Zoom privacy debacle shows the danger of our reliance on Big Tech during coronavirus lockdown

4 Apr, 2020 21:32 / Updated 5 years ago

Security vulnerabilities with video conferencing app Zoom have revealed the danger of putting blind faith in Big Tech’s coronavirus solutions. Zoom was riddled with privacy issues for years, and its competitors aren’t much better.

With more than half of humanity under some form of lockdown, those lucky enough to keep their jobs have got to grips with video conferencing apps, with Zoom the most popular. According to Zoom CEO Eric Yuan, the app had 200 million daily users in March, up from 10 million just three months earlier.

However, it didn’t take long for problems to emerge.

First, “zoom-bombers” discovered public video chats and jumped in, hijacking them with porn and racial slurs. In one case, swastika-tattooed scoundrels interrupted a classroom session to spout profanities, prompting the FBI to issue a warning.

Passwords keep the Zoom-bombers out, but even savvy users aren’t safe. According to a Friday report by the Washington Post, thousands of recorded meetings and calls have been exposed online. The paper claimed to have seen people’s names and phone numbers, financial statements, and children's personal details – as well as “deeply intimate conversations” and nudity. 

These recordings weren’t exposed on Zoom’s own cloud storage service. Rather, users who saved the recordings before uploading them to other, unsecured storage sites were vulnerable, because Zoom names every such video the same way. As such, anyone with the right search tools could scour the internet for files named, for example, ‘Zoom_1’ and find a trove of recordings.

Zoom markets itself on accessibility, and does not assign these recordings a randomized name, nor does it prompt users to rename their recordings manually. For a secure experience on Zoom, users literally have to consult online guides.

The Post’s report caused waves online, and on the same day it was published, 19 Democratic lawmakers sent Yuan a letter asking the CEO to clarify the app’s data collection and sharing policies.

But the report should not come as a shock. Casual users can be expected to gloss over an app’s privacy policy and accidentally leave their recordings exposed, but employers and educators who rushed to Zoom overlooked some well-known privacy issues.

Last year, a vulnerability was discovered whereby hackers could use Zoom to trick users into sharing their video feed. Malicious actors aside, Zoom’s own privacy policy explicitly states that it shares user data with third parties. That data includes automatically generated call transcripts, "the content contained in cloud recordings, and instant messages, files, whiteboards... shared while using the service."

As of last Sunday, Zoom updated its privacy policy to state: “We do not sell your personal data.” Prior to the update, the same policy literally read “depends what you mean by ‘sell.’”

Then there were the issues that were unmentioned. Despite describing calls as “encrypted,” Zoom did not actually feature end-to-end encryption. A blog post by the company on Friday semi-admitted to this error. Furthermore, despite no mention of the practice in Zoom’s privacy policy, the iOS app sends data to Facebook, even if users don’t have a Facebook account.

In Friday’s blog post, Zoom vowed to address these issues. But those looking for alternatives to the app have a mixed bag to choose from. Skype and Google Hangouts, as well as up-and-coming apps like Jitsi and Houseparty, aren’t end-to-end encrypted, and Apple’s FaceTime has its own history of privacy snafus.

On the flip side, apps that market themselves on security, like Signal, lack the ease of use and functionality of Zoom, a sticking point for companies adjusting to remote work.

Privacy issues weren’t quite as big a deal when teleworking was an option, and when colleagues wanting secrecy could duck into a conference room instead of booting up their computers from home. But amid a raging pandemic, these issues are being pushed to the forefront. 

Congress has, in appearance at least, sided with the user. In addition to the letter sent to Yuan by the House Democrats on Friday, a group of Democratic senators grilled Apple on the data collection policy of its new coronavirus screening app and website, and sent questions to the Alphabet company about its own Covid-19 screening program. However, previous efforts by Congress to hold Facebook and Google accountable were half-hearted at best.

Moreover, think tanks and scientists have lobbied Washington to enlist tech companies to develop surveillance tools to fight the pandemic. Should the situation in the US – where more than 300,000 are infected and over 8,000 dead – worsen significantly, Washington could throw privacy concerns to the wind.
