Originally published in the Honolulu Star-Advertiser, July 14, 2020
Zoom, the videoconferencing application, has experienced a meteoric rise in usage through the pandemic, as many folks work from home. It has come under fire, however, for privacy and security concerns. Do you need to be worried?
Zoom seemingly came out of nowhere to overtake more established peers such as Cisco’s Webex and Logmein’s GotoMeeting. Gaining popularity largely due to its simplicity and the fact that the free version provided greater capacity than the competition, Zoom became the videoconferencing tool of choice at the outset of the pandemic.
With its popularity came greater scrutiny. The CEO of publicly traded, Silicon Valley-based Zoom Communications, Eric Yuan, was born in China, moved to the U.S. in 1997 and became a U.S. citizen in 2007. This alone was enough to raise some eyebrows with the current anti-China sentiment in the U.S. Since this is a tech column and not a political column, we’ll leave it at that.
Technically, Zoom found itself in hot water for a couple of issues. First is its somewhat loose interpretation of end-to-end encryption. E2EE is a well-defined standard and, in the context of videoconferencing, simply means that the video is encrypted from your device all the way through to everyone else.
Zoom says your video is encrypted from you to Zoom, unencrypted, and then re-encrypted out from Zoom to everyone else, thereby potentially exposing your video and associated data to Zoom resources. Zoom claims it doesn’t do anything with the data while it is unencrypted, but just the fact that there is a period of time when it is not encrypted gives some pause.
Zoom got into hotter water when, after being confronted with this potential hole, it announced it would provide real E2EE, but only for the paid version of its product, not the free version. It has since changed that stance, stating that E2EE will be in the free version, with limitations.
Interestingly enough, this promises to be very similar to Cisco’s Webex. Previously the market leader in videoconferencing, to the point where it became a common term in corporate speak (“we’ll get on a webex to hash this out”), Webex has limitations if you want true E2EE. For example, certain types of devices can’t be used and certain features are disabled.
How important is E2EE? According to the Mozilla Foundation, currently only Webex and GotoMeeting use it. It’s up to you to gauge the trustworthiness of the vendor and what it might do with your data. We’ve all seen what Facebook has done with data, and by all accounts, its initial mission was NOT to become a huge marketplace for its user’s data.
Speaking of Facebook, its involvement was the other significant complaint for Zoom. In earlier versions, Zoom was found to be sharing data with Facebook. Data was being sent from mobile devices to Facebook, regardless of whether users had Facebook accounts or not. Further, this sharing was not made apparent in Zoom’s privacy policies.
Zoom actually ’fessed up to this, although it claimed it was never its intent to provide data to Facebook. Its claim, along the lines of “it’s not a bug, it’s a feature,” actually seems to hold up from a technical perspective. And, within a couple of days of being notified of this issue, Zoom corrected it and no longer shares data with Facebook.