Zoom’s Security and Privacy Practices Kind of Zuck
In our collective scramble to turn three-foot stacks of pizza boxes, heaps of children’s toys, and last week’s laundry into credible office space, a handful of companies have gained a great many users in a short amount of time. Zoom Video usage has surged over the past two weeks, driving the company’s stock price up, but that same popularity has encouraged a good deal more scrutiny of the firm’s various privacy and security practices. Zoom isn’t coming off very well in these comparisons, and the bad news just keeps piling up.
Most recently, The Intercept revealed that Zoom doesn’t offer end-to-end encryption, despite specific promises to the contrary. End-to-end encryption is a feature Zoom claims to offer on video calls, both in its security whitepaper and in its application.
When asked if they actually implement E2E encryption, however, Zoom said it doesn’t.
“Currently, it is not possible to enable E2E encryption for Zoom video meeting,” the representative wrote. “Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”
Instead of enabling end-to-end encryption, Zoom uses TLS. This is transport encryption, not end-to-end encryption. The most important difference for end-users is this: With true end-to-end encryption, like that offered by Apple via FaceTime or Signal, the company providing the service can’t access your video, audio, or text data, even if it wanted to. There’s no information to give governments who come looking for it.
Transport encryption, in contrast, allows Zoom to peek inside audio and video chat (chat messages, it turns out, are actually end-to-end encrypted in Zoom sessions, even if nothing else is). As the report points out, advertising itself as offering E2E when it doesn’t could constitute deceptive marketing and trade practices if customers chose to use Zoom as a result of these claims rather than a competitor service.
Companies cannot be allowed to dilute the definition of security terms, lest we lose their intended meanings altogether. Transport encryption is transport encryption, and it’s not the same thing as end-to-end encryption, no matter how useful Zoom finds it to pretend they are.
Encryption Isn’t Zoom’s Only Problem
If lousy encryption were the only thing Zoom had been caught doing in recent days, it would still be a significant story — the company is claiming to provide security services it doesn’t actually offer. In the last few weeks, however, a number of Zoom issues have come to light, including:
Zoom has been sharing end-user data with Facebook, even if you don’t use Facebook. On March 26, Motherboard wrote: “The Zoom app notifies Facebook when the user opens the app, details on the user’s device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user’s device which companies can use to target a user with advertisements.” None of this was disclosed in the company’s privacy policies. (Zoom has since said it will end these arrangements.)
The EFF covered in mid-March how Zoom allows meeting hosts to monitor whether people have the window focused, which explains why I kept getting asked if I was paying attention during a recent Zoom meeting with a company I won’t identify. At the time, I found it confusing, since I was taking notes and asking questions, but it makes more sense now. Pro Tip: If I’m watching your face or your slideshow for more than a few seconds at a time, it probably means I’m not paying attention. If I’m paying attention, I’m screenshotting the slideshow for later review and taking notes in a separate application.
An investigation published just today found that Zoom has been leaking emails and photos to strangers based on how it handles personal email addresses. Zoom’s Company Directory adds individuals to the contact lists of other individuals based on a common domain name. Individuals with unusual email domain providers, however, have found themselves added to common lists of up to several thousand people, constituting all of the other users of that service who also signed up for Zoom. This problem doesn’t happen to major email address providers like Gmail or Yahoo, but if you got your service through “ExtremeMail.com,” you might find yourself on a common “Company Directory” email list with every other ExtremeMail.com customer, even though none of you have anything in common beyond your email provider. It’s also got a security problem that allows attackers to steal your login credentials on a Windows PC.
Zoom, it seems, has some house-cleaning to do before it deserves to claim the mantle of “America’s Favorite Pandemic Video Service.” It doesn’t offer end-to-end marketing for video and audio calls and it’s already been caught funneling data to Facebook even when people don’t have Facebook accounts. At a minimum, the company needs to conduct an audit of its own practices and fix such issues, pronto.
Feature image by ExtremeTech, created from Zoom marketing material and various images of Zuckerberg available at Wikimedia or by Anthony Quintano, Flickr.