NPI's Cascadia Advocate

Offering commentary and analysis from Washington, Oregon, and Idaho, The Cascadia Advocate is the Northwest Progressive Institute's unconventional perspective on world, national, and local politics.

Monday, April 6th, 2020

Zoom Video Conferencing is a privacy and security nightmare. Maybe soon, it won’t be.

As recent­ly as a few weeks ago, it was­n’t hard to find some­one who had nev­er heard of Zoom Video Com­mu­ni­ca­tions (ZM), the web con­fer­enc­ing focused com­pa­ny found­ed in 2011 by for­mer Cis­co Webex engi­neer Eric Yuan.

Although Zoom has been build­ing a loy­al user base for years, and went pub­lic on the NASDAQ about a year ago with its ini­tial pub­lic offer­ing (IPO), it only became tru­ly ubiq­ui­tous with the advent of the nov­el coro­n­avirus pan­dem­ic.

Sud­den­ly, every­one was on Zoom. In one day alone last month, it was down­loaded 343,000 times. It’s been used for class­es, group meet­ings, doc­tor’s appoint­ments, birth­day par­ties, vir­tu­al fam­i­ly reunions, and every oth­er kind of gath­er­ing you can think of in addi­tion to work­place meet­ings and pre­sen­ta­tions. The com­pa­ny’s explo­sive growth has put it in the spot­light.

Over the past few weeks, jour­nal­ists and secu­ri­ty researchers have been sub­ject­ing the com­pa­ny and its ser­vice to increas­ing scruti­ny. They have col­lec­tive­ly demon­strat­ed that Zoom is a pri­va­cy and secu­ri­ty night­mare.

It turns out that Zoom’s encryp­tion is fake, the com­pa­ny’s long­stand­ing meet­ing defaults jeop­ar­dize user pri­va­cy, and the code in their apps has vul­ner­a­bil­i­ties.

And if that weren’t bad enough, Zoom has been send­ing users’ data to social media com­pa­nies for no defen­si­ble rea­son. Sur­veil­lance cap­i­tal­ism at its finest.

Let’s round up the many prob­lems that secu­ri­ty researchers and jour­nal­ists have doc­u­ment­ed with Zoom, shall we?

Zoom’s encryption is fake

Zoom claims to offer end-to-end encryp­tion, but it turns out that it does­n’t.

Here’s Bill Mar­czak and John Scott-Rail­ton of The Cit­i­zen Lab:

Unfor­tu­nate­ly for those hop­ing for pri­va­cy, the imple­men­ta­tion of call secu­ri­ty in Zoom may not match its excep­tion­al usabil­i­ty. We deter­mined that the Zoom app uses non-indus­try-stan­dard cryp­to­graph­ic tech­niques with iden­ti­fi­able weak­ness­es. In addi­tion, dur­ing mul­ti­ple test calls in North Amer­i­ca, we observed keys for encrypt­ing and decrypt­ing meet­ings trans­mit­ted to servers in Bei­jing, Chi­na.

An app with eas­i­ly-iden­ti­fi­able lim­i­ta­tions in cryp­tog­ra­phy, secu­ri­ty issues, and off­shore servers locat­ed in Chi­na which han­dle meet­ing keys presents a clear tar­get to rea­son­ably well-resourced nation state attack­ers, includ­ing the People’s Repub­lic of Chi­na.

Yikes!

Bill and John’s thor­ough­ly researched and impec­ca­bly doc­u­ment­ed report proves that Zoom does not actu­al­ly imple­ment end-to-end encryp­tion. It is thus whol­ly unsuit­able for any group that desires to avoid being spied on. Eaves­drop­ping on Zoom meet­ings is prob­a­bly triv­ial for intel­li­gence out­fits like the Unit­ed States’ Nation­al Secu­ri­ty Agency giv­en Zoom’s lack of real encryp­tion.

The Inter­cept also pub­lished a report on this same sub­ject.

