Zoom’s Privacy Issues Explained

3 people having a video conference together. Two in the same room, the other on a laptop screen.

In the wake of the COVID-19 pandemic, Zoom Video Communications experienced a significant explosion in its userbase with the platform’s daily average users skyrocketing from 10 million daily users to over 200 million.

This significant increase in attention has lead to Zoom entering the spotlight following rising privacy and security concerns discovered by security industry leaders and privacy-conscious users. As organizations continue to accommodate remote working and determine the best ways to manage a remote workforce, news about security issues regarding the applications needed to support them will be a significant concern.

In this bite-sized article we will cover:

What is Zoom?
Zoom’s Privacy and Security Issues
How Has Zoom Responded to Privacy and Security Concerns?
Alternatives To Zoom Video Conferencing

What is Zoom?

Zoom Video Communications is an American cloud-based video conferencing company. It was founded by Eric Yuan in 2011 and is based in San Jose, California. Zoom offers free and paid tiers of its platform and attendees can join a Zoom meeting without downloading an application or making a dedicated account, making it a popular choice for convenient video conference meetings for both enterprise and personal use.

Zoom’s Privacy and Security Issues

Controversies surrounding Zoom’s privacy and security issues have caused many organizations to outright ban the use of the platform. As the situation evolves and Zoom continues to work to address the discovered issues these companies may consider allowing the platform.

Organizations That Have Banned Zoom Video Conferencing:

New York City Department of Education
SpaceX
NASA
Taiwan’s Government Agencies
The Australian Defence Force

Zoom Bombing

The phenomenon known as “Zoom Bombing” involves unwelcome users gaining access to meeting rooms and sharing grotesque content with unsuspecting users. This practice has been especially troubling for new users that have begun using Zoom to keep in touch with family members partaking in mandated social distancing throughout the COVID-19 pandemic.

How Zoom Bombing Happens:

Brute Force: Zoom relies on both randomly generated video meeting IDs that consist of a series of numbers. Unfortunately, malicious hackers have figured out how to use brute force methods to guess meeting IDs of random users as a method of gaining access to rooms that are not password protected.
Social Media: Meetings IDs shared publicly on social media are susceptible to being discovered by strangers. Meeting IDs intended for private use can also be maliciously shared on public forums and social media websites.

Once inside a Zoom meeting room, the malicious hackers shout profanities and share grotesque content with meeting attendees by taking advantage of Zoom’s default settings that allow new users to share their screens. This is especially troubling for Zoom’s pre-defined and reusable Personal Meeting IDs (PMI) as users of the Free tier cannot change their PMI by default, leaving future meetings susceptible to abuse when bad actors illicitly share their PMI.

Is Zoom Safe To Use?

With some adjustments, Zoom is safe to use for most people as the latest influx of controversy (such as Zoom Bombing) has stemmed primarily from abuses made possible by the default privacy and security settings of the platform.

For enterprise users, security considerations for using Zoom are entirely different. Concerns surrounding claims that Zoom is not end-to-end encrypted as advertised and a formerly unpatched UNC vulnerability that had allowed hackers to steal Windows credentials have lead security-conscious enterprises to question if the platform meets their cybersecurity needs.

How To Use Zoom Safely

Do not share sensitive information over Zoom
Do not use your Personal Meeting ID (PMI) for public events
When using cloud storage to share Zoom meeting recordings, beware that the default naming conventions for Zoom video recordings make it easy for strangers to find files that have been made accessible to anyone with the URL.
To prevent Zoom Bombing, require the use of a password to enter your meeting
Consider using the Waiting Room feature to control when new visitors are allowed to join your meeting
Modify the default settings so that participants cannot share their screen
Familiarize yourself with the key features of the platform so that you can comfortably manage participants that are disrupting meetings
Keep your Zoom apps and software up-to-date with the latest security patches

How Has Zoom Responded to Privacy and Security Concerns?

To address the incoming wave of privacy and security concerns from privacy-conscious users and enterprise customers alike, Zoom has released a statement to its customers about the steps they will be taking to improve the security of their platform.

