Viral lockdown video apps are putting user privacy at risk

Public Zoom calls such as this have been facing such problems for a while now. It seems pranksters are using Zoom’s screen sharing feature to disrupt such calls with pornographic content, racial slurs, and more.

Zoombombing, which is the internet’s name for such acts, may be the least of our privacy concerns with regard to these apps. Zoom has also been found to be sharing the private email addresses of users with strangers.

“I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1,000 names, email addresses, and even pictures of people in the Company Directory,” Twitter user Jeroen J.V. Lebon wrote on the microblogging platform.

The leak was actually part of a feature on Zoom called “Company Directory”. This allows users from the same organisation, who join using the company email ids to be grouped automatically. It seems that while Zoom made its app publicly available, it never considered how this feature would affect users who don’t join with corporate ids. In fact, Zoom’s chief executive officer Eric S. Yuan admitted this in a blog post on 2 April. “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” he wrote. Yuan explained that Zoom had 10 million daily users in December 2019, but has 200 million “daily meeting participants” right now. He said the company is halting new updates and will focus on privacy and transparency. “Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively,” he wrote.

Zoom has also been found to be playing it fast and loose with the term “end-to-end encryption” and an analysis by Motherboard revealed that the app sends data to Facebook even if a user does not have an account on the social network. One user has filed a suit against the company, alleging that the app “collects the information of its users and discloses, without adequate notice or authorization, this personal information to third parties, including Facebook, invading the privacy of millions of users”.

Zoom isn’t the only video chatting or conferencing tool that’s facing such allegations either. A service called Houseparty, which has gained traction among users during the lockdown, has allegedly been putting its users at risk too. While allegations against the app hacking its own users have been found to have no proof, Houseparty’s privacy policy has been questioned by security researchers worldwide even though the app assured its users that their accounts are safe.

“Anybody who decides to use the Houseparty application to stay in contact during quarantine needs to be aware that the app collects a worrying amount of personal information,” digital privacy expert Ray Walsh told Digital Trends.

The Houseparty app’s privacy policy states that while users may request for deletion of their data, it may still retain copies of this in “archived or backup copies” for its records “as required by law”. Houseparty’s privacy policy has reportedly not been updated since before the European General Data Privacy Regulations (GDPR) came into effect and experts said it is likely in violation of GDPR.

For Zoom, it’s important to send invite links for calls privately. Hosts on Zoom video calls can invite users using a public link. “Since this link does not require a password entry, pay close attention to who and how it is shared since anyone with the link can enter the call without having to show a call ID number or password,” cautions Omri Herscovici, vulnerability research team lead, Checkpoint Research. There’s also a waiting room option on Zoom, which allows a host to create a waiting room for others to join and then confirm every participant one by one or as a group. Disabling screen sharing is another measure one could take. This can be done from the “advanced sharing options” menu from the toolbar. For Houseparty,users should turn off location sharing on the app’s settings and experts have even suggested using fake names and birth dates to avoid the app from getting your real details. The app also allows a “private mode”, which lets people allow only those they want to join in on their video chats.

However, while these solutions do help protect your privacy to some extent, they won’t be workarounds for all the issues pointed out with these apps. Of course, there are alternatives to Houseparty and Zoom that users can use.

―Livemint