Using Zoom? Take these steps to protect your privacy [Updated]

Zoom lets you keep attending your local yoga class, but at what cost?
Photo: Anupam Mahapatra/Unsplash

Video-conferencing tool Zoom is seeing a surge in use during the coronavirus pandemic, due to people being stuck at home and unable to meet in meatspace groups. I’ve read about people using Zoom to drop in on yoga and pilates classes, as well as for more usual business-related activities.

You might remember Zoom as the app that installed a web server on Macs in order to circumvent Safari’s built-in security and privacy tools — a server that could then be used by anyone to activate your webcam and spy on you. And it doesn’t end there. Zoom’s tracking features, designed to let your boss see if you’re paying attention during calls, also leak a lot of your personal info to the Zoom session’s host.

On the other hand, Zoom is actually a really good service in terms of quality and ease of use. Aside from the privacy and security concerns, there’s a reason Zoom is popular. And that makes it hard to convince people to switch to other video-conferencing software.

This post is meant to be two things: a guide for you to learn about Zoom, so you can decide whether you want to use it, and a resource to forward to people who hastily set up Zoom in an effort to keep their businesses afloat. It should help them make an informed choice about whether to keep using the app. (It also offers tips on how to avoid getting “Zoom bombed.”)

Zoom’s shady history

Last summer, videoconferencing app Zoom was outed for installing a web server on Macs. The purpose of this was to circumvent a safety feature in Safari. You know when you click on a link that wants to open an app on your Mac, and you get a pop-up window asking for permission to open it? That’s what Zoom was bypassing.

The idea was to make it easier to join a Zoom call. Just click a link, and the app launches, like magic. Security researcher Jonathan Leitschuh detailed the vulnerability in a Medium post.

This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.

On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Worse, deleting the app left the server in place. So even if you thought you uninstalled Zoom, the vulnerability remained. Simply visiting a website was enough to trigger such attacks.

Want more? BuzzFeed News reported that the still-active web server “reinstalled the Zoom app when a meeting link was clicked, without notifying the user, if the Zoom app had been deleted from the machine.”

Apple eventually fixed this with an automatic security update. Meanwhile, Zoom’s own fix required users to manually update the app.
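A defender's check for the leftover server described above. This is an added example, not code from the article or from Zoom; the hidden helper directory (~/.zoomus) and the localhost port (19421) are taken from Leitschuh's disclosure rather than from this article, and are the only values it assumes.

```python
"""Check a macOS home directory for the leftover Zoom local web server.

Added example (not from the article). The 2019 Zoom vulnerability left a
hidden ZoomOpener helper in ~/.zoomus listening on localhost port 19421
even after the app was deleted. Both values come from Leitschuh's
disclosure, not from this article; they are the script's only assumptions.
"""
import os
import socket

ZOOMUS_DIR = ".zoomus"      # hidden helper directory (from the disclosure)
ZOOMOPENER_PORT = 19421     # localhost port the helper listened on


def helper_dir_present(home: str) -> bool:
    """True if the hidden .zoomus directory still exists under `home`."""
    return os.path.isdir(os.path.join(home, ZOOMUS_DIR))


def port_listening(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """True if something accepts TCP connections on localhost:`port`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # connection refused, timed out, or no loopback
        return False


def assess(dir_present: bool, listening: bool) -> str:
    """Turn the two findings into a remediation verdict."""
    if listening:
        return "ACTIVE: local web server still accepts connections; stop ZoomOpener and delete ~/.zoomus"
    if dir_present:
        return "RESIDUE: helper directory remains but nothing is listening; delete ~/.zoomus"
    return "CLEAN: no leftover helper found"


def check_leftover(home: str = os.path.expanduser("~"), port: int = ZOOMOPENER_PORT) -> str:
    """Run both checks against a home directory and return the verdict."""
    return assess(helper_dir_present(home), port_listening(port))


if __name__ == "__main__":
    print(check_leftover())
```

Run it on the Mac in question; a CLEAN verdict means neither the directory nor the listener is present.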

This, then, is the first warning against using Zoom. The company deliberately disabled security features on the Mac, a move that ended in disaster.

Zoom and privacy today

That was last year. What about now? Let’s take a look at the Zoom Privacy Policy page, currently dated March 18, 2020. I don’t really need to analyze this very much. Here’s the official list of information that Zoom can collect when you use the app. And remember, this happens whether or not you sign up to Zoom and agree to its terms. Just joining a call might be enough to fork over your data.

Whether you have a Zoom account or not, we may collect Personal Data from or about you when you use or otherwise interact with our Products. We may gather the following categories of Personal Data about you:

  • Information commonly used to identify you, such as your name, user name, physical address, email address, phone numbers, and other similar identifiers
  • Information about your job, such as your title and employer
  • Credit/debit card or other payment information
  • Facebook profile information (when you use Facebook to log-in to our Products or to create an account for our Products)
  • General information about your product and service preferences
  • Information about your device, network, and internet connection, such as your IP address(es), MAC address, other device ID (UDID), device type, operating system type and version, and client version

There’s more, but that’s the best of it.

Now, this isn’t that different from many other online services’ privacy policies. It’s just that we bothered to look at this one.

What do you do if you have to use Zoom

Like Facebook, you might be forced to use Zoom just because everybody else is using it. Instead of missing out on your yoga classes, you can take precautions.

  • Don’t sign into Zoom with Facebook. This stops Zoom from collecting your Facebook profile info. Although, if you’re already giving all your private info to Facebook, maybe it doesn’t matter.
  • Use a separate device if you need to do anything during the call, if possible. This stops Zoom’s attention-tracking features from detecting that you are goofing off, because you’re goofing off on a different machine.
  • Use a virtual private network during the call if you can. A VPN can hide all kinds of data about you, including your location and IP address. However, it might slow down your connection, so you’ll have to balance your needs.
  • Use an iPad or iPhone instead of your Mac. Zoom’s iOS app is subject to Apple’s App Store rules, which give an extra degree of security. The Mac version is a direct download from Zoom, so you have no idea what’s inside.
  • On iOS, consider using a firewall like Guardian Firewall. This will block any tracker connections, as well as hiding your location via VPN.

Alternatives to Zoom

If you decide against using Zoom, several alternatives exist. If you want to be taken seriously by your yoga school, you’ll need to suggest something that works for everyone. That means Group FaceTime is likely out, because it only works on Mac and iOS.

You might consider using Skype or Skype for Business (owned by Microsoft), or Google Hangouts. Both of these services allow group calls. And both offer the advantage of a huge user base. Pretty much everyone has a Google ID or Gmail account; ditto for Skype. Or you could try Slack, another great tool for group communication that offers videoconferencing.

Because Zoom is both popular and good, you might just swallow your privacy concerns and go along with it. After all, supporting your local teachers might be more important these days.

Tips for staying safe with Zoom

If you do decide to use Zoom, the company offers a few good tips on its blog for staying safe. First, don’t share a link on social media or any public forum, because then anyone who sees it can join. This can lead to “Zoom bombing,” where bad actors crash the party, and drop off a payload of porn and/or other disruptions, before leaving. This could definitely harsh the mellow of your yoga class.

Next, if you’re hosting the event, do not use your Personal Meeting ID (PMI) to do it. “Your PMI is basically one continuous meeting,” says Zoom, “and you don’t want randos crashing your personal virtual space after the party’s over.”

Also, make use of the Zoom “Waiting Room,” which is a way to control who can get into your meeting. It’s kind of a virtual nightclub rope — and you’re the bouncer.

Disable screen sharing and file sharing

To prevent Zoom bombing, you should disable Zoom’s screen sharing feature. This will stop malicious callers from dumping porn etc. into the chat, even if they managed to get in.

First, click on the Settings link on the left, then scroll down to Screen Sharing. Change the option from All Participants to Host Only.

If you’ve already started a call, then click on the Settings link again, and then click on the big green Share Screen button. Yes, to disable screen sharing, you have to press a button that makes it seem like you’re about to share it instead. Then click on Advanced Sharing Options, and use the pop-up dialog box to choose Only Host.

On mobile, the same settings are available under the … button. Tap it, then tap Meeting Settings, and toggle the Allow Participants to Share switch off.

Finally, while you’re in there, turn off the File Transfer option, to stop people sending in dodgy files and images.