Friday, April 24, 2020

Zoom privacy and security controversy

Cyber-security-wise, this is a horrendous one coming out of Zoom, the video conferencing app that became popular recently! Like the DingTalk app, Zoom is a video conferencing app originally intended for business use, but because of the ongoing pandemic it has gone beyond that original purpose, with even teachers and students now using it.
From the tech news, including the local news, there are tons of cyber-security problems involving Zoom, and some companies are already concerned enough about it that they restrict its use. The same applies to some countries. You may want to avoid Zoom at all costs as your own policy, but depending on where you live you don't have a choice, unless the people you meet with are aware of the situation and you can gladly use an alternative tool with them, like Microsoft Teams, BlueJeans or even Cisco Webex. That sort of applies to employees, though, as I don't know if students are able to switch to an alternative professional tool the way those companies can. Not even Google Hangouts is allowed at Standard Chartered, according to its CEO, due to the lack of encryption.
For data collection, it's a SERIOUS ISSUE in which even the students' personal data, academic history and so on are at RISK. There's even a possibility of unauthorized surveillance of the students through that app, which is a violation of their rights and of the law called the Family Educational Rights and Privacy Act. Another violating action is the collection of device analytics data through the Facebook SDK, for which Zoom was sued in US federal court, as well as the data-mining of user names and email addresses to LinkedIn, which doesn't make any sense for students as LinkedIn is a business-related social media site.
Another serious problem is Zoombombing, as done by cyber-criminals. It's a serious cyber-crime to intrude into whatever private conversation or private meeting, and the invite or meeting numbers should be kept private in the first place. Another contribution to that cyber-crime is that the cyber-criminals can also put up a bunch of disturbing materials and words after such an intrusion. Even worse are the following cyber-security vulnerabilities as discovered by security researchers:
  1. Mac users could be forced to join a Zoom call with their video camera activated without permission, and uninstalling the app would cause a re-installation through a hidden web server. Zoom was aware of that and users were able to uninstall the app, as the pre-install scripts were sort of abusive.
  2. Windows users' credentials could be exposed, and some calls were being routed to servers in China. Again, Zoom was aware of this issue; free users would no longer have data routed through China, and paid subscribers will be able to choose whichever region is appropriate for them.
  3. The vulnerability from two years ago in which an attacker was able to hijack shared screens, spoof messages from users or even remove attendees, which is kind of nasty. I don't know what kind of cyber-criminal with whatever issues would do this wicked shit. Is it out of mischievousness, jealousy or even some anger over whatever change that is unacceptable?
The next thing is that the company behind Zoom admitted to falsely claiming that conversations were end-to-end encrypted, which was a dishonest and misleading act. It's quite shady to fool consumers about this, especially given the other features consumers have been concerned about in other products.
There's a recent article from Neowin stating that Zoom has added newer security features such as AES 256-bit GCM encryption, although the system-wide rollout for customers' accounts will occur at the end of next month. Meeting passwords and waiting rooms are turned on by default in version 5.0, and hosts can even report a user to Zoom.
Until sufficient cyber-security features are implemented, the Zoom app is not quite safe to use, as there have already been cases of such incidents, including the one in Singapore. As the app is quite popular despite the controversy, there are of course 1-star reviews in the iOS and Android app stores that probably mention the data collection thing. Obviously, review-bombing it because of the ongoing controversy is a bad idea in the first place, and if the Zoom app is removed the same way DingTalk was removed from the iOS App Store, there will be more news about it and iOS users won't be able to obtain the app for essential purposes. The best solution is for Zoom to implement better cyber-security features in the next updates to solve those issues, so that users can use the app safely afterwards.