Four Years of Zoom’s Accelerated Expansion: Monitoring Far From Stopping

When searching for Zoom on search engines and social media platforms, the phrase “Does Zoom spy on you?” frequently appears among the suggested searches. Eavesdropping and privacy leakage on Zoom have become matters of public concern.

Zoom’s most significant privacy and security risks surfaced during two periods of rapid expansion. The first was triggered by the lockdowns of the COVID-19 pandemic, which drove a surge in users and forced Zoom to scale quickly. The second came with the rise of AI: in order to secure a position at the technical frontier, Zoom adopted an expansion strategy that further aggravated its privacy and security risks.

Privacy and Security Risks Exposed by User Surge

In 2020, the use of Zoom increased rapidly as face-to-face events and meetings moved online under the COVID-19 lockdowns. Zoom’s user count grew from 10 million to 200 million in four months, and from February 2020 to December 2021 its headcount grew from 2,400 to 6,100 employees. But growth in users could not paper over Zoom’s own security vulnerabilities.

In July 2019, security researcher Jonathan Leitschuh disclosed a major vulnerability in Zoom’s Mac client. In his description, the flaw allowed “any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.” Leitschuh also emphasized that the local web server the client left behind could reinstall the Zoom app without any user interaction, behavior that plainly violates a basic principle of data protection: informed consent. Some user groups therefore still regard Zoom as “malware.”

(https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/?guccounter=1&guce_referrer=aHR0cHM6Ly90LmNvL3ZTaHBLNDB6eHk_YW1wPTE&guce_referrer_sig=AQAAAJ4mN_oIrFPS8zSA_zwzAG543cZV479z5jbes6OOyLjm7gheHgOts7SJcJPtRz9_dcbzIPOIb-aOjypjSJqTvKe3tVWTvsEEhQq2EVMAOoCbNUVDVoWneQ_OWjZIcpe5pjF39mI8_u7CbUH07H70AB0Ba7tLtGiG-mNVANY-qh6Z)

Against the backdrop of the dramatic growth in users, other social problems arising from long-standing weaknesses also came to the fore. According to a March 2020 FBI bulletin, video hijacking incidents, commonly known as “Zoom-bombing,” were on the rise. In these incidents, intruders join videoconferences uninvited to make racist statements or threats against participants. In most cases no exploit was involved: the intruder simply joined through a meeting link that had been shared publicly without a password or waiting room, which is why the FBI’s advice was to keep meetings private, require a password, and restrict screen sharing to the host.

(https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing)

At the end of March 2020, The Intercept disclosed misleading statements in Zoom’s marketing. Zoom’s official website and its security whitepaper claimed that the platform supported end-to-end encryption for meetings. The Intercept verified that this was not the case: when a Zoom spokesperson was asked to confirm whether video conferences on the platform were end-to-end encrypted, the spokesperson stated, “Currently, it is not possible to enable E2E encryption for Zoom video meetings.”

What Zoom used at the time was TLS, the same transport encryption that browsers use for HTTPS. TLS protects traffic between a client and Zoom’s servers, but Zoom’s servers terminate that connection and therefore have access to the meeting content in the clear. End-to-end encryption, as the term is used for Signal or WhatsApp, means content is protected between the participants themselves, with no access by the provider at all. Zoom did not offer that level of protection at the time (it later shipped an optional end-to-end encrypted meeting mode that hosts must enable explicitly), so describing its transport encryption as “end-to-end” was seriously misleading.

(https://theintercept.com/2020/03/31/zoom-meeting-encryption/)
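The distinction above comes down to who holds the keys. The following is an added illustration, not Zoom’s code or anything published by The Intercept: a toy model of a relay server that terminates each participant’s transport session. In the hop-by-hop (TLS-only) case the server decrypts and re-encrypts every frame, so the operator sees plaintext; in the end-to-end case a meeting key shared only by the participants is wrapped inside the transport layer, and the operator sees only ciphertext. The stream cipher is a deliberately simple HMAC-SHA256 keystream with no authentication tag (a stand-in for a real AEAD, not for production use); the participant names, the `Server` class and the `operator_can_read` check are all invented for this example.

```python
"""Hop-by-hop (TLS-style) versus end-to-end encryption of a meeting stream.

Added example, not Zoom's code. The cipher is a toy HMAC-SHA256 keystream
XOR (no integrity tag, NOT for real use); the point is who holds which key.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from key and nonce (counter mode over HMAC)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext. Toy stream cipher: confidentiality only."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class Server:
    """Hypothetical meeting service that terminates each participant's transport session."""

    def __init__(self) -> None:
        self.transport_keys = {}  # participant -> per-hop session key (the server knows all of these)
        self.observed = []        # whatever the operator could log at the relay point

    def register(self, name: str) -> bytes:
        key = os.urandom(32)      # stands in for the TLS session key negotiated with this client
        self.transport_keys[name] = key
        return key

    def relay(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # Stripping the sender's transport layer is exactly what a TLS-terminating
        # relay must do, and it is the point at which the operator sees what is inside.
        inner = decrypt(self.transport_keys[sender], blob)
        self.observed.append(inner)
        # Re-wrap for the recipient's own transport session.
        return encrypt(self.transport_keys[recipient], inner)


def run_hop_by_hop(message: bytes):
    """Transport-only encryption: the server decrypts and re-encrypts on every hop."""
    srv = Server()
    k_alice, k_bob = srv.register("alice"), srv.register("bob")
    blob = encrypt(k_alice, message)             # Alice -> server under her transport key
    delivered = srv.relay("alice", "bob", blob)  # server re-encrypts for Bob
    bob_sees = decrypt(k_bob, delivered)
    return srv.observed[-1], bob_sees            # (what the operator saw, what Bob got)


def run_end_to_end(message: bytes):
    """End-to-end: a meeting key shared only by participants, wrapped inside the transport layer."""
    srv = Server()
    k_alice, k_bob = srv.register("alice"), srv.register("bob")
    meeting_key = os.urandom(32)                 # agreed between Alice and Bob; the server never learns it
    inner = encrypt(meeting_key, message)
    blob = encrypt(k_alice, inner)
    delivered = srv.relay("alice", "bob", blob)
    bob_sees = decrypt(meeting_key, decrypt(k_bob, delivered))
    return srv.observed[-1], bob_sees


def operator_can_read(run, message: bytes) -> bool:
    """The practical test of an 'end-to-end' claim: does the service operator see plaintext?"""
    server_view, _ = run(message)
    return server_view == message


if __name__ == "__main__":
    sample = b"quarterly numbers: confidential"   # constructed sample frame
    print("hop-by-hop, operator can read:", operator_can_read(run_hop_by_hop, sample))
    print("end-to-end, operator can read:", operator_can_read(run_end_to_end, sample))
```

The same question applies to any vendor claiming “end-to-end”: if the provider’s servers can produce the plaintext (for recording, transcription, compliance, or a “data retention tool”), the encryption is transport encryption, whatever the marketing says.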

A Motherboard report from the same period found that Zoom’s iOS app sent device and usage data, including a unique advertising identifier, to Facebook through the Facebook SDK, even if the user had no Facebook account. (https://www.vice.com/en/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account)

At the governmental level, in April 2020 the European Parliament’s Vice-President for Information Technology told Politico that the Parliament’s emergency system for remote meetings and voting, set up in response to the coronavirus outbreak, had significant flaws and was open to manipulation, exposing MEPs to a number of security risks. Zoom’s own cybersecurity weaknesses were among the concerns raised.

(https://www.politico.eu/article/coronavirus-eu-parliament-work-from-home-measures-expose-meps-to-manipulation-risks-says-vice-president/)

In September 2020, following these incidents, the compliance firm Pridatect publicly stated that Zoom was not GDPR compliant. Pridatect argued that Zoom was unable to protect the private communications of its users, putting their data at risk, and that sensitive proprietary information shared in meetings could be accessed and stolen.

(https://www.pridatect.co.uk/zoom-gdpr-compliant/#:~:text=All%20multicast%20session%20data%20is,tampering%20with%20data%20without%20detection.)

With Zoom’s public apologies and a series of public relations campaigns, the scrutiny has diminished over time. That does not mean Zoom has fixed the vulnerabilities or stopped “spying” on its users. Recently, an individual claiming to be a senior Zoom technician posted material on the dark web that he presented as evidence that the conferencing software is monitoring its users. According to this account, Zoom’s senior management instructed the engineering team to build a data retention tool for the U.S. government, whose existence was to be kept from the public, and the system was used in practice to monitor a wide range of users, including free, premium and corporate accounts.

According to the same account, the system’s core functions include automatically searching for meetings containing sensitive content; joining meetings through a backdoor without a password or host authorization; sampling and analysing meeting video; covertly recording video, audio and screenshots of meetings; and submitting reports or data to U.S. regulators. The system is also said to be able to terminate sensitive meetings and ban the associated accounts, and to be highly classified, with access limited to a small number of internal employees. None of this has been independently verified.

With the Rise of AI, Zoom Is Still Prying into Your Privacy

A March 2023 change to Zoom’s Terms of Service disclosed that Zoom reserved the right to mine customer content (including potentially confidential meeting recordings and file uploads) for AI training. Zoom also reserved a number of rights over customer content, including (but not limited to) publishing, sharing, redistributing, displaying and creating derivative works, and granted itself a “perpetual, worldwide, non-exclusive, royalty-free” license to use that content in any way it sees fit. Customer outcry led Zoom to make some concessions, but the terms still conflict with EU data-protection law, which requires consent for such processing of personal data. (https://www.cpomagazine.com/data-privacy/zoom-ai-data-collection-catching-users-by-surprise-may-face-regulatory-action-in-eu/)

Zoom’s pattern of concealment and deception toward its users has been consistent. The TOS change attracted little attention until May, when Zoom announced a partnership with the AI company Anthropic to integrate its “Claude” assistant into the platform, and one with OpenAI to build “Zoom IQ,” a tool that automatically generates meeting summaries. Over nearly three years, Zoom has repeatedly been criticised and questioned over data privacy breaches and abuse of its privileged access to customer data.

Another major set of vulnerabilities was disclosed in August 2023. Researchers at SySS found flaws in Zoom’s zero-touch provisioning feature and in AudioCodes desk phones that could allow attackers to eavesdrop on calls, hijack endpoints and spread malware. The AudioCodes VoIP phones also had weaknesses in their encryption and authentication routines that allowed sensitive provisioning data to be decrypted. Chained together, these flaws let an attacker gain full control of a device, and because provisioning is automated across whole fleets of phones, the attack scales with it.

(https://www.techradar.com/pro/hackers-could-be-eavesdropping-on-your-zoom-calls-thanks-to-this-flaw)

Zoom’s record over the past three years has seriously threatened the privacy and security of its users, with obvious gaps in how the software collects, stores and uses data. As a platform that handles sensitive information, conferencing software should bear a higher level of responsibility for data protection, and mechanisms for oversight and for penalising harm to users’ privacy should be strengthened. There has been no progress yet on possible GDPR action against Zoom’s AI data collection, and there is still widespread uncertainty about how Zoom will be regulated and how any penalties will be enforced.
