With the spread of COVID-19, many firms, organizations, and universities have adopted work-from-home policies, and more people than ever are using online conferencing tools.
Zoom, one of the platforms that has gained the most popularity recently, has a number of privacy issues, including monitoring computer activity and collecting personal data.
In addition to the privacy concerns, Zoom has also failed to address security issues and vulnerabilities existing on its platform. In 2019, cybersecurity experts tried contacting Zoom to patch some serious issues, but the company did not provide an adequate and timely response, which raises further doubts about the measures it is taking to protect users’ private information.
Privacy Concerns
Zoom offers the “attendee attention tracking” feature, which allows a business owner or any other person with access to this feature to monitor participants’ computers without their consent.
“Hosts can see an indicator in the participant panel of a meeting or webinar if an attendee does not have Zoom Desktop Client or Mobile App in focus for more than 30 seconds,” explains the company in their privacy policy. “‘In focus’ means the user has the Zoom meeting view is open and active.”
Put simply, “attendee attention tracking” works like this: if you are connected to a Zoom call and you move or click away from the Zoom software client, the host or the creator of the Zoom call will automatically be notified after 30 seconds. This means you have 30 seconds to get back to the Zoom interface in order to avoid being listed as “Doing something else while on the call,” even if you are just doing routine meeting tasks. This is a clear breach of the right to privacy and a dangerous step towards digital surveillance.
Because Zoom can track whether or not a user is focusing on the app for more than 30 seconds, it may also be able to track the other applications you are using and collect the usage data. The company’s privacy policy states: “We may also gather some Personal Data from third-party partners. Sometimes, other companies who help us deliver the service (our service providers) and may collect or have access to information on our behalf when you use our Products.”
Privacy issues with Zoom are not new. Last year the Electronic Privacy Information Center (EPIC) filed a complaint with the American Federal Trade Commission over the issues of Zoom’s attendee attention tracking. “Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attacks,” the complaint stated.
Zoom admits in their privacy policy that they collect personal data from and about you. The issue is that, even if they specify the type of data collected, the company confirms that “whether you have a Zoom account or not,” they collect “personal data from or about you when you use or otherwise interact with our products.” Zoom collects a wide range of personally identifiable information, such as your name, physical address, email address, phone number, job title, employer, credit card, device identifiers, and Facebook information if you use your profile to sign in.
Zoom also states that it will keep track of the data gathered directly from you, your devices, or those who communicate with you using Zoom services. The company defines personal data in its privacy policy as “any information that can be used to identify or is reasonably linkable to a specific person.”
Information Security Issues and Vulnerabilities
Zoom also does not have a clear policy concerning security issues, which exposes the privacy of the millions of users already using this application.
According to a report by ProtonMail, an email service well known among privacy advocates, a security consultant discovered last year that Zoom set up a local web server on a user’s Mac device, giving Zoom the ability to bypass security features in the Safari 12 browser on OSX in order to function. This web server was not included or mentioned in Zoom’s official documentation. The Safari security feature asks for user permission before turning on the device’s camera. However, the web server installed by Zoom was not properly secured, which means any website could redirect to or interact with it. This careless decision by Zoom allowed malicious websites to take over camera access without users noticing it. Malicious actors were able to observe users online without the users being aware of it. This issue was patched in a later release (end of July 2019) of the Zoom software.
Although Zoom has removed these remote web servers, Zoom’s disregard and neglectful management of security and privacy concerns for the sake of convenience raise important questions about trust.
This negligence was mentioned by security researcher Bruce Schneier, who said that the vulnerability was originally responsibly disclosed on March 26, 2019, but Zoom only implemented the “quick fix” solution on June 24 after 90 days of waiting, which was also the last day before the public disclosure deadline.
Security Tips and Zoom Alternatives
We recommend that all users read the privacy policy and terms of service before using any communication service.
If you decide you do not want to use Zoom, we recommend these open-source, secure alternatives:
– Jitsi: Free and open-source multiplatform voice (VoIP), videoconferencing, and instant messaging application for the web platform, Windows, Linux, Mac OS X and Android.
– Wire: An encrypted communication and collaboration app available for iOS, Android, Windows, macOS, Linux, and web browsers. Wire offers a collaboration suite featuring messenger, voice calls, video calls, conference calls, file-sharing, and external collaboration, all protected by secure end-to-end encryption.
If you are obliged to use Zoom, we suggest the following tips to protect your data as much as possible:
– Use more than one device during Zoom calls to avoid the attention tracking alert.
– Avoid using Facebook to sign in to prevent Zoom from accessing your Facebook data.
– Update the Zoom app constantly to get the latest security updates.
Ragheb GHANDOUR is a Cybersecurity consultant for an Aviation industry company with a research background in risk and crisis management. He mainly focuses on cybersecurity risks and the rights to online free expression and privacy.
Abed Kataya, Digital Content Manager at SMEX for Digital Rights. He is also a digital safety trainer and freelance journalist with a focus on technology, economy, and entrepreneurship. Follow him on Twitter @kataya_abd.