Now that we're all stuck at home thanks to the coronavirus pandemic, video calls have gone from a novelty to a necessity. Zoom, the popular videoconferencing service, seems to be doing better than most and has quickly become one of, if not the most, popular option going.
But should it be?
Zoom's recent popularity has also shone a spotlight on the company's security protections and privacy promises. Just today, The Intercept reported that Zoom video calls are not end-to-end encrypted, despite the company's claims that they are.
And Motherboard reports that Zoom is leaking the email addresses of "at least a few thousand" people because personal addresses are treated as if they belong to the same company.
It's the latest examples of the company having to spend the last year mopping up after a barrage of headlines examining the company's practices and misleading marketing. To wit:
Apple was forced to step in to secure millions of Macs after a security researcher found Zoom failed to disclose that it installed a secret web server on users' Macs, which Zoom failed to remove when the client was uninstalled. The researcher, Jonathan Leitschuh, said the web server meant any malicious website could activate Mac webcam with Zoom installed without the user's permission. The researcher declined a bug bounty payout because Zoom wanted Leitschuh to sign a non-disclosure agreement, which would have prevented him from disclosing details of the bug.
Zoom was quietly sending data to Facebook about a user's Zoom habits — even when the user does not have a Facebook account. Motherboard reported that the iOS app was notifying Facebook when they opened the app, the device model, which phone carrier they opened the app, and more. Zoom removed the code in response, but not fast enough to prevent a class action lawsuit or New York's attorney general from launching an investigation.
Zoom came under fire again for its "attendee tracking" feature, which, when enabled, lets a host check if participants are clicking away from the main Zoom window during a call.
On the bright side and to some users' relief, we reported that it is in fact possible to join a Zoom video call without having to download or use the app. But Zoom's "dark patterns" doesn't make it easy to start a video call using just your browser.
Zoom has faced questions over its lack of transparency on law enforcement requests it receives. Access Now, a privacy and rights group, called on Zoom to release the number of requests it receives, just as Amazon, Google, Microsoft and many more tech giants report on a semi-annual basis.
Then there's Zoombombing, where trolls take advantage of open or unprotected meetings and poor default settings to take over screen-sharing and broadcast porn or other explicit material. The FBI this week warned users to adjust their settings to avoid trolls hijacking video calls.
There are many more privacy-focused alternatives to Zoom. There are several options, but they all have their pitfalls. FaceTime and WhatsApp are end-to-end encrypted, but FaceTime works only on Apple devices and WhatsApp is limited to just four video callers at a time. A lesser known video calling platform, Jitsi, is not end-to-end encrypted but it's open source — so you can look at the code to make sure there are no backdoors — and it works across all devices and browsers. You can run Jitsi on a server you control for greater privacy.
In fairness, Zoom is not inherently bad and there are many reasons why Zoom is so popular. It's easy to use, reliable and for the vast majority it's incredibly convenient.
But Zoom's misleading claims give users a false sense of security and privacy. Whether it's hosting a virtual happy hour or a yoga class, or using Zoom for therapy or government cabinet meetings, everyone deserves privacy.
Now more than ever Zoom has a responsibility to its users. For now, Zoom at your own risk.