Zoom has been criticized for "security lapses and poor design choices" that have resulted in heightened scrutiny of its software. Many of Zoom's issues "surround deliberate features designed to reduce friction in meetings", which Citizen Lab found to "also, by design, reduce privacy or security". In March 2020, New York State Attorney General Letitia James launched an inquiry into Zoom's privacy and security practices. The inquiry was closed on May 7, 2020, with Zoom not admitting wrongdoing but agreeing to take added security measures. In April 2020, CEO Yuan apologized for the security issues, stating that some of them were a result of Zoom having been designed for "large institutions with full IT support". He noted that in December 2019 Zoom had a maximum of 10 million daily meeting participants, and that in March 2020 the software had more than 200 million daily meeting participants, bringing the company increased challenges. Zoom agreed to focus on data privacy and to issue a transparency report. In April 2020, the company released Zoom version 5.0, which addressed a number of the security and privacy concerns: it includes passwords by default, improved encryption, and a new security icon for meetings. In September 2020, Zoom added support for two-factor authentication to its desktop and mobile apps; the security feature was previously Web-only. As of April 2020, businesses, schools, and government entities that have restricted or prohibited the use of Zoom on their networks include Google, Siemens, the Australian Defence Force, the German Ministry of Foreign Affairs, the Indian Ministry of Home Affairs, SpaceX, and the New York City Department of Education. In May 2020, the New York City Department of Education lifted its ban on Zoom after the company addressed security and privacy concerns.
==Privacy==
Zoom has been criticized for its privacy and corporate data-sharing policies, as well as for enabling video hosts to potentially violate the privacy of those participating in their calls. In March 2020, a Motherboard article found that the company's iOS app was sending device analytics data to Facebook on startup, regardless of whether a Facebook account was being used with the service, and without disclosing it to the user. Zoom responded that it had been made aware of the issue and patched the app to remove the SDK after learning that it was collecting unnecessary device data. The company stated that the SDK was only collecting information on the user's device specifications (such as model names and operating system versions) in order to optimize its service, and that it was not collecting personal information. In the same month, Zoom was sued by a user in U.S. Federal Court for illegally and secretly disclosing personal data to third parties, including Facebook. Zoom responded that it "has never sold user data in the past and has no intention of selling users' data going forward". In April 2020, a Zoom information-gathering feature was found that automatically sent user names and email addresses to LinkedIn, allowing some participants to surreptitiously access LinkedIn profile data about other users without their express consent. Soon after, the companies disabled their integration. In May 2020, the Federal Trade Commission announced that it was looking into Zoom's privacy practices. The FTC alleged in a complaint that since at least 2016, "Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers' meetings, did not provide advertised end-to-end encryption, falsely claimed HIPAA compliance, installed the ZoomOpener webserver without adequate consent, did not uninstall the web server after uninstalling the Zoom App, and secured its Zoom Meetings with a lower level of encryption than promised." On November 9, 2020, a settlement was reached, requiring the company to stop misrepresenting security features, create an information security program, obtain biannual assessments by a third party, and implement additional security measures.
==Security vulnerabilities==
In November 2018, a security vulnerability was discovered that allowed a remote unauthenticated attacker to spoof UDP messages, enabling the attacker to remove attendees from meetings, spoof messages from users, or hijack shared screens. The company released fixes shortly after the vulnerability was discovered. In July 2019, security researcher Jonathan Leitschuh disclosed a zero-day vulnerability allowing any website to force a macOS user to join a Zoom call, with their video camera activated, without the user's permission. Attempts to uninstall the Zoom client on macOS would prompt the software to re-install automatically in the background using a hidden web server that had been set up on the machine during the first installation, so that it remained active even after an attempt to remove the client. After receiving public criticism, Zoom removed the vulnerability and the hidden web server to allow complete uninstallation. In April 2020, security researchers found vulnerabilities through which Windows users' credentials could be exposed. Another vulnerability allowing unprompted access to cameras and microphones was made public; Zoom issued a fix in April 2020. On April 15, 2020, Motherboard reported that two Zoom zero-days, one for macOS and one for Windows, were being offered for sale for $500,000; security bug brokers were selling access to Zoom security flaws that could allow remote access into users' computers. On April 20, 2020, the New York Times reported that Dropbox engineers had traced Zoom's security vulnerabilities back over two years, pushing Zoom to address such issues more quickly and paying top hackers to find problems with Zoom's software. In the same article, the New York Times noted that security researchers have praised Zoom for improving its response times, and for quickly patching recent bugs and removing features that could have privacy risks. On July 1, 2020, at the end of the 90-day freeze, the company stated it had released 100 new safety features over the 90-day period. Those efforts include end-to-end encryption for all users, turning on meeting passwords by default, giving users the ability to choose which data centers calls are routed through, consulting with security experts, forming a CISO council, an improved bug bounty program, and working with third parties to help test security. Yuan also stated that Zoom would be sharing a transparency report later in 2020. On November 16, 2020, Zoom announced a new security feature to combat disruptions during a session. The new feature was said to be a default for all free and paid users and was made available on the Zoom clients for Mac, Windows, and Linux, as well as the Zoom mobile apps. On August 12, 2022, Wired magazine reported on three separate security vulnerabilities discovered by security researcher Patrick Wardle affecting the Zoom macOS desktop app. The vulnerabilities allowed an attacker who already had access to the Mac device to perform a privilege escalation attack by installing malicious code using the app's auto-update feature, thereby giving them full control over the victim's device.
==Zoombombing==
"Zoombombing" is a phenomenon where uninvited participants join a meeting to cause disruption. In July 2019, security researcher Sam Jadali uncovered the DataSpii leak. This catastrophic leak was facilitated by a marketing intelligence company known as Nacho Analytics (NA), which provided its members access to the URLs of real-time Zoom meetings of firms such as Oracle, Dell, Walmart, Uber, UCLA and Capital One. NA's dissemination of meeting URLs enabled its members to Zoombomb these meetings. In April 2020, Zoom increased its default security settings to mitigate Zoombombing.
==Encryption practices==
Zoom encrypts its public data streams using TLS 1.2 with AES-256 (Advanced Encryption Standard) to protect signaling, and AES-128 to protect streaming media. Security researchers and reporters have criticized the company for its lack of transparency and poor encryption practices. Zoom initially claimed to use "end-to-end encryption" in its marketing materials, but later clarified that it meant "from Zoom end point to Zoom end point" (meaning effectively between Zoom servers and Zoom clients), which The Intercept described as misleading and "dishonest". Alex Stamos, a Zoom advisor who was formerly security chief at Facebook, noted that a lack of end-to-end encryption is common in such products, as it is also true of Google Hangouts, Microsoft Teams, and Cisco Webex. On May 7, 2020, Zoom announced that it had acquired Keybase, a company specializing in end-to-end encryption, as part of an effort to strengthen its security practices going forward. Later that month, Zoom published a document for peer review detailing its plans to ultimately bring end-to-end encryption to the software. In April 2020, Citizen Lab researchers discovered that a single, server-generated AES-128 key was shared between all participants and used in ECB mode, a mode that is deprecated because identical plaintext blocks produce identical ciphertext blocks, so patterns in the plaintext remain visible in the ciphertext. During test calls between participants in Canada and the United States, the key was provisioned from servers located in mainland China, where it is subject to the China Internet Security Law. On June 3, 2020, Zoom announced that users on its free tier would not have access to end-to-end encryption so that the company could cooperate with the FBI and law enforcement. Later, it said that it does not "proactively monitor meeting content". On June 17, 2020, the company reversed course and announced that free users would have access to end-to-end encryption after all. On September 7, 2020, cryptography researcher Nadim Kobeissi accused Zoom's security team of failing to credit his open-source protocol analysis software, Verifpal, with having been instrumental during the design phase of Zoom's new encryption protocol, as described in the whitepaper Zoom published in June 2020. In support of his claim, Kobeissi published a week's worth of conversations with Zoom's security leadership, including Max Krohn; these included eight Verifpal models that Zoom's team had asked for feedback on, promises of a citation to credit Kobeissi for his contributions, and an admission that the Verifpal citation was pulled from the whitepaper at the last moment for unspecified reasons. Kobeissi also linked to a tweet by Zoom security consultant Lea Kissner, which he described as a public character assassination attempt issued in response to his repeated requests to have his work cited in the research paper published by Zoom.
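As an added illustration of the Citizen Lab finding above (this is example code, not Zoom's protocol or implementation), the script below shows why one shared key used in ECB mode preserves plaintext patterns, compared with counter mode under the same key. It uses a 4-round Feistel network over HMAC-SHA256 as a stand-in block cipher so that it runs with the standard library only; the sample media frame and the shared key are constructed values.

```python
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 16  # 16-byte blocks, the same block size as AES-128

def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Round function: HMAC-SHA256 of the round number and the right half."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher: a keyed, invertible 4-round Feistel network."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently under the same key,
    so equal plaintext blocks give equal ciphertext blocks."""
    assert len(data) % BLOCK == 0
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: XOR the data with E(key, nonce || counter); equal plaintext
    blocks meet different keystream blocks and so differ in the ciphertext."""
    assert len(nonce) == 8
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        keystream = block_encrypt(key, nonce + n.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], keystream))
    return bytes(out)

def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks whose value occurs more than once."""
    counts = Counter(ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK))
    return sum(c for c in counts.values() if c > 1)

# Constructed sample media frame: 8 identical blocks (a static region) then 4 more.
FRAME = (b"\x00\x10\x20\x30" * 4) * 8 + (b"\x7f" * BLOCK) * 4
KEY = b"\x01" * 16  # constructed: one key shared by every participant

def compare() -> dict:
    """Repeated-block counts per mode: ECB reveals the structure, CTR does not."""
    return {"ecb": repeated_blocks(ecb_encrypt(KEY, FRAME)),
            "ctr": repeated_blocks(ctr_encrypt(KEY, os.urandom(8), FRAME))}
```

Whichever mode is used, a key shared by all participants still lets any holder of it, including the server that generated it, decrypt every stream, which is why the mode fix alone does not give end-to-end encryption.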
==Data routing==
Zoom admitted that some calls in early April 2020 and prior were mistakenly routed through servers in mainland China, prompting some governments and businesses to cease their usage of Zoom. The company later announced that data of free users outside of China would "never be routed through China" and that paid subscribers would be able to customize which data center regions they want to use. The company has data centers in Europe, Asia, North America, and Latin America.
==Regulatory issues==
In August 2021, the data protection regulatory body in Hamburg, Germany, ruled that Zoom was operating in the European Union in breach of the General Data Protection Regulation (GDPR). This is because, under the Schrems II ruling, data that is transferred out of the EU must be protected as the GDPR requires, and the data gathered by Zoom was being sent to the United States.