using Matrix for secure communication which interfaces with lots of other communication and social media apps and defaults to jitsi for video communication. I think the Matrix default client, AKA app, was called Riot.im but changed it’s name to Element after BLM became prominent. I’m not sure so please research if interested. Stay safe Everyone

    Reply
  • Hi, Thanks for all you do to protect people’s privacy!! Is there another option for on-line group meetings other than Zoom that might be more secure? Thanks, Jess

    Reply
    • Hi Jessica,

      Signal offers video calling and is very secure.
      Jitsi is also a good option. It is open source and you do not need to log in to use it. Meet.jit.si does not require a preset account, letting you use it privately.
      However, depending on your threat model, Zoom should be a good option as long as you keep in mind the steps we mention to protect your data.

      Thanks!

      Reply