Deputy Editor Giorgia Guantario takes a look at Zoom’s bumpy road to popularity and how user experience is too often valued more than users’ privacy.
Zoom has quickly become everyone’s favourite pandemic video meeting solution. As of the beginning of April, Zoom had a market cap of US $31.73 billion, which made it worth more than American Airlines ($7.91B), Expedia ($4.35B) and Hilton ($18.26B) combined.
Zoom massively grew in popularity due to the COVID-19 pandemic and the necessity to adopt remote working to mitigate the spread of the virus. Its use, however, goes beyond professional or educational meetings – people have been using the teleconference solution for all kinds of reasons: from group quizzes and yoga sessions to wedding ceremonies. Back in December Zoom had about 10 million participants; by March that number had risen to 200 million participants daily. The numbers are staggering – and so are its many issues.
It’s safe to say that the rise to success wasn’t without bumps, so brace yourself because there is a lot to talk about.
Zoom’s problems started about a year ago, way before the pandemic hit most countries across the globe. In July 2019, security researcher Jonathan Leitschuh disclosed a pretty serious vulnerability for the Zoom app on Apple Macs. Basically, this vulnerability would have allowed any website to “forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.”
This is my #ZeroDay #PublicDisclosure of a security vulnerability impacting 4+ Million of @zoom_us’s users who have the Zoom Client installed on Mac.
Zoom had 90-days + two weeks to resolve this #vulnerability and failed to do so. https://t.co/hvsoS79bos
— Jonathan Leitschuh (@JLLeitschuh) July 8, 2019
The vulnerability was partly due to a Zoom setting that would install a web server on Macs, and that would not be removed once the app was uninstalled – the web server would keep running in the background and would be able to re-install Zoom for users without requiring any user interaction besides visiting a webpage. In a statement to The Verge, Zoom said at the time that it developed the web server to “save the user some clicks” in order to improve user experience (we’ll get back to that later).
To confirm the severity of the issue, a few days after Leitschuh’s post, TechCrunch reported that Apple stepped in to issue a silent update to remove Zoom’s web server from any Mac with Zoom’s software installed. While no one likes Apple getting into our Macs deleting stuff, it seemed necessary to avoid any further issues.
At the time, Zoom’s problems seemed to have ended there, and the web seemed to have forgotten about the issue – at least until COVID-19 started spreading around the world and the videoconferencing app’s success rose to new highs.
A few weeks ago, users started to report that uninvited guests were disrupting private online meetings. The phenomenon, called “Zoombombing” or “Zoom raiding”, was unveiled by a New York Times analysis which found hundreds of social media accounts and private chats, as well as several active message boards on Reddit and 4Chan, where users got together to organise Zoom harassment campaigns by sharing meeting passwords and IDs.
On top of that, Zoom’s meeting IDs, numbers between 9 and 11 digits long used to identify a meeting, are very easy to guess thanks to automated “war-dialing” tools – such a tool would allow anyone to access any meeting by just continuously guessing numbers until finding a correct one.
If Zoombombings sound disturbing, they were just the tip of the iceberg.
At the beginning of April, Vice reported that thousands of users’ personal information, including email addresses and photos, was being leaked to strangers on Zoom. The issue stems from Zoom’s “Company Directory” setting, which helps users find specific colleagues on the platform by automatically adding other people using the same email address domain to a user’s contact list. Although this might sound like a nice little feature to have, according to Vice many users who signed up with personal emails from non-standard providers (i.e. not Gmail, Hotmail or Yahoo) found their contact details pooled together with thousands of strangers – strangers who could video call anyone in that “company directory” and access their full name, email address, profile picture and status.
Vice was also behind another Zoom issue that sparked controversy over the internet in the past few weeks. According to Vice’s Joseph Cox, Zoom and its privacy policy don’t make clear that the iOS version of the Zoom app is sending some analytics data to Facebook – even if Zoom users don’t have a Facebook account.
While data transfer to Facebook is quite common, as many apps use Facebook’s software development kits (SDK) to implement features, Zoom did not make clear to its users this was happening. Fortunately, on March 27th Zoom CEO and Founder Eric S. Yuan said the company removed the code that sent data to Facebook and updated its privacy policy two days later.
The last issue I want to address (even though there are a few more concerning ones, like the LinkedIn Sales Navigator data-mining feature, or evading macOS administrator controls) is Zoom’s claim of end-to-end encryption. End-to-end encryption means messages are encrypted by the sender and stay encrypted until they reach the receiver; the third-party platform does not have the means to decrypt them and only stores encrypted files. While Zoom marketed its solution as protected by end-to-end encryption, the company actually uses “transport encryption”. As reported by The Intercept, transport encryption differs from end-to-end encryption because “the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company.” While Zoom is not the only solution that doesn’t support end-to-end encryption (Skype calls don’t either), it’s safe to say you might want to use a different solution to discuss classified information.
I won’t go on listing Zoom’s numerous other issues, especially as its CEO and Founder, Eric S. Yuan, recently took a step back and said the company would pause the development of new features to focus on fixing privacy and security issues. In the ICT industry, the word “sorry” isn’t used very often, and that is to be appreciated coming from such a popular organisation.
I believe the real issue behind Zoom, and many other organisations and solutions, is choosing user experience over user privacy. Besides the end-to-end encryption debacle, the rest of Zoom’s issues seem to stem from the company’s desire to attract as many users as possible. I must admit that was also the reason I found Zoom to be my favourite amongst other video conferencing solutions – logging in takes a couple of minutes, joining a call only requires clicking on a link, all my colleagues are automatically added to my contact list, etc.
Any marketeer will tell you that the fewer steps a user has to complete, the higher the chances they will turn into a lead. Zoom adopted that same mentality – the easier it is to use, the more people will use it. And they’re probably right, since despite all these issues, Zoom is still one of the most used apps during this pandemic. Is convenience really more important than our privacy? Zoom has given itself 90 days to solve all its issues, and I would be willing to bet its number of users will still increase during this time – which I guess answers the question.