Using Zoom? Here are the privacy issues you need to be aware of

An illustration of Zoom's attendee attention tracking.

Zoom has seen a flood of new users as the COVID-19 outbreak forces more and more employees to transition to working from home. Zoom’s big selling point is its near-frictionless video calls.

However, new users should be aware of the company’s privacy practices. By looking through its privacy policy and some of its support documents, you quickly discover that Zoom allows your boss to track your attention during calls, shares the copious amounts of data it collects with third parties, and has already had a major security vulnerability.

We believe it’s important for our community who may be switching to Zoom in their workplace during the coronavirus outbreak to be aware of these issues, and this post looks at each of them in detail. At the end, we’ll offer some suggestions for what you can do to protect yourself while using Zoom.

Zoom knows if you are paying attention to the call

Whenever you host a call, you have the option to activate Zoom’s attendee attention tracking feature. This feature alerts the call’s host anytime someone on the call “does not have Zoom Desktop Client or Mobile App in focus for more than 30 seconds.” In other words, if you are on a Zoom call and you click away from Zoom, the host of the call will be notified after 30 seconds, regardless of whether you minimized Zoom to take notes, check your email, or respond to a question on another app.

This feature only works if someone on the call is sharing their screen. It is unclear whether the attendees of a call are notified if attention tracking is being used on a call. When we tested it, the attendees did not receive any indication that their attention was being tracked.

Of course, just because you are not viewing the Zoom screen does not mean you are not paying attention or doing work. Furthermore, this feature cannot always reliably gauge if you have clicked away from the call. It only works on version 4.0 or later of Zoom apps and is not as reliable if you attend a Zoom call through your web browser rather than an app.

You should also be aware that if a host decides to record the call so it can be played later, Zoom saves a TXT file of the chat messages from the meeting and shares it with your boss. According to its support page on the subject, “the saved chat will only include messages from the host and panelists to all participants.” However, it does not clarify what will happen to direct messages between attendees. 

Zoom privacy regarding your data

Zoom not only tracks your attention, it tracks you.

According to the company’s privacy policy, Zoom collects reams of data on you, including your name, physical address, email address, phone number, job title, and employer. Even if you don’t make an account with Zoom, it will collect and keep data on what type of device you are using and your IP address. It also collects information from your Facebook profile (if you use Facebook to sign in) and any “information you upload, provide, or create while using the service.”

Some of this data you enter yourself when you are signing in (for example, to join a call online, you must give your email) but much of it is collected automatically by the Zoom app.

Under the entry “Does Zoom sell Personal Data?” the privacy policy says, “Depends what you mean by ‘sell.’” To summarize, Zoom says it does not sell personal data to third parties for money, but it does share personal data with third parties for those companies’ “business purposes.” As an example, the policy says Zoom may pass your personal information to Google.

However, a recent article in Vice pointed out that the Zoom iOS app shares a substantial amount of user data with Facebook, even if the user does not have a Facebook account. This data includes the time you open the app, details on the device you are using, the time zone and city you are connecting from, which phone carrier you are using, and your device’s unique advertiser identifier. Companies and online trackers use this last piece of information to target you with ads. Zoom does not mention sending data to Facebook anywhere in its privacy policy.

The camera hacking bug

Last year, security consultant Jonathan Leitschuh discovered that Zoom set up a local web server on a user’s Mac device that allowed Zoom to bypass security features in Safari 12. This web server was not mentioned in any of Zoom’s official documentation. It was used to bypass a pop-up window that Safari 12 would show before it turned on your device’s camera.

However, this local web server was also not adequately secured. Pretty much any website could interact with it. The result was that Zoom allowed malicious websites to take over your Mac’s camera without ever alerting you.

This led the Electronic Privacy Information Center to file an FTC complaint against Zoom, alleging that Zoom “intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user.”

While Zoom has since removed these local web servers, its cavalier approach to getting user permission and its disregard for security and privacy concerns in the pursuit of convenience raise serious questions about trust.

How you can protect your data

As Zoom becomes the standard video conferencing tool, there are some steps you can take to keep your data safe.

  • Use two devices during Zoom calls: If you are attending a Zoom call on your computer, use your phone to check your email or chat with other call attendees. This way you will not trigger the attention tracking alert.
  • Do not use Facebook to sign in: It might save time, but it is a poor security practice and dramatically increases the amount of personal data Zoom has access to. 
  • Keep your Zoom app updated: Zoom removed the local web server from the latest versions of its apps. If you recently downloaded Zoom, there’s no need to be concerned about this specific vulnerability.

We recognize that working from home is going to require a reconfiguring of how companies, offices, and employees work. However, workers’ personal privacy should not be sacrificed in this transition.

Now that offices are closed, it is more important than ever that workers remember security guidelines. We have resources that can help you stay safe. Our IT security ebook, with its email security and IT security best practices lists, can help employees maintain their security and privacy while working from home.

UPDATE March 27, 2020: This article was updated to incorporate the news that Zoom’s iOS app shares data with Facebook.


About the Author

Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

 


22 comments on “Using Zoom? Here are the privacy issues you need to be aware of”

  • Our school is forcing us to use Zoom to follow courses and interact with the teachers since the pandemic, we have no choice. We should have a right to not use proprietary spyware :(.

    • Hi,

      Signal offers video calling and is very secure.
      Jitsi is also a good option. It is open source and you do not need to log in to use it. Meet.jit.si does not require a preset account, letting you use it privately.
      However, depending on your threat model, Zoom should be a good option as long as you keep in mind the steps we mention to protect your data.

      Thanks!

  • Would love a similar analysis to HouseParty. Installing the app in my browser asked for permissions to see my browser history (what?) and skimming the terms it meant they were able to use and share that data with 3rd parties. Seemed shady to me.

    • Unfortunately, Signal does not yet support group/conference calls. It can only be used for calls between two individuals.

      Jitsi is also a good option. It is open source and you do not need to log in to use it. Meet.jit.si does not require a preset account, letting you use it privately.

    • You are correct about Signal.
      And don’t forget Jitsi is open source. It is a good alternative for video conference calls that lets you have more control of your privacy.

  • Great read, thanks for putting this together. I was wondering what people thought of Webex?
    I see Webex used a lot for business even before covid-19. Just wondering if anyone has done a privacy analysis of it.
    Personally I like webex a lot more than zoom… but I haven’t reviewed the privacy policy as either option is usually forced on me due to business.

  • Hi,
    thank you for the article. It would be great to have a similar analysis for microsoft teams and google hangouts-meet.

    • Thank you. We’re glad you found it instructive. We’ll consider looking into Microsoft Teams and Google Hangouts in the future.

  • The other day, I was on my first Zoom call ever, and the presenter unmuted my mic. Usually people expect to control their own mute status, so I’d say this qualifies as a privacy violation to be aware of. I was watching & repeatedly re-muted myself until the presenter gave up, so at least there’s some way to counter it. After that, I flipped my hardware mute switch. I don’t know whether the presenter can also unmute video.

  • I’ll add that I just received a Zoom invitation. Instead of adding the same ICS that allows you to have the event in your calendar, it requires you to give the Zoom app access to your Google Calendar. This is absolutely unnecessary and frankly a bit frightening.
    You can still download the ICS file, but then you need to import it manually into the calendar.
    Every other conferencing app just has the invitation email that puts a “tentative” calendar item in. Stop. No need to give permission to my calendar.

  • For privacy and to secure my chats, I’m using Signal. They have good privacy features; the best part is that it has a lot of advanced features like ‘disappearing messages’, ‘screen lock’, ‘incognito keyboard’, ‘read receipts’, ‘message trimming’, etc.
