After a series of security missteps, Zoom CEO Eric S. Yuan announced a six-month feature update freeze, saying the company would make privacy and security its priority. This comes as Zoom claimed its user base ballooned from 10 million to 200 million in a matter of months due to lockdowns around the world, following the COVID-19 pandemic.
What Zoom claims to do during the 90-day feature freeze period: Yuan said that the company would hire external security researchers to audit the service. The company will also remove the controversial attention tracking feature, where a call’s host can see if other participants have Zoom selected as the main window. The company will prepare a transparency report, detailing information related to requests for data, records, or content. Yuan added that he would personally host a weekly webinar updating users on privacy-related steps being taken by the company.
Zoom’s previous privacy issues: Here are the privacy troubles Zoom has faced in recent days:

  • On April 1, researchers discovered a vulnerability where Windows users could have their operating system’s login password stolen with a malicious link sent on chat. CEO Yuan said that this issue has been patched.
  • On April 2, the New York Times reported a feature where even anonymous participants in a call could siphon off LinkedIn data about other participants without their knowledge. Zoom later removed this feature.
  • On March 31, The Intercept reported how Zoom was misleadingly claiming that calls were end-to-end encrypted, when they were not. The company later changed the language to say that “Your client connection is encrypted”.
  • On March 31, security researcher Felix Seele discovered that Zoom’s macOS installation package was working around Apple’s requirements for installing apps by just extracting a compressed archive directly into Apple computers’ Applications folder, a tactic commonly employed by malware, and not legitimate software companies. CEO Yuan responded on Twitter and a fix was rolled out two days later.
  • On March 26, a Motherboard investigation found that Zoom was sending user data to Facebook even if users were not logged in via the social media platform, or had an account there. Zoom updated the app to remove the Facebook Software Development Kit that was causing this data leak.
  • On March 24, Consumer Reports criticised Zoom’s privacy policy, saying it left the door open for the company to sell user data. The company then tightened its privacy policy, Consumer Reports said on March 30.

All this is in the last couple of weeks alone. In July 2019, a flaw allowed attackers to get users’ Mac devices to open a call with their webcams switched on, leading Apple to issue a silent fix in addition to an emergency patch by Zoom.

Questions have been raised about Zoom’s privacy practices: On March 30, New York’s Attorney General Letitia James sent a letter to Zoom questioning its data privacy and security practices, the New York Times reported. She noted, among other things, that Zoom had been slow to address vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams [zoombombing].” She also questioned the categories of data that Zoom collects, and the entities with which it shares user data.

  • Zoom allows activity tracking, access to recorded calls: Apart from the phenomenon of zoombombing — where public Zoom calls have been invaded by uninvited guests — Zoom has other potential privacy issues as well. Advocacy group Electronic Frontier Foundation had earlier pointed out that the host of a Zoom call can monitor the activities of attendees while screen sharing. If a user records any calls via Zoom, administrators can access the contents of that recorded call, including video, audio, transcript, and chat files, among other things. It also allows administrators to see the operating system, IP address, location data, and device information of each participant.
  • Attention tracking feature: Zoom also has an “Attention tracking” feature that allows hosts to know when a participant does not have the Zoom window in focus during screen sharing.