Zoom Update: The Platform Continues to Struggle


We have reported on the issues that Zoom has been facing surrounding privacy and security during the corona crisis. Sadly, the issues aren’t resolved yet. Zoom’s CEO announced at the beginning of April that they are working hard to solve the problems. Zoom has become immensely popular now that people are homebound.

Former Facebook Security Head Brought on

Zoom is responding to all the criticism by taking another step towards improving the privacy and security issues. The company announced on April 8 that they have brought on the former head of Facebook security, Alex Stamos. He is going to act as an outside consultant, helping to fix the security problems. Stamos was approached by Zoom after he posted a thread on Twitter, making suggestions to solve some of their security issues.

The company has also set up an entirely new privacy and security board. Some of the members are security heads from big companies such as VMware, Netflix, Uber, and Electronic Arts. They will all play a part in advising the CEO on how to tackle the massive task that’s ahead of him.

Zoom Sued by Shareholder

One of Zoom’s shareholders sued the company for “overstating its security measures”. He claims that he has lost money after all of the bad publicity surrounding the company’s lacking security. This media attention led to a decrease in its share price.

This is not the only lawsuit Zoom might be facing. Last month the company was sued because they had shared data with Facebook.

User Data Sent to China

Researchers found out that some Zoom user data has been handled in China. Some calls made in North America were routed through China. That data sometimes includes encryption keys. These keys can be used to unlock conversations that have been saved. Zoom controls these encryption keys, because the platform isn’t end-to-end encrypted. Therefore, it can access users’ calls.

Normally, calls are connected through a nearby server. But whenever you can’t connect, because of peak usage for instance, you will go through a secondary data center. Zoom explained that when it was increasing its server capacity, it accidentally allowed two Chinese data centers to accept calls. These data centers only serve as a back-up in case of network congestion.

Zoom has implemented regulations to prevent unauthorized access to any of this content – although it should be argued that all access is unauthorized, since they are private meetings. The issue is that Chinese authorities can demand that Zoom hand over encryption keys so that the Chinese can see what’s on their servers. The issue has been fixed, but it is not clear which users, or how many, have been affected.

Schools have Banned the Platform

Growing concerns about privacy and security have resulted in a Zoom ban at several schools. Schools aren’t going to sit around and wait for all the issues to be resolved. New York City has banned Zoom completely. Instead, they are asking schools to work with Microsoft Teams. Schools in Nevada are taking similar measures to avoid an unsafe environment for their teachers and students.

It is not just US schools that have lost faith in Zoom’s security. Singapore has also suspended the use of the tool. The Ministry of Education decided on this after students had fallen victim to a Zoombomber.

Preventing Zoombombing

Zoom has already taken some steps to prevent “Zoombombing”. Starting April 5, people will be required to use a password to enter a meeting. Meeting IDs were often reused or even guessed, which caused people to raid other people’s meetings. Zoom has also enabled the waiting room feature by default so that everyone who wants to enter a meeting needs to be accepted by the host.

Big Companies and Government Agencies Ban Zoom

Elon Musk’s rocket company SpaceX has recently banned employees from using the platform. The company develops technology deemed vital to national security, since NASA is one of SpaceX’s biggest customers. This ban came after an FBI warning about Zoom’s security.

Google has also decided to ban Zoom software from employee laptops, since it does not meet their security standards. They will still allow the use of the platform through mobile apps and browsers.

It is not only companies that handle secure information that are banning Zoom. Several governments are also taking measures to ensure their security.

The US Senate has told its members to not use the app anymore. Taiwan and Germany have also put restrictions on Zoom’s use. It makes a lot of sense that authorities are voicing their concerns about the platform, since the meetings are not end-to-end encrypted. Governments are afraid that their information is being left out on the street.

Cybersecurity analyst
David is a cyber security analyst and one of the founders of VPNoverview.com. Interested in the "digital identity" phenomenon, with special attention to the right to privacy and protection of personal data.