Zoom is a big privacy headache. Here’s how you can lock it down

Zoom has become the video-calling app of choice. That doesn’t mean it isn’t slurping up your data

In the coronavirus-fuelled race to work from home, the vast majority of people have settled on one service: Zoom. Even the UK’s meetings of Cobra, the cabinet members tasked with tackling the coronavirus crisis, are using the app to host their meetings remotely. In the first two months of 2020, Zoom added more users than the entirety of 2019, according to estimates from analysts Bernstein – and with screeds of guides about how to harness the power of Zoom, it seems likely those numbers are only increasing.

But privacy experts have been sounding warnings about Zoom’s privacy settings, cautioning that they’re a quagmire of over-intrusive elements that can learn far more about you than they actually need to. Zoom’s privacy policy sort of says it doesn’t sell your data – “which I’m thrilled about,” says Daragh O Brien, a data protection consultant with Castlebridge, an Irish company. “But there’s still an incredible amount of secondary processing you leave yourself open to in the app – and that’s before we even get to the tracker and cookie payload that comes with the web client.”

However, Zoom does use “certain standard advertising tools” according to its privacy policy “which require personal data” – such as Google Ads and Google Analytics. They also cover what’s called “customer content”, which includes the names of every user on a call, the video footage generated, the contents of any documents shared and transcripts of what was said on the call.

Widespread criticism has stung Zoom: on March 29, it clarified its privacy policy in a blog post, addressing some of the issues data protection experts had with it and stating clearly “No data regarding user activity on the Zoom platform – including video, audio, and chat content – is ever provided to third parties for advertising purposes”.

Zoom wants you to know that it cares about privacy. Three separate company spokespeople responded to our request for comment to say the company takes users’ privacy “extremely seriously”. “Zoom only collects data from individuals using the Zoom platform as needed to provide the service and ensure it is delivered as effectively as possible,” a spokesperson said, adding that it has “layered safeguards in place to protect our users’ privacy, which includes preventing anyone, including Zoom employees, from directly accessing any data that users share during meetings, including – but not limited to – the video, audio and chat content of those meetings. Importantly, Zoom does not mine user data or sell user data of any kind to anyone.”

While Zoom has become a lightning rod for criticism, it’s not the only one at fault. “A lot of other tools have significant privacy issues,” says O Brien. “Zoom is getting the attention because it’s the go-to due to its functionality being quite good as a product.” However, it should come with a big health warning, he says.

The defaults for Zoom aren’t just biased in favour of overly broad data collection for the app itself, but also for the host of any call. A call host can record a huge information by default, including your video, any audio or text, and can even track whether you’re paying attention by looking at the webcam. “The host will know whether the participants are paying attention or have wandered off, which amounts to workplace monitoring,” says O Brien.What is GDPR? The summary guide to GDPR compliance in the UK

That worries many. “One danger of suddenly taking up new tech solutions in response to a crisis, is that the planning and preparation steps get bypassed, acceptable use is assumed, but not formalised or communicated, and risk assessments fall by the wayside,” explains Rowenna Fielding, a privacy and data protection expert at Protecture. “In a healthy corporate culture, bosses lead and empower their employees rather than treating them like Victorian mill-workers. Just because snooping settings are there doesn’t mean they should be used.”

Those can all be turned off, as can the ability to require any participants to use a password to get into meetings which prevents one major flaw in the system, which has seen people randomly interrupting calls they haven’t been invited to. “You can limit potential intrusion into people’s privacy in that regard,” says O Brien. It’s also possible for the admin to change where the recording of the call is stored from the cloud (by default) to locally, which means that Zoom doesn’t hold on to the recordings of the session for any period of time. For those accessing it through a web browser, using a privacy-respecting web browser such as Brave can also limit the amount of cookie tracking that takes place.

“Given concerns raised last July about the Zoom Mac Client, and the impact of that on trust, I am genuinely perplexed why Zoom did not conduct a root and branch privacy review,” says Pat Walshe, a data protection expert. “I would urge Zoom to urgently conduct such a review now.”

There are some settings within Zoom that boost user security: these include options for meetings to use end-to-end encryption, watermark all content, and only allow people to join a meeting if they have an email with a certain domain name (e.g. @wired.co.uk).

Fielding suggests that participants can also take steps to prevent their data being tracked or used quite as much, too. She recommends using a unique email alias only for Zoom, and make sure to clear all your cookies and temporary files after each call to limit the tracking the service can do through your browser. 

She also recommends you don’t say anything on a call you aren’t happy for Zoom to data mine and repurpose for commercial benefit. If you’re still unhappy, take drastic measures: suggest that call hosts look for privacy-friendly alternatives. The problem with this approach will be that many companies will have already paid for Zoom usage, so there won’t be other options available through corporate structures.

That’s something Lilian Edwards, chair of law, innovation and society at Newcastle University’s Law School agrees with. “However much individuals have worries about Zoom, many institutions are tied into it as what they bought and trained for,” she says. “Going forward procurements have to start thinking about things like security and privacy as well as features.”

They would do well to look at alternatives. Other services, including one called Jitsi, are available, but are more complicated. “It doesn’t play nicely with all browsers,” admits O Brien. “It seems to have a preference for Chrome, which puts you into Google land.” But if you have the know-how, it’s worth trying to avoid tracking unnecessary data.

In the meantime, taking a stand is the most important way to stop your bosses – and ultimately, maybe Zoom – from spying on you. “One thing we could do is complain loudly and vociferously to Zoom and make them realise what they have in their product is not acceptable to their customers,” says O Brien. He admits that won’t solve the problem today. “But it might make them realise they need to change the way their product is architected from a product perspective to make it safer and better for customers.”

All Rights Reserved for Chris Stokel-Walker

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.