Protecting Your Privacy and Data During Virtual Meetings

By M. Luke Davis, Furia Rubel Communications Intern

Like many Americans who’ve been ordered to stay at home until the COVID-19 pandemic wanes, you may have used Zoom, either to stay in touch with a group of friends, family, colleagues, or to conference call with co-workers. Zoom’s cloud-meetings app is currently one of the most popular free apps for iPhones and iPads in the United States, according to mobile app market research firm, Sensor Tower.

If you’re like me, you download apps without giving it a second thought. Maybe you’re combing through retail apps to get extra in-store discounts, or you’re anticipating your next binge-watching session on the newest social networking sensation, TikTok. Either way, many of us are installing apps left and right without really thinking about what’s going in our smartphones. We take for granted that it’s safe and don’t consider the consequences if it’s not. In the midst of coronavirus, one of those apps you downloaded is likely Zoom. But, some recent news about Zoom’s weak security, privacy issues, and “Zoombombing” now has the videoconference app under scrutiny.

What Exactly is Zoom?

Zoom was founded by current CEO Eric Yuan in 2011, so it’s been around for almost a decade. Headquartered in San Jose, CA, Zoom’s initial public offering occurred in April 2019. The company provides software that enables people to meet remotely, worldwide, by allowing users to communicate through video. According to App Annie, Zoom ranks as one of Apple’s most downloaded free apps and top grossing free apps.

Zoom is more popular than its competitors primarily because it’s easy to use and it is very reliable. Even amid the COVID-19 pandemic as the stock market plummeted, Zoom’s stock rose 26% from February 19 to March 21, 2020. CNBC recently reported that during the COVID-19 crisis when we’re all stuck inside, Zoom has become the go-to solution to connect people for school and university online class meetings, weddings, bar mitzvahs, music lessons, and yoga and meditation sessions.

Privacy Concerns with Zoom

Zoom doesn’t seem all that bad on the surface. In fact, it might be just what we needed to get through these hectic times. But don’t be fooled. Zoom’s surge in popularity has also attracted unwanted attention from news outlets and security authorities who have called out its major security flaws and brought its privacy policy into question.

To start, many recent student classroom and business meetings on Zoom have been compromised, where unauthorized individuals entered virtual meetings to stir up trouble, also known as Zoombombing. For example, one Ph.D. candidate reported that her dissertation defense was disrupted by a stranger.

In addition, Zoom’s screen-sharing feature has been hacked by internet trolls who interrupt Zoom meetings using language that’s threatening, showing images like pornography, or shouting profanities. Hackers even posted white supremacist messages during a church service and in an anti-Semitism webinar.

As a result, the FBI warned that Zoom teleconferences and online classrooms would be vulnerable to Zoombombing from hackers.

This isn’t Zoom’s only issue. Zoom has also reportedly leaked personal email addresses and pictures of thousands of individuals, giving strangers access to user information. The culprit is Zoom’s “Company Directory” feature, which syncs a user’s contact list with additional users who all have an email address under the same domain. Barend Gehrels, a Zoom user whose information was leaked, wrote on the issue in an email to Vice’s tech news site, Motherboard. He provided a screenshot to show that nearly 1,000 contacts of strangers were listed for his account in the Company Directory section, which revealed their email addresses and phone numbers. “If you subscribe to Zoom with a non-standard provider (I mean, not Gmail or Hotmail or Yahoo, etc.), then you get insight to ALL subscribed users of that provider: their full names, their addresses, their profile picture (if they have any) and their status,” said Gehrels.

Not only did Zoom expose user’s private information through shared email domains, but the Zoom iOS app fed their device data to Facebook, even if the individual doesn’t have a Facebook account. The problem was that it wasn’t clearly stated in Zoom’s privacy policy. This is important because even Facebook explained that developers must be transparent about the data it collects and sends to Facebook.

Motherboard reached out to Zoom for comment, and Zoom later confirmed the data collection in a follow-up statement, which said, “Zoom takes its user’s privacy extremely seriously. We originally implemented the ‘Login with Facebook’ feature using the Facebook software development kit (SDK) in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data.” After Motherboard released the article, Zoom removed the tracking software code.

Zoom’s heightened traffic and suspicious privacy claims prompted New York’s Attorney General, Letitia James, to send a letter to the company in March, asking whether Zoom has instituted any new security measures to prevent hackers and to manage the increase in traffic. James acknowledged that Zoom is “an essential and valuable communications platform,” but her letter also admonished the company’s inadequate resolution of security flaws like vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.”

While these are disturbing issues, one of Zoom’s biggest problems that emerged was its previous lack of end-to-end encryption. It’s important in preventing others from accessing your information, such as messages while its transferred from one device to another. Zoom has made several statements addressing this along with other privacy concerns, which it has apologized for.

