What we know about video conferencing with Zoom

Martin Shelton

Principal Researcher


If you work remotely on the web, you’re probably getting comfortable with multiple video chat tools. At Freedom of the Press Foundation, we’ve published a high-level comparison of some common video chat applications, and many others maintain detailed comparison spreadsheets to help you compare dozens of tools. We also wanted to dive deeper into what we know about a few individual tools. This “fact sheet” will detail some security, privacy, usability, and anti-abuse properties of Zoom. In particular, we’re focusing on properties that are critical to high-risk users, like journalists, and we have developed a series of questions to help examine these properties.

In our fact sheets, we’ll be taking a closer look at several tools in common use at media organizations. We can’t possibly cover them all. In addition to Zoom, we’ll examine…

Each of these platforms changes regularly, so check back to see our regular updates. And if you see anything wrong, let us know at freedom.press/contact.

Table of Contents

  1. Background
  2. Evaluating the platform’s security properties
  3. Evaluating the platform’s privacy properties
  4. Can I get the job done easily and without abuse?

Background

Zoom’s issues with security, privacy, and abuse have been well-documented. Once upon a time, Zoom was designed to allow anyone to join video calls by default. Because it was so easy to join a call, it was quite easy for unwanted participants to join, sometimes causing havoc. Their documentation and interface also made misleading claims about the quality of their encryption. In light of widespread scrutiny from the security community, the company has recently begun to clean up the security, privacy, and abuse issues in its platform, and appears to be doing so quite quickly.

Zoom now provides a number of controls to help users manage who is allowed into a video call. The company now provides a single prominent icon in the video’s toolbar to easily manage security settings, where users can lock the meeting, preventing new users from entering; enable or disable a “waiting room” where meeting hosts can approve who enters; and remove participants. Likewise, hosts can restrict participants’ ability to share their screens, chat, rename themselves, or annotate the host’s shared content.

They are now rolling out stronger encryption, and have released a proposal to deploy end-to-end encryption. Because they are making so many adjustments, this article will likely change in the weeks to come. Stay tuned.

Evaluating the platform’s security properties

Does the platform support two-factor authentication? By what methods?

Zoom allows two-factor authentication through standard authenticator apps, such as Google Authenticator or FreeOTP. For now, they do not appear to support standard FIDO2-compliant security keys for two-factor authentication.

Does the platform support transit encryption? How is it implemented?

According to research from Citizen Lab, it appears Zoom does use standard TLS to secure the traffic sent to and from Zoom’s servers.

Does the platform support end-to-end encryption? How is it implemented?

Simply put, no. The company has previously mischaracterized how its encryption works, but it's now rolling out industry-standard encryption, and has announced plans for end-to-end encryption. They continue to iterate on how this will be deployed in practice.

In March 2020, The Intercept reported that, although Zoom’s documentation claimed the service supported end-to-end encryption, the company later admitted it did not. Zoom has since shared a blog post to clarify.

Zoom also said their chats were encrypted with an AES-256 encryption key, but security researchers have found otherwise. An April 2020 analysis from Citizen Lab suggests their servers distributed a smaller AES-128 key to allow users to encrypt and decrypt the video stream. The encryption was also implemented in ECB mode, a mode of operation that introduced serious weaknesses that could compromise the privacy of users’ video calls.

At the time, even if all participants were outside of China, the Zoom server could still distribute the keys to encrypt and decrypt video calls to servers in China, where the company has a large engineering presence. As Citizen Lab researchers pointed out, “A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China.” The company has since introduced data routing, allowing paid users to choose regional data centers when using Zoom.

Initially, Zoom planned to provide end-to-end encryption only to paid users. In a June 2, 2020 meeting with investors, the company's CEO, Eric Yuan, stated, “Free users — for sure we don’t want to give [them] that, because we also want to work together with the FBI, with local law enforcement, in case some people use Zoom for a bad purpose.” They've since walked back this plan. On June 17, 2020, they released a blog post describing their intention to extend end-to-end encryption to all users, free and paid. To help stem abuse of their platform, however, they will need to verify some additional information from holders of unpaid accounts. According to their blog post, "To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message."

While it’s clear the company has previously made unusual choices about how to implement their encryption, in May 2020 they began to roll out standard AES-256 GCM to encrypt video calls. Zoom also plans to begin a beta test of their end-to-end encrypted offering in July 2020. These are meaningful improvements.
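To make the difference between the two modes concrete, here is an added example (not Zoom's code and not taken from the Citizen Lab analysis) that encrypts the same constructed "frame" of repeated data with AES-128 in ECB mode and with AES-256 in GCM mode, then counts repeated ciphertext blocks. The function names, keys, and frame contents are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// encryptECB runs AES on each 16-byte block independently (block-aligned input only).
func encryptECB(key, pt []byte) []byte {
	block, out := must(aes.NewCipher(key)), make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(out[i:], pt[i:])
	}
	return out
}

// encryptGCM seals pt with AES-GCM under a fresh random nonce: nonce||ciphertext||tag.
func encryptGCM(key, pt []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, pt, nil)
}

// repeatedBlocks returns how many 16-byte blocks duplicate another block in data.
func repeatedBlocks(data []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		seen[string(data[i:i+aes.BlockSize])] = true
	}
	return len(data)/aes.BlockSize - len(seen)
}

// compare encrypts a constructed frame (128 zero bytes: eight identical blocks,
// like a flat black region of video) in both modes and counts repeated blocks.
func compare() (ecbRepeats, gcmRepeats int) {
	keys, frame := make([]byte, 48), make([]byte, 128)
	must(rand.Read(keys)) // keys[:16] is the AES-128 key, keys[16:] the AES-256 key
	return repeatedBlocks(encryptECB(keys[:16], frame)), repeatedBlocks(encryptGCM(keys[16:], frame))
}

func main() { fmt.Println(compare()) }
```

Under ECB, every identical plaintext block produces the same ciphertext block, so the structure of the frame is visible without the key; under GCM no block repeats, and encrypting the same frame twice yields different output.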

Has the platform undergone an independent security audit? If so, what were the results, and how did the platform respond to any identified vulnerabilities?

We have not seen publicly documented examples of an independent security audit. However, in May 2020, Zoom shared that they are hiring external security companies to conduct penetration testing, and introducing a bug bounty program.

Has the platform been breached before? How did they respond?

As Zoom had its boom during the COVID-19 pandemic, it seems the entirety of the security community seized on Zoom’s privacy and security flaws. The company has been quick to fix security issues. We’ve seen few actual security breaches, but the ones we have seen are quite bad. To name a few…

In March 2019, a security researcher disclosed to Zoom that a flaw in its Mac application allowed websites to open a video call with the camera enabled. Apparently at the time, Zoom would host a web server locally on the user’s device without notice to the user, allowing hackers to open the application more quickly. The service has since shared a blog post with details about how they have addressed the issue.

In the summer of 2019, security researchers at Checkpoint Security responsibly disclosed to Zoom that they could automatically generate valid meeting IDs, allowing an attacker to join a meeting uninvited, and listen in, or gather files or content shared during the call. A Zoom spokesperson has stated these issues were resolved in August 2019 when Zoom introduced several changes to mitigate against this attack. When these issues were publicly disclosed in January 2020, the company had security patches in place for months.

In April 2020, a security researcher publicly described an exploit that would allow hackers to grab Zoom users’ Windows operating system credentials. In a blog post the company has said they have patched the vulnerability.

While it’s not technically considered a security breach, until April 2020, Zoom allowed anyone to join an active room if they had a link. At the time, the platform offered tools to help prevent unwanted visitors (e.g., the waiting room, meeting passwords); however, these were disabled by default. Likewise, rooms often did not enable permissions that would prevent a stranger from streaming the content on their screen or microphone. This led to a phenomenon dubbed “zoom bombing,” where an abusive user or group disrupts the ongoing meeting by posting profanity, pornography, or other disturbing imagery. In response, the company changed their default settings to make such invasions harder, and overhauled their permission and identity model (e.g., requiring users to have the appropriate invitation link). See more details in our section on abuse below.

Evaluating the platform’s privacy properties

How does the platform handle contact discovery?

Zoom’s mobile application allows users to import contacts either through their email contact list, or from their phone’s contact list. The service also allows users to sync contacts with Google, Office 365, or Microsoft Exchange.

Can I use the platform without making an account?

Users can log in if they have the appropriate invitation URL.

What user metadata and content is logged by the platform?

Zoom’s privacy policy describes the many types of metadata they collect: call time and duration, names, emails, and phone numbers involved in the session, times when participants joined and left, and name of the meeting. Likewise, they gather some information about your devices (e.g., IP address, MAC address, the type of device, device phone number).

Zoom retains some data about the user, including your name, email address, phone number, and billing information. The service also saves users’ Zoom preferences (e.g., if you prefer video off), and approximate location.

With the user's consent, the service can optionally save the content of calls and text chat, whiteboards, or voice mail.

What user data does the platform sell?

In their privacy policy, Zoom says they do not sell user data. As security researcher Bruce Schneier points out, however, they may use ‘marketing data’ gathered through their websites for advertising purposes.

How long does the platform hold on to user data after the user deletes it, or shuts down their account?

Zoom’s privacy policy is unclear about how long they retain user data following deletion or after an account is closed. “We will retain personal data collected for as long as required to do what we say we will in this policy, unless a longer retention period is required by law.”

Can the platform be self-hosted?

You can host your own chat streams. Organizations using Zoom’s Business and Enterprise services can host Zoom servers on-premises, ensuring that their call content (voice, video, meeting text chat, data sharing) stays within their organization’s network. However, user and meeting metadata (who spoke to whom, when, how long) are still connected to Zoom’s public servers.

Does the platform publish a yearly transparency report?

Not yet. In March 2020, Access Now asked that Zoom release transparency reports disclosing how they respond to legal requests. In April 2020, the company said they will release transparency reports in the near future.

Does the platform alert users to requests for their data?

A spokesperson reaching out on behalf of Zoom tells Freedom of the Press that they don't alert users to requests for their data.

Are there any publicly documented cases of law enforcement requests for user data?

We have not yet seen examples of unsealed court records involving law enforcement requests for Zoom content or metadata. We won't know how frequently such requests are honored or challenged by the company until the forthcoming release of its first transparency report.

In a blog post the company has said, "Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list." However, the company is clear in their documentation that they do have access to meeting metadata. Saved meeting content may also be vulnerable to legal request.

Can I get the job done easily and without abuse?

Does the platform offer the ability to broadcast?

Yes.

Can I use this platform to host closed room meetings?

Yes. You can prevent the video calls from accepting unwanted users with a few security options.

Can I control who can access my call if I want to?

There are several controls to limit who can join a meeting. Users can set meeting passwords, and only distribute them to invitees. Users can lock the meeting, preventing new users from entering. Users can also enable or disable a “waiting room” where meeting hosts can approve who enters. Since May 2020, waiting rooms are enabled by default for Zoom Basic, Single Pro users, and users in their K-12 program.

What is the maximum meeting group size?

The free version of Zoom enables up to 100 users to participate in the same conversation, while the paid enterprise versions can support up to 1000 participants. Webinars can support as many as 10000 participants, depending on your webinar license.

Are there accessibility features? If so, what are they?

Yes. Zoom supports closed captioning, automatic transcription, keyboard accessibility, and screen readers.

Who can record meeting video? Audio? Chats?

Zoom supports saving meeting video, audio, and chat in the cloud or locally. By default only the host can record the meeting.

Is there a way to mute participants in the call? How does it work?

Yes. Anyone in the meeting can mute anyone.

Is there a way to kick participants off the call? How does it work?

Yes. Hosts and co-hosts may manually remove users.

You made it to the end!

Now that you’ve read all about the platform, you can evaluate whether it’s right for your situation. If you want to check out another platform, consider looking to our short guide for a high-level comparison, or videoconferencing.guide for many more details. And as always, contact our training team if you need more assistance.
