The Zoom video-calling app has boomed during the pandemic, climbing the Android and iOS app store charts as social interaction, from office conferences to friends-and-family get-togethers, shifted online. With that popularity and increased traffic, the video-calling app is now facing a huge privacy and security backlash.
Several security experts, lawmakers, privacy advocates, and the FBI have already warned that the app’s default settings aren’t secure. The app has become a victim of its own success. The UK government has held several daily cabinet meetings over the app.
These security and privacy concerns are nothing new, as the app has fought similar battles before. Last year, a serious security vulnerability in the app let attackers hijack Mac cameras through websites. This led Apple to step in and silently remove Zoom from Macs. Scrutiny of the app’s security practices has intensified in the last few weeks.
Users access a Zoom meeting using a randomly generated ID number between 9 and 11 digits long. Researchers found that these meeting IDs are easy to guess and even brute-forceable, allowing anyone to access or eavesdrop on meetings.
This gave rise to a new phenomenon called “Zoombombing”, where pranksters join Zoom calls only to broadcast porn or shock videos. Zoom’s default settings allowed participants to share their screen and did not require a password for meetings.
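Because a 9-to-11-digit numeric ID is a small space, a defender's first control against guessing is to watch the join logs for it. The following Python detector is an added example, not code from the article or from Zoom: it runs over constructed log lines in a hypothetical format (Zoom's real log format and rate limits are not on this page) and flags a source that tries many distinct meeting IDs with mostly failed joins inside one short window, the pattern ID guessing produces and a mistyped ID does not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (not Zoom's real logs):
# "<ISO timestamp> src=<ip> meeting=<id> result=<ok|not_found|wrong_password>"
SAMPLE_LOG = """\
2020-04-16T10:00:00 src=203.0.113.7 meeting=123456789 result=not_found
2020-04-16T10:00:01 src=203.0.113.7 meeting=123456790 result=not_found
2020-04-16T10:00:02 src=203.0.113.7 meeting=123456791 result=not_found
2020-04-16T10:00:03 src=203.0.113.7 meeting=123456792 result=not_found
2020-04-16T10:00:04 src=203.0.113.7 meeting=123456793 result=ok
2020-04-16T10:00:05 src=198.51.100.2 meeting=987654321 result=ok
2020-04-16T10:00:06 src=198.51.100.2 meeting=987654321 result=wrong_password
2020-04-16T10:00:07 src=198.51.100.2 meeting=987654321 result=ok
"""

# Meeting IDs are 9 to 11 digits, as the article states.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) meeting=(?P<meeting>\d{9,11}) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events


def find_id_scanners(events, window=timedelta(minutes=1), min_distinct=4, min_fail_ratio=0.75):
    """Flag sources that try many *distinct* meeting IDs with mostly failures inside
    one window. A legitimate user retrying one wrong ID has distinct == 1 and stays clear."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            distinct = {e["meeting"] for e in span}
            fails = sum(e["result"] != "ok" for e in span)
            if len(distinct) >= min_distinct and fails / len(span) >= min_fail_ratio:
                flagged[src] = {"distinct_ids": len(distinct), "attempts": len(span)}
                break  # one hit per source is enough to raise an alert
    return flagged
```

Alert thresholds are assumptions; in a real service the same signal belongs behind a per-source rate limit, alongside the meeting password the article says the defaults did not require.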
On 16th April, Motherboard learned that software vulnerability brokers were looking to sell two zero-day Zoom exploits, one affecting the Windows client and the other the OS X client. Zoom adjusted these default settings for education accounts to increase security and privacy for meetings; other users had to change some of the settings themselves.
A Zoom spokesperson said in a statement to The Intercept that it is not possible to enable E2E encryption for the app’s video meetings.
Last week, Zoom Video Communications, an American tech company headquartered in San Jose, California, confirmed that it will not enable end-to-end encryption for free calls, as the company wants to give law enforcement access to these calls if necessary.
On 2nd June, Eric Yuan, CEO of Zoom, said in a meeting with investors that the feature should be part of the offering only for professional customers. According to the company, “Free users for sure we don’t want to give [them] that, because we also want to work together with the FBI, with local law enforcement, in case some people use Zoom for a bad purpose.”
Encryption is a key issue for Zoom, which has been attempting to beef up its privacy and security after heavy usage exposed weak points during the COVID-19 pandemic. Last week, Reuters reported that the company will be rolling out end-to-end high-security encryption only for paying customers.
There are rising conversations around protecting privacy while simultaneously making it easy to catch illegal and abusive content. Congress is now considering a bill that could legally punish social media platforms for using encryption, as it is hard for ordinary police work to find content that is protected by strong encryption. However, encryption can be very valuable for people who are discussing sensitive information and are at heightened risk of intrusion, as it offers additional protection.
Yuan further emphasized that since people can’t dial into an encrypted call, phone encryption will require practical trade-offs, which makes it likely that not many customers will use it. His comments underlined Zoom’s priority of keeping law enforcement in the loop.
To elaborate on the company’s policy, the spokesperson said in a statement, “Zoom does not proactively monitor meeting content, and we do not share information with law enforcement except in circumstances like child sex abuse. We do not have backdoors where participants can enter meetings without being visible to others. None of this will change.”
He further added that “Zoom’s end-to-end encryption plan balances the privacy of its users with the safety of vulnerable groups, including children and potential victims of hate crimes. We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity.”