How Serious Are Zoom’s Data Security Issues?

COVID-19 has fundamentally altered even the most basic facets of daily life, from business to social interactions. With varying degrees of distancing measures in effect, video conferencing has surged for work, education, and simple social interactions. Services like Zoom have experienced a boom, with its service notching 300 million daily users in April. But the company may not fully be enjoying its time in the spotlight – data security issues are drawing unwanted attention, lawsuits, and criticism that some supporters believe is unfair.

A Brief Timeline of Zoom Issues

Hackers at a Dropbox-sponsored hacking competition in Singapore discovered vulnerabilities with Zoom’s Mac client in March 2019. Dropbox engineers “had come to dread” bugs like this one, which “could have allowed attackers to covertly control certain users’ Mac computers.” Zoom and Apple pushed fixes to mitigate the issue, but the incident has since been viewed as a harbinger of future problems.

The onset of COVID-19 saw users ranging from elementary school students to families to businesses small and large looking for a way to connect. Video conferencing services are the obvious choice, but the sudden surge in demand ultimately created a rash of new difficulties for Zoom. First, Motherboard reported that Zoom’s iOS app “was sending user analytics data to Facebook, even for Zoom users who did not have a Facebook account.” Then came the new phenomenon of “Zoombombings” – teleconferencing or online classroom hijacking, in the words of the FBI – that necessitated password-protection and other security mechanisms for users.

Further investigations from Motherboard and The Intercept disclosed new issues, and additional missteps were exposed. Soon, high-profile investigations were announced, including one from New York’s attorney general, who expressed concern “that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network.” SpaceX, the United States Senate, and other organizations and governing bodies either discouraged or forbade staff from using the service, while several lawsuits were brought against the company.

Zoom’s Response

Zoom CEO Eric Yuan has not shied away from criticism, responding to concerns several times since they became public. On April 1st, he explained in a blog post that the company’s platform “was built primarily for enterprise customers – large institutions with full IT support… [not] with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.” He outlined a 90-day action plan with fixes, including a 30-day freeze on new features, and in an April 3rd blog post acknowledged the need for a better encryption design.

Not long after, Yuan told NPR’s Ari Shapiro that the company recognizes it “need[s] to sort of play an IT role” for new users it did not anticipate. As a result, the company was now “absolutely” willing to “transform [its] business to a privacy-and-security-first mentality” over pure usability. To that end, the company hired former Facebook Chief Security Officer Alex Stamos as a security consultant after Stamos publicly defended Zoom on Twitter, and announced “the creation of a CISO Council and Advisory Board, which will include cybersecurity leaders from other companies.”

Fair Criticism?

Zoom’s platform has undeniably exhibited issues, but several parties beyond Stamos have emerged to defend the company from “a rising wave of mostly unfair criticism.” Well-qualified defenders have refuted claims that Zoom is malware; observed that many of the negative stories amounted to “the largest, most coordinated corporate pile-on” they had witnessed; and outlined basic steps users can take to avoid major issues. New York Magazine’s The Intelligencer told readers that “normal [people] with normal problems” should be aware of the issues, but probably “[didn’t] need to worry,” as the vulnerabilities were “the sort of lax security that leaves high-value individual targets vulnerable.”

The company has also made tangible progress since it announced its 90-day plan on April 1. In addition to giving users the ability to remove participants, lock meetings, and report users, and to improving its password complexity requirements, the company acquired secure messaging platform Keybase in early May to bring in deep encryption and security expertise. Zoom also announced it would publish a detailed draft of its new cryptographic design on May 22. Not long after, New York’s Attorney General closed its inquiry into the company “without an admission of wrongdoing from the company.”

Zoom’s Future

Zoom was unprepared for a vast increase in, and diversification of, its user base – forcing it to address privacy and security concerns it had previously failed to invest in. Evidence is lacking that Zoom was willfully ignorant of issues or flippant with user data. It’s too early to determine if its action plan will work, but Zoom has taken unequivocal steps to address issues and criticism. The 90-day mark will present a better opportunity to evaluate – and ultimately judge – Zoom’s performance regarding data security.

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.