A class action lawsuit gets Zoom to admit they give your data to Facebook, as the FBI warns that hackers are having a field day on the video conferencing platform.
The sudden boom of Zoom video conferencing during our drunken, pajama-clad, shelter-in-place era has quickly evolved from “Everyone is on this wonderful flawless platform!” to the inevitable “Jesus Christ, what were we thinking?” The first of surely many dominos to fall was Thursday’s Vice report that Zoom was sending your data to Facebook, for a price, even if you do not have a Facebook account, and with no acknowledgement of this in their privacy policy. (That report singles out only the iOS version of the Zoom app, so if you’re an iOS user it certainly deserves a full read.) CBS News reports that the story inspired a class action lawsuit against Zoom from angry California users, which you can read online here, and the New York Times notes that the New York attorney general is also piling on, demanding a full review of Zoom’s privacy and security practices.
"The Zoom app notifies Facebook when the user opens the app, details on the user's device.., [their] time zone and city, which phone carrier.., and a unique advertiser identifier.. which companies can use to target a user with advertisements", WTF 😭 https://t.co/KxpdLk55g4
— DHH (@dhh) March 26, 2020
Zoom quickly backtracked, as detailed in a CYA blog post the next day, and Vice confirmed that the non-consensually shared data like location and device details was no longer being made available for Facebook to purchase.
Zoom has stopped the data leakage to Facebook. That’s good. But their privacy policy is still a complete trash fire that belittles privacy legislation, and grants themselves the right to do exactly what they were just caught doing. https://t.co/oowYsWrxEV pic.twitter.com/hWj0BEoD2y
— DHH (@dhh) March 28, 2020
“Zoom does not sell our users’ data,” the company’s chief legal officer Aparna Bawa said in a very normal Sunday blog post. “Zoom has never sold user data in the past and has no intention of selling users’ data going forward.” But as anyone who remembers the Facebook-Cambridge Analytica affair and related scandals knows, when they say they do “not sell our users’ data” what they likely mean is that they rent it out in easily downloadable fashion that can be kept permanently. This perhaps meets the legal threshold of “not selling,” but it’s an argument that’s only credible to someone with vested shares in tech companies who perform such transactions.
We will be reviewing this following an unfortunate incident today where the Zoom whiteboard was hijacked by an anonymous individual who proceeded to draw cartoon penises. https://t.co/bRJXVxu6ro
— UCL Psychiatry (@UCLPsychiatry) April 1, 2020
Now, on to more dominos falling in the Zoom privacy-verse. We’ll start with the more innocuous pranks, and move our way up to the genuinely terrifying security issues. As we see above, hackers have figured out a trick so simple that it can’t really even be called hacking. Zoom conference links tend to be public, so any asshole can just log on and, say, draw erect penis pictures to lighten the mood. But the FBI put out a statement that some scoundrels were also broadcasting “pornographic and/or hate images and threatening language” into the webcasts, and that “a Massachusetts-based high school reported that while a teacher was conducting an online class using the teleconferencing software Zoom, an unidentified individual dialed into the classroom. This individual yelled profanity and then shouted the teacher’s home address in the middle of instruction.”
Two zero-day #security flaws have been uncovered in #Zoom’s macOS client version. The flaws could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera. https://t.co/qStJt1vRps
— Threatpost (@threatpost) April 1, 2020
It gets worse. TechCrunch brings us the news of two new security vulnerabilities found on the platform, one of which is a flaw where a clever hacker could steal passwords on the Windows platform using “UNC path injection to expose credentials for use in SMBRelay attacks.” I’m not even going to Google those terms, but it sounds bad.
TechCrunch also directs us to the finding of the nightmare scenario flaw — the ability to hijack your camera and microphone. It’s all detailed on the tech blog Objective-See, where obviously-smarter-than-me security researcher Patrick Wardle writes that “Zoom has (for reasons unbeknown to me), a specific 'exclusion' that allows malicious code to be injected into its process space, where said code can piggy-back off Zoom’s (mic and camera) access! This gives malicious code a way to either record Zoom meetings, or worse, access the mic and camera at arbitrary times (without the user access prompt)!”
YIKES!!! Ex-NSA hacker drops new zero-day doom for Zoom | TechCrunch https://t.co/pm6Luehju8
— Scott Adams (@ScottAdamsSays) April 1, 2020
Additional privacy flaws are being alleged as I type this. The Intercept claims that Zoom does not offer end-to-end encryption, despite marketing claims that it does. Yet another Vice report says that Zoom is “Leaking Peoples' Email Addresses and Photos to Strangers.”
just leaked into boris johnsons zoom call pic.twitter.com/Dg7bSbmNHo
— jœ (@xeimonster) April 1, 2020
This all sheds a very different light on last week’s I Went to a Sex Party on Zoom essay on Slate, which leads with the memorable line “About 15 minutes into my first sex party on Zoom, the dicks came out of the pants. There were more than a dozen of them.” Sure, fun, but do we remember an August 2014 incident called the Fappening? (Don’t look at me, I was at Burning Man the whole time.) Certainly anyone who consciously engages in erotic activities over an online video or photo platform is at risk of having their private bits or jerkoff party footage exposed on the internet, but here we have the possibility of personally compromising pics and photos from people who would never engage in such naughtiness, even with a trusted recipient.
Let’s say you popped a bottle of wine for an informal work conference, or a gang of 8chan trolls has accessed your camera and figured out your showering, underwear-changing, or masturbating schedule. Perfectly normal human behavior being exploited into fodder for fappers, scammers, or private investigators is now a real possibility. This may all be coming to terms with a new tech reality, and perhaps even the most vigilant companies will struggle with such things. But personally, I’m going to keep my Zooming in the web browser and not download the app — because I don’t want anyone downloading my fap.