Zoom’s video conferencing platform saw its global users shoot up from 10 million in December to more than 200 million daily users in March. The radical jump in users can be attributed to the Covid-19 lockdowns, which have forced most companies to work from home and to hold meetings via virtual platforms.
However, it would seem that Zoom did not account for the holes this phenomenal rise would open up in terms of ‘security flaws’, which have prompted one of its investors to file a suit in San Francisco on Tuesday.
The California-based tech firm has been accused of “hiding security flaws” in its video-conferencing app in a class-action suit led by investor Michael Drieu, which contends that Zoom had failed to disclose a series of flaws, which have been made public in recent weeks.
With Zoom’s share price tumbling from an all-time peak last month amid rising concerns over the flaws being exposed, the company’s CEO, Eric S. Yuan, put out a formal message on the company blog, apologising for having fallen short of the community’s privacy and security expectations.
Zoom has been banned by Google and many other entities have followed suit. So what are these massive security defects and how has Zoom tackled them?
Got to give it to the trolls, who have ensured that they continue to take over lives and screens amid all the Covid-19 chaos. ‘Zoombombing’ is a term coined to describe the actions of trolls and hackers who took over Zoom’s screen-sharing feature to hit other people in the meeting with videos of everything from violence to hardcore pornography.
According to Zoom, this can now be avoided by using protective features such as waiting rooms, passwords, muting controls, and limiting screen sharing. In a blog post, the company says that the “first rule of the Zoom Club is that you do not give up control of your screen.”
It also adds that you should not use personal meeting identities to host public events. You can also use the ‘lock the meeting’ feature, which allows the host to close the meeting once the event begins. Among other things, you can turn off file transfers, disable private chats and, of course, allow only signed-in users into the meeting.
DATA MINING BY FACEBOOK
Facing a lawsuit alleging that Zoom did not inform its users of data being sent to Facebook (allowing Facebook to collect the said data), Zoom decided to do away with the Login with Facebook software development kit (SDK) for iOS, a feature tied to data sharing.
According to Yuan’s blog post, the ‘Login with Facebook’ feature was originally implemented to provide users with another convenient way to access the platform. “However, we were made aware, that the Facebook SDK was collecting device information unnecessary for us to provide our services.”
The information collected by the Facebook SDK did not include information and activities related to meetings such as attendees, names, notes, etc., but rather included information about devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.
LACK OF END-TO-END ENCRYPTION
Among the many claims made, reports started to surface that end-to-end encryption was not enabled for Zoom’s meetings function. These reports were confirmed by a statement from the company’s chief product officer, Oded Gal, admitting that the data was indeed not end-to-end encrypted. Apologising for this, he added that although meetings are not end-to-end encrypted, the encrypted video, audio, screen-sharing and chat contents are not decrypted by the platform at any point before they pass from one user to another.
THE ATTENTION TRACKING FEATURE
In a blog post, Zoom’s CEO confirmed that the company had permanently removed the attendee attention tracker feature, which allowed hosts to track a participant and know if they were away from the screen for more than 30 seconds.
MAC USERS HACKED
In response to security researcher Patrick Wardle’s discovery that a Zoom user’s microphone and webcam could be hacked and used to gain control of Mac devices, the company confirmed that it had fixed both of the Mac-related issues.
DARK WEB & ROUTING CALLS THROUGH CHINA
Among the other allegations floating around are that there are Zoom accounts on the dark web and that the company was routing its calls through China.
As of yesterday, Zoom rolled out yet another update to ensure that all privacy and security concerns were being met. The Security icon has been added to the Zoom meeting controls, which will now allow hosts to “quickly find and enable many of Zoom’s in-meeting security features”.
According to the blog post, this will be visible only to hosts and co-hosts of Zoom meetings and they will be able to access features such as ‘Lock the meeting’, ‘Remove participants’, and ‘Restrict participants’ ability to share their screens, Chat in a meeting, Rename themselves…’
In his post made on April 1, Zoom’s Yuan admitted that they did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socialising from home. “We now have a much broader set of users who are utilising our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”
The fact remains that people will continue to use Zoom as countries remain in lockdown mode without an end date in sight, and the sooner the company and its ilk fix their flaws, the better and safer it will be for the rest of us trying to make sense of an increasingly digital, conversation-led world.