Zoom, a videoconferencing tool, has been one of the COVID-19 success stories. From 10 million users at the end of 2019, it has already grown to over 300 million daily users, growing by over 50% in April alone.
At the same time, Zoom has fallen victim to its popularity. Its uptake of new users led to fresh security concerns, including that the platform was sending unnecessary data to Facebook and LinkedIn and had falsely claimed the application used end-to-end encryption. There was even a security flaw which left Mac users vulnerable to having webcams and microphones hijacked.
Eric Yuan, who founded Zoom in 2011, said in a YouTube stream on April 8 that the company had now:
- removed code that shared information from its iOS app to Facebook;
- removed a LinkedIn feature which shared unnecessary data;
- clarified its encryption practices;
- released fixes for Mac-related issues.
Zoom also released a 90-day security plan which includes:
- pausing development of new features to focus on safety and privacy;
- conducting a review with independent experts to understand new security features needed;
- preparing a transparency report on data requests;
- developing Zoom’s bug bounty program;
- holding weekly webinars to provide privacy and security updates.
Can I trust Zoom now?
For many government officials, trust has already been broken. The security plan did not stop the Taiwanese government from keeping its ban on Zoom for government business in place after it was revealed that Zoom traffic had previously been “mistakenly” routed through China. The same concerns have led the Indian government to advise its employees not to use the app, and British intelligence and a raft of top companies to do the same.
“Zoombombing”, a new phenomenon where uninvited guests join video conferences, usually shouting abuse or sharing pornography, is also something a security patch cannot fix. In April, Singaporean schools banned the use of Zoom after a series of distressing attacks. Zoom may be booming, but 100 million more users will not be enough to quell the distrust already caused.
However, there are ways to mitigate these concerns: use passwords to protect your meetings and let Zoom generate a random ID for each session; keep your Zoom and operating system software up to date; and, most importantly, do not assume what happens on Zoom stays on Zoom. As vulnerability expert Omri Herscovici points out, Zoom’s feature that allows you to record video calls and export them after the call means these files could find their way into malicious hands. This can be disabled in the participant management window, but other participants could be recording the video call too.
You can follow Zoom’s weekly security plan progress updates on their blog.