The current COVID-19 pandemic has been devastating for many companies across the globe, but one app has seen its business explode: video conferencing platform Zoom. Here at USC and at schools across the world, classes have been moved online and are being hosted by Zoom. Even business meetings, political conferences, and entertainment events have been moved to Zoom. As a result, the company’s stock skyrocketed over the past few weeks, as the app soared to the top of the iOS and Android app stores. While users have been mostly happy with the service, new concerns have come to light with regard to the security and privacy of the app.
Until recently, Zoom Video Communications Inc. was a relatively small app, and its security protocol reflected that smaller customer base. Now, with an exploding number of users with increased security needs, Zoom has had to scramble to update its security. In late March, Zoom rolled out a system update to remove the “Login with Facebook” feature, which had given Facebook access to the app and sent device details (including model and location) to Facebook.
Beyond Zoom’s own security issues, there are many aspects of the app that users find unpleasant, from the presets that have allowed the recent string of “Zoombombings” to the range of data that meeting hosts have access to (any messages sent within the app are reported to the host, as well as information about how the user is interacting with Zoom, including whether they are running it in the background while doing something else on their computer). It takes some searching to find these policies, though, and it’s concerning that users aren’t notified of exactly how much data both Zoom and their meeting hosts have access to, despite being alerted whenever a meeting is being recorded. Those alerts could easily be expanded to include warnings about the storage of chat messages and other data being collected.
Zoom must reconsider its security protocols as it is being increasingly used for educational purposes. Its automatic settings allow anyone with a specific, randomly generated, 9- to 11-digit string of numbers to join a meeting, a method that makes it easy for a troublemaker to simply guess numbers until finding one in use. “Zoombombers” then join meetings that they were not invited to and will often threaten participants, use racial slurs, and screen share pornography to viewers. These “Zoombombings” are highly disruptive and unpleasant for college-aged and adult users, but elementary, middle, and high schools are increasingly using Zoom in order to continue education during the lockdown. Exposing minors to these kinds of attacks cannot be allowed, and while Zoom has encouraged schools to change their settings to increase privacy, more should be done in order to protect users.
USC has implemented one such setting change, which now directs users into a waiting room until they are either admitted by the host into the meeting, or they log in with USC credentials. However, many professors simply admit everyone in the waiting room into their classes without checking names against their class rosters — classes are simply too big and there isn’t enough time. This is not enough to protect users, and Zoom must take action in order to be a viable option for professional settings.
The New York Attorney General has begun to look into the privacy and security measures that Zoom is taking, and the UK government has ceased use of the app pending further investigation from its own Ministry of Defence. Zoom stock has begun to drop as people take notice of these issues, and the company will have to take action in order to keep the subscriptions and clients that it has amassed in this time of crisis.