Security and Privacy Implications of Zoom

Over the past few weeks, Zoom’s use has exploded since it became the video conferencing platform of choice in today’s COVID-19 world. (My own university, Harvard, uses it for all of its classes. Boris Johnson had a cabinet meeting over Zoom.) Over that same period, the company has been exposed for having both lousy privacy and lousy security. My goal here is to summarize all of the problems and talk about solutions and workarounds.

In general, Zoom’s problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations.

Privacy first: Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.

The company collects a laundry list of data about you, including user name, physical address, email address, phone number, job information, Facebook profile information, computer or phone specs, IP address, and any other information you create or upload. And it uses all of this surveillance data for profit, against your interests.

Last month, Zoom’s privacy policy contained this bit:

Does Zoom sell Personal Data? Depends what you mean by “sell.” We don’t allow marketing companies, or anyone else to access Personal Data in exchange for payment. Except as described above, we don’t allow any third parties to access any Personal Data we collect in the course of providing services to users. We don’t allow third parties to use any Personal Data obtained from us for their own purposes, unless it’s with your consent (e.g. when you download an app from the Marketplace. So in our humble opinion, we don’t think most of our users would see us as selling their information, as that practice is commonly understood.

“Depends what you mean by ‘sell.’” “…most of our users would see us as selling…” “…as that practice is commonly understood.” That paragraph was carefully worded by lawyers to permit them to do pretty much whatever they want with your information while pretending otherwise. Do any of you who “download[ed] an app from the Marketplace” remember consenting to them giving your personal data to third parties? I don’t.

Doc Searls has been all over this, writing about the surprisingly large number of third-party trackers on the Zoom website and its poor privacy practices in general.

On March 29th, Zoom rewrote its privacy policy:

We don’t sell your personal data. Whether you’re a business or a school or an individual user, we don’t sell your data.

[…]

We don’t use data we obtain from your use of our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You have control over your own cookie settings when visiting our marketing websites.

There’s lots more. It’s better than it was, but Zoom still collects a huge amount of data about you. And note that it considers its home pages “marketing websites,” which means it’s still using third-party trackers and surveillance-based advertising. (Actually, Zoom, just stop doing it.)

Now security: Zoom’s security is at best sloppy, and malicious at worst. Motherboard reported that Zoom’s iPhone app was sending user data to Facebook, even if the user didn’t have a Facebook account. Zoom removed the feature, but its response should worry you about its sloppy coding practices in general: