Article taken from SecurityBoulevard. For full article, click here.
Those using Zoom should be aware of the company’s privacy practices. By looking through its privacy policy and some of its support documents, you quickly discover that Zoom allows your boss to track your attention during calls, shares the copious amounts of data it collects with third parties, and has already had a major security vulnerability.
Whenever you host a call, you have the option to activate Zoom’s attendee attention tracking feature. This feature alerts the call’s host anytime someone on the call “does not have Zoom Desktop Client or Mobile App in focus for more than 30 seconds.” In other words, if you are on a Zoom call and you click away from Zoom, the host of the call will be notified after 30 seconds, regardless of whether you minimized Zoom to take notes, check your email, or respond to a question on another app.
You should also be aware that if a host decides to record the call so it can be played later, Zoom saves a TXT file of the chat messages from the meeting and shares it with your boss. According to its support page on the subject, “the saved chat will only include messages from the host and panelists to all participants.” However, it does not clarify what will happen to direct messages between attendees.
According to the company’s privacy policy, Zoom collects reams of data on you, including your name, physical address, email address, phone number, job title, employer. Even if you don’t make an account with Zoom, it will collect and keep data on what type of device you are using, and your IP address. It also collects information from your Facebook profile (if you use Facebook to sign in) and any “information you upload, provide, or create while using the service.”
To summarize Zoom’s policy, they say they don’t sell personal data for money to third parties, but it does share personal data with third parties for those companies’ “business purposes.”
Last year, security consultant Johnathan Leitschuch discovered that Zoom set up a local web server on a user’s Mac device that allowed Zoom to bypass security features in Safari 12. This web server was not mentioned in any of Zoom’s official documentation. It was used to bypass a pop-up window that Safari 12 would show before it turned on your device’s camera.
This led Electronic Privacy Information Center to file an FTC complaint against Zoom, alleging that Zoom “intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user.”
How you can protect your data
- Use two devices during Zoom calls: If you are attending a Zoom call on your computer, use your phone to check your email or chat with other call attendees. This way you will not trigger the attention tracking alert.
- Do not use Facebook to sign in: It might save time, but it is a poor security practice and dramatically increases the amount of personal data Zoom has access to.
- Keep your Zoom app updated: Zoom removed the remote web server from the latest versions of its apps. If you recently downloaded Zoom, there’s no need to be concerned about this specific vulnerability.
For any questions or concerns you may have, please contact IT Customer Care at (718) 817-3999 or via email to: HelpIT@fordham.edu.
