Zoom is a nine-year-old company with growing pains. When I mention that I don’t use Zoom people tend to respond: “well they’ve fixed all their problems now”. Yes, they started fixing some of the problems they had for nine years after the flood of criticism started… not in any way proactively. I just want to do a run-through of why I avoid Zoom that goes further than a few “glitches”. To stop using it completely is not possible with a tool as prevalent as this, but there are ways to use Zoom more carefully – I’ll advise at the end of this post and list alternatives.
In July of last year we learned that Zoom was installing a hidden web server on Mac computers. Because of it, any website could forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission. The vulnerability was discovered by Jonathan Leitschuh and disclosed in his Medium article: Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
July 24, 2019: Opinion: Zoom’s handling of vulnerability disclosure highlights the dark side of bug bounty NDAs
“Zoom’s handling of a cybersecurity researcher’s responsible disclosure of several serious vulnerabilities in its video-conferencing application is baffling. In March, cybersecurity researcher Jonathan Leitschuh contacted Zoom to notify the company of three major security vulnerabilities existing within its video-conferencing application for Mac computers.”
- a bug that allowed a malicious attacker to launch a denial of service (DoS) attack on a user’s machine,
- a bug that left a local web server installed on the user’s Mac even after uninstalling the Zoom application,
- and also a gravely alarming vulnerability that allowed for a malicious third-party entity to remotely and automatically enable an unsuspecting Mac user’s microphone and camera.
As outlined in Leitschuh’s blog post, he gave them the standard 90 days to fix before going public.
“In its initial response to the public disclosure on the company blog, Zoom refused to acknowledge the severity of the video vulnerability and ‘ultimately…decided not to change the application functionality.’ Although (only after receiving significant public backlash following the disclosure) Zoom did agree to completely remove the local web server that made the exploit possible”
Zoom had little interest in fixing these issues and tried hard to downplay their severity.
January 20, 2020: Zoom vulnerability would have allowed hackers to eavesdrop on calls
Cybersecurity research company Check Point Research found security flaws in videoconferencing platform Zoom that would have allowed a potential hacker to join a video meeting uninvited and listen in, potentially accessing any files or information shared during the meeting. A Zoom spokesperson said the issue Check Point identified was addressed in August of 2019.
March 19, 2020: Advocacy group calls for Zoom to release a transparency report
“Publishing transparency reports is a common practice for larger tech companies. Google and Microsoft, for example, share the number of requests they get from law enforcement and from governments for user data and if they disclosed customer data as part of those requests.” Access Now published an open letter urging Zoom, given its impact and position on the global stage, to do the same.
Given Zoom’s increasing role and user base, it is imperative that you issue a regular transparency report. According to your website, you are the “leader in modern enterprise video communications,” and Bernstein Research analysts reported that Zoom has gained more users so far this year than in all of 2019. This trend is likely to continue as more people rely on video conferencing services to carry on in their work and lives.
Zoom promised to publish a transparency report on June 30, but has failed to do so: Zoom misses its own deadline to publish its first transparency report. They now say it will be out later this year, but have given no date.
“Though it is commendable that Zoom has taken steps over the last 90 days to update some of its security and privacy practices, the decision to delay the transparency report signals that Zoom does not prioritize reporting,” said Isedua Oribhabor, a US policy analyst for Access Now, in a statement to The Verge. “The pressure that Zoom has faced from the Chinese government to restrict accounts underscores just why a transparency report is essential — without it, users have no insight into the extent of government interference with their accounts and data or the steps Zoom takes to push back.”
We are made aware of Zoom’s attendee attention tracking feature. As Zoom describes it: “Hosts can see an indicator in the participant panel of a meeting or webinar if an attendee does not have Zoom Desktop Client or Mobile App in focus for more than 30 seconds while someone is sharing a screen. ‘In focus’ means the user has the Zoom meeting view open and active.” Users can disable the tracking feature in their account settings, but the administrator can also make this setting mandatory for all users by clicking on the lock icon.
This type of automated quantitative analysis, claiming to indicate something it really doesn’t, can be extremely misleading. As someone who often has other windows open myself while listening (sometimes for drawing a mindmap, sometimes for finding links and research, and for other reasons that are not anyone’s business) I know how terribly wrong these indicators can be, and the worry is of course that people in power draw the wrong conclusions and people unable to defend themselves (students and more) suffer from it.
EFF has some added words of caution:
If a user records any calls via Zoom, administrators can access the contents of that recorded call, including video, audio, transcript, and chat files, as well as access to sharing, analytics, and cloud management privileges.
For any meeting that has occurred or is in-process, Zoom allows administrators to see the operating system, IP address, location data, and device information of each participant. This device information includes the type of machine (PC/Mac/Linux/mobile/etc), specs on the make/model of your peripheral audiovisual devices like cameras or speakers, and names for those devices (for example, the user-configurable names given to AirPods). Administrators also have the ability to join any call at any time on their organization’s instance of Zoom, without in-the-moment consent or warning for the attendees of the call.
March 30, 2020: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic
During the corona outbreak and the explosive increase in usage of Zoom, even the FBI had to issue a press release warning about Zoombombing:
As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts.
From the same article:
In addition, Zoom told Consumer Reports that it would stop retweeting Zoom screen captures posted by teachers that included images of students. (If you’re a teacher, don’t do that.)
Why Zoom would claim end-to-end encryption is beyond me. It’s very difficult to achieve on a video conferencing platform, and for a company that has been in the video conferencing business for nine years, and whose CEO worked on developing Webex, stating this is either a testament to gross negligence or intentionally misleading. Anyway, they don’t make this claim anymore, after, yet again, someone on the outside pointed it out.
Honestly, isn’t this a rookie mistake? If people share your email domain, Zoom assumes you are entitled to all their personal details. They blocked this for the common personal domains like Hotmail and Gmail, but there are obviously thousands upon thousands of other email providers out there.
“I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional?”
But wait for it, it gets better: The way Zoom manages this to protect people is by self-reporting(!) and adding domains to a blacklist.
“Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added,” a Zoom spokesperson told Motherboard. “With regards to the specific domains that you highlighted in your note, those are now blacklisted.” They also pointed to a section of the Zoom website where users can request other domains to be removed from the Company Directory feature.
So it’s opt-out (by a reporting process) rather than opt-in. Thanks for that Zoom.
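To make the opt-out versus opt-in distinction concrete, here is an added example that is not Zoom’s code and not taken from any of the articles quoted above. It models a “company directory” in two ways: the blocklist design described above, where everyone sharing a domain is grouped unless that domain has been reported, and an opt-in design where only domains an organisation has verified are grouped at all. Every name, address and domain in it is constructed for the illustration; the verification step itself (such as a DNS record) is assumed, not implemented.

```python
# Added example (not Zoom's code): two ways of deciding whether the viewer of a
# "company directory" may see other users' profiles. The first mirrors the
# opt-out blocklist design described in the post; the second is the opt-in
# alternative, where only domains a verified organisation enabled are grouped.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    email: str

    @property
    def domain(self) -> str:
        return self.email.rsplit("@", 1)[1].lower()


# Constructed sample accounts (hypothetical addresses, not real people).
USERS = [
    User("Alice", "alice@acme-corp.example"),
    User("Bob", "bob@acme-corp.example"),
    User("Carol", "carol@smallmail.example"),  # small public mail provider
    User("Dave", "dave@smallmail.example"),    # unrelated user, same provider
    User("Erin", "erin@gmail.com"),
    User("Frank", "frank@gmail.com"),
]

# Opt-out design: everyone sharing a domain is grouped unless the domain has
# been reported and added to this blocklist. Such a list can never be complete.
PUBLIC_DOMAIN_BLOCKLIST = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

# Opt-in design: a domain is grouped only after the organisation that owns it
# has proven control of it (assumed to happen elsewhere) and enabled the directory.
VERIFIED_ORG_DOMAINS = {"acme-corp.example"}


def directory_blocklist(viewer: User, users: list[User]) -> list[User]:
    """Opt-out: show everyone on the viewer's domain unless the domain is blocklisted."""
    if viewer.domain in PUBLIC_DOMAIN_BLOCKLIST:
        return []
    return [u for u in users if u.domain == viewer.domain and u != viewer]


def directory_verified(viewer: User, users: list[User]) -> list[User]:
    """Opt-in: show the directory only for domains a verified organisation enabled."""
    if viewer.domain not in VERIFIED_ORG_DOMAINS:
        return []
    return [u for u in users if u.domain == viewer.domain and u != viewer]


def leaked_names(viewer_email: str, users: list[User] = USERS) -> dict[str, list[str]]:
    """Return what each design exposes to someone who merely signed up with this address."""
    viewer = next(u for u in users if u.email == viewer_email)
    return {
        "blocklist": sorted(u.name for u in directory_blocklist(viewer, users)),
        "verified": sorted(u.name for u in directory_verified(viewer, users)),
    }


if __name__ == "__main__":
    for email in ("carol@smallmail.example", "erin@gmail.com", "alice@acme-corp.example"):
        print(email, leaked_names(email))
```

Carol, who signed up with a small mail provider nobody has reported yet, sees Dave under the blocklist design and nobody under the verified-domain design; Alice, whose employer verified its domain, sees Bob under both. The difference is exactly the one the post complains about: with a blocklist the default is exposure and every unreported provider is a leak waiting to be found, whereas with verification the default is privacy and nothing is grouped until an organisation asks for it.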
April 4, 2020: Zoom admits some calls were routed through China by mistake
Growing so fast, Zoom forgot to check what datacenters are used to balance the load. But, it’s not like Zoom is in the habit of making mistakes that endanger people’s privacy…
Even more interesting from the same article is the reference to encryption, as pointed out by Citizen Lab:
But some questions remain. [Zoom] only briefly addresses its encryption design. Citizen Lab criticized the company for “rolling its own” encryption — otherwise known as building its own encryption scheme. Experts have long rejected efforts by companies to build their own encryption, because it doesn’t undergo the same scrutiny and peer review as the decades-old encryption standards we all use today.
Zoom certainly does seem like a company on top of things and working proactively with risk mitigation… 😬 Still waiting on that transparency report of course.
“Zoom is a company which is listed in the US on the NASDAQ, but the software appears to be developed by three companies in China, all known as Ruanshi Software, only two of which are owned by Zoom. The ownership of the third company, also known as American Cloud Video Software Technology, is unknown.
As it stands, 700 employees are currently in China, which is not unusual as it can save on salaries in comparison to the US, though it does open up the firm to pressure and influence from the Chinese Government. This is not a position which will make US authorities comfortable.”
With the current friction between China and the US, these links will likely come to play an increasingly important role.
September 2, 2020: Hong Kong’s richest man – Li Ka-Shing – holds an $11 billion stake in Zoom that makes up one-third of his total wealth
After Zoom reported a 355% jump in revenue for the second quarter on Tuesday, Li’s stake gained $3.2 billion in just one day. He is now worth $32.6 billion. His venture investment firm Horizon was also an early backer of Facebook, Spotify, Apple’s digital assistant Siri, and plant-based meat manufacturer Impossible Foods.
I added this as I always find it interesting to follow the money when trying to understand who controls companies and benefits from their activities.
How Zoom fixes problems
For me it’s not only about fixing problems as they appear, but also how you fix them. There is no small amount of evidence that Zoom has issues that it has tried to downplay, and that it has appeared equally surprised(!) each and every time it has been caught out.
Here’s how CEO Eric Yuan responds to a question from the Washington Post:
WP: There’s been a slew of reports about zoombombing — someone trolling an Alcoholics Anonymous meeting or taking their pants down during a company conference call. Did you ever anticipate when you were building Zoom that it would be abused in this way?
Eric Yuan: No. It doesn’t make any sense. Maybe it’s driven by all the online classes suddenly. It’s a wake-up call. We need to have a preconfigured package just for online school.
It. Doesn’t. Make. Any. Sense? It’s the inability to foresee abuse on platforms used for communication between people, and the guesswork in the face of it, that perhaps bothers me the most. Why, for example, would schools be singled out as needing a separate package to prevent abuse? Surely most tech workers are aware that abuse happens in all types of social platforms where adults convene.
Supporting Zoom means for me supporting what has been uncovered over the past year as malpractice, deception and continuous reactive fixes rather than proactive, reasoned measures. Being a global player means that users engaging with them are more at risk. I suppose I expect more. It’s now been almost three months since they promised to publish a transparency report.
Using Zoom carefully
Sometimes you do have to “hop on a Zoom call”. Me as well. Here’s my quick list of precautions.
- Don’t download the software.
- This means: Only use the web based version of Zoom. This is often referred to as Join from web browser.
- Also: use a separate browser for logged-in sessions. This is generally good sense: surf without being logged in in one browser, and use another browser when you log in to different sites and services. I personally use Brave for being logged in, and as a Chromium-based browser it tends to work with most online meeting platforms, including Zoom.
If you are the person inviting, you can encourage browser use by adding a Join from web browser link to the meeting. Note: you can always join from the browser even if this link isn’t enabled, but you may have to cancel opening the client first.
Other services I use
I mostly have to abide by the platforms my clients are set up with, which currently means a lot of Microsoft Teams. But when I am in control there are mainly two platforms I move between:
- Samba Live. I use it for teaching and running workshops. Has a lot of the Zoom functionality with breakout rooms and more. Based in Spain.
- Whereby. I use it for quick meetings with fewer people. All users get a unique url to their room which they can lock and unlock at will. Based in Norway.
- Jitsi. A set of open-source projects that allows you to easily build and deploy secure videoconferencing solutions. Also offers meet.jit.si, where anyone can host a Jitsi Meet instance, totally free and without creating an account. Great for breakout rooms when your platform doesn’t easily let you set that up, or for letting students collaborate in their own time. Work on Jitsi (then SIP Communicator) started in 2003 in the context of a student project by Emil Ivov at the University of Strasbourg. The name ‘Jitsi’ comes from the Bulgarian “жици” (wires). Jitsi is fully funded by 8×8.
If you want to know more about my tips and tricks and tools for teaching online, I’ve set up this site: Teaching Online.