Everybody seems to be using Zoom. But its security flaws could leave users at risk.

Its billionaire chief said the video-conferencing company never expected that “every person in the world would suddenly be working, studying, and socializing from home.”

Lauryn Morley, a substitute teacher in Bethesda, Md., leads a class from home using Zoom. (Olivier Douliery/AFP/Getty Images)
When Georgetown University began advising its faculty to use the video-call service Zoom to record classes during the coronavirus lockdowns, professor James Millward couldn’t help worrying about where all that video would end up.

His course on modern China features free-flowing and unsparing discussions about contentious issues such as censorship and surveillance. How would students’ privacy be protected? And could video of students’ faces, voices and questions someday be used against them?

“If we had a big camera on the wall recording everything happening in our normal classrooms, we would be very alarmed by that,” he said in an interview. “And yet we’re now eagerly setting that all up in our homes, creating these recordings without having any idea what’s happening to them.”

After the coronavirus contagion brought an end to many of the rituals of everyday life, many of them reappeared on Zoom, a video-call service that has exploded in popularity across a nation almost entirely locked indoors. Weddings, funerals, company layoffs, kindergarten classes and official government meetings have been streamed on its platform, leading the Silicon Valley firm’s market value to double to roughly $35 billion this year.

One Washington D.C. couple was supposed to get married on March 20, but their plans were upended when the coronavirus made its way to the region. (Video: The Washington Post, Photo: Nick Hanyok Imaging/The Washington Post)

But amid the dramatic growth in demand for its product, the company has encountered a crisis of its own: concerns over security, privacy and harassment that could leave its growing audience at risk. Security researchers who have analyzed Zoom’s programming code say its software relies on techniques that could leave people’s computers exposed to breaches. And its data-sharing arrangements, along with the ability of some users to record conversations without the consent of all parties involved, could undermine people’s privacy as they engage in sensitive discussions from home.

Zoom was launched as a business-friendly video chat, and the company’s engineers pushed design decisions that bypassed certain safeguards to save people a few clicks before making or joining calls. But technical experts argue the shortcuts are a vulnerability open to hackers who could exploit them to snoop on people’s lives.

The company in recent days has endured a storm of embarrassing revelations from security researchers pointing out flaws that could allow strangers to steal log-in information, gain access to messages and take control of users’ cameras and microphones.

Zoom chief executive Eric Yuan said in a blog post Wednesday night that he was “deeply sorry” for falling short of users’ “privacy and security expectations.”

“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” he wrote. The system’s new user base, he said, was using Zoom in a number of “unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”

The company, Yuan said, will freeze work on new features and shift all of its engineering resources for the next 90 days to its biggest safety and privacy shortfalls. The company is also gathering a team of outside experts to conduct a “comprehensive review” of the system and draw up a short-term battle plan.

Zoom also is removing some controversial features, including an “attention-tracking” option that allowed a host to be alerted when the system suspected a call participant was looking elsewhere.

Federal and state authorities have begun asking questions about how the software monitors and protects Americans’ video streams. New York Attorney General Letitia James has asked the company for details on how user data is shared and safeguarded, and Sen. Richard Blumenthal (D-Conn.) wrote a letter to Yuan on Tuesday demanding answers about the company’s “troubling history of software design practices and security lapses.”

“The millions of Americans now unexpectedly attending school, celebrating birthdays, seeking medical help, and sharing evening drinks with friends over Zoom during the coronavirus pandemic,” Blumenthal wrote, “should not have to add privacy and cybersecurity fears to their ever-growing list of worries.”

The company said in a statement that it takes user privacy and security seriously and is working to provide answers to the congressional and state requests.

Zoom has also attracted the scrutiny of the FBI, which said this week that it had received multiple reports of Zoom and other videoconference calls being disrupted by anonymous trolls posting pornographic images and issuing threats; in one case last month, a hijacker on Zoom shouted a teacher’s home address in the middle of class. The FBI recommended that video hosts keep meetings private and use other features, such as a participant-screening “waiting room,” to control who joins calls. The company last month also gave users tips on securing meetings and blocking “uninvited guests.”

