The Zoom controversy: Privacy flaws and data shared with third parties

Popular app has issues

Isabell Rivera OW Contributor | 5/14/2020, midnight

Since the “new normal” translates into practicing sheltering-at-home and social distancing, many people are now working from home, or applying for jobs online, and experiencing new techniques and technologies.

With apps such as Skype, FaceTime, and Zoom, the “face-to-face” interview process or conference call is easy. But is the user’s information private?

Since March, Zoom has seen a 535 percent increase in traffic on its website. It’s so trusted and popular that even politicians—such as former U.S. Federal Reserve Chair Alan Greenspan and British Prime Minister Boris Johnson—use it to make conference calls.

However, according to experts, the user’s information is not private. Individuals need emails in order to sign in and join a conference call. Zoom has stirred up some privacy concerns and is being sued for “selling” email addresses to third parties.

Sound familiar?

Yes, Facebook also received similar scrutiny over privacy for a data breach incident in 2018. Although Facebook doesn’t necessarily “sell” users’ data, it lets third parties have access to it when users sign into Spotify or Uber via Facebook instead of using a private email address.

Technically, any app or website on the internet will “sell” data or store users’ information when it asks for permission. Users grant permission when a little window pops up explaining that the site uses “cookies.” If the user likes the content and wants to proceed, the individual accepts those “cookies,” which grants that website permission to sell users’ data to third parties.

According to “Vox Media,” “cookies are pieces of information saved about you when you’re online, and they track you as you browse.”

Furthermore, “Vox Media” states: “There are first-party cookies that are placed by the site you visit, and then there are third-party cookies, such as those placed by advertisers to see what you’re interested in and in turn serve you ads — even when you leave the original site you visited. (This is how ads follow you around the internet.)”

Ironically, Zoom sold analytic data to Facebook recently. After a user filed a class-action lawsuit over the data breach of information to Facebook, Zoom then updated the iOS version of its app (iOS is an operating system for mobile devices).

The lawsuit states: “Zoom appears to have taken no action to block any of the prior versions of the Zoom App from operating. Thus, unless users affirmatively update their Zoom App, they likely will continue to unknowingly send unauthorized personal information to Facebook, and perhaps other third parties. Zoom could have forced all iOS users to update to the new Zoom App to continue using Zoom but appears to have chosen not to.”

A Zoom spokesperson told “Motherboard” that it takes the privacy of its users seriously and that Zoom originally implemented the “Login with Facebook” feature provided by the Facebook SDK (Software Development Kit) to give its users another option to access their platform without a hassle. But until recently, the company wasn’t aware that Facebook’s SDK collects more data than necessary.

In a statement, Zoom confirmed the “Motherboard” research by stating: “We will be removing the Facebook SDK and reconfiguring the feature so that users will still be able to login with Facebook via their browser. Users will need to update to the latest version of our application once it becomes available in order for these changes to take hold, and we encourage them to do so. We sincerely apologize for this oversight, and remain firmly committed to the protection of our users’ data.”

Eric Yuan, Zoom CEO, acknowledged the issue and apologized in a Zoom blog post.

“We recognize that we have fallen short of the community’s—and our own—privacy and security expectations,” Yuan said. “For that, I am deeply sorry.”

As “VICE Media” reported, Zoom has sold email addresses and private photos from thousands of users. Zoom’s “Company Directory” setting, where the flaw is located, apparently systematically adds other individuals to a user’s list of contacts if the email they signed up with has the same domain. This can be a useful tool if you work for a company and would like to search for a colleague. However, many individuals say they signed up to Zoom with personal email addresses and their information was exposed and shared with hundreds of unknown persons.

“If you subscribe to Zoom with a non-standard provider (I mean, not Gmail or Hotmail or Yahoo, etc), then you get insight to ALL subscribed users of that provider: their full names, their mail addresses, their profile picture (if they have any) and their status. And you can video call them,” said Barend Gehrels, a Zoom user who voiced his concerns to the media.

However, the other person still has to accept the incoming video call.

Although Zoom has fixed major privacy issues, its security software still needs some help. According to “Wired,” hackers can easily target Zoom and get users’ information that will then be sold on the darknet.

Jonathan Leitschuh, a security researcher, told “Wired” that the effortless way of video chatting comes with easy access for hackers, especially for Apple users. Apparently, they could even get access to users’ webcams.

Hackers can easily set up malware via a call, lure users into joining the conference call, and gain access to their video feed, as well as the user’s office or room, according to Leitschuh. Even the Federal Bureau of Investigation (FBI) issued a warning about so-called “Zoom-bombing,” which is when hackers take over a public video call. Some hackers have interrupted conference calls with threats and racist slurs. Victims should report any incidents of possible “video hijacking” to the FBI.

“We will enforce these settings in addition to training and blogs,” Yuan tweeted.

A Zoom spokesperson said the company was “deeply upset to hear about the incidents involving this type of attack.” The company advised that users who host large video call meetings should enable additional privacy settings, and that only the host should share their screen.

The spokesperson then continued with, “We also recently updated the default screen sharing settings for our education users so teachers, by default, are the only ones who can share content in class.”