Inside Zoom’s Likely Privacy And Data Protection Breaches


While most companies across the world are struggling to outlive the Coronavirus pandemic, which has wreaked havoc on the global economy, Zoom Video Communications Inc., the developer of the until now little-known video conferencing App, Zoom, is basking in overnight business triumph.

Thanks to the virus, which has effectively forced people to stay in their homes and limited movement and physical interactions, Zoom’s user traffic has gone through the roof and its stock prices have more than doubled (67%).

Mobile App market research firm Sensor Tower says the App is the most downloaded on Apple’s App Store and the second most downloaded on Google’s Android.

Zoom, originally designed, according to its CEO and Founder, for ‘large institutions with full IT support’ such as financial services, government agencies, universities, health care organisations and other enterprises of that kind, has since the Coronavirus outbreak attracted, out of necessity, a broader user market.

“We did not design the product with the foresight that in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” Mr Eric Yuan, the CEO, said in a blog article.

“As at the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million.

“In March this year, we reached more than 200 million daily meeting participants, both free and paid,” he added, for perspective.

In Uganda, Non Governmental Organisations (NGOs), Government institutions, lawyers and other professionals use the App to coordinate both private and public communications within their firms, institutions or organisations, and in some cases to arrange public video chats involving other stakeholders over topical issues.

“I have used it personally. For small and large meetings,” confirms Ms Pheona Wall, the Chief of Legal Services at National Water and Sewerage Corporation (NWSC).

Many analysts and experts believe the sudden surge in Zoom’s users is responsible for its data security and privacy problems.

“The rapid update of teleconference platforms such as Zoom without proper vetting potentially puts trade secrets and human rights defenders at risk,” Cyber Lab says in a report quoted by Bloomberg Law.

Indeed, the Company’s CEO confirmed as much after public claims that the company routed data through China and used developers there, saying the data was sent by mistake as the Company tried to deal with a “massive increase” in demand.

Dr Elly Karuhanga, a Senior Lawyer and Partner at Kampala Associated Associates, posted a picture of himself engaged in a video conference, ostensibly ‘observing COVID-19 Regulations’, on Twitter on 26th March. Photo: Elly Karuhanga

On Wednesday, an investor sued the Company for fraud, claiming it had hidden security flaws within its video conferencing App which could potentially harm business prospects as users may turn away from the tool.

Earlier, on Monday, 30th, a user sued the Company for sharing private information. The user claims the Company collects information when a user installs or opens the Zoom application and shares it with third parties, especially Facebook, without proper notice to the user or data subject.

What exactly are these breaches?

End to End Encryption 

End to End Encryption is a system that secures communication so that it can only be picked up by the users or participants involved.

Zoom had been falsely advertising itself as using end to end encryption and has since apologised for “incorrectly” suggesting that it did.

Technology Lawyer Kenneth Muhangi of KTA Advocates in Kampala says Zoom’s lack of end to end encryption would have been okay in the case of ‘routine’ meetings, those between people known to each other.

But “if someone can tap into your meeting, they may plant spyware in your system,” he explains.

At the moment, Zoom doesn’t have end to end encryption but has undertaken to put it in place within 3 months (90 days).

Zoom Bombing

The lack of end to end encryption is closely tethered to what has come to be known as “Zoom bombing”: participants are sometimes interrupted during a meeting by strangers or internet trolls who usually broadcast pornography, nude women, child abuse and a series of other disturbing content, which Kenneth Muhangi collectively calls ‘nuisance’.

This vulnerability also allows malicious strangers to access users’ webcams and microphones.

Illegal Data Transfers and Sale

On March 26th, Motherboard, a technology publication, revealed after an investigation that Zoom’s iOS App (for Apple devices) was sending user data to Facebook for advertising purposes, even if the user did not maintain a Facebook account.

Initially Zoom used Facebook’s Software Development Kit (SDK), a feature that would enable users to sign in with their Facebook accounts, obviously in order to tap more users.

Zoom has denied any illegal data transfers and sales, although it has announced removal of the feature.

Data Security

Last year, it was revealed that Zoom had installed a hidden server on users’ devices that could allow a user to be added to a call without their permission, even when the user uninstalled the App.

And last week, it was revealed that the company had installed a bug which would enable trolls or hackers to tap into a user’s webcam and microphone on Macbooks (Apple laptops).

Surveillance

Zoom has also been criticised for attention tracking, where the App lets a host see that a user is not paying attention once the user clicks away from the Zoom window for about 30 seconds.

This means a host such as an employer can tell if his or her employees are attentive in a meeting.

What does the Law say?

Under Uganda’s Data Protection and Privacy law, any person (and this can be a company) outside Uganda, who collects and holds data relating to Ugandan citizens must do so upon proper notice to and with the prior consent of the data subject (a person to whom the data relates).

Such data must be collected, held and processed in a manner that doesn’t infringe on the privacy of the data subject whose right to privacy is guaranteed under Article 27 of the Constitution.

A data collector, in this case Zoom, must undertake measures to ensure the integrity of users’ data in its possession or control by preventing the unlawful access or unauthorised processing of that data.

These measures must be appropriate, reasonable, technical and organizational.

Zoom remains the most popular video conferencing tool at the moment largely out of necessity arising out of the Coronavirus restrictions on movement and physical interaction.

The App is also easy to use and free for meetings involving fewer than 100 participants and lasting under 40 minutes.

Most of its users are certainly unaware of these data problems largely because of their technical nature.

Asked whether she had noticed any of Zoom’s data weaknesses, Ms Pheona Wall says she has not.

“Most of the Zoom meetings I have attended have had protection and restrictions on attendance, so no,” she says, adding:

“I have not seen it though I have heard of it.”

However, given the rate at which these data issues are snowballing against Zoom, many people may start looking at alternatives if the Company doesn’t transparently address them.

“We have ever since switched to Microsoft Teams,” says Kenneth Muhangi, who currently serves as Managing Partner at KTA Advocates.

“So our recommendation is to use more secure platforms,” he concludes.


 
