A single line of code has opened Pandora's box for the privacy and security of the Zoom video conferencing app. With that line the company itself activated a Facebook software development kit (SDK) that allowed both the social network and the application to collect certain data without users' consent: the IP address, the type of device, the operating system, and the location and time of the connection. "It has only affected the Apple ecosystem. This Monday they already amended the error, but the damage has been done. They have amassed massive data whether you have a Facebook account or not. Now they can profile those who have connected," says attorney Natalia Martos, founder of Legal Army.
These practices have prompted New York Attorney General Letitia James to open an investigation. In a letter sent to the company, she asks it to specify what kind of information it collects, for what purposes, and to what other entities it provides consumer data. "It is a company that does not take privacy into account. Although difficult to prove, this is a full-blown data sale. It has taken a slice. No one sells information for free. More or less, it is what happened with Cambridge Analytica," Martos argues. But this lack of privacy is only the tip of the iceberg of all the controversies that the coronavirus-imposed quarantine has uncovered in an application whose downloads have grown 86% in a month thanks to confinement, according to the Crunchbase portal.
An investigation by The New York Times revealed this Thursday that the application had a data-mining feature which, as soon as a session started, automatically linked user names and email addresses to LinkedIn profiles. It did not matter that during the call someone used a pseudonym or opted for anonymity. If a user had activated the LinkedIn Sales Navigator service, they could view the LinkedIn profiles of the other participants in the video call by clicking an icon next to their names. The company's CEO, Eric S. Yuan, has announced that for the next 90 days he will freeze features of this kind in order to correct them and fix the security and privacy problems detected.
Troll attacks, intrusions into other people's video calls, public links to meeting rooms, a default file-sharing configuration that allows malware to be sent... An excessive accumulation of vulnerabilities for such recently won success. Zoom has become popular during this crisis thanks to the forced march to telework, video calls between friends and family, remote classes and all kinds of remote connections.
As the days go by, the controversies multiply. Some users have confirmed that it is relatively easy for someone to monitor their activity while they are using the application. For example, one Zoom feature alerts the host if an attendee has kept the program out of the foreground for more than 30 seconds. That way a boss could know whether someone followed a meeting more or less attentively. The handling of email addresses has also generated controversy. The app automatically adds other people to a user's contact list if they sign in with an email address on the same domain. This can help in finding a specific colleague, but the hidden side is that by grouping them as if they worked for the same organization, the company exposes personal information to everyone in that group. "If this occurs in the European Union, the fine would be impressive," Martos concludes.
Zoom has defended itself against the allegations in a post on its corporate blog. It argues that it does not sell any kind of personal information; that it respects privacy laws such as the European General Data Protection Regulation and the California regulation known as the CCPA; and that it does not monitor meetings or the content exchanged. The last claim has caused a stir. It was challenged by the digital outlet The Intercept, which reported that there is no true end-to-end encryption in video calls, only TLS. That is, an eavesdropper on the network cannot access the audio and video, but the app itself can, because the traffic is encrypted only between each client and Zoom's servers, and the servers decrypt it in order to relay it. "We will continue to improve and evolve our privacy approach to ensure that we are doing the right thing for our users," says the company.
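The distinction The Intercept draws is architectural: with transport encryption alone, the relay server holds the session keys and sees plaintext; with end-to-end encryption, the clients share a key the server never receives. The following is an added illustration written for this article, not Zoom's code or a description of its protocol. It uses a deliberately simple stream cipher built from SHA-256 and HMAC as a stand-in for a real authenticated cipher, and the "alice", "bob" and relay-server names and the sample message are constructed for the example.

```python
"""Toy model: transport-only encryption versus end-to-end encryption through a relay.

Added illustration (not Zoom's code). The cipher below is a SHA-256 counter-mode
keystream with an HMAC tag; it stands in for AES-GCM or ChaCha20-Poly1305 so the
example runs with the standard library only. The point is who holds the keys.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, nonce, counter) with SHA-256."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(key, nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then strip the keystream."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class RelayServer:
    """A relay that terminates each client's transport session (the TLS analogue).

    It decrypts with the sender's session key, re-encrypts with the recipient's,
    and records whatever it could read in between. That record is the whole point.
    """

    def __init__(self, session_keys: dict):
        self.session_keys = session_keys
        self.observed = []  # bytes the server saw after stripping transport encryption

    def forward(self, sender: str, recipient: str, blob: bytes) -> bytes:
        inner = decrypt(self.session_keys[sender], blob)
        self.observed.append(inner)
        return encrypt(self.session_keys[recipient], inner)


def transport_only_call(message: bytes):
    """Encryption only between each client and the server: server reads plaintext."""
    session_keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    server = RelayServer(session_keys)
    delivered = server.forward("alice", "bob", encrypt(session_keys["alice"], message))
    received = decrypt(session_keys["bob"], delivered)
    return received, server.observed[0]


def end_to_end_call(message: bytes):
    """Clients share a key the server never holds: server relays only ciphertext."""
    session_keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    e2e_key = secrets.token_bytes(32)  # agreed between alice and bob, never sent to the server
    server = RelayServer(session_keys)
    inner = encrypt(e2e_key, message)  # end-to-end layer
    delivered = server.forward("alice", "bob", encrypt(session_keys["alice"], inner))
    received = decrypt(e2e_key, decrypt(session_keys["bob"], delivered))
    return received, server.observed[0]


def server_can_read(observed: bytes, message: bytes) -> bool:
    """True if what the server recorded is the original message."""
    return observed == message


if __name__ == "__main__":
    sample = b"constructed sample: one audio frame of the call"
    got, seen = transport_only_call(sample)
    print("transport-only: delivered ok =", got == sample, "| server read it =", server_can_read(seen, sample))
    got, seen = end_to_end_call(sample)
    print("end-to-end:     delivered ok =", got == sample, "| server read it =", server_can_read(seen, sample))
```

In both modes the recipient gets the message intact; the only difference is what the relay could log. Note that the end-to-end version still needs the transport layer (the server must be able to route and authenticate clients), and that real deployments must also solve key agreement between participants without the server being able to substitute its own key, which this toy omits.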
In the meantime, cybercriminals are taking advantage of the moment to scam users. Although the application is free, in mobile app stores it can be found for about four euros. It is an obvious example of phishing, a set of techniques that seek to deceive a victim by winning their trust while posing as a trusted person, company or service. The scammers copy the Zoom image with an identical one, as if superimposing the false identity on the original. "There are no magic recipes to detect it. You have to be very careful and check everything. If we look closely, companies often incorporate authenticity data," says Óscar Lage, a cybersecurity expert at Tecnalia.
Some of the damage can no longer be repaired. As Lage maintains, these problems are the result of products that focus solely on functionality. "Privacy and security are not included from the beginning. The only solution they have left is to patch the app. The ideal would be to use open source, community-maintained and auditable applications," he explains. There are other options for keeping in digital contact or continuing to work from home. Each has its own features and limitations, but Zoom's success has not given it a monopoly on video calls. "Google Hangouts and Skype would be good alternatives. They are subject to very strict privacy," Martos concludes.