Zoom doesn’t properly protect users’ contact information

Moth­er­board found out that Zoom isn’t safe­guard­ing the con­tact infor­ma­tion of peo­ple who sign up with non-work email address­es. Joseph Cox explains:

Pop­u­lar video-con­fer­enc­ing Zoom is leak­ing per­son­al infor­ma­tion of at least thou­sands of users, includ­ing their email address and pho­to, and giv­ing strangers the abil­i­ty to attempt to start a video call with them through Zoom.

The issue lies in Zoom’s “Com­pa­ny Direc­to­ry” set­ting, which auto­mat­i­cal­ly adds oth­er peo­ple to a user’s lists of con­tacts if they signed up with an email address that shares the same domain. This can make it eas­i­er to find a spe­cif­ic col­league to call when the domain belongs to an indi­vid­ual com­pa­ny.

But mul­ti­ple Zoom users say they signed up with per­son­al email address­es, and Zoom pooled them togeth­er with thou­sands of oth­er peo­ple as if they all worked for the same com­pa­ny, expos­ing their per­son­al infor­ma­tion to one anoth­er.

This is an exam­ple of bad defaults and set­tings. Zoom was orig­i­nal­ly built for enter­prise and cor­po­rate video­con­fer­enc­ing, and in those con­texts, shar­ing by default isn’t a bad thing. But the com­pa­ny has known for some time now that its plat­form was being used for much more than enter­prise col­lab­o­ra­tion, and it did­n’t tight­en up its set­tings to pro­tect users’ pri­va­cy.

Zoom has been covertly sharing its users’ data externally

Moth­er­board also found out that Zoom’s iOS app was send­ing troves of user data to Face­book with­out its users’ knowl­edge or con­sent. Here’s Joseph Cox again:

As peo­ple work and social­ize from home, video con­fer­enc­ing soft­ware Zoom has explod­ed in pop­u­lar­i­ty.

What the com­pa­ny and its pri­va­cy pol­i­cy don’t make clear is that the iOS ver­sion of the Zoom app is send­ing some ana­lyt­ics data to Face­book, even if Zoom users don’t have a Face­book account, accord­ing to a Moth­er­board analy­sis of the app.

This sort of data trans­fer is not uncom­mon, espe­cial­ly for Face­book; plen­ty of apps use Face­book’s soft­ware devel­op­ment kits (SDK) as a means to imple­ment fea­tures into their apps more eas­i­ly, which also has the effect of send­ing infor­ma­tion to Face­book. But Zoom users may not be aware it is hap­pen­ing, nor under­stand that when they use one prod­uct, they may be pro­vid­ing data to anoth­er ser­vice alto­geth­er.

“That’s shock­ing. There is noth­ing in the pri­va­cy pol­i­cy that address­es that,” Pat Wal­she, an activist from Pri­va­cy Mat­ters who has ana­lyzed Zoom’s pri­va­cy pol­i­cy, said in a Twit­ter direct mes­sage.

After the above arti­cle was pub­lished, Zoom removed the code from its iOS app that was feed­ing data to sur­veil­lance cap­i­tal­ism con­glom­er­ate Face­book.

Dis­grun­tled Zoom users wast­ed lit­tle time in fil­ing a class action law­suit.

And, with­in hours, The New York Times had pub­lished an arti­cle detail­ing how a Zoom inte­gra­tion with Microsoft-owned LinkedIn (which match­es Zoom user accounts to LinkedIn pro­files) could be uneth­i­cal­ly used for data min­ing pur­pos­es, unbe­knownst to peo­ple par­tic­i­pat­ing in meet­ings.

For Amer­i­cans shel­ter­ing at home dur­ing the coro­n­avirus pan­dem­ic, the Zoom video­con­fer­enc­ing plat­form has become a life­line, enabling mil­lions of peo­ple to eas­i­ly keep in touch with fam­i­ly mem­bers, friends, stu­dents, teach­ers and work col­leagues.