Highlights: What Zoom is Doing To Fix Security Issues

For the next 90 days, Zoom has diverted all resources that were being used for feature improvement to instead make changes that address privacy and security concerns.
White box penetration tests to identify and address issues.
Enhancing their current “bug bounty” program to increase the potential for the discovery of security flaws that can be fixed.
Passwords are now enforced if a user tries to enter a meeting using only the meeting ID rather than the meeting invite link.
The Waiting Room feature is now enabled by default – meeting hosts will have to manually bring users from the virtual waiting room to the main meeting room.

As the situation continues to evolve there are likely to be several new features and adjustments to Zoom’s default settings. If you would like to stay up to date with the latest Zoom security and privacy updates, the CEO and Founder of Zoom (Eric Yuan) has started hosting weekly webinars on Wednesdays at 10am PT from their website.

Alternatives To Zoom Video Conferencing

If security and privacy concerns surrounding Zoom have you searching for alternatives, the below list of Zoom competitors are suitable options video conferencing.

Cisco Webex (Free + Paid)

Designed with enterprise users in mind, Cisco Webex provides features for teleconferencing, interactive webinars, cloud calling, and team collaboration. Their offerings have recently been updated to enhance the features of their free plan to address the need for video conferencing options following social isolation orders related to COVID-19.

Microsoft Teams/Skype (Free + Paid)

Microsoft offers two video conferencing products – Microsoft Teams and Skype. Skype is best for personal video calls with family and friends, and Microsoft Teams is recommended for schools or enterprises looking for added collaboration features for remote learning and the management of project teams.

Google Hangouts (Free + Paid)

Free users of Google Hangouts can have group calls of up to 10 people. With multi-platform support for Android, iOS, and the web, the free version is suitable for small virtual social gatherings, though participants will need a Gmail or Googlemail email address to participate. The paid tier of Google Hangouts (Google Hangouts Meet) is included as part of existing GSuite subscriptions. To help businesses and schools during COVID-19, Google is offering all tiers of GSuite customers access to the video conferencing features that were previously only available for enterprise customers – Up to 250 participants per call, live streaming for up to 100,000 viewers, and the ability to record meetings and save them to Google Drive

Sai Kit Chu

Sai Kit Chu is a Product Manager with CurrentWare. He enjoys helping businesses improve their employee productivity & data loss prevention efforts through the deployment of the CurrentWare solutions.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
LS_CSRF_TOKEN	session	Cloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed.
OptanonConsent	1 year	OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_zcsr_tmp	session	Zoho sets this cookie for the login function on the website.

Cookie	Duration	Description
_calendly_session	21 days	Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar.
_gaexp	2 months 11 days 7 hours 3 minutes	Google Analytics installs this cookie to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_GY6RPLBZG0	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_opt_expid	past	Set by Google Analytics, this cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that is being redirected.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_dc_gtm_UA-6494714-6	1 minute	No description
_gaexp_rc	past	No description available.
34f6831605	session	No description
383aeadb58	session	No description available.
663a60c55d	session	No description available.
6e4b8efee4	session	No description available.
c72887300d	session	No description available.
cookielawinfo-checkbox-tracking	1 year	No description
crmcsr	session	No description available.
currentware-_zldp	2 years	No description
currentware-_zldt	1 day	No description
et_pb_ab_view_page_26104	session	No description
gaclientid	1 month	No description
gclid	1 month	No description
handl_ip	1 month	No description available.
handl_landing_page	1 month	No description available.
handl_original_ref	1 month	No description available.
handl_ref	1 month	No description available.
handl_ref_domain	1 month	No description
handl_url	1 month	No description available.
handl_url_base	1 month	No description
handlID	1 month	No description
HandLtestDomainName	session	No description
HandLtestDomainNameServer	1 day	No description
isiframeenabled	1 day	No description available.
m	2 years	No description available.
nitroCachedPage	session	No description
organic_source	1 month	No description
organic_source_str	1 month	No description
traffic_source	1 month	No description available.
uesign	1 month	No description
user_agent	1 month	No description available.
ZCAMPAIGN_CSRF_TOKEN	session	No description available.
zld685336000000002056state	5 minutes	No description