Privacy and Data Protection: What Lies Ahead for Zoom?
Cyber security intelligence firm Cyble informed Bleeping Computer about Zoom accounts being hacked and sold on Dark Web for less than a penny each, while some may be sold for free on hackers forums for Zoom-bombing and other malicious activities.
Zoom, a video conferencing App, enjoyed the stream utilisation since the outbreak of coronavirus and has become a work from home staple. With about 200 million people active on an everyday basis to stay connected during quarantine in March, the app had become the most famous tool to address academic and work-related information. However, the Zoom users soon started stacking up due to the security loopholes especially in the US, Taiwan, Germany and India. Pointing out Zoom’s vulnerability, the Cyber Coordination Centre, Ministry of Home Affairs, Government of India, issued a 16-page advisory in April, warning all Zoom users against the susceptibility of the app.
Privacy and Security Challenges
The most popular issue of Zoom has been Zoom-bombing, where the uninvited users keep featuring inappropriate content by hacking the meeting room code. Many users reported of pornography and Swastika symbol shown on the Zoom share screen through different user accounts to make it difficult for the host to block the content. A report by The Intercept came in early April, revealing the truth behind the claim of Zoom meetings to implement the use of end-to-end encryption, proving that the app is decrypted by TLS, which makes it possible for others to access the data. Without the end-to-end encryption, Zoom technicians can access the data invading the privacy of private meetings. The doubt arises as Zoom, unlike many other companies like Google, Facebook and Microsoft, do not publish its transparency report regarding the request received by governments for user’s data. Access Now, a global civil society organisation issued an open letter to Zoom, stating Zoom to present the transparency report for a better understanding of users’ data protection.
Also Read : Inside Dark World Deep Web
Further, it was revealed in Zoom’s privacy policy clause that the company has all rights to share users’ data with the third party, an investigation by motherboard further reviled that Zoom’s IOS version leaks the client’s email address on the universal folder, visible to all, and other details including the tracking of people’s movement. Moreover, the company has not mentioned it in the privacy policy. Also, along with other privacy issues, the Zoom policy doesn’t explicitly mentions anything about sharing data of Zoom users to Facebook who doesn’t have a Facebook account. Many countries like the US and Taiwan have announced a complete ban on using Zoom for video conferencing, as some data were routed through China, creating issues against national security.
Hence, they suggested the use of alternatives like Microsoft Teams, Face Time, Skype, GoToMeeting, etc.
A complaint has been filed against Zoom Video Communications Inc. in San Francisco Federal Court, accusing the company of concealing the truth about the shortcoming in the security of the software, including the disclosure of users’ private data to a third party, i.e., Facebook. Cyber security intelligence firm Cyble informed Bleeping Computer about Zoom accounts being hacked and sold on Dark Web for less than a penny each, while some may be sold for free on hackers forums for Zoom bombing and other malicious activities.
The account information includes users email ID, password, personal meeting URL and their HostKey. Also, Intelligencer informed Zoom users about install issues of Zoom app, invading the privacy of macOS, gaining root access to users’ computer, including the ability to gain users microphone and turning on the web camera.
Measures Taken by Zoom
Zoom Founder and CEO Eric S Yuan in an interview has admitted the company’s fault and said “Our service was built to serve big and large enterprise customers. However, during this COVID-19 crisis, we moved too fast…Our intentions to serve customers are good. However, there have been some missteps”. Zoom being the centre of privacy storm further made him announce feature freeze for 90 days, which will be utilised by the engineering resources to focusing on privacy and security issues.
Also Read : Privacy Or Security Covid 19 Forces To Make A Tough Choice
Zoom addressed a letter for its user stating steps taken to address all security issues. It mentioned ways to control Zoombombing such as accessing waiting room, which permits the host to control who comes in and goes out of the meeting; and rolled out a feature allowing admins to avoid using personal meeting ID while accessing meeting. Also, to access the most important feature for managing screen sharing to prevent participants from screen sharing. Further, Zoom removed the Facebook SDK in IOS clients to prevent it from collecting private information of users and updated their privacy policy, making it transparent for users.
Zoom has increased its password complexity where the basic users can now configure minimum meeting password requirement with the use of alphanumeric passwords instead of numerical password.
On 1 April, Zoom published a blog apologising for the encryption confusion and announced Zoom 5.0, an updated version providing better security upgrading AES 256-bit GCM encryption to provide the maximum amount of privacy while supporting diverse needs of clients. Zoom is yet not satisfying its previous claims to provide users with end-to-end encryption, though it is now moving in the right direction. All security issues are eventually being addressed by the company and from 9 May, Zoom hopes to eliminate all security issues with the help of basic features, allowing the app to be a trustable one, giving users a free and safe account.
In today’s world, data theft can be termed as heinous crime based on human rights approach. It can be a great threat to the national security of the country. Considering these, the Indian Government said Zoom app is not safe and issued new guidelines for all Zoom users after receiving various complaints and banned the use of Zoom by all government officials for official purpose. It further suggested security configurations to set new ID and keep chaining their passwords to avoid DOC attacks along with updating the software wherever the new update comes.