But what many peo­ple may not know is that, until Thurs­day, a data-min­ing fea­ture on Zoom allowed some par­tic­i­pants to sur­rep­ti­tious­ly have access to LinkedIn pro­file data about oth­er users — with­out Zoom ask­ing for their per­mis­sion dur­ing the meet­ing or even noti­fy­ing them that some­one else was snoop­ing on them.

The undis­closed data min­ing adds to grow­ing con­cerns about Zoom’s busi­ness prac­tices at a moment when pub­lic schools, health providers, employ­ers, fit­ness train­ers, prime min­is­ters and queer dance par­ties are embrac­ing the plat­form.

An analy­sis by The New York Times found that when peo­ple signed in to a meet­ing, Zoom’s soft­ware auto­mat­i­cal­ly sent their names and email address­es to a com­pa­ny sys­tem it used to match them with their LinkedIn pro­files.

Again Zoom was forced to respond. The com­pa­ny prompt­ly dis­abled the inte­gra­tion with LinkedIn Sales Nav­i­ga­tor and offered an apol­o­gy.

Zoom’s old privacy policy allowed monetization

In the same vein, Con­sumer Reports took a look at Zoom’s pri­va­cy pol­i­cy and con­clud­ed it had been writ­ten to allow the com­pa­ny to tar­get users with adver­tis­ing based on analy­sis of the con­tent of their meet­ing videos.

Zoom’s pri­va­cy pol­i­cy allowed the com­pa­ny to col­lect infor­ma­tion from users’ meet­ings — from videos to tran­scripts to the notes you might have shared through Zoom’s chat fea­ture.

The pri­va­cy pol­i­cy did­n’t pre­vent Zoom from using that per­son­al infor­ma­tion for tar­get­ing ads on or off the plat­form, or for oth­er busi­ness pur­pos­es.

After Con­sumer Reports pub­lished its find­ings, Zoom updat­ed its pol­i­cy. The com­pa­ny says the new pri­va­cy pol­i­cy aligns with its actu­al prac­tices.

Zoom’s apps make your computer less safe

Last year, a secu­ri­ty researcher dis­cov­ered a big vul­ner­a­bil­i­ty in Zoom’s macOS app that left Zoom users shocked (and jus­ti­fi­ably so). Here’s Jonathan Leitschuh:

A vul­ner­a­bil­i­ty in the Mac Zoom Client allows any mali­cious web­site to enable your cam­era with­out your per­mis­sion. The flaw poten­tial­ly expos­es up to 750,000 com­pa­nies around the world that use Zoom to con­duct day-to-day busi­ness.

This vul­ner­a­bil­i­ty allows any web­site to forcibly join a user to a Zoom call, with their video cam­era acti­vat­ed, with­out the user’s per­mis­sion.

On top of this, this vul­ner­a­bil­i­ty would have allowed any web­page to DOS (Denial of Ser­vice) a Mac by repeat­ed­ly join­ing a user to an invalid call.

Addi­tion­al­ly, if you’ve ever installed the Zoom client and then unin­stalled it, you still have a local­host web serv­er on your machine that will hap­pi­ly re-install the Zoom client for you, with­out requir­ing any user inter­ac­tion on your behalf besides vis­it­ing a web­page. This re-install ‘fea­ture’ con­tin­ues to work to this day.

The vul­ner­a­bil­i­ty was so egre­gious that Apple actu­al­ly pushed out a silent soft­ware update to remove the web serv­er that Zoom’s app had been qui­et­ly installing on peo­ple’s Macs with­out their knowl­edge.

Leitschuh turned down a bug boun­ty from Zoom Video Com­mu­ni­ca­tions in order to avoid sign­ing a nondis­clo­sure agree­ment (NDA) that would have pre­vent­ed him from telling the world about what Zoom had done.