Some have also criticized Zoom’s default settings, which allow new people on a call to abruptly blast text and images onto other viewers’ computers — a screen-sharing feature that “zoombombing” trolls have exploited. Zoom, which said in statements to The Washington Post that the feature was designed for its core user base of businesses, recently changed that default for schools, allowing only teachers to share their screens.

The service also allows a video host to record the call without participants’ explicit consent. Call participants are notified when the recording starts and are given the option of leaving, but some students and other Zoom users said they feel they have to stay.

Zoom representatives said the company does not monitor people’s meetings and stores chat messages and video recordings only if hosts initiate such storage. Video can be saved on Zoom’s servers or the host’s computer, and participants are notified if the host decides to record the live stream.

Alex Stamos, the former Facebook security chief who leads the Stanford Internet Observatory, said Zoom’s problems have ranged from silly design decisions to serious product-security flaws — many of which he is reminded of constantly, because he, his wife and their three school-age children now use Zoom at home every day.

“Google would never ship with these problems. Never. They can afford the best security team in the world,” he said. “But in a competitive marketplace, what you also have to put up with is security growing pains from the upstarts.”

Zoom has become a global phenomenon virtually overnight because its video-call software is relatively fast, reliable and easy to use. Though Zoom’s business clients pay thousands of dollars a month for service, anyone can use it to conduct free video calls or group meetings lasting up to 40 minutes. During the coronavirus pandemic, the company also is allowing grade schools to use the platform free of charge.

Zoom was used by more than 200 million callers last month, up from 10 million in December, and is used in more than 90,000 schools across 20 countries, Yuan said. More than 5 million people in the United States used Zoom’s mobile apps on Tuesday, five times more than a month ago, dwarfing its top rivals, including Skype, Slack, Google Hangouts and Microsoft Teams, data from the software research firm Apptopia shows.

Yuan, Zoom’s billionaire founder, said he first daydreamed about a snappy video-chat service when he was a college student in China during long train rides to visit his girlfriend (now his wife). He moved to Silicon Valley during the late 1990s tech boom, joining the rival video firm WebEx, and later left with a team of engineers to found Zoom in 2011.

The San Jose-based company made the bulk of its $188 million in revenue during the past fiscal year, which ended Jan. 31, from video-service subscriptions sold to more than 80,000 businesses, financial filings show.

That is part of the problem, some industry experts said: Zoom was never designed for households, schools and social groups unsure of the advanced settings and technical controls. The service’s sudden popularity was so unexpected that Yuan told a virtual summit on Wednesday that the shift from a professional clientele to a mainstream audience was the company’s “number one challenge.”

Zoom faced heavy criticism last summer when a security researcher showed the company had been installing secret pieces of software on users’ computers that could turn on their cameras without their knowledge or consent. The company defended the practice as helping speed up meetings, but groups such as the Electronic Privacy Information Center, which filed a complaint with the Federal Trade Commission, said the camera-control capability ignored security settings and could be abused by strangers wanting to silently invade Zoom users’ calls. After Zoom said it corrected the issue, engineers at Apple took the rare step of universally deleting the programs. Zoom said it no longer uses the technique.

But as the app’s popularity has grown, researchers have revealed new concerns. Zoom’s iPhone and iPad apps sent some limited information, such as users’ location cities and the time at which they opened the app, to Facebook as part of a log-in feature common across the Web. After the tech outlet Motherboard revealed the practice, Zoom said it removed the relevant code.

Zoom advertised a security measure, known as end-to-end encryption, that would protect messages between senders and their designated recipients. But an analysis in the online outlet the Intercept this week showed that the messages are not properly encrypted, potentially allowing outsiders to see their contents. A Zoom executive on Wednesday apologized in a blog post for the “discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”

Security researchers this week said software vulnerabilities also could allow hackers to gain access to users’ cameras and microphones. Zoom representatives said they are “actively investigating” the reports. And the code Zoom uses to speed up installation relies on “bad security practices and … lying to the user,” according to a technical analyst at the cybersecurity firm VMRay. Yuan, Zoom’s CEO, said in a response that the company had used those practices to “balance the number of clicks” required by a user before the program could be used.

