The New York’s Attorney General said he is “concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network.”
Zoom, the popular-by-necessity video conferencing platform, has seen an explosion in users as the coronavirus pandemic forces people to work from home. In a recent blog post, CEO Eric S. Yua said Zoom now has 200 million users, up from just 10 million last December.
But, with that increase in users has come greater scrutiny of Zoom’s privacy and security. With widespread reports of Zoombombing (where strangers dial in your channel with something rude and disruptive), the company’s procedures have been called into question by the New York Attorney General, and prompted a class-action lawsuit.
Until recently, Zoom’s iPhone app included software that surreptitiously funneled user data to Facebook. The lawsuit says the code allowed Facebook to target users with ads.
Zoom has been criticized for ignoring privacy before. A year ago, a researcher found four million Zoom user cameras were potentially vulnerable to remote takeover without you knowing.
The company is currently pausing all feature development and “shifting all our engineering resources to focus on our biggest trust, safety and privacy issues,” Yua said. But for many users, this isn’t good enough. They’ve already lost trust in Zoom and are searching for alternatives (which we identify below).
“Despite its ease of use, Zoom does not seem to take privacy seriously,” said Reuben Yap, Zcoin Project Steward. “Despite claims that Zoom’s video calls are [end-to-end] encrypted, this isn’t actually the case. E2E encryption means that even Zoom should not be able to view the contents of the videos or calls.”
“Instead, all Zoom provides is transport encryption, meaning that it is secured to the extent that outsiders cannot intercept the call and view it. This still means that we have to trust Zoom to not read or leak this info. Given its track record, I don’t have high hopes,” Yap said.
Yoav Degani, the founder of MyPrivacy, an app that bundles privacy protection tools such as a VPN and a password manager, said there are several privacy and security issues with Zoom. Because meetings can be recorded and uploaded to the cloud, which is not secured, people who are not on the meeting can get a recording (like your boss for example). Also, organizers can receive a text file with the transcript of the meeting chat.
“There’s also a feature available to the meeting’s host called attendee attention tracking,” said Degani. “It allows the host to monitor participants’ computers and see if someone is not active in the Zoom call for more than 30 seconds.”
You may not be officially active if, say, you put the Zoom window in the background and play some game or read some post on Facebook.
Degani said some bad guys are taking advantage of the situation and there are dozens of websites with the name “Zoom” that all of a sudden appear in search results and advertising and are used for phishing.
Locking down your video
Several people who build and develop privacy-oriented tools recommend Jitsi as a more secure alternative to Zoom.
Emil Ivov, one of the founders of Jitsi, said what sets it apart from other video conferencing services is its low friction. Creating a meeting is as simple as typing your name in, and it’s just one click to join. The company uses WebRTC, or Web Realtime Communications, which enables peer-to-peer video, data and audio communication between two web browsers. So on desktops there are no downloads and no accounts needed, said Ivov.
“We are really mindful about privacy and security,” said Ivov. “We require no personal data and fully support anonymous use. We are also open source. This is where we are truly unique. If you have any concerns about how we run our service, then you can just go and run your own! It only takes 15 minutes.”
Being open source also means anyone can scrutinize its software. But Jitsi does not feature end-to-end encryption.
“For now this is simply not possible with WebRTC, although the whole community is looking into the problem and we are hoping there will soon be solutions,” said Ivov. “For the time being, however, all your data is encrypted in-flight using DTLS-SRTP [a protocol which adds encryption and ensures message authentication and integrity] as per the WebRTC standard. None of your media content eaves your computer unencrypted.”
Jitsi is one more secure alternative, and another includes Whereby. One big drawback: Users are limited to four meeting participants in the free version. The Pro version of Whereby is $9.99 per month, and allows up to 12 participants per room in up to three meeting rooms.
Other one-to-one alternatives include Facetime, which does have end-to-end encryption, as does Signal, the privacy-focused messaging and call app.
“Products and services can be built to be both convenient and to protect privacy by design at the back-end,” says Raullen Chai, CEO of IoTeX, a Silicon Valley company that develops privacy-protecting smart devices. “Then you don’t have to worry about whether or not you trust a centralized party because it is built in what can and can’t happen with your data, returning control to the consumer. Blockchain-based key issuance allows for true end-to-end encryption without having to trust a central provider to not keep a key for themselves.”
Take all this into account, and it’s just one more indicator that yes, that meeting could probably be an email. As long as it’s one sent securely, that is.