Every cloud has a silver lining, it is said...well that being the case, it's certainly proving true for the video conferencing software company, Zoom, during these days of social isolating and working from home.

However, as serious concerns have been raised about a multitude of issues with the app, and particularly its data handling, it does appear that the worm may have started to turn!

Started in 2011 by Eric Yuan, who emigrated from the PRC to the USA when 27, Zoom has grown into a forerunner in the video-conferencing field and proven to be a keen competitor to the likes of Microsoft Teams and Skype.

And although Zoom has become a much better known service since the world went into lockdown, it has, in fact, seen its star rising for many years. When it debuted on the stock market last year, it was valued at $15bn and that had risen to as much as $38.5bn before the virus hit the markets.

However, amidst all of this supposedly good news for the company there has been an increasing slew of bad PR generated in some part inadvertently. For instance, when the First Minister of England was diagnosed as positive for Covid-19, he took to Zoom as a means to continue to conduct Cabinet business. Needless to say there was uproar from the cyber-security community into which even the UK's MoD (Ministry of Defense) were drawn. This in turn led the BBC to investigate the claims and the whole thing blew up spectacularly online and in public.

Zoom is in everyone’s living room - how safe is it?
It may have got everyone chatting but some are talking about whether it is actually safe.

Zoom has had many security issues in the past. These have included a flaw that allowed the removal of attendees from meetings without their knowledge or permission, spoofed messages from users, the hijacking of shared screens, and Mac users being forced into calls without their knowledge and having their webcams turned on without their permission.

It even made an unwanted appearance on the recently added segment on Chris Cuomo’s CNN show entitled ‘Ameri-cans and Ameri-cants’, where he highlights the good and the less good things happening presently in the USA. Zoom were called out for a flaw in their operating setup (as opposed to a code or hack issue) that allowed third parties to inject unsolicited content into Zoom broadcasts.

Trolls exploit Zoom privacy settings as app gains popularity
‘Zoombombers’ broadcast explicit imagery or abuse other users in video hangouts

Many have felt for a while that the company has demonstrated a somewhat blasé attitude towards security.

"Zoom has had a chequered history, security-wise, with a number of instances where one has had to question whether it really gets it when it comes to users' privacy and security"

Stated cyber-consultant Graham Cluley recently.

However, these 'mechanical' issues aside, the real concern revolves around the fact that, according to Zoom’s privacy policy (which so few of us ever bother to read...ignorance is no defense, people!), the company collects loads of data from you, and that could include name, address, email address and cell number.

Even if you don’t have an account with Zoom, but use their service, they will still collect and keep data on you like your device type and IP address.

The company collects information from your Facebook profile (if you use Facebook to sign into it) and any “information you upload, provide, or create while using the service.”

Some of the data you provide yourself when you sign up (for example, to join a call, you must do so by giving your email) but much is collected automatically by the Zoom app.

Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account
Zoom’s privacy policy isn’t explicit about the data transfer to Facebook at all.

The Zoom iOS app has been sharing a significant amount of your data with Facebook (even if the user doesn’t have a Facebook account). This includes your device’s unique advertiser identifier. Companies and online trackers use this piece of information to target you with ads. And this is all part of Zoom's cozy arrangement with so-called adtech!

So what do they need to fix?

Here’s the thing: Zoom doesn’t need to be in the advertising business, least of all in the part of it that lives like a vampire off the blood of human data. If Zoom needs more money, it should charge more for its services, or give less away for free. Zoom has an extremely valuable service, which it performs very well—better than anybody else, apparently. It also has a platform with lots of apps with just as absolute an interest in privacy. They should be concerned as well. (Unless, of course, they also want to be in the privacy-violating end of the advertising business.)

So stated Dr Serle on his weblog dated March 27th 2020

Zoom needs to clean up its privacy act
[This is the first in a series of posts. If you’re interested in the topic, please read all of them. The one that follows this is More on Zoom and Privacy.] As quarantined millions gather vir…

What they are doing about it

Company CEO, Eric Yuan, has stepped up to the plate and not only instigated a bold defense of his company's security protocols (mainly by citing all the other large corporations and national security agencies that use his service...however, we'll look at that another time) but also set about deactivating the Facebook data sharing.

Zoom’s Use of Facebook’s SDK in iOS Client - Zoom Blog
Zoom takes its users’ privacy extremely seriously. We would like to share a change that we have made regarding the use of Facebook’s SDK.

So we say, it's a good start, well done, now can you sort all the other stuff whilst you're on a roll?

Thank you!

Zoom Removes Code That Sends Data to Facebook
The change comes after Motherboard found the Zoom iOS app was sending analytics information to Facebook when users opened the app.

It is only right that we suggest an alternative system for your use, so how about good old FaceTime, or Nextcloud (more on this app in the Privacy Cookbook this coming Friday), or any of the following privacy-focused messengers: Discord, Riot or Signal...all have a video-conferencing feature.