Zoom security slammed
Video conferencing app Zoom has apologised for security gaps.
Millions of people are flocking to the app as a way to connect with others under COVID-19 lockdown, but the spike in popularity is leading to a wave of scrutiny.
Issues with Zoom's privacy protections have been raised by users, security researchers and US authorities.
New York Attorney General Letitia James recently sent a letter to Zoom asking whether the company “is taking appropriate steps to ensure users' privacy and security”.
The company says it is working to address the questions.
“Zoom takes its users' privacy, security, and trust extremely seriously,” a spokesperson for the company said in a statement.
“During the COVID-19 pandemic, we are working around-the-clock to ensure that hospitals, universities, schools, and other businesses across the world can stay connected and operational. We appreciate the New York Attorney General's engagement on these issues and are happy to provide her with the requested information.”
The FBI says it has seen numerous examples of users entering meetings or virtual classrooms to shout profanities and share pornography.
Zoom founder and CEO Eric Yuan says this is often because of users not enabling security features such as meeting passwords and additional privacy controls.
“We will enforce these settings in addition to training and blogs,” he said.
“We also recently updated the default screen sharing settings for our education users so teachers by default are the only ones who can share content in class.”
The company has also been criticised for sharing user data with Facebook.
Zoom originally allowed users to log into its iOS app using a Facebook account, but this shared details with Facebook about the user's device, including its timezone, language, model number and IP address.
Facebook receives this kind of data because the tool it gives developers to integrate with their apps is designed to collect it.
Class action lawsuits have been filed against Zoom in a Northern California district court, one of which alleged the company “failed to safeguard the personal information of the increasing millions of users of its software”, while the other claimed users had “no opportunity to express or withhold consent to Zoom's misconduct”.
Additionally, the app does not employ “end-to-end encryption for all meetings” as it claims to do.
Instead, Zoom uses transport encryption, which only secures the message between a video chat device and the company’s servers.
This means Zoom could technically access and store any data transferred by its users.