Amid high-level technical debate, the popular video conferencing application Zoom is experiencing a hurricane of criticism over security issues that include confusion about its encryption protocol (which prevents anyone from seeing the messages that are sent through the platform) and problems with access to information by third parties, including the social network giant Facebook.
In a statement on its website, the application apologized to users around the world and clarified what measures it has taken in the last few days and which ones it plans for the coming weeks.
The application revealed that, in the middle of the situation, it went from having 10 million meetings a day on the platform to more than 200 million meetings a day this March.
“Zoom usage skyrocketed overnight, far exceeding what we expected when we first announced our desire to help in late February. This includes more than 90,000 schools in 20 countries that have accepted our offer to help children continue their education remotely.”
In addition to the challenge of service stability, Zoom has had security and privacy issues. In the words of Eric Yuan, founder and CEO of Zoom: “We recognize that we have not met the privacy and security expectations of the community, and ours. So I am deeply sorry.”
Information shared without consent and harassment
The larger number of users of the popular application was accompanied by reports of meetings being invaded in order to annoy the participants. The practice, known as Zoombombing, mainly took advantage of the inexperience of novice users to make fun of them.
Given this, “we have sought to highlight the protections that can help prevent this, such as waiting rooms, passwords, mute controls or the limit to screen sharing,” the statement said.
But beyond these more innocent incidents, perhaps one of the most serious criticisms was the accusation that Zoom automatically sent information to the social network Facebook without the consent of its users.
A report from the Vice portal found that, through a configuration, the video conferencing application sent information about users who opened it, such as the model of their device, network provider, time zone, city, and a unique identifier that advertisers can use to send targeted advertising.
In addition, the journalists’ complaint stated that Zoom did not follow Facebook’s policy on the use of its SDK (Software Development Kit), which indicates that a website or application must explicitly mention that its data will be shared with third parties and that the option to cancel the tracking has to be given.
Furthermore, the issue meant that data was sent even from potential clients who did not have active profiles on the social network. Following this, the New York prosecutor has announced an investigation into the matter and said that the company “will face increased scrutiny over privacy.”
Other experts have criticized, for example, that the application's administrator permissions allow a client's technology staff, that is to say those of a company, to access information about the users with whom they communicate through the platform, such as the IP address and operating system.
In addition, the application had a function that allows monitoring the attention of the participants, with which meeting hosts can verify whether or not the conference window is active on the users’ desktop.
In the statement, the Zoom director revealed that as of March 27, the application removed the Facebook SDK on iOS systems and “we reconfigured it to prevent it from collecting unnecessary information from our users’ device.”
On April 1, Zoom also announced that it removed the attendee attention tracking feature and clarified the operation of its encryption protocols, which were criticized for not being ‘end-to-end encryption’, or for being end-to-end encryption but allowing company servers to get a key to decrypt the traffic that travels through them. This year, the company would launch a tool for business customers to have more control over access to those encryption keys.
Future steps
In his apology, Yuan explained that in the next 90 days they will take proactive measures such as freezing the development of new functions to focus their engineering resources on trust, security and privacy.
The company promised that it will conduct a comprehensive review with experts and users and that it will produce a transparency report detailing information related to requests for data, records or content, welcoming recommendations that international organizations such as Access Now had made. In addition, the director promised to hold weekly web sessions to address questions on these topics.