More recent­ly, anoth­er secu­ri­ty researcher — Felix Seele of VMRay — doc­u­ment­ed how Zoom’s installer mim­ics mal­ware in order to reduce the amount of user inter­ven­tion required to install it. His blog post attract­ed the atten­tion of Zoom’s founder and CEO Eric Yuan, who con­ced­ed that well, gosh, maybe Zoom’s app should­n’t behave that way. It also caught the atten­tion of many jour­nal­ists.

What about Win­dows users?

Zoom put them at risk, too.

Wang Wei:

Accord­ing to cyber­se­cu­ri­ty expert @_g0dmode, the Zoom video con­fer­enc­ing soft­ware for Win­dows is vul­ner­a­ble to a clas­sic ‘UNC path injec­tion’ vul­ner­a­bil­i­ty that could allow remote attack­ers to steal vic­tims’ Win­dows login cre­den­tials and even exe­cute arbi­trary com­mands on their sys­tems.

Such attacks are pos­si­ble because Zoom for Win­dows sup­ports remote UNC paths that con­vert poten­tial­ly inse­cure URIs into hyper­links when received via chat mes­sages to a recip­i­ent in a per­son­al or group chat.

Bleep­ing Com­put­er has more.

Zoom’s defaults make “Zoombombing” disturbingly easy

Zoom was orig­i­nal­ly con­ceived as a work­place col­lab­o­ra­tion tool, not as a uni­ver­sal elec­tron­ic meet­ing venue for fam­i­lies, com­mu­ni­ty groups, advo­ca­cy orga­ni­za­tions, or health­care providers. The com­pa­ny has his­tor­i­cal­ly pri­va­tized ease-of-use above all else. That has left Zoom users — par­tic­u­lar­ly those new to the plat­form — in a very vul­ner­a­ble posi­tion.

As you may have already heard or read, Zoom’s meet­ing defaults make it pret­ty easy to barge into a meet­ing and begin caus­ing may­hem.

Zoom meet­ing IDs can be guessed, which means meet­ings can be crashed even if hosts take great care not to pub­licly adver­tise an e‑gathering.

And, of course, meet­ings that are pub­licly adver­tised are triv­ial to dis­rupt.

Groups of imma­ture mis­chief mak­ers have even formed on social media plat­forms and mes­sage boards for the explic­it pur­pose of derail­ing Zoom meet­ings.

A com­mon “Zoom­bomb­ing” tech­nique involves enter­ing a meet­ing and using the screen-shar­ing func­tion­al­i­ty (which can be restrict­ed to hosts, but often isn’t) to share porno­graph­ic, sex­u­al­ly explic­it images and videos.

Expe­ri­enced “Zoom­bombers” know how to reen­ter meet­ings after being kicked off so that they can con­tin­ue to cause may­hem — at least, until the host decides to end the meet­ing after hav­ing lost con­trol of it.

Tools have also been devel­oped to allow peo­ple up to no good to find meet­ings to crash with­out much effort. Bri­an Krebs wrote about one such tool.

“Zoom­bomb­ing” is not good clean fun, as some juve­nile Inter­net trolls appear to believe. Law enforce­ment offi­cials have begun to speak out and warn that those who dis­rupt Zoom meet­ings could face crim­i­nal pros­e­cu­tion.

Giv­en that Zoom is nei­ther pri­vate or secure, peo­ple engag­ing in “Zoom­bomb­ing” could eas­i­ly find them­selves on the wrong end of the law.

“Zoom­bomb­ing” is large­ly pre­ventable, but not using Zoom’s old default set­tings.

Zoom’s response to all of this

To address reports of “Zoom­bomb­ing”, the com­pa­ny ini­tial­ly pub­lished a guide for its users so they could learn how to change their account and meet­ing set­tings to pro­tect them­selves, their fam­i­ly, friends, stu­dents, and col­leagues.

When that proved to be insuf­fi­cient, Zoom began invert­ing some of its defaults so that hosts would­n’t have to make those changes them­selves.

