Zoom's global surge has coincided with increased scrutiny over data and privacy protections the company offers its users.
Last Thursday, Zoom removed one controversial piece of its platform: an "attention-tracking tool" that was previously offered to any user who hosted a Zoom meeting.
When activated by a Zoom meeting host, the attention-tracking tool was meant to monitor whether any other user in attendance opened an app or window other than the Zoom meeting for more than 30 seconds while another user in the meeting was sharing their screen.
For UNC Zoom users, this attention-tracking tool had already been turned off by default, Dennis Schmidt, UNC’s chief information security officer of Information Technology Services, said in an email.
However, prior to Zoom's decision to remove the feature on April 2, Schmidt said individual meeting organizers — which could include class lecturers, students organizing study groups and more — did have the ability to activate the feature for themselves.
Zoom CEO Eric Yuan announced the tracking tool's removal in a public statement on April 1, where he said demand for the company's services has "ballooned overnight," from around 10 million daily meeting participants at the end of last December to more than 200 million last month.
"We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy and security," Yuan said in the statement. "However, we recognize that we have fallen short of the community’s — and our own — privacy and security expectations."
In an email to The Daily Tar Heel, a Zoom spokesperson said the company was originally developed for business-related use, and has been “confidently selected for complete deployment” globally.
"During the COVID-19 pandemic, we are working around-the-clock to ensure that hospitals, universities, schools and other organizations across the world can stay connected and operational,” the email said.
The company's updated policy page breaks down the various user data Zoom interacts with into categories: data users give to Zoom by using its software, data Zoom collects from users, data users can choose to give Zoom and data Zoom "may obtain about you."
Prior to that update, the company’s policy page contained different language in various descriptions of its data collection.
The archived version of Zoom's policy page states that this potentially collected information includes, but is not limited to, your physical address, email address, phone numbers, job titles, credit and debit card information, IP address, Facebook account information and more.
On March 30, a class-action lawsuit was filed in federal court in California accusing Zoom of sharing users' data with other companies, including Facebook, without the explicit consent of those users. The suit cites a report from the previous week by Vice about an issue with the iOS version of the Zoom app, which sent some users’ data to Facebook even if they did not have a Facebook account.
Andrew Dwyer, a cybersecurity research associate at the University of Bristol, raised concerns on Twitter late last month about security vulnerabilities Zoom has previously displayed after he learned the U.K. government had begun using the platform amid the global spread of COVID-19.
“Should we be letting a company we know so little about be entering our highest office of state? Should we be divulging so [much] personal data to this company with lax policies?” Dwyer tweeted. “The rush to online means we need to pay more attention and not less.”
The level of security required for government meetings obviously differs from that of university lectures, and in the context of a college lecture, Dwyer said, Zoom “may be a viable way to deliver material.”
However, Dwyer said Zoom’s privacy policies authorize it to store the information of people as they use the platform. The extent of information Zoom can gather, he said, also includes clickstream data — essentially, a specific overview of any user’s page-by-page internet activity during a given time period.
The questions Zoom's skeptics raise about data gathering and surveillance apply similarly to most video-communication platforms. But Zoom has taken a long time to resolve past security concerns, Dwyer said, suggesting “they are an immature business with regards to security.” He referenced one instance of a vulnerability that enabled Zoom to access webcams on Apple Inc.’s Mac computers.
Schmidt said the recent weeks had been "dynamic and quick-moving" for the University.
“On (March 25), an additional authentication option was added to restrict meeting access to only those participants logged into UNC Zoom,” Schmidt said in an email. “Before this change, anyone with a Zoom account, including external users, with whom a meeting ID or link had been shared, could potentially join authenticated Zoom meetings.”
UNC has held an active vendor agreement with the company since Oct. 11, 2017, according to the contract between the University and Zoom. The contract gives no specific dollar-value to the financial details of the agreement.
A UNC Zoom web page with guidance on securely using the platform posted an update last week announcing that the new authentication option had been implemented at 10 p.m. on March 25, two days after UNC officially began online classes campus-wide.
The update also indicates that this new UNC Zoom user authentication option is not automatically activated for UNC accounts that existed prior to the update.
Recently, this default Zoom feature has been exploited by outside users to hijack meetings with racist or explicit messages — a tactic now colloquially known as “Zoombombing.”
Last Thursday, a finance course taught by Chip Snively in UNC’s Kenan-Flagler Business School experienced one of these incidents. After class, Snively emailed students apologizing, and outlined future steps for more secure meetings that include a class password and use of Zoom’s waiting room feature, according to the email.
“My [apologies] for our ‘Zoom Bomber’ interruption and his idiotic/offensive comment in chat,” the professor said in the email.
Calvin Deutschbein, a computer science Ph.D. student at UNC, said they avoid using Zoom when possible, instead opting for platforms like Google Hangouts to teach classes and host office hours. Google Meet encrypts most customer data and recordings by default, according to the company's administrative help page, and employs a range of "anti-hijacking controls" and "counter-abuse measures."
Deutschbein said on a recent occasion, they were able to access a different Zoom meeting than the one they’d received the link to within 15 minutes, just by changing a few numbers in the meeting URL.
“I think Zoom lends itself to Zoombombing. I think they’re trying to fix that and it’s probably too late,” Deutschbein said.
‘A collective effort’
Although the service can help universities during this online transition, Dwyer said they should not become reliant on Zoom, especially its free versions. He encouraged students to push their schools to invest in more sustainable long-term solutions for a remote-learning environment that "have higher standards of security and privacy.”
Deutschbein, who is also an adjunct professor at Elon University, expressed worries about how schools may try to continue the use of online platforms to save money in the future. When possible, Deutschbein said they upload their teaching materials and lectures to servers not owned by the universities.
Schmidt encouraged “any member of the campus community with concerns about privacy related to Zoom” to email ITS at email@example.com.
For most students, who are already required to use Zoom, Dwyer suggested not logging in through Facebook.
“Ultimately it’s a difficult time for students and academics in the transition online,” Dwyer said. “Privacy and security can only be partially done through our own actions, and it is mainly shaped by the institutions and structures we work in, making it a collective effort.”
Reporting contributed by Charlie McGee.