The stories about faults in Zoom’s data privacy have been coming thick and fast these past few months, with Zoom-bombed classes, threats to children’s privacy, and even governments banning the platform altogether.
The COVID-19 lockdowns suddenly catapulted this relatively obscure videoconferencing platform to international fame, so there were plenty of opportunities for problems to arise.
Many have been concerned about mistakes in the platform’s privacy infrastructure from day one, but now it’s not a fault that’s causing big privacy concerns. It’s by design. Zoom has come under fire after the CEO announced that the free service (which most of its users have) won’t get end-to-end encryption, specifically so the FBI can access calls.
This revelation comes after Eric Yuan, CEO and founder of Zoom, said during an analyst call that “Free users for sure we don’t want to give [encryption] because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose”.
What this would mean is that end-to-end encryption would be scrapped for all free users and become the sole preserve of paid plans. End-to-end encryption means only the people communicating can see the data being passed back and forth. Without it, there is a de facto backdoor open to anyone with the resources to see what you’re saying.
In essence, government agencies and hackers could have free rein to watch what you say and do on Zoom.
Zoom’s Unusual Privacy Developments
Whilst this is a striking stance that has no doubt vindicated many Zoom-sceptics’ misgivings, there are numerous things about the announcement that make it peculiar, as much in the style of delivery as in the announcement itself.
Backtrack on Privacy
The timing of the announcement is surprisingly contradictory, given that it was only April when they made a strong commitment to increasing their privacy and security with the rollout of a new patch meant to combat Zoombombing and the ‘attention tracker mode’, which had been criticised as a feature which would enable employee spying.
Not only was Zoom combatting its problems, it was also welcoming criticism in order to improve and help its troubleshooting capabilities.
Its founder said: “These new, mostly consumer [privacy issuers] have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies.”
Going from such enthusiasm to a complete backtrack (and, as some have argued, dropping the pretence of privacy) certainly sends users a mixed message and leaves the company with a confusing brand image.
Encryption Experts, Wasted Potential?
Another seemingly hollow commitment is the recent large round of hiring and partnering with industry leaders in crypto security and encryption technology.
Companies such as Luta Security are experts in bug bounty architecture (a system where the company pays ‘bounties’ to users who can discover and disclose vulnerabilities in the system) and have joined with Zoom to help combat and streamline the issue.
In the Luta blog announcement about the pairing, they said that “preventing the same classes of [privacy bugs] from happening over time is the deep security commitment… we want to see”.
An odd thing to commit to when Zoom intended to make their privacy issues inbuilt.
Against the Privacy Grain
What makes the backtrack of privacy even stranger is the general movement of videoconferencing services against capitulating to government agencies insisting on a ‘digital backdoor’.
Apple and Facebook, for example, have doubled down against providing access, which means Zoom is not only committing to something questionable in privacy terms but sticks out for doing so.
All Encryption Is Compromised
Despite the assertions that this will only affect the privacy of free users (already a questionable thing in and of itself), many experts have pointed out that even this compartmental slack in security could compromise the entire platform.
If there is any backdoor built into the platform for agencies such as the FBI, then the likelihood that it will worm its way into the safety of other users is far higher.
Whatever the actual number of “people [who] use Zoom for a bad purpose[s]” may be, the current strategy makes everyone suffer for the misdeeds of a few.
Privacy Loss for an Imaginary Issue?
Though there are doubtless users on Zoom with dubious intentions (such as pernicious Zoom bombers exposing young children to inappropriate images), by and large, Zoom is a sub-optimal platform for criminal activities.
Almost all illegal activities on Zoom take the form of attacks on users themselves, Zoombombing to either disrupt or spy, implying that it is a lack, not an excess, of security that is really impacting the platform’s privacy standards.
FBI: A Poor Partner for Privacy
Removing encryption is already a privacy red flag on its own, but openly declaring the intent to work with the FBI is a whole new matter.
The FBI has a laundry list of privacy violations, such as a recent 2019 court ruling that they violated people’s privacy by abusing access to confidential surveillance data. This is by no means an isolated incident, the bureau having a long history of abusing its access to data and disregarding digital privacy.
It’s for this reason other video conferencing services have so vehemently held out against the creation of a backdoor like the one Zoom has engineered.
Whatever the rationale for this move, Zoom has created a serious flaw in its security, something that is sure to harm user privacy.
If you still need to use the platform for work, now is the time to check out our online privacy guide to safeguard yourself. The first step to combating Zoom’s new inbuilt backdoor would be a secure VPN, but it may also be worth reconsidering using the platform at all.
From overnight fame to videoconferencing pariah, it seems that if one thing is sure with Zoom, it is its sudden, rapid changes, for better or worse.
Hi, I’m Ludovic. I created this site as a consumer resource to help fellow Canadians better understand the changing world of cybersecurity. Before creating this resource I saw two fundamental problems with the B2B consumer privacy industry. First, education – the majority of people don’t realize the importance of their own data. Second, nefarious marketing practices – there are a wide array of self-proclaimed security solutions that are doing nothing other than brokering user data without consent.