OK Zoomer: avoiding a privacy disaster in the post-coronavirus world
It would be an understatement to say that Covid-19 has affected practically every aspect of our lives, given the scale of the transformation. Its impact on privacy, too, is evident. Last week, this blog wrote about a rush by governments around the world to use smartphones to help enforce quarantines and carry out contact tracing. However, a problem can also be an opportunity. One technology company is not just coping with the coronavirus wave, but thriving. Almost overnight, the videoconferencing app Zoom, hitherto mainly used by companies, became an indispensable tool for life under lockdown, and its most representative social platform.
Today, Zoom is used not just for business meetings and online teaching, but increasingly for everyday applications: parties, concerts, church services, art shows, and blind dates. That’s great news for Zoom, launched nine years ago, which has taken off in a big way. It is currently valued at around $31 billion. But even before its new-found popularity placed it in the spotlight, Zoom was criticised for weak security and its poor data protection practices. As Bruce Schneier put it:
Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.
The company collects a laundry list of data about you, including user name, physical address, email address, phone number, job information, Facebook profile information, computer or phone specs, IP address, and any other information you create or upload. And it uses all of this surveillance data for profit, against your interests.
Doc Searls has written a series of posts looking at the details. More recently, it emerged that Zoom allowed some participants to have secret access to LinkedIn profile data about other users. As well as serious privacy issues, security problems abound. For example, a vulnerability allowed hackers to hijack people’s webcams. A flaw let attackers steal Windows login credentials. The Zoom iOS app sends data to Facebook even if you don’t have an account, something that has resulted in a class action lawsuit. Thousands of recorded Zoom meetings were kept in unsecured cloud storage.
Zoom claimed that its meetings were secure because they were end-to-end encrypted – the top standard for connected security. But it turned out that things weren’t quite what they seemed. The Intercept notes that Zoom now says:
“When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” the Zoom spokesperson wrote, apparently referring to Zoom servers as “end points” even though they sit between Zoom clients.
As The Action Network explains, that’s bad, because it means that Zoom employees could be eavesdropping on conversations. Maybe that’s unlikely, but it also means that governments can demand access to online meetings in the knowledge that it is something that Zoom could provide. The Action Network has started a new campaign that calls for Zoom to implement “default end to end encryption for all video, audio, and text chat”. Citizen Lab discovered that the encryption that is present is not optimal. Bruce Schneier even went so far as to write that this “indicates that there is no one at the company who knows anything about cryptography.” Citizen Lab also discovered the following:
Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.
It was also noted that some videoconferencing sessions were being routed via China. Since Zoom’s code is closed source, it’s hard to know what it is doing, or whether there are backdoors hidden in it.
Perhaps the most famous problem with Zoom is zoombombing, when unauthorized participants manage to join a videoconference, and disrupt it by displaying unsuitable material, typically pornographic or racist in nature. These privacy and security issues are so serious that organizations have started banning people from using Zoom, despite its popularity. For example, New York City forbade its schools from using it. Taiwan’s government has banned its agencies from Zoom, as have the UK’s Ministry of Defence, NASA and SpaceX.
Zoom is being sued by one of its shareholders for allegedly overstating its privacy standards, and failing to disclose that its service was not end-to-end encrypted. Eric Yuan, Zoom’s CEO, has tried to assure users that things will get better, recognising that Zoom has “fallen short of the community’s – and our own – privacy and security expectations”. As well as addressing some existing problems, Yuan promised to enact a feature freeze, effective immediately, in order to shift all the company’s engineering resources to “focus on our biggest trust, safety, and privacy issues”.
To be fair, Zoom’s growth – from 10 million meeting participants in December, to 200 million now, according to Yuan – has been so rapid that there were bound to be problems along the way. But as the above indicates, Zoom has taken a rather cavalier attitude to security for some time, preferring to concentrate on ease of use and scalability in order to drive uptake. That is no longer acceptable. Given the importance of network effects, it seems likely that Zoom will continue to gain users and consolidate its position as one of the core apps for life under lockdown, and in whatever new world we will find ourselves afterwards. Now more than ever it needs to sort out its code; otherwise Zoom could well turn out to be the first post-Covid-19 privacy disaster.
Featured image by Petr Kratochvil.