Zooming into your personal data

April 9 2020
Simone Caron, IFPC

Zoom has found itself in the ultimate position! While the economy is suffering, Zoom’s share price has more than doubled and it has almost become a synonym for video conferencing. However, being in the limelight means all its faults have been magnified, the most notable being its lack of security and privacy.

Zoombombing has become a social media phenomenon and a new form of cyber harassment, which occurs when unidentified individuals hijack a call and spew hateful language or share inappropriate images. These security and privacy breaches have resulted in a lawsuit led by the New York Attorney General, who said that he is “concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network.”

Zoom has only recently openly broached, on its corporate blog, the topic of sharing its users’ data with third-party platforms like Facebook without notifying its users. “We were made aware on Wednesday, March 25, 2020,” it wrote, “that the Facebook SDK was collecting device information unnecessary for us to provide our services.” Zoom has recently deleted the piece of code in its iOS app that allowed Zoom to send analytics to Facebook. The IT company Motherboard carried out the investigation and, when confronting Zoom on the issue, they revealed that “The data collected by the Facebook SDK did not include any personal user information, but rather included data about users’ devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.”

Zoom was also exposed for hosting, until Thursday, a data-mining feature that revealed users’ LinkedIn information. The idea behind the feature was to allow Zoom users who subscribed to LinkedIn Sales Navigator to view LinkedIn profile data, like locations, employer names and job titles, of the Zoom meeting participants by clicking on a LinkedIn icon next to their names. Seemingly innocent, as one would be able to look up people’s names manually anyway?

The Times conducted a test that revealed that even when users signed in under a pseudonym, Zoom was still able to link the correct LinkedIn profile and information to the user, preventing the user from having any form of privacy or anonymity. Zoom also sent participants’ information to its data-mining tool even when no one in a meeting had activated it. Keep in mind that schools are using Zoom as an online teaching tool, with data from minors’ email addresses and information being stored.

Most of the ways in which Zoom processes your data are not disclosed; similarly, the way it protects your data is more than a little fuzzy. Originally, Zoom claimed in its T’s and C’s that all calls and data were protected by end-to-end encryption, a claim that the chief product officer Oded Gal later backtracked on, writing that “Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.” What exactly does this mean? Well, Zoom is able to encrypt all calls and media through its app; however, it is unable to encrypt an audio call if someone joins a conference via phone call or any other external provider. Furthermore, although Zoom is able to encrypt calls, it currently manages and stores all of the keys involved in user data encryption in its own cloud infrastructure, which means that Zoom has the capability to use the keys it stores to decrypt any call.

It seems Zoom has landed itself in deep water, but will it be able to backtrack far enough to keep its new users?