The country’s abrupt Zoom-ification also has elevated anxieties among some bosses and teachers scrambling to lead employees and students in a strange new time. New York University Provost Katherine Fleming sent the university’s teaching staff an email last month trying to address some concerns over a teaching method that, she wrote, had “been a challenge for all and a major drag for some.”

“Holding classes remotely is not a secret first step on the road to eliminating our regular mode of instruction,” Fleming wrote, according to a copy of the email provided to The Post. “NYU is not using NYU Zoom to surveil your class.”

The coronavirus outbreak has forced many educators to adapt to virtual teaching. Here's how 7th grade math teacher Jil Llewellyn suggests you get through it. (Video: The Washington Post)

Clay Shirky, a vice provost for educational technologies at NYU, said Zoom has helped the university rescue the semester from devastating cancellations: At any moment during the school day, more than 250 classes are in session on Zoom. But the company, he said, has often “shot themselves in the foot by doing some dopey marketing,” such as offering the “attention-tracking” feature, which alerted a video host when an attendee had clicked out of the Zoom window for more than half a minute.

Zoom removed the feature, but the damage in some ways has been done. “In this climate of anxiety,” Shirky said, “it is very easy for some tiny irritant to become a pearl of uproar.”

Zoom has scrambled to navigate the criticism, rolling out guides for how users can better protect their video streams. Over the weekend, the company also updated its privacy policy to say that customer video and chat messages are not accessed by the company or used for advertising. “Your meetings are yours. We do not monitor them or even store them after your meeting is done” except at the host’s request, Zoom’s chief legal officer, Aparna Bawa, wrote.

But there is already some indication that the pushback has started weighing down Zoom’s bottom line: The company’s stock price, which initially soared during the coronavirus lockdowns, has fallen this week nearly 25 percent. At least two class-action lawsuits were filed against Zoom this week alleging that the company had improperly shared users’ personal information and had duped customers with its promise of encrypted chat.

The company has faced added pressure from the rise of “zoombombing” raids, in which anonymous trolls barge into unlocked Zoom meetings, shouting profane insults and racist slurs. Videos of the raids, some of which have been removed by YouTube for violating hate-speech policies, show giggling trolls posting pornography into online grade-school lessons, pulling their pants down in front of company conference calls, and dancing with bottles of bourbon in what appeared to be an online Alcoholics Anonymous meeting.

Some students have also gone on Reddit message boards and Discord chat rooms to request that people hijack their own classes. “Please — I’m begging you — raid my AP Stats class,” one person wrote on a Reddit forum this week devoted to Zoom school invasions. The user also listed the names of the school’s headmaster, principal and former teachers — details the trolls could use for comedic effect — and added, “Do whatever the hell you want.”

The company said in a statement that it “strongly condemns harassment” and is seeking to remove the videos and identify the trolls to “ensure this doesn’t happen again.”

But some Zoom users think the company has not acted aggressively enough. Dennis Johnson, a recent graduate of California State University at Long Beach, was defending his doctoral dissertation last week on a university Zoom call when an unknown user took over the video and began scrawling an image of a penis and a racial slur — all while Johnson’s mother, grandmother, spouse and dozens of other friends and family members watched.

“I literally had to pause for a second, thinking, ‘This can’t be happening right now,’” Johnson said. “Somebody literally stole my moment. Three years of writing this paper, months of preparing, and I get there and it’s taken from me and there’s nothing I can do to get it back.”

Elana Zeide, a researcher at the University of California at Los Angeles’s law school who studies technology and policy, said the extra scrutiny of Zoom has helped draw attention to its questionable design decisions. But the attention has also highlighted a tension for people scrambling amid the chaos of “social distancing” to find a simple way to gather online. “You have schools and parents in a pinch, and there are only so many tools to use,” she said.