“On April 4th, 2020, Zoom will enable the Wait­ing Room fea­ture and require addi­tion­al pass­word set­tings for all Basic users on free accounts and accounts with a sin­gle licensed user, includ­ing K‑12 edu­ca­tion accounts who have the forty-minute lim­it tem­porar­i­ly waived. The new pass­word require­ments apply to both meet­ings and webi­na­rs,” the com­pa­ny announced last week.

It is not lost on Zoom’s exec­u­tives that good­will is a valu­able, intan­gi­ble asset, and they’re los­ing it fast. Many com­pa­nies and pub­lic agen­cies have already banned Zoom’s use, includ­ing the Unit­ed King­dom’s Min­istry of Defence, SpaceX, NASA, New York City Depart­ment of Edu­ca­tion, and Clark Coun­ty Schools.

Zoom CEO Eric Yuan is pledg­ing to do bet­ter. In an April 2nd blog post, he detailed how the com­pa­ny has scram­bled to respond to all the pri­va­cy and secu­ri­ty issues that researchers and jour­nal­ists have exposed in its plat­form.

He also promised that Zoom would become more secure and pri­vate.

Over the next nine­ty days, we are com­mit­ted to ded­i­cat­ing the resources need­ed to bet­ter iden­ti­fy, address, and fix issues proac­tive­ly. We are also com­mit­ted to being trans­par­ent through­out this process. We want to do what it takes to main­tain your trust.

This includes:

  • Enact­ing a fea­ture freeze, effec­tive­ly imme­di­ate­ly, and shift­ing all our engi­neer­ing resources to focus on our biggest trust, safe­ty, and pri­va­cy issues.
  • Con­duct­ing a com­pre­hen­sive review with third-par­ty experts and rep­re­sen­ta­tive users to under­stand and ensure the secu­ri­ty of all of our new con­sumer use cas­es.
  • Prepar­ing a trans­paren­cy report that details infor­ma­tion relat­ed to requests for data, records, or con­tent.
  • Enhanc­ing our cur­rent bug boun­ty pro­gram.
  • Launch­ing a CISO coun­cil in part­ner­ship with lead­ing CISOs from across the indus­try to facil­i­tate an ongo­ing dia­logue regard­ing secu­ri­ty and pri­va­cy best prac­tices.
  • Engag­ing a series of simul­ta­ne­ous white box pen­e­tra­tion tests to fur­ther iden­ti­fy and address issues.
  • Start­ing next week, I will host a week­ly webi­nar on Wednes­days at 10 AM Pacif­ic Time to pro­vide pri­va­cy and secu­ri­ty updates to our com­mu­ni­ty.

This seems like a good start.

But Zoom can and should do more.

Our friends at Fight For The Future have begun a cam­paign call­ing on Zoom to imple­ment true end-to-end encryp­tion so that its users can enjoy the pri­va­cy that Zoom has been false­ly claim­ing to offer all this time. Said Evan Greer:

We don’t need Zoom’s apolo­gies. We need them to actu­al­ly imple­ment the type of secu­ri­ty mea­sures need­ed to keep peo­ple safe. They’ve said that they are piv­ot­ing to focus on user pri­va­cy and secu­ri­ty, and I want to believe them. It’s time for them to take their pre­vi­ous­ly mis­lead­ing claims and make them true.

Zoom imple­ment­ing end-to-end encryp­tion by default is per­haps the sin­gle biggest thing that any com­pa­ny could do right now to pro­tect people’s online safe­ty dur­ing the COVID-19 cri­sis.

I hope the engi­neers who work there real­ize the pow­er that they have and the impor­tance of the deci­sions they make over the next sev­er­al weeks. Strong encryp­tion saves lives.

It’s need­ed now more than ever. Zoom has a chance to lead the way. I hope, for the sake of the chil­dren using this for school, the ther­a­pists using this to treat patients, the health offi­cials using this to share con­fi­den­tial infor­ma­tion, that they do the right thing.

