Date: 2020-04-01

Zoom has grown in popularity as people turn to video calling software in the midst of the ongoing coronavirus pandemic. This moment of rapid growth has seen Zoom reach the top of the iOS and Android app stores as people gather on it for yoga classes, school classes and virtual nights out. Even the UK government has been holding daily cabinet meetings over Zoom.

With all of this added attention, Zoom now faces a huge privacy and security backlash, as security experts, privacy advocates, lawmakers, and even the FBI warn that Zoom's default settings aren't secure enough. Zoom now risks becoming a victim of its own success.

Zoom has faced security and privacy issues before. Apple was forced to step in and quietly remove Zoom software from Macs last year after a serious security vulnerability that allowed websites to hijack Mac cameras. In recent weeks, scrutiny of Zoom's security practices has escalated, with much of the concern focused on its default settings and the mechanisms that make the app so easy to use.

Each Zoom call has a 9-11 digit randomly generated identification number that participants use to access a meeting. Researchers have found that these meeting IDs are easy to guess and can even be brute-forced, allowing anyone to enter meetings.

Part of this ease of use has led to the "Zoombombing" phenomenon, where pranksters join Zoom calls and stream shocking or pornographic videos. The fault lies with Zoom's default settings, which don't encourage setting a password for meetings and which allow participants to share their screen. Zoom adjusted these default settings for educational accounts last week, "in an effort to increase the security and privacy of meetings." Everyone else will need to adjust their Zoom settings to make sure this never happens.

Zoombombing, however, was only the first of many recent Zoom security and privacy issues. Zoom was forced to update its iOS app last week to remove code that sent device data to Facebook. Zoom then had to rewrite parts of its privacy policy after it was found that users' personal information could be used to target ads. User information is also being leaked due to a problem with the way Zoom groups contacts.

Perhaps the most damning issue came to light yesterday. While Zoom still claims on its website that it can "secure a meeting with end-to-end encryption," the company was forced to admit that it is actually misleading people. "It is not possible to enable E2E encryption for Zoom video meetings," a Zoom spokesperson said in a statement to The Intercept, after the publication revealed that Zoom is actually using transport encryption instead of end-to-end encryption.

Privacy advocates have also raised issues about an attendee tracking feature that allows meeting hosts to track whether attendees have the Zoom app in view on a PC or whether it's simply in the background. A digital rights advocacy group also asked Zoom last month to release a transparency report, to share the number of requests for user data it receives from police and governments. Zoom has only said that the company is considering the request, and has not yet released a transparency report.

Security researchers and privacy advocates aren't the only groups expressing concern about Zoom. The FBI is warning schools about the dangers of Zoom's default settings for Zoombombing, and reports suggest the UK Ministry of Defense has banned Zoom while investigating "security implications." The New York attorney general's office also sent a letter to Zoom this week asking to hear "if Zoom has undertaken a broader review of its security practices" in light of recent concerns.

Zoom has not responded in detail to the latest concerns, but Zoom CEO Eric S. Yuan said last week that the company was reviewing its practices in light of the Facebook privacy concerns. "We sincerely apologize for the concern this has caused and remain firmly committed to protecting the privacy of our users," said Yuan. "We are reviewing our process and protocols to implement these features in the future to ensure that this does not happen again."

Zoom now faces lawsuits alleging that the company is illegally disclosing personal information to third parties. Earlier this week, two lawsuits were filed in California, and one seeks damages on behalf of Zoom users for alleged violations of the California Consumer Privacy Act.

As security researchers and privacy advocates continue to delve deeper into Zoom's software and practices, there are signs that more issues will need to be addressed. Some are now discovering how Zoom works around operating system constraints by using "the same tricks that macOS malware uses" to get its software installed on Macs. "Joining a meeting from a Mac is not easy, that's why Zoom and others use this method," says Zoom CEO Eric S. Yuan in a Twitter reply to the concerns. "Your point is well taken and we will continue to improve."

Ultimately, Zoom is feeling the effects of a rare moment for the app. The video conferencing app was never designed for the myriad ways that consumers are using it now. Zoom doesn't require an account, it's free for 40-minute meetings, and it's reliable. Barriers to entry are so low, and the coronavirus pandemic so unusual, that Zoom is suddenly in the limelight as a crucial tool for many.

Zoom may well be forced to tweak the parts of its app that make it so appealing to consumers and businesses in the coming months. The company now faces some tough decisions about how to better balance its default settings, user privacy, and ultimately its ease of use. Zoom's appeal has been its simple approach to video conferencing, but that crucial ingredient now threatens to be its downfall unless it gets a firm grip on the mounting concerns.