Zoom has lately become the go-to video conferencing platform (sorry Skype and Hangouts) as more people work remotely while they practise self-isolation during the coronavirus lockdown. However, Zoom has also been mired in some worrying security issues in the past few days. Despite the company assuring users that the platform is secure, there are a few lapses in how it handles user data that can expose users' personal information. Zoom also seems to suggest that it offers end-to-end encryption for everything, but in reality only text chats are end-to-end encrypted on its platform.
Zoom’s folly, user’s tragedy
Multiple users have pointed out that they can see the email addresses, and even the photos, of random people in their respective Zoom profiles. Exposing an email address to strangers is an open invitation to spam in your inbox, but there is a more worrying aspect here. One can actually start a video call with a random person whose profile appears in their contacts, without ever actually knowing them. So, how did this happen?
@zoom_us I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional? #GDPR pic.twitter.com/bw5xZIGtSE
— Jeroen J.V Lebon (@JJVLebon) March 23, 2020
Zoom actually maintains something called a ‘Company Directory’, where all email addresses with the same domain name (save for generic ones like Gmail and Yahoo) are listed together. Zoom apparently treats a shared domain name as a sign that people work in the same company, but this method has its own flaws. If your email address has been added to one such ‘company directory’, mistaking you for a colleague of a hundred others, random strangers can see your photo and even call you.
Here is a screenshot of the issue. This user signed up with a personal email address, but Zoom is automatically adding everyone else who used the same email service as one of their contacts.
— Joseph Cox (@josephfcox) March 31, 2020
When Zoom was made aware of the issue, the company blacklisted those domains. “Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added. With regards to the specific domains that you highlighted in your note, those are now blacklisted”, a Zoom spokesperson was quoted as saying. Moreover, if your email address has also been compromised by a faulty listing in Zoom’s directory, you can actually request Zoom to get it removed. Zoom says on its website that owners or admins can also choose to turn off the directory inclusion feature.
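To make the failure mode concrete, here is an added illustration (not Zoom's code, and the domain list and addresses are constructed for the example) of the grouping rule the article describes: every address is bucketed by its domain unless the domain sits on a denylist of consumer providers. A consumer provider the denylist does not know about, called example-isp.net here, gets its unrelated customers bundled into one "company", which is exactly the symptom reported above. The second function is an assumed alternative, not something the article attributes to Zoom: only domains an admin has verified form a directory, so an unlisted consumer domain produces no directory at all rather than a wrong one.

```python
# Added example: domain-based directory grouping and why a denylist is brittle.
# Nothing here is Zoom's implementation; the lists below are constructed.

CONSUMER_DOMAIN_DENYLIST = {"gmail.com", "yahoo.com", "hotmail.com"}

# Constructed sample sign-ups. example-isp.net is a (made-up) regional consumer
# mail provider that the denylist does not know about.
SIGNUPS = [
    "alice@acme-corp.example",
    "bob@acme-corp.example",
    "carol@gmail.com",
    "dave@gmail.com",
    "erin@example-isp.net",
    "frank@example-isp.net",
]


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an address."""
    return email.rsplit("@", 1)[1].lower()


def build_directories(emails, denylist=CONSUMER_DOMAIN_DENYLIST):
    """Denylist model: every domain not on the list becomes a 'company'."""
    directories = {}
    for email in emails:
        domain = domain_of(email)
        if domain in denylist:
            continue  # known consumer provider: do not group its users
        directories.setdefault(domain, []).append(email)
    return directories


def build_directories_verified(emails, verified_domains):
    """Assumed safer model: a directory exists only for a domain whose
    ownership an admin has verified, so unknown consumer domains never
    get grouped by accident."""
    directories = {}
    for email in emails:
        domain = domain_of(email)
        if domain in verified_domains:
            directories.setdefault(domain, []).append(email)
    return directories


def accidental_directories(emails, denylist=CONSUMER_DOMAIN_DENYLIST):
    """Report domains that the denylist model grouped although they are
    not on any verified-domain list: these are the exposure candidates.
    The verified set here is constructed for the example."""
    verified = {"acme-corp.example"}
    naive = build_directories(emails, denylist)
    return sorted(d for d in naive if d not in verified)


if __name__ == "__main__":
    print(build_directories(SIGNUPS))
    print(accidental_directories(SIGNUPS))
    print(build_directories_verified(SIGNUPS, {"acme-corp.example"}))
```

Running it shows erin and frank ending up in one shared directory under the denylist model, which is what lets strangers see each other's profile and call each other; the verified-domain variant simply produces no directory for that domain. Whatever the grouping rule, the practical check for a user is the one the article gives: ask for removal, or have the admin turn directory inclusion off.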
No, Zoom video calls are not end-to-end encrypted
“Zoom’s solution and security architecture provides end-to-end encryption and meeting access controls so data in transit cannot be intercepted” says Zoom on its website. The statement makes one believe that Zoom calls are end-to-end encrypted, but that’s not really the case. “Currently, it is not possible to enable E2E encryption for Zoom video meetings.
Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection,” a Zoom spokesperson was quoted as saying by The Intercept. The only content that is end-to-end encrypted on Zoom is the text in chats.
What this means is that Zoom can access the unencrypted video and audio content of users’ meetings, because the media key is negotiated with Zoom's own servers. That is not the definition of end-to-end encryption. End-to-end encryption is when the content of a text or multimedia conversation can only be accessed and decrypted by the sender and receiver, because only they hold the decryption keys, and not the service provider itself.
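The difference between the two designs comes down to who holds the media key, and that is easiest to see in code. The following is an added model, not Zoom's implementation: in the first call the server negotiates the meeting key over each client's transport channel (the arrangement the spokesperson describes), so the relay can decrypt every packet it forwards; in the second, the two endpoints agree a key between themselves and the relay only ever sees ciphertext. The cipher is a toy HMAC-based keystream standing in for AES, and the Diffie-Hellman parameters are deliberately tiny demonstration values; both are assumptions of the example, not anything the article states.

```python
import hashlib
import hmac
import os
import secrets

# Added example: transport encryption (server holds the key) versus
# end-to-end encryption (only the endpoints hold the key).


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed with the data.
    It stands in for AES here; the example is about key custody, not the cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Toy Diffie-Hellman group (a 127-bit Mersenne prime); demonstration only.
P = (1 << 127) - 1
G = 5


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_key(priv: int, other_pub: int) -> bytes:
    shared = pow(other_pub, priv, P)
    return hashlib.sha256(b"toy-e2e-key" + shared.to_bytes(16, "big")).digest()


class Relay:
    """Media server that forwards packets and keeps whatever it can decrypt."""

    def __init__(self):
        self.meeting_keys = {}  # keys the server itself negotiated
        self.observed = []      # plaintext recovered per forwarded packet, or None

    def negotiate_meeting_key(self, meeting_id: str) -> bytes:
        # Server picks the media key and hands it to each client over its
        # (TLS-protected) control channel, so the server knows it too.
        key = os.urandom(32)
        self.meeting_keys[meeting_id] = key
        return key

    def forward(self, meeting_id: str, nonce: bytes, ciphertext: bytes):
        key = self.meeting_keys.get(meeting_id)
        self.observed.append(keystream_xor(key, nonce, ciphertext) if key else None)
        return nonce, ciphertext


def transport_encrypted_call(message: bytes):
    """Server-negotiated media key: returns (what the callee got, what the relay saw)."""
    relay = Relay()
    key = relay.negotiate_meeting_key("meeting-1")
    nonce = os.urandom(12)
    nonce, ct = relay.forward("meeting-1", nonce, keystream_xor(key, nonce, message))
    return keystream_xor(key, nonce, ct), relay.observed[0]


def end_to_end_call(message: bytes):
    """Endpoint-agreed key: the relay forwards public values and ciphertext only."""
    relay = Relay()
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = dh_shared_key(a_priv, b_pub)  # public values may cross the relay openly
    key_b = dh_shared_key(b_priv, a_pub)
    nonce = os.urandom(12)
    nonce, ct = relay.forward("meeting-2", nonce, keystream_xor(key_a, nonce, message))
    return keystream_xor(key_b, nonce, ct), relay.observed[0]


if __name__ == "__main__":
    print(transport_encrypted_call(b"video frame"))
    print(end_to_end_call(b"video frame"))
```

In the first call the relay's observed plaintext equals the message, so an operator (or anyone who compels or compromises the server) can read the media even though every link was encrypted in transit. In the second the relay records nothing, which is the property the article says Signal and WhatsApp provide and Zoom's video calls do not.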
This is what happens when you use apps such as Signal and WhatsApp, but it is not the case with Zoom. In broad terms, an outside third party can’t eavesdrop on your Zoom video or audio conversation, but the company itself can access the contents. Of course, Zoom claims to abide by the applicable privacy norms, but the way Zoom explains the security of the platform on its website is a bit misleading.