Use of the popular videoconferencing service Zoom has skyrocketed as schools and workplaces remain closed during the COVID-19 pandemic. However, the increased traffic has also put a spotlight on potential security and privacy problems.
Zoom went from 10 million daily meeting participants at the end of December to more than 200 million in March, according to parent company Zoom Video Communications. But Zoom’s higher profile has brought scrutiny and made it a target for hackers and pranksters.
One major problem has been “Zoom-bombing,” when an uninvited participant enters a string of random numbers and joins a Zoom conference that’s not protected by a password. In some cases, uninvited Zoom-bombers have broadcast pornography to meeting participants.
In early April, the attorneys general for Connecticut, New York, and Florida announced an investigation into Zoom’s privacy practices that focused on Zoom-bombing. Connecticut Attorney General William Tong said he recently was on a videoconference bombed by “hundreds of profane and racist comments.”
The experience prompted Tong to question Zoom about its privacy and security practices, he added. “Whether on Zoom or any other digital platform, hateful and racist speech is not OK — not now, not ever,” he said. “Our world is confronting an unprecedented threat, and there are trolls who seek to exploit our fear to turn us against one another.”
In addition to the three attorneys general, a group of Democrats in Congress, including Sens. Amy Klobuchar of Minnesota and Michael Bennet of Colorado, have called on the Federal Trade Commission to investigate Zoom’s privacy and security practices.
Privacy advocates have also called on Zoom to clarify its use of encryption after accusations surfaced that the company overstated its use of end-to-end encryption.
Zoom has responded to concerns by advising users to take several steps to protect their privacy, including requiring passwords to join meetings and limiting screen sharing. CEO Eric Yuan addressed Zoom-bombing and encryption confusion in an April 1 blog post. The company has also published a guide for using Zoom with virtual classrooms and announced a 90-day plan to deal with privacy and security issues.
“Our platform was built primarily for enterprise customers — large institutions with full IT support,” Yuan wrote. “However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”
Starting April 5, Zoom enabled passwords and virtual waiting rooms by default for its Free Basic and Single Pro users. It also changed the default settings for education users enrolled in its K-12 program to enable virtual waiting rooms to ensure teachers are the only ones who can share content in class, a spokeswoman added.
“We have been deeply upset by increasing reports of harassment on our platform and strongly condemn such behavior,” she said. “We are listening to our community of users to help us evolve our approach and help our users guard against these attacks.”
Some security experts praised Zoom for responding to the concerns. The waiting room and password-by-default features will help protect against Zoom-bombing, said Ilia Sotnikov, vice president of product management at Netwrix, a data security vendor.
Also, the company has “stopped developing new features to fix gaps that threaten customer data security,” he added. “This means that the company is caring about its users, which is essential in the current market situation.”
“For some reason, there has been a fixation on this one immensely flawed videoconferencing service,” he said. “In reality, the business model and capabilities are not exclusive to Zoom: People can just switch platforms if they are concerned about Zoom’s ability to keep their private information safe.”
Better encryption could improve Zoom’s privacy stance, “but really, people should just switch to a different service,” he added.

