Controversy Over Zoom’s Poor Security and Privacy Safeguards

Updating your Zoom application often is the best way to prevent security and privacy risks.

Zoom has become one of the main ways that students at Moravian connect with peers and professors. 

However, its parent company, Zoom Video Communications, Inc., has been in hot water lately. After a wave of officials and organizations banned their members from using it, the general public started to look a little more closely at the troubles that the application presents.

The two main criticisms that Zoom faces are its poor privacy agreement and holes in its security. 

Privacy Agreement

Zoom Video Communication was founded in 2011 and began offering services in 2013. From the beginning, the company was criticized for its poor privacy agreement and its habit of information mining. 

According to Forbes, Zoom actively collects all information involved in every call made over Zoom; that includes video, instant messages, voice audio, files, and whiteboard drawings. This information is stored on its own servers, only notifying their “consenting” users by including a clause in the often ignored privacy statement. 

This is a big red flag for many people using Zoom. While we may think that little of what we say is important for Zoom and would do little damage if this information was leaked, big organizations and companies are greatly at risk to competitors, driving many of them to abandon the software entirely. 

The FBI has also weighed in on the issue. The agency issued a statement saying that the collecting and sharing of student information (grades, academic standing, etc., which are all things that we often discuss with our advisors and professors over Zoom) is against the Family Education Rights and Protection Act (FERPA). While Zoom has responded to the issue, assuring customers that their company is FERPA-compliant, not many people have taken their assurance to heart. It is no surprise, considering that Zoom has been called dishonest after a big security scandal. More on that in a minute. 

Zoom faced backlash this March when it was revealed that their iOS app was sending device analytics to Facebook, even if the Zoom account was not linked to a Facebook profile. When questioned, Zoom said that they were simply sending device information, such as device model type and iOS version. People were outraged because the information seemed unuseful and irrelevant, which begged the question why were they collecting it in the first place. Plus, Zoom did not tell anyone about its data mining. 

Later in March, Zoom was sued for illegally disclosing personal information about users to third parties. Supposedly, Zoom patched both of these problems with a software update. 

A similar scandal broke earlier this month when the Android app was sending emails and accounts to LinkedIn, supposedly to connect Zoom accounts with possible LinkedIn accounts. Once again, Zoom never announced this to its users, which sparked more outrage in the public. Again, Zoom patched it up. 

Security Risks

Zoom’s practices of information gathering are exacerbated by its poor security, both as a company and on user devices. 

Moravian students have experienced “Zoombombing,” a now common-place practice that consists of students’ popping into meetings when they are not supposed to be there. 

There are many ways to Zoombomb, but often students just use the URL or code that the professor shares to the class to enter the meeting. This can happen many different ways, but it often includes a student sharing it intentionally or on accident, which allows outsiders into their meetings. There are less scrupulous ways of Zoombombing, but that is the most common one in college. Occasionally, hackers hijack the meeting, then post hate speech, pornography, and other offensive messages. Even the FBI warned users against the distracting nature of Zoombombing.

Zoombombing is not the only way that students could have their classes invaded. 

In July of last year, a scandal surfaced where Zoom’s security let through a hack that easily allowed outsiders to turn on the camera of any computer that had the Zoom application installed. Zoom had to work hard to fix the hack, but the scandal broke the trust of many of its users. 

Zoom was criticized heavily by the public after its “dishonest” advertising told users that its service was end-to-end encrypted, which meant that as the messages moved from one computer to another, the entire path was encrypted and protected from outside influence. However, this was a lie. 

In fact, the company had a lot of holes in their software that allowed for outsiders to hack in and steal whatever information was being sent from one user to another. Once again, the company faced a lawsuit over false advertising. 

It was one scandal in particular, however, that drove away many big business users.

Zoom confessed that it was accidentally sending messages and video signals through mainland China, which notoriously conflicts with the U.S.’s internet security laws. This meant that any conversations or information being transmitted through Zoom in any form was able to be tracked and collected by the Chinese government. 

When public outrage over these two issues gained traction, Zoom once again patched its software but chose to allow only paid subscribers to opt to not have their information routed through China.

This lack of proper encryption software and the political conflict with China caused a number of big companies and organizations to leave Zoom, such as the Australian Defense Force, the German Ministry of Foreign Affairs, the Indian Ministry of Home Affairs, Google, SpaceX, and the New York City Department of Education. 

A number of others have abandoned the software as well, some even forcing all employees to uninstall the device on their company hardware entirely. 

The College’s Response

What does this mean for Moravian, which has been a paid users of the software since I was a freshman in 2017, particularly as we now rely on it to conduct classes and communicate with each other?

Is it safe for us to use Zoom?

Thankfully, the school was already aware of Zoom’s security issues and of the concerns that students and faculty had. David Brandis, Moravian’s Chief Information Officer, sent out two emails regarding these troubles to faculty on April 5 and 9. 

In short, Brandis and the College have adjusted the security settings on all of Moravian’s Zoom accounts to help prevent the possibility of Zoombombing, such as enabling waiting rooms, among other fixes. 

Furthermore, many of the criticisms against Zoom were indeed patched by the Zoom software itself, which was not something that Moravian could control. Brandis urges students and staff alike to keep updating Zoom as new security measures are announced.

In general, Brandis writes, “In my professional opinion, there is no reason to stop using Zoom,” which is a reassurance to many of the students and staff at Moravian.

While it is scary think about the many ways that information can be leaked through Zoom, the College is doing everything it can to keep our learning experience safe and secure.

Now, it’s Zoom’s turn.