Zoom has seen a flood of new users as the COVID-19 outbreak forces more and more employees to transition to working from home. Zoom’s big selling point is its near-frictionless video calls.
We believe it’s important for our community who may be switching to Zoom in their workplace during the coronavirus outbreak to be aware of these issues, and this post looks at each of them in detail. At the end, we’ll offer some suggestions for what you can do to protect yourself while using Zoom.
Zoom knows if you are paying attention to the call
Whenever you host a call, you have the option to activate Zoom’s attendee attention tracking feature. This feature alerts the call’s host anytime someone on the call “does not have Zoom Desktop Client or Mobile App in focus for more than 30 seconds.” In other words, if you are on a Zoom call and you click away from Zoom, the host of the call will be notified after 30 seconds, regardless of whether you minimized Zoom to take notes, check your email, or respond to a question on another app.
This feature only works if someone on the call is sharing their screen. It is unclear whether the attendees of a call are notified if attention tracking is being used on a call. When we tested it, the attendees did not receive any indication that their attention was being tracked.
Of course, just because you are not viewing the Zoom screen does not mean you are not paying attention or doing work. Furthermore, this feature cannot always reliably gauge if you have clicked away from the call. It only works on version 4.0 or later of Zoom apps and is not as reliable if you attend a Zoom call through your web browser rather than an app.
You should also be aware that if a host decides to record the call so it can be played later, Zoom saves a TXT file of the chat messages from the meeting and shares it with your boss. According to its support page on the subject, “the saved chat will only include messages from the host and panelists to all participants.” However, it does not clarify what will happen to direct messages between attendees.
Zoom privacy regarding your data
Zoom not only tracks your attention, it tracks you.
Some of this data you enter yourself when you are signing in (for example, to join a call online, you must give your email), but much of it is collected automatically by the Zoom app.
An article in Vice pointed out that the Zoom iOS app shared a substantial amount of user data with Facebook, even if the user does not have a Facebook account. However, two days after this story was published, Zoom removed the code that sent data to Facebook. In a statement to Vice, Zoom explained it was unaware that the Facebook software development kit (SDK) used to implement the “Login with Facebook” feature in its app was collecting unnecessary data. The statement also listed the types of device data the Facebook SDK had collected, including the mobile operating system (OS) type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.
Zoom is now facing a class action lawsuit from a California resident who alleges that Zoom violated the California Consumer Privacy Act by not getting users’ consent before sharing their data with Facebook. Also, the New York Attorney General’s office recently sent a letter to the company, expressing concern that Zoom’s existing security practices fail to secure its users’ data. The Attorney General’s primary concern is that Zoom may not be doing enough to meet the state’s requirements to protect student data. Zoom recently increased the number of participants allowed on its free calls to help teachers and schools reach students at home.
Zoom does not use end-to-end encryption
Zoom used its own definition for end-to-end encryption (E2EE), one that is likely to mislead many of its users. Despite both Zoom’s website and its security white paper claiming calls that use “computer audio” are end-to-end encrypted, The Intercept found that Zoom only uses transport layer security (TLS) encryption, the same encryption that protects all websites that use HTTPS.
TLS encryption protects Internet connections from being eavesdropped on by third parties, but in this case, it does not protect the data from Zoom itself. This is different from E2EE services like ProtonMail. With true E2EE, a message (or video chat) is encrypted on a user’s device and then cannot be decrypted until it reaches the recipient’s device. No one can decrypt or access unencrypted data between the two end users.
A Zoom spokesman clarified that E2EE to Zoom means, “the connection [is] encrypted from Zoom end point to Zoom end point.” Here “end point” refers to the Zoom server, not the Zoom app. This is not true E2EE.
Online trolls have disrupted numerous online conference calls, by sharing disturbing or pornographic material using a Zoom screen share feature. This has become known as “Zoombombing,” and it is a widespread problem.
Zoom, by default, allows anyone to share their screen with the participants of a call without permission from the call’s host. If a call is public, anyone with the URL to the call can join. This has allowed malicious actors to sneak into calls using publicly shared links and then take over by sharing their screen and showing the audience offensive material.
The camera hacking bug
Last year, security consultant Johnathan Leitschuch discovered that Zoom set up a local web server on a user’s Mac device that allowed Zoom to bypass security features in Safari 12. This web server was not mentioned in any of Zoom’s official documentation. It was used to bypass a pop-up window that Safari 12 would show before it turned on your device’s camera.
However, this remote web server was also not adequately secured. Pretty much any website could interact with it. The result was that Zoom allowed malicious websites to take over your Mac’s camera without ever alerting you.
This led Electronic Privacy Information Center to file an FTC complaint against Zoom, alleging that Zoom “intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user.”
While Zoom has since removed these remote web servers, its cavalier approach to getting user permission and its repeated disregard for security and privacy concerns in the pursuit of convenience raise serious questions about trust.
How you can protect your data
As Zoom becomes the standard video conferencing tool, there are some steps you can take to keep your data safe.
- Use two devices during Zoom calls: If you are attending a Zoom call on your computer, use your phone to check your email or chat with other call attendees. This way, you will not trigger the attention tracking alert.
- Do not use Facebook to sign in: It might save time, but it is a poor security practice and dramatically increases the amount of personal data Zoom has access to.
- Keep your Zoom app updated: Zoom removed the remote web server from the latest versions of its apps. If you recently downloaded Zoom, there’s no need to be concerned about this specific vulnerability.
- Prevent intruders and Zoombombing on your calls: Before you set up a public Zoom call, go to Settings and turn Screen Sharing to “Host only,” disable “Join Before Host,” disable “Allow Removed Participants to Rejoin,” and disable “File Transfers.” If practical, you should also protect your conference call with a password.
We recognize that working from home is going to require a reconfiguring of how companies, offices, and employees work. However, workers’ personal privacy should not be sacrificed in this transition.
Now that offices are closed, it is more important than ever that workers remember security guidelines. We have resources that can help you stay safe. Our IT security ebook, with its email security and IT security best practices lists, can help employees maintain their security and privacy while working from home.
UPDATE March 27, 2020: This article was updated to incorporate the news that Zoom’s iOS app shares data with Facebook.
UPDATE March 30, 2020: This article was updated after Zoom removed the code that shared users’ device data with Facebook.
UPDATE April 1, 2020: This article was updated after the New York Attorney General requested security information from Zoom and a California resident filed a class action suit against the company. It also incorporates new information discovered about Zoom’s false claims regarding end-to-end encryption and new reporting on Zoombombing.
You can get a free secure email account from ProtonMail here.
We also provide a free VPN service to protect your privacy.
ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.