In this blog post, we look at the recent criticism of Zoom, the video conferencing application that has grown extremely popular during the 2020 coronavirus pandemic.

Background

While most businesses have been severely impaired by the current restrictions on travel and office access in order to stem the spread of COVID-19, there are also a few beneficiaries of the worldwide lockdown. One of them is video communications service provider Zoom, with its daily meeting participants count rising from about 10 million in December 2019 to almost 300 million in April 2020.

As many businesses and government authorities are encouraging their employees to work remotely from home and, therefore, daily face-to-face meetings are not possible, a need for remote ways to communicate has emerged. Zoom offers a particularly intuitive way of holding video conferences, with a number of useful, user-friendly functions. It comes as no surprise that, during recent weeks, Zoom quickly established itself as a go-to solution for businesses, government entities and schools to hold conferences or lectures.

Yet, lately, a lot of criticism has been directed towards Zoom for a range of data privacy and cybersecurity issues.

Risks to Users

  1. The interception of meeting links and passwords is an ongoing issue, allowing unauthorized individuals to quickly and easily execute automated attacks. Simple passwords can be guessed by hackers, which can allow them access to private emails and other accounts if the user has used the same password for those accounts. In several “Zoombombingcases, unauthorized individuals were able to obtain or even guess meeting IDs, allowing them to join non-public conferences that were not secured with a password. In many cases, the intruders shared lewd or obscene content, phishing messages or malware, leading the host to shut down the video conference.
  2. Zoom’s sharing of personal data with social media platforms was only discovered in late March 2020, as no hints to such sharing were given in Zoom’s privacy policy. What caused particular irritation was the fact that the data sharing took place even if the user did not have an account with the social media service. Zoom has reacted to criticism with an update which disabled this data sharing.
  3. Journalists discovered that Zoom had its own definition of “end-to-end encryption.” Zoom later apologized for making misleading statements about its encryption methods and provided insight into the actual encryption methods it uses.
  4. Zoom’s “attendee attention tracker” allowed hosts to detect whether a participant’s Zoom window was in the participant’s view or in the background and thus draw conclusions about the attention of the participant. Due to controversy that has arisen over what has been called a drastic control mechanism, Zoom disabled this feature on April 2, 2020.

Recommendations for Users

Even if Zoom has shown a commendable, timely response to the criticism, its operating mode is not yet perfect from a data protection and cybersecurity point of view.

In order to avoid any excessive sharing of personal data and to prevent unauthorized access to private conferences, Zoom users should take the following precautions:

  1. Always protect your Zoom account as well as your individual Zoom meetings with differing secure passwords, that you do not use for other accounts and applications.
    • Especially for European businesses, refer to the guidelines for GDPR-compliant passwords, published by German data protection authorities, which we summed up in an All About IP Blog post.
  2. If you are hosting a smaller conference, enable the Waiting Room feature, which will allow you to control who is entering your conference. As soon as all invited participants have joined, you can lock the meeting, which will prevent new participants from joining.
  3. Create a randomly generated ID that you share for each meeting instead of sharing your personal meeting link or your personal meeting ID.
  4. Make sure that your privacy settings share no more data than is necessary.
  5. Use email or the phone, rather than Zoom, to discuss strictly confidential topics.