Graphics by Rose Lee
The BRB Bottomline: Zoom has surged in popularity during the COVID-19 pandemic due to its accessibility and nationwide social distancing measures. However, a recent investigation into Zoom has led to scrutiny of its security measures. Here, we attempt to demystify Zoom’s security flaws and what it has done to rectify them.
Zoom (NASDAQ: ZM) is video conferencing software that has been widely adopted by businesses, schools, and other institutions as a means of communicating during the COVID-19 pandemic and quarantine. Relatively unknown prior to the pandemic, Zoom’s convenience (45-minute meetings are free) and friendly user interface have sent its popularity skyrocketing, from around 10 million users in December 2019 to over 200 million users in March 2020, securing its position against competitors such as Discord, Google Hangouts, Microsoft Teams, and Skype. As a result, Zoom’s stock price increased by roughly 109% from January 31 to March 23, the period when many businesses and schools moved their operations online. However, Zoom’s sudden popularity has also drawn close scrutiny, and researchers have uncovered a multitude of glaring security flaws in its code.
Many privacy experts have expressed concerns that the widespread use of Zoom for everything from business meetings to university lectures presents a dangerous possibility of unauthorized surveillance and data mining. The Federal Bureau of Investigation (FBI) has revealed that Zoom has access to everything from IP addresses to biometric data, raising concern about potential Family Educational Rights and Privacy Act (FERPA) violations. FERPA is a federal law designed to protect the personally identifiable information found in students’ educational records. It is the law that grants students above the age of 18 the right to privacy regarding grades and billing information and determines how state agencies can transmit testing information to federal agencies. However, Zoom has argued that its program is “FERPA-compliant” and abides by “Protecting data in transit by TLS 1.2 and at rest using 256-bit Advanced Encryption Standard (AES-256).”
Additionally, Zoom marketed its product as providing “end-to-end encryption,” implying that user data is secured in a way that only the sender and recipient(s) are able to decrypt and read it, which for the most part prevents the intrusion of hackers and cybercriminals. However, an investigation into this claim found that Zoom misled its consumers through untruthful and unethical marketing. In fact, Zoom “has the technical ability to spy on private video meetings and could be compelled to hand over recordings of meetings to governments or law enforcement in response to legal requests.” This issue would be problematic in and of itself, as it reveals a major breach of consumer data and infringes on the right to privacy. However, unlike Microsoft, Google, and Facebook, which operate servers in America, Zoom operates servers in China, meaning it isn’t necessarily bound by the same federal laws protecting consumer data that apply to American technology companies. For example, American technology giants Microsoft, Google, and Facebook, while having a history of privacy breaches themselves, must reveal how many government requests for user data they have received and from which countries, and whether or not they have complied with these requests. Zoom, on the other hand, is able to circumvent these practices and does not publish any transparency reports, leaving its users uninformed and unaware of potentially unethical practices.
Another example of a glaring security flaw is Zoom’s peculiar behavior regarding its server locations. Zoom has servers across the world, ranging from the United States to China to England, and it connects its users to the nearest server to provide faster data transfer and a higher quality user experience. Curiously, Zoom has been caught diverting its consumers’ data to China. In fact, “researchers at the University of Toronto also found Zoom’s encryption used keys issued via servers in China, even when call participants were outside of China.” This finding, of course, has raised national security concerns, leading technology powerhouses such as Tesla and NASA, both of which hold national security contracts with the United States federal government, to ban their employees from using Zoom.
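The two paragraphs above turn on one distinction: if the service’s own servers issue the meeting key, the service can decrypt the traffic it relays, and that is transport encryption rather than end-to-end encryption, whatever the marketing says. The following Python is an added illustration of that distinction, not Zoom’s code or protocol; the relay server, the HMAC-based toy stream cipher (standing in for AES) and the small Diffie-Hellman group are all constructed for the example.

```python
# Added illustration: a relay can read traffic only if the key model hands it the key.
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 keystream XOR). Illustration only, not AES."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)

class RelayServer:
    """Media relay: it learns a meeting key only when the key model gives it one."""
    def __init__(self):
        self.known_keys = {}   # meeting_id -> key the server itself issued
        self.observed = []     # (meeting_id, nonce, ciphertext) seen in transit

    def issue_meeting_key(self, meeting_id: str) -> bytes:
        key = os.urandom(32)             # server-generated, so the server keeps a copy
        self.known_keys[meeting_id] = key
        return key

    def relay(self, meeting_id: str, nonce: bytes, ciphertext: bytes) -> bytes:
        self.observed.append((meeting_id, nonce, ciphertext))
        return ciphertext                # forwarded unchanged to the other participant

    def try_read(self, meeting_id: str):
        """Plaintexts the server can recover, or None if it never held the key."""
        key = self.known_keys.get(meeting_id)
        if key is None:
            return None
        return [keystream_xor(key, n, c) for m, n, c in self.observed if m == meeting_id]

def session_server_issued_key(server: RelayServer, meeting_id: str, msg: bytes) -> bytes:
    """Transport-style model: the service issues the key, encrypts hop by hop."""
    key = server.issue_meeting_key(meeting_id)
    nonce = os.urandom(12)
    ct = server.relay(meeting_id, nonce, keystream_xor(key, nonce, msg))
    return keystream_xor(key, nonce, ct)  # recipient decrypts with the same key

def session_end_to_end(server: RelayServer, meeting_id: str, msg: bytes) -> bytes:
    """E2EE model: endpoints agree a key via Diffie-Hellman; relay sees only public values."""
    p, g = (1 << 127) - 1, 3             # toy DH group (Mersenne prime); not a real parameter
    a, b = int.from_bytes(os.urandom(16), "big"), int.from_bytes(os.urandom(16), "big")
    A, B = pow(g, a, p), pow(g, b, p)    # A and B are what crosses the relay, not the key
    key_a = hashlib.sha256(pow(B, a, p).to_bytes(16, "big")).digest()
    key_b = hashlib.sha256(pow(A, b, p).to_bytes(16, "big")).digest()
    nonce = os.urandom(12)
    ct = server.relay(meeting_id, nonce, keystream_xor(key_a, nonce, msg))
    return keystream_xor(key_b, nonce, ct)
```

In the first model `try_read` recovers every message; in the second it returns None because the relay never held a key, which is the property the phrase “end-to-end” is supposed to guarantee.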
The implications of these investigations are vast. Zoom has ballooned to over 200 million users in mere months and has been revealed to possess a multitude of security flaws and data/privacy concerns. Data and intelligence from casual conversations with friends to high-stakes business meetings and secretive national security briefings may now be fair game for Zoom’s nefarious purposes. Although Zoom has attempted to address its end-to-end encryption (E2EE) issues by planning to begin an “early beta of the E2EE feature in July 2020,” end-to-end encryption will still be at the discretion of the meeting’s host.
Zoom has come to the cusp of FERPA violations, misled millions of its users through false marketing of supposed end-to-end encryption, failed to publish any transparency reports regarding its use of data, and has even been caught diverting user data to China when users are nowhere near China. With each new investigation into Zoom, more evidence emerges that Zoom may not be as trustworthy as previously believed. Already, established and critical American companies are settling on alternatives for video conferencing. Is it finally time to zoom past Zoom?