Misleading encryption claims, misuse of personal data, ‘zoombombing’ complaints prompt public apology from CEO after millions flock to video-conferencing service during lockdown
Sameer Desai
Zoom CEO Eric Yuan made a public apology on Wednesday, acknowledging multiple reports of security lapses and privacy loopholes in the video-conferencing app that has seen its use nearly quadruple since the outbreak of the new coronavirus as more people work from home.
In a YouTube stream that ran for over two hours, Yuan acknowledged user concerns and alarms raised by cybersecurity experts. Chief among these was a report by Citizen Lab, which found that encryption keys for Zoom calls were stored on a server in China even when neither of the participants was located there. “To be clear, this should never have happened,” Yuan said, adding that this issue had been addressed last week.
Zoom has also marketed itself as an end-to-end encrypted platform — meaning no one would be able to view or gain access to contents of a video meeting — but the company later admitted to The Intercept that this is not really the case. “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP,” a company spokesperson said. This essentially means that a user’s connection to Zoom servers is encrypted, but the video and audio content would still be accessible to the company.
A commonly reported nuisance is ‘zoombombing’, when uninvited users join a Zoom meeting, often airing offensive comments. Security researchers were also able to develop an automated tool that could find up to 2,400 Zoom meeting IDs in a day — around 100 per hour. In the US, the Federal Bureau of Investigation (FBI) has now said that it will prosecute individuals who engage in acts like zoombombing, which has also become a concern in other video-conferencing services.
Zoom issued several security updates to combat zoombombing, including the ability for the host to lock meetings to new entrants and to remove participants, and hiding the meeting ID from the title bar, so that screenshots shared publicly would not reveal the ID.
According to JPMorgan analyst Sterling Auty, citing third-party data, Zoom’s use has jumped by more than 300 per cent since coronavirus lockdowns saw people around the world turning to video conferencing solutions like Zoom, Google Meet, Microsoft Teams and Houseparty for work and for communicating with friends and family. Zoom is currently the most-downloaded iPhone app in India. On Android, it is second only to Aarogya Setu, the government’s Covid-19 contact-tracing app.
“Clearly we have a lot of work to do to ensure the security of all these new consumer use cases,” Yuan said during his stream. “But what I can promise you is that we take these issues very, very seriously. We’re looking into each and every one of them. If we find an issue, we’ll acknowledge it and we’ll fix it.”
Zoom has said it is putting a 90-day freeze on adding any new features, focussing this time on fixing the service’s many security and privacy issues. It also announced it is bringing in Facebook’s former head of security Alex Stamos to help steady the ship.
In light of these numerous security and privacy loopholes, BuzzFeed News reported on Wednesday that Google has banned the use of Zoom within the company. The search giant told employees in an email that if they had Zoom installed on their company-provided devices, the service would no longer be accessible. Google also offers its own teleconferencing solution and Zoom rival, called Mee