We agree. Zoom is wide­ly used (includ­ing by our staff and board at NPI) in large part because it “just works”. Unlike com­peti­tors, Zoom offers apps for users on GNU/Linux desk­tops and lap­tops run­ning Ubun­tu or oth­er dis­tri­b­u­tions. Even its Black­Ber­ry 10 app still works, allow­ing peo­ple who refuse to give up their Black­Ber­rys (like me) to use Zoom with­out hav­ing to switch to anoth­er device.

Zoom’s video qual­i­ty, app inter­face, and advanced screen shar­ing and audi­ence inter­ac­tion capa­bil­i­ties are also part of the ser­vice’s appeal.

But Zoom’s pri­va­cy and secu­ri­ty track record is more than unset­tling. It’s alarm­ing. The com­pa­ny has dug itself into a deep hole by mak­ing a lot of bad prod­uct design deci­sions and mak­ing decep­tive mar­ket­ing claims.

It now needs to piv­ot towards being a pri­va­cy and secu­ri­ty ori­ent­ed ser­vice. The com­pa­ny already has mil­lions of peo­ple and firms signed up as pay­ing sub­scribers to its pro plans, so it has a means of gen­er­at­ing rev­enue that does­n’t depend on sur­veil­lance cap­i­tal­ism (where the users are the prod­uct).

It appears that Zoom is head­ing down the right path. That’s encour­ag­ing. But actions speak loud­er than words. The proof will be in the pud­ding. Zoom needs to deliv­er for its users, and soon. It needs to go beyond the steps announced by its CEO. More meet­ing defaults and shar­ing set­tings need to be changed, par­tic­u­lar­ly for accounts on Zoom’s free tier, which are less like­ly to be enter­prise users.

And most impor­tant­ly of all, Zoom needs to deliv­er real end-to-end encryp­tion for its users. That might require some hard work on Zoom’s part.

But it will be worth it. The com­pa­ny must enlist the help of lead­ing secu­ri­ty researchers and tech­nol­o­gists to get the job done. If it can do that, then it will be able to win back a lot of the trust that it has jeop­ar­dized or squan­dered.

Adjacent posts

  • Enjoyed what you just read? Make a donation


    Thank you for read­ing The Cas­ca­dia Advo­cate, the North­west Pro­gres­sive Insti­tute’s jour­nal of world, nation­al, and local pol­i­tics.

    Found­ed in March of 2004, The Cas­ca­dia Advo­cate has been help­ing peo­ple through­out the Pacif­ic North­west and beyond make sense of cur­rent events with rig­or­ous analy­sis and thought-pro­vok­ing com­men­tary for more than fif­teen years. The Cas­ca­dia Advo­cate is fund­ed by read­ers like you and trust­ed spon­sors. We don’t run ads or pub­lish con­tent in exchange for mon­ey.

    Help us keep The Cas­ca­dia Advo­cate edi­to­ri­al­ly inde­pen­dent and freely avail­able to all by becom­ing a mem­ber of the North­west Pro­gres­sive Insti­tute today. Or make a dona­tion to sus­tain our essen­tial research and advo­ca­cy jour­nal­ism.

    Your con­tri­bu­tion will allow us to con­tin­ue bring­ing you fea­tures like Last Week In Con­gress, live cov­er­age of events like Net­roots Nation or the Demo­c­ra­t­ic Nation­al Con­ven­tion, and reviews of books and doc­u­men­tary films.

    Become an NPI mem­ber Make a one-time dona­tion

One Comment

  1. Pri­va­cy is the most impor­tant thing for our data. While using Zoom or oth­er video call­ing app we have to care about our data pri­va­cy. After read­ing this post, I now know what to be mind­ful of when using Zoom. Thank you for shar­ing!

    # by Maria Baeza :: April 8th, 2020 at 7:50 PM