It has also now improved many features in its Zoom 5.0 update that released on April 27, such as adding a more secure AES 256-bit GCM encryption, new password requirements, a “report a user” feature, enhanced data center information, and improvements to ending/leaving meeting settings.

However, new features like the new GCM encryption won’t be entirely effective until all users have Zoom 5.0. Users will be required to update to Zoom 5.0 on May 30 if they want to continue using Zoom. In the meantime, your businesses’ private information may still be at risk of personal data breaches and information stealing for another month.

Ways to Protect Your Privacy

While Zoom tightens loose ends through its additional features and may prove to be a more safe and reliable app down the road, it’s important to ensure that your business and private information are protected in the meantime.

Create a Unique Password

Start by making a different password for each app that you use, and don’t use features to sign into an app through other apps like Facebook and Google. “Always create a unique username and password per each platform, including Zoom,” says Kristina Podnar, a digital policy consultant and expert in cybersecurity. “By keeping that data separate, you at least create a wall that keeps the data separate and makes it harder for companies to understand every detail about you.”

Use Two-Factor Authentication

Along with creating unique passwords, it is crucial that you set up two-factor authentication (2FA) security measures on all of your devices. This essentially gives you a second way to verify yourself. A prime example of this would be Apple’s Face ID, but the verification can also come in the form of a numeric code sent to your phone. Every time someone tries to log in from an unfamiliar device, a text will be sent to your phone with a code that can only be used once. If you want to be even safer, you can verify login attempts through an authenticator app. This links all your accounts to the app, and it rotates new codes that you can use interchangeably throughout all of your accounts. The best part is that you can require multiple types of codes simultaneously. You can use a QR code on one device and a six-digit code on another.

Control Your Settings

No matter what device you use Zoom with, take advantage of its more secure settings. For example, set screen-sharing settings to host only. This prevents invasive users from displaying inappropriate images, videos or text and eliminates Zoombombing. Also, always use Zoom’s waiting room feature and make sure the rooms are private. Even after updating to Zoom 5.0, the old encryption will remain a setting option. Check these settings and make sure the new GCM encryption is enabled.

Update Your Software

Software updates are often effective at fixing security issues, so always update every app, program or software to the current version, regardless of the system or device it is used on. Don’t forget to also update your Zoom software to Zoom 5.0 if you are using it anytime from now until May 30.

Use a Separate Device and Email for Zoom

You can also use Zoom on a device that doesn’t contain private business or financial information. That way, you’re not taking any chances with having your important devices hacked. Another option is to create a separate email from your work and personal email, so that none of your private conversations and transactions can be traced.

Extra Guidelines

Recently, the FBI released its own set of guidelines on combating video teleconferencing (VTC) hijacking and Zoombombing, which can be found here.

Zoom Alternatives

If you’re worried about the safety of your firm or organization’s information, there are many video chatting service apps that would suffice as safe alternatives to Zoom.

Group FaceTime

Apple’s Group FaceTime can hold up to 30 callers and has high quality features that make it significantly more secure than Zoom. Unlike Zoom, FaceTime supports end-to-end encryption, which makes it increasingly difficult for hackers to access and steal your information. Unfortunately, the app is not cross-platform, which means that everyone has to use it on the same type of device.

Signal

Another highly secure app is Signal. Its service is similar to WhatsApp, and like WhatsApp, it provides video chatting. Signal is free, and it also supports end-to-end encryption. Its biggest downside is that it doesn’t offer group chats, so it can only be used for private, one-on-one conversations.

Skype and Microsoft Teams

For more options, try Skype and Microsoft Teams, which are both video chat apps offered by Microsoft. While Skype is a casual chatting alternative to Zoom, it doesn’t offer to end-to-end encryption. This is why many businesses utilize Microsoft Teams, which offers (2FA) and data encryption. Not to mention, it meets numerous industry standards in security compliance regulations.

Houseparty

Houseparty has garnered headlines during COVID-19 after rumors floated around about a hacking scandal. These rumors were proven false, and Lukas Stefanko, an ESET security researcher, informed Forbes that the app did not have security issues to worry about. Unlike Zoom, Houseparty is more transparent and has laid out all details in its privacy policy. However, it doesn’t incorporate end-to-end encryption.

Stay Safe

In today’s digital age, you can never be too careful about the apps and websites you are using. Be proactive. Take the necessary precautions to safeguard virtual meetings, prevent data breaches and information stealing from hackers, and keep your company safe.

For more coronavirus resources, please visit our Coronavirus (COVID-19) Crisis & PR Resource Center.