What we know about video conferencing with Zoom

Martin Shelton

Principal Researcher


If you work remotely on the web, you’re probably getting comfortable with multiple video chat tools. At Freedom of the Press Foundation, we’ve published a high-level comparison of some common video chat applications, and many others maintain detailed comparison spreadsheets to help you compare dozens of tools. We also wanted to dive deeper into what we know about a few individual tools. This “fact sheet” will detail some security, privacy, usability, and anti-abuse properties of Zoom. In particular, we’re focusing on properties that are critical to high-risk users, like journalists, and developed a series of questions to help examine these properties.

In our fact sheets, we’ll be taking a closer look at several tools in common use at media organizations. We can’t possibly cover them all. In addition to Zoom, we’ll examine…

Each of these platforms changes regularly, so check back to see our regular updates. And if you see anything wrong, let us know at freedom.press/contact.

Table of Contents

  1. Background
  2. Evaluating the platform’s security properties
  3. Evaluating the platform’s privacy properties
  4. Can I get the job done easily and without abuse?

Background

Zoom’s issues with security, privacy, and abuse have been well-documented. Once upon a time, Zoom was designed to allow anyone to join video calls by default. Because it was so easy to join a call, it was quite easy for unwanted participants to join, sometimes causing havoc. Their documentation and interface also made misleading claims about the quality of their encryption. In light of widespread scrutiny from the security community, in some ways they have cleaned up the security, privacy, and abuse issues in their platform.

Zoom now provides a number of controls to help users manage who is allowed into a video call. The company now provides a single prominent icon in the video’s toolbar to easily manage security settings, where users can lock the meeting, preventing new users from entering; enable or disable a “waiting room” where meeting hosts can approve who enters; and remove participants. Likewise, hosts can restrict participants’ ability to share their screens, chat, rename themselves, or annotate the host’s shared content.

They have since rolled out stronger encryption by default, and options for end-to-end encryption, though this must be enabled and all users must have the Zoom client installed. Because they are making so many adjustments, this article will likely change in the weeks to come. Stay tuned.

Evaluating the platform’s security properties

Does the platform support two-factor authentication? By what methods?

Zoom allows two-factor authentication through standard authenticator apps, such as Google Authenticator or FreeOTP. For now, they do not appear to support standard FIDO2-compliant security keys for two-factor authentication.

Does the platform support transit encryption? How is it implemented?

According to research from Citizen Lab, it appears Zoom does use standard TLS to secure the traffic sent to and from Zoom’s servers.

Does the platform support end-to-end encryption? How is it implemented?

Yes. The company has previously mischaracterized how its encryption works, stating they offered end-to-end encryption when they did not. In a November 2020 complaint, the Federal Trade Commission describes this and other misleading security claims based on reporting from security researchers and the press. However, in October 2020 they began to offer end-to-end encryption.

In March 2020, The Intercept reported that, despite Zoom’s claims that they supported end-to-end encryption in their documentation, the company later admitted they did not. Zoom has since shared a blog post to clarify.

Zoom also said their chats were encrypted with an AES-256 encryption key, but security researchers have found otherwise. An April 2020 analysis from Citizen Lab suggests their servers distributed a smaller AES-128 key to allow users to encrypt and decrypt the video stream. They also implemented their encryption with ECB mode, a block cipher mode of operation that introduced serious weaknesses that could compromise the privacy of users’ video calls.
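To make the ECB weakness concrete, here is an added example (not from Citizen Lab or Zoom) that encrypts a constructed "video frame" in ECB mode and in a nonce-based counter mode, the confidentiality core of the GCM mode Zoom later adopted. The block cipher is a toy Feistel construction standing in for AES so the code runs with only the standard library; the function names and the sample frame are assumptions made for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # same block size as AES, in bytes

def round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function for the toy cipher (HMAC-SHA256, truncated).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation. A stand-in for AES, not for real use.
    left, right = block[:8], block[8:]
    for i in range(4):
        mixed = bytes(a ^ b for a, b in zip(left, round_fn(key, i, right)))
        left, right = right, mixed
    return left + right

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted independently with the same key,
    # so equal plaintext blocks always produce equal ciphertext blocks.
    assert len(data) % BLOCK == 0
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode: encrypt (nonce || counter) and XOR it into the data,
    # so each block position gets a different keystream block.
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        stream = toy_block_encrypt(key, nonce + n.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], stream))
    return bytes(out)

def repeated_blocks(data: bytes) -> int:
    # How many blocks duplicate an earlier one: what an eavesdropper can see.
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return len(blocks) - len(set(blocks))

def demo():
    key = os.urandom(16)
    # Constructed frame: flat background with one distinct region in the middle.
    frame = b"\x00" * BLOCK * 6 + b"FACE-PIXELS-HERE" + b"\x00" * BLOCK * 6
    ecb = ecb_encrypt(key, frame)
    ctr = ctr_encrypt(key, os.urandom(8), frame)
    return repeated_blocks(frame), repeated_blocks(ecb), repeated_blocks(ctr)

if __name__ == "__main__":
    print("repeats in plaintext / ECB / counter mode:", demo())
```

The ECB ciphertext keeps exactly as many repeated blocks as the plaintext, which is how the outline of an image or the rhythm of a stream survives encryption; the counter-mode ciphertext has none.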

At the time, even if all participants were outside of China, the Zoom server could still distribute the keys to encrypt and decrypt video calls to servers in China, where the company has a large engineering presence. As Citizen Lab researchers pointed out, “A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China.” The company has since introduced data routing, allowing paid users to choose regional data centers when using Zoom.

Initially Zoom planned to provide end-to-end encryption only to paid users. In a June 2, 2020 meeting with investors, the company's CEO, Eric Yuan, stated, “Free users — for sure we don’t want to give [them] that, because we also want to work together with the FBI, with local law enforcement, in case some people use Zoom for a bad purpose." They've since walked back this plan. On June 17, 2020, they released a blog post describing their intention to extend end-to-end encryption to all users, free and paid. To help stem abuse of their platform, however, they will need to verify some additional information from holders of unpaid accounts. According to their blog post, "To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message."

While it’s clear the company has previously made unusual choices about how to implement their encryption, in May 2020 they began to roll out standard AES-256 GCM to encrypt video calls. In October 2020 they also announced they would begin rolling out end-to-end encryption. Zoom now offers support for end-to-end encryption, though all users must have the Zoom client installed and it must be enabled in settings. These are significant improvements.

Has the platform undergone an independent security audit? If so, what were the results, and how did the platform respond to any identified vulnerabilities?

We have not seen publicly documented examples of an independent security audit. However, in May 2020, Zoom shared that they are hiring external security companies to conduct penetration testing, and introducing a bug bounty program.

Has the platform been breached before? How did they respond?

As Zoom had its boom during the COVID-19 pandemic, it seems the entirety of the security community seized on Zoom’s privacy and security flaws. In a November 2020 complaint, the Federal Trade Commission described many of these practices as "deceptive and unfair," suggesting the company repeatedly gave insufficient notice to users about its security and privacy practices. At the same time, the company has been quick to respond to known security issues.

We’ve seen a small handful of security breaches. To name a few…

In March 2019, a security researcher disclosed to Zoom that a flaw in its Mac application allowed websites to open a video call with the camera enabled. At the time, Zoom would host a web server locally on the user’s device, allowing Zoom to more easily reinstall itself without notice to the user. This behavior also allowed hackers to open the application more quickly, allowing for an attacker to enable the user's camera. The service has since shared a blog post with details about how they have addressed the issue.

In the summer of 2019, security researchers at Checkpoint Security responsibly disclosed to Zoom that they could automatically generate valid meeting IDs, allowing an attacker to join a meeting uninvited and listen in, or gather files or content shared during the call. A Zoom spokesperson has stated these issues were resolved in August 2019 when Zoom introduced several changes to mitigate this attack. When these issues were publicly disclosed in January 2020, the company had had security patches in place for months.

In April 2020, a security researcher publicly described an exploit that would allow hackers to grab Zoom users’ Windows operating system credentials. That same month Zoom released a blog post stating they have patched the vulnerability.

While it’s not technically considered a security breach, until April 2020, Zoom allowed anyone to join an active room if they had a link. At the time, the platform offered tools to help prevent unwanted visitors (e.g., the waiting room, meeting passwords), however, these were disabled by default. Likewise, rooms often did not enable permissions that would prevent a stranger from streaming the content on their screen or microphone. This led to a phenomenon dubbed “zoom bombing,” where an abusive user or group disrupts the ongoing meeting by posting profanity, pornography, or other disturbing imagery. In response, the company changed their default settings to make such invasions harder, and overhauled their permission and identity model (e.g., requiring users to have the appropriate invitation link). See more details in our section on abuse below.

More recently, security researchers have discovered exploits allowing for remote code execution, and unauthorized screensharing, among other issues. (You can find more disclosures here and here.) It is important to note, however, the company has generally been quick to address its known vulnerabilities.

Evaluating the platform’s privacy properties

How does the platform handle contact discovery?

Zoom’s mobile application allows users to import contacts either through their email contact list, or from their phone’s contact list. The service also allows users to sync contacts with Google, Office 365, or Microsoft Exchange.

Can I use the platform without making an account?

Users can log in if they have the appropriate invitation URL.

What user metadata and content is logged by the platform?

Zoom’s privacy policy describes the many types of metadata they collect: call time and duration, names, emails, and phone numbers involved in the session, times when participants joined and left, and name of the meeting. Likewise, they gather some information about your devices (e.g., IP address, MAC address, the type of device, device phone number).

Zoom retains some data about the user, including your name, email address, phone number, and billing information. The service also saves users’ Zoom preferences (e.g., if you prefer video off), and approximate location.

With the user's consent, the service can optionally save the content of calls and text chat, whiteboards, or voice mail.

What user data does the platform sell?

In their privacy policy, Zoom says they do not sell user data. As security researcher Bruce Schneier points out, however, they may use ‘marketing data’ gathered through their websites for advertising purposes.

How long does the platform hold on to user data after the user deletes it, or shuts down their account?

Zoom’s privacy policy is unclear about how long they retain user data following deletion or after an account is closed. “We will retain personal data for as long as required to do what we say we will in this Statement, unless a longer retention period is required by applicable law.”

Can the platform be self-hosted?

You can host your own chat streams. Organizations using Zoom’s Business and Enterprise services can host Zoom servers on-premises, ensuring that their call content (voice, video, meeting text chat, data sharing) stays within their organization’s network. However, user and meeting metadata (who spoke to whom, when, how long) are still connected to Zoom’s public servers.

Does the platform publish a yearly transparency report?

Yes. Zoom released its first transparency report in late 2020.

Does the platform alert users to requests for their data?

A spokesperson reaching out on behalf of Zoom tells Freedom of the Press Foundation that they don't alert users to requests for their data.

Are there any publicly documented cases of law enforcement requests for user data?

We have not yet seen examples of unsealed court records involving law enforcement requests for Zoom content or metadata. Zoom has, however, released the number of requests they've recently received in their transparency report. In this report they also give some details on Chinese government requests.

"In May and June of this year [2020], there were meetings in remembrance of Tiananmen Square. Zoom received several requests from Chinese government authorities in the days of and leading up to these meetings, some of which resulted in our termination of specific meetings. Those requests are reflected in this report.

As described in our blog post published on December 18, 2020, we terminated a China-based employee who was responsible for responding to Chinese government requests because this individual violated Zoom’s policies by, among other things, attempting to circumvent certain internal access controls, including those required to manage government requests as described in this report."

In an April 2020 blog post, the company said, "Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list." However, the company is clear in their documentation that they do have access to meeting metadata. Saved meeting content may also be vulnerable to legal requests.

Can I get the job done easily and without abuse?

Does the platform offer the ability to broadcast?

Yes.

Can I use this platform to host closed room meetings?

Yes. You can prevent the video calls from accepting unwanted users with a few security options.

Can I control who can access my call if I want to?

There are several controls to limit who can join a meeting. Users can set meeting passwords, and only distribute them to invitees. Users can lock the meeting, preventing new users from entering. Zoom now uses a "waiting room" where hosts can manually allow participants to join.

What is the maximum meeting group size?

The free version of Zoom enables up to 100 users to participate in the same conversation, while the paid enterprise versions can support up to 1000 participants. Webinars can support as many as 10000 view-only participants, depending on your webinar license.

Are there accessibility features? If so, what are they?

Yes. Zoom supports closed captioning, automatic transcription, keyboard accessibility, and screen readers.

Who can record meeting video? Audio? Chats?

Zoom supports saving meeting video, audio, and chat in the cloud or locally. By default only the host can record the meeting.

Is there a way to mute participants in the call? How does it work?

Yes. There are several settings for users to mute one another. All participants can mute or unmute themselves, and hosts and co-hosts can mute anyone, or ask them to unmute themselves as needed.

Is there a way to kick participants off the call? How does it work?

Yes. Hosts and co-hosts may manually remove users.

You made it to the end!

Now that you’ve read all about the platform, you can evaluate whether it’s right for your situation. If you want to check out another platform, consider looking to our short guide for a high-level comparison, or videoconferencing.guide for many more details. And as always, contact our training team if you need more assistance.

This article was updated on May 6, 2021.
