Zoom privacy concerns in the spotlight

While many businesses are suffering during the global COVID-19 pandemic, one has benefitted immensely: Zoom. As countries across the world have implemented measures to confine people to their homes, the videoconferencing app has become a popular way for families, friends and colleagues to communicate. But as it is invited into more people's homes and used to facilitate high-profile government meetings, several privacy experts have raised concerns over the safety of the app.

Zoom has been a popular app for several years, offering more competitive pricing and faster and higher quality streams than several of its rivals, alongside ease of use and fun products like virtual backgrounds. It was launched in 2013 by Eric Yuan, a former lead engineer for the videoconferencing software WebEx, which was later sold to Cisco.

The coronavirus outbreak has graduated Zoom from a business platform to a consumer one. It is being used by schools to teach virtual lessons, by DJs to livestream sets, by doctors to conduct 'telehealth' consultations, and as a socialising tool for friends. Mobile app tracking firm Apptopia reports that the Zoom app was downloaded 2.4 million times on Wednesday (March 25)—up from 56,000 global downloads in January. Zoom’s shares are up more than 100% since the beginning of the year.

But its recent use within governments has brought safety concerns to the surface. The UK's Ministry of Defence told the BBC on Friday (March 27) that it found no reason not to use Zoom for conversations "below a certain classification", such as cross-government chats, but that it had never been used for high-security meetings. It clarified its stance after UK Prime Minister Boris Johnson shared a photo of Thursday's (March 26) G20 'summit' that was held over video conference. However, the video summit was not held over Zoom, but a rival video conferencing tool.

In parallel to this, a Motherboard investigation found that the iOS version of the Zoom app was sending to Facebook information such as when a user opened the app, their timezone, city, and device details, without explicity asking users for consent to do so. One day after Motherboard published the results of its analysis, Zoom issued an update saying it had removed the Facebook code after it was "made aware that the Facebook SDK was collecting unnecessary device data".

Zoom made some clarifying updates to its privacy policy on Sunday (March 29) to make it "more clear, explicit, and transparent", in response to concerns raised by the community regarding its privacy policy.

“Zoom takes its users’ privacy extremely seriously," a spokesperson said in a statement. "Zoom collects only the data from individuals using the Zoom platform required to provide the service and ensure it is delivered effectively under a wide variety of settings in which our users may be operating. This data includes basic technical information, such as the user’s IP address, OS details, and device details. Zoom has implemented safeguards to protect our users’ privacy, which includes robust and validated controls to prevent unauthorized access to any content that users share during meetings, including – but not limited to – the video, audio, and chat content of those meetings. Importantly, Zoom does not mine user data or sell user data of any kind to anyone.”

The video conferencing app has grappled with several security issues over the years. Last year, security researcher Jonathan Leitschuh uncovered a critical vulnerability that allowed attackers to gain access to users’ webcams on Macs with the Zoom client installed. Zoom fixed the vulnerability, but was criticised for taking several months to do so.

In January, Check Point published research which found that hackers could guess Zoom Meeting IDs, enabling them to listen in on meetings that were not password protected. Zoom has since put in place measures to address this.