Zoom offered the simplest path to videoconferencing in a pandemic. Photo / Glenn Harvey, The New York Times
The popular app offered the simplest path to videoconferencing in a pandemic. That doesn't make it the right path to take.
Ever since many of us started working from home in the coronavirus pandemic, I've been invited to countless gatherings taking place on Zoom, the videoconferencing app. Virtual happy hours,work meetings, dinners, you name it.
I've been a no-show, and it's not just because my hair has grown embarrassingly long. It's because I have a fundamental problem with Zoom.
Let me first say I understand why Zoom has been so popular in the pandemic. The company designed its app to be free and extremely easy to use; in tech lingo, we call it "frictionless." Even our friends and relatives with zero technical know-how can join a Zoom meeting just by clicking a link. Then, voilà, you are looking at a screen with familiar faces and can begin chatting away.
At least 200 million of us, desperate to see people outside our homes, now use Zoom, up from 10 million a few months ago. Many of us use it for free, though Zoom also has a paid product. For lots of us, it's a lifeline to see and converse with a friend or relative.
But for the last year, I've been wary of the app. Zoom has had multiple privacy snafus in that period, which have come up so frequently that they became a game of whack-a-mole.
The missteps included a weakness that would have allowed malware to attach to Zoom and hijack our web cameras. The issues with basic security practices culminated with "Zoombombing," in which trolls crashed people's video meetings and bombarded them with inappropriate material like pornography.
In a blog post last week, Zoom's chief executive, Eric Yuan, apologised for all the mistakes and said the recent problems had largely been addressed. The company promised to focus on fixing its privacy and security issues over the coming months; it reiterated the plan Wednesday.
If there is something déjà vu about all of this, you aren't wrong. That's because we find ourselves dealing with the same situation over and over again, focusing on the convenience of easy-to-use tech products over issues like data security and privacy.
We went through this not long ago with Ring, the doorbell camera, another product with a catchy name. Ring, which is owned by Amazon, became popular during another crummy situation: an increase in the petty crime of package thefts. It was also easy to install. But despite glowing customer reviews, Ring became mired in privacy scandals, including one that involved hackers hijacking the Ring cameras of multiple families.
The lesson is one we need to learn and relearn. When a company fails to protect our privacy, we shouldn't just continue to use its product — and tell the people we care about to use it — just because it works well and is simple to use. Once we lose our privacy, we rarely get it back again.
"There's a revolving door," said Matthew Guariglia, a policy analyst for the Electronic Frontier Foundation, a digital rights nonprofit. "When you give your data to one company, you have no idea who else is going to have access to it, because so much of it happens behind the black box of company secrecy."
The onus is certainly on Zoom, not us, to fix the privacy and security problems of its app. But we can put pressure on Zoom by not accepting the situation. If you do use Zoom, do so with caution and strong security settings. More on this later.
Zoom's privacy and security issues
Let's first take a closer look at why Zoom has been under the microscope. The issues boil down to two main things: its privacy policy and the architecture of its security.
Zoom recently announced that it had revised its privacy policy to be clearer and more transparent. In it, the company emphasised that it does not and has never sold people's personal data, and has no plans to.
But the policy does not address whether Zoom shares data with third parties, as companies such as Apple and Cisco explicitly state in their privacy policies.
This is a notable omission. Tech companies can monetise user data in many ways without directly selling it, including by sharing it with other companies that mine the information for insights, according to research published by the MIT Sloan School of Management. In some cases, tools to collect data from users are "rented" to third parties. Such practices would technically make it true that your personal data was not "sold," but a company would still make money from your data.
Lynn Haaland, Zoom's global risk and compliance officer, said the company does not anonymise or aggregate user data or rent it out in exchange for money.
So why is this not addressed in the privacy policy?
"We try to be clear here about what we do do with the data," Haaland said about the updated policy. "Sometimes when you try to list all the things you don't do with data, if you leave one out, then people say, 'Oh, well, you must be doing that.'"
Zoom's security flaws
While Zoom has worked furiously to plug the security holes that have emerged in the last few weeks, its products for Windows and Mac computers have weaker security by design.
That is largely because the company opted not to provide its app through Apple's official Mac app store or the Microsoft Windows app store. Instead, consumers download it directly from the web. In this way, Zoom's software avoids living in a so-called sandboxed environment, which would have restricted its access to Apple and Microsoft operating systems.
As a result, Zoom is able to access deeper parts of the operating systems and their web browsers. That is largely what makes Zoom sessions so simple to join.
By choosing to circumvent safer methods for installing its app, Zoom has opted for weaker security architecture, said Sinan Eren, chief executive of Fyde, an app security firm.
"They want to make the installation process a lot easier and streamlined, but at the same time they want deeper hooks into the operating system so they can collect more things," he said. "That also exposes us to potential vulnerabilities."
Zoom declined to comment on its security architecture.
Use Zoom at your own risk
So what to do? In these difficult times, many of us have no better option than to use Zoom. So here are some steps to keep in mind.
— Use Zoom with caution. In general, it's safer to use Zoom on a mobile device, like an iPad or Android phone, instead of on a Mac or Windows PC. Mobile apps operate in a more restricted environment with limited access to your data. In addition, apps served through the App Store or Play store undergo a review process by Apple and Google that include an inspection for security vulnerabilities.
Also, be sure to turn on Zoom security settings, like meeting passwords, to prevent unwanted guests from Zoombombing your sessions.
Last but not least, be mindful of what it means to tell others to use a product with weak data security. Try to avoid using it for sensitive matters, like work meetings that discuss trade secrets.
— If you are concerned about privacy, try an alternative. There are video chatting tools from companies with better reputations, like Google's Hangouts, Cisco's Webex and FaceTime for Apple devices. These products may not be as simple to use as Zoom, but they work and you can worry less.
A product being great just isn't good enough if it's lousy at protecting our privacy. Many people appear to have learned this lesson already and have reacted accordingly. Elon Musk's rocket company SpaceX banned employees from using Zoom. New York City's school district recently banned Zoom for online learning.