With the spread of COVID-19, many firms, organizations, and universities have adopted work-from-home policies, and more people than ever are using online conferencing tools.
Zoom, one of the platforms that has gained the most popularity recently, has a number of privacy issues, including monitoring computer activity and collecting personal data.
In addition to the privacy concerns, Zoom has also failed to address security issues and vulnerabilities existing on its platform. In 2019, cybersecurity experts tried contacting Zoom to patch some serious issues, but the company did not provide an adequate and timely response, which raises further doubts about the measures it is taking to protect users’ private information.
Zoom offers the “attendee attention tracking” feature, which allows a business owner or any other person with access to this feature to monitor participants’ computers without their consent.
Put simply, “attendee attention tracking” works like this: if you are connected to a Zoom call and you hover out or click away from Zoom (the software client), the host or creator of the Zoom call will automatically be notified after 30 seconds, meaning you have 30 seconds to get back to the Zoom interface in order to avoid being listed as “Doing something else while on the call,” even if you are just doing routine meeting tasks. This is a clear breach of the right to privacy and a dangerous step towards digital surveillance.
Privacy issues with Zoom are not new. Last year the Electronic Privacy Information Center (EPIC) filed a complaint with the American Federal Trade Commission over the issues of Zoom’s attendee attention tracking. “Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attacks,” the complaint stated.
Information Security Issues and Vulnerabilities
Zoom also does not have a clear policy concerning security issues, which exposes the privacy of millions of users already using this application.
According to a report by ProtonMail, an email service well known among privacy advocates, a security consultant discovered last year that Zoom set up a local web server on a user’s Mac device, giving Zoom the ability to bypass security features in the Safari 12 browser on OSX in order to function. This web server was not included or mentioned within the official documentation of Zoom. The Safari security feature asks for user permission before turning on the device’s camera. However, the web server installed by Zoom was not properly secured, which means any website could redirect to or interact with it. This careless decision by Zoom allowed malicious websites to take over personal camera access without users noticing it. Malicious actors were able to observe users online, even if the users were not aware of it. This issue was patched in a later release (end of July 2019) of the Zoom software.
Although Zoom has removed these remote web servers, Zoom’s disregard and neglectful management of security and privacy concerns for the sake of convenience raise important questions about trust.
This negligence was noted by security researcher Bruce Schneier, who said that the vulnerability was originally responsibly disclosed on March 26, 2019, but Zoom only implemented the “quick fix” solution on June 24 after 90 days of waiting, which was also the last day before the public disclosure deadline.
Security Tips and Zoom Alternatives
If you decide you do not want to use Zoom, we recommend these open-source, secure alternatives:
– Jitsi: Free and open-source multiplatform voice (VoIP), videoconferencing, and instant messaging application for the web platform, Windows, Linux, Mac OS X and Android.
– Wire: An encrypted communication and collaboration app available for iOS, Android, Windows, macOS, Linux, and web browsers. Wire offers a collaboration suite featuring messenger, voice calls, video calls, conference calls, file-sharing, and external collaboration, all protected by secure end-to-end encryption.
If you are obliged to use Zoom, we suggest the following tips to protect your data as much as possible:
– Use more than one device during Zoom calls to avoid the attention tracking alert.
– Avoid using Facebook to sign in to prevent Zoom from accessing your Facebook data.
– Update the Zoom app constantly to get the latest security updates.
Ragheb GHANDOUR is a Cybersecurity consultant for an Aviation industry company with a research background in risk and crisis management. He mainly focuses on cybersecurity risks and the rights to online free expression and privacy.
Abed Kataya, Digital Content Manager at SMEX for Digital Rights. He is also a digital safety trainer and freelance journalist with a focus on technology, economy, and entrepreneurship. Follow him on Twitter @kataya_abd.