Zoom Running Afoul of Privacy & Security Concerns

Zoom’s security vulnerabilities go beyond ZoomBombing, and they are becoming hard to ignore.

Yesterday I posted about Zoom’s troubles with new/inexperienced users getting “ZoomBombed” and 9 easy ways to avoid becoming a victim yourself. [You can read that here.]

Today, I want to expand on the security concerns I mentioned in yesterday’s post.

There is mounting evidence, however, that Zoom’s privacy policy has expanded as its platform has evolved, and not necessarily in all the right directions. Anyone who follows cybersecurity was alarmed by the latest changes to the policy, with pushback and horror springing up all over Twitter. (For more information, see the Consumer Reports piece from 30 March 2020.) Vice News reported that Zoom’s iOS app is sending data to Facebook—whether or not the user actually has a Facebook account. (More about FB below.)

While these changes are incredibly disappointing, they should be almost immaterial. If you are discussing highly sensitive topics over Zoom or any other platform, you are assuming a certain amount of risk no matter what the provider’s policy may be. Time and again, we see servers being hacked and sensitive data moved to the dark web, regardless of privacy policies. Some information may simply be better shared via end-to-end encrypted email, over secure networks, between secure computers. (Yes, Zoom claims to have end-to-end encryption, but this claim has been questioned by The Intercept. Read Proton’s assessment here.)

After that post yesterday, Reuters reported that Elon Musk’s SpaceX has banned the use of Zoom among its employees and basically said what I said: “Please use email, text or phone as alternate means of communication.” I disagree with their recommendation to use text for secure communication unless the mobile phones are secured, and would expand on their recommendation by specifying encrypted email.

Also after my post, TechCrunch reported zero-day bugs. First, the Mac vulnerabilities of last summer have returned: a vulnerability in Zoom can allow hackers to take over mics and webcams on Macs, allowing them a lot of access to your machine…including the ability to record your screen. Importantly, these two bugs can only be launched by a local user (that is, someone who has physical access to your machine).

At the same time yesterday, some bad news for Windows users dropped: a Zoom bug that can steal Windows passwords. The Hacker News reports today that Zoom has released a patch for this and other security bugs, so update your software!

The Hacker News offers some alternative video conferencing software:

  • Skype & Microsoft Teams (up to 50 participants)
  • Jitsi (free, encrypted, open source, up to 75 participants)
  • FaceTime and Signal for privacy

They also recommend two Google products (Hangouts Meet and Duo), but I remain unconvinced Google affords users any semblance of privacy.

And I have to agree with my earlier self from yesterday: if you have sensitive information to discuss, encrypted email, over secure networks, between secure computers, is the way to go.