Zoom’s security scandals: what users need to know

As the videoconferencing tool gains popularity during COVID-19, we look over the privacy issues you should know about.

Zoom has announced that they are freezing all new feature development, in order to redirect their engineering resources to improving privacy and safety. This decision follows a series of controversies that date back as far as the company’s inception, and have only grown in number since the app’s recent boom in popularity.

Despite Zoom’s massive boost in sales (with new member numbers in this last month alone rivalling all its new members of the previous year) it’s not without its scandals. It has been banned outright at Google, Apple, NASA, and the UK Ministry of Defence. In Australia, MPs and Senators are banned from conducting work via the videoconferencing tool; even the New York Attorney General wrote to the company to ask for an outline of privacy and security measures they would take in future.

So why is Zoom such a privacy nightmare? The biggest reason is that the company cut back on security measures to provide greater ease of use. Unfortunately, the things that make it more useful during a lockdown than other videoconferencing tools also make it less secure. Other popular apps are rendered less accessible due to required installations (setting up a Skype account is a notoriously arduous process), limitations on the number of videocall participants (Google Hangouts allows just 10 people to videocall at once, or 25 with a Business or Education account) or even, in the case of the Apple-exclusive Facetime, limitations on what operating systems can access it.

By contrast, Zoom is a relative free-for-all. Any user can host a meeting of up to 100 participants, or up to 500 with the Large Meeting add-on. You are prompted to create a log-in when you accept your first meeting invitation, and, while there is a small file download, it’s smooth sailing from there. You can leave and rejoin meetings on other devices with no issues, and you can share a link to access your meeting with whomever you choose. Sounds great, right? But this ease of access comes with a major price.

The most obvious way these security issues manifest is in ‘zoombombing’, a disruptive practice where intruders hijack meetings and post pornography in shared files, hate speech in the chat, or use the shared whiteboard function to draw lewd images and offensive terms. While on rare occasions this might be achieved by hacking, it can be done simply by searching ‘zoom.us’ on social media, or institutions’ websites, to see who has posted a public link.

Another issue that has caused consternation is the fact that while users can open private chat channels during a meeting, these so-called ‘private’ communications will be recorded in the meeting’s minutes – which are accessible to all meeting attendees. In a recent blog post, Zoom founder Eric Yuan outlined some guides on securing virtual classrooms, along with other security-focussed support and webinars, in an effort to provide education and support to users. 

These measures can help keep intruders out, and help users engage with the app in a more informed way. Other aspects of Zoom’s security failings, however, are more insidious. This year, the company came under fire for sending user data to Facebook, including analytics from users who didn’t have Facebook accounts, or hadn’t logged in via Facebook. This data transfer was not made clear in the existing privacy policy. In March 2020, Zoom removed this feature and updated their privacy policy to be more transparent.

The company’s past transgressions instil little trust: in 2019, Princeton professor Arvind Narayanan discovered that installing Zoom also installed a secret web server on users’ machines. This piece of programming could literally force a user to join a Zoom call, including their camera. The server remained installed even after a user uninstalled Zoom, which allowed the company to reinstall the app without the user’s interaction or consent. This truly Orwellian feature was so outrageous that Apple pushed a silent, automatic update to ensure the functionality was removed from all Apple devices. Zoom released a patched version of the app in July 2019, and the Facebook data transfer scandal has also been remedied, with a clarified privacy policy and updated terms of data transfer to Facebook. However, journalists, policymakers, and privacy experts remain critical of the company’s approach to privacy and security, both in terms of their history and trajectory.

This skepticism doesn’t seem to be affecting usage, as businesses, live events, and friendship groups alike flock to the easy-to-use platform while remote connection remains a cornerstone of our work and social lives. But as its competitors race to corner the booming videoconferencing market, the company will have to overcome a serious trust problem to retain its. Regardless of what the future holds, Zoom’s success, despite its controversies, is a huge reminder to the whole sector that what the public want, more than anything, is simplicity.

Jini Maxwell is a writer and curator who lives in Naarm. They are an assistant curator at ACMI, where they also host the Women & Non-binary gamers club. They write about videogames and the people who make them. You can find them on Twitter @astroblob