Zoom has become the go-to video conferencing app since the coronavirus pandemic became all-embracing, but its continuing popularity has brought much closer scrutiny. The US-based app allows people to sign up for free and talk remotely both with friends and colleagues, but deficiencies have now appeared in its privacy and security credentials. It was found to be sharing data with Facebook, and recently admitted that it doesn’t provide end-to-end encryption on video meetings.
The app has just become the subject of a class action lawsuit in California, while the UK government defended using it for Cabinet meetings. The American lawsuit, which accuses the company of ‘improperly sharing personal data’, was filed on Monday. It alleges that despite Zoom announcing its ‘appreciation for the importance of maintaining its users’ privacy,’ it includes code in the Zoom app that allowed undisclosed sharing of personal information to Facebook and other third parties. The suit, obtained by DailyMail.com, states that information is shared when a user installs the Zoom app and each time it is opened.
That information includes the user’s mobile operating system type and version, the device time zone, model and unique advertising identifier that allows companies to target the user with specific advertising.
Meanwhile, a government spokeswoman defended Boris Johnson’s use of the app to conduct meetings during the coronavirus lockdown. ‘In the current unprecedented circumstances, the need for effective channels of communication is vital,’ the spokeswoman told BBC News. She then added that the great advantage of Zoom, which was founded in 2011 and has an HQ in San Jose, is that it is quick to set up between the varying systems used by different government departments.
ID number of Zoom Cabinet Meeting
Somewhat amusingly, the prime minister accidentally revealed the ID number for his Zoom meeting when he posted a picture of it online. He posted a picture with government ministers – including Dominic Raab, Michael Gove and Jacob Rees-Mogg – reminding the public to ‘stay at home, protect the NHS, save lives’ and people on Twitter quickly noticed the Tory leader left the Zoom meeting ID number in the top left corner of the screenshot, as well as the usernames of some ministers taking part.
A Downing Street spokesman said new IDs were being generated each time the software was used and No 10 is ‘following all necessary security procedures’. He added: ‘I am happy to say with confidence we were satisfied it was secure’.
How safe is Zoom?
Zoom is currently being examined by cyber security experts worldwide, and many of them are explaining basic things that users can do to keep themselves safe. ‘Many controversies now exist around Zoom’s security and privacy, though it is extremely far from dominating the plethora of emerging security risks,’ said Ilia Kolochenko, founder & CEO of web security company ImmuniWeb. ‘Few attackers will ever bother to intercept Zoom communications, even fewer will extract any value from the alleged data sharing with Facebook. ‘Instead, they will bet on the skyrocketing number of poorly configured VPNs and RDP technologies, abandoned servers and unprotected cloud storage, exposed databases and shadow IT resources that widely open the door to companies’ crown jewels.
‘Others will hone their skills in large-scale phishing and BEC campaigns. Unfortunately, most of their attacks will likely be tremendously successful.’ He added: ‘Since the commencement of the coronavirus, only a few organisations have successfully shifted all their workforce to securely work from home. ‘Those organisations are erecting emergency infrastructure around the clock to enable remote work, but frequently disregarding even the basic security and privacy aspects, let alone compliance with industry standards and internal policies that are ill-suited for such an unprecedented and devastating crisis.’
‘Organisations of all sizes should urgently update and promulgate among their employees information security policies, adopted to mitigate COVID19 risks and threats. ‘Once everyone has a clear and coordinated cybersecurity strategy, it is essential to implement continuous attack surface monitoring enhanced with surveillance of Dark Web that will likely show an unusual abundance of newly stolen data for sale. Employees’ security awareness programs, and IT asset discovery and management top the emergency To-Do list, being indispensable to secure businesses amid the havoc.’
After the emergency
Zoom has been a hugely beneficial resource for countless millions of people during this international emergency. We are no longer surprised at virtually attending a church service, a funeral, a meeting with colleagues or clients, even a trial, or a morale-boosting chatting & laughing session with mates from the Rugby Club, or between groups of ladies whose friendships are now long-distance.
As I personally now start to organise a monthly but now virtual Sci-Fi evening with friends this very evening, watching the same latest programmes simultaneously, should I worry that longer term I am compromising my future privacy & security in ways that non-specialists simply haven’t the remotest conception of?