Lamar Elementary School principal Erin Honeycutt sets up a Zoom class for first- through fifth-graders in Meridian, Miss., in March. Some schools have had to curtail online classes in response to a form of harassment known as "Zoombombing." (Paula Merritt/The Meridian Star via AP)

Zoom, a videoconferencing service created for corporate webinars and meetings, has grown into something more amid the coronavirus outbreak.

With the number of daily users exploding from 10 million to 200 million from December to March, it has become a forum for nearly every kind of social function, including happy hours, yoga sessions, school classes, funeral services as well as Passover, Easter and (soon) Ramadan rituals.

But no sooner had many tried Zoom for the first time than they began to hear reasons they might want to stay away.

Trolls have crashed meetings, flashing porn or racist slurs on screens. Security researchers released report after report on newly discovered vulnerabilities, including leaked emails and bugs that might have allowed hackers to access webcams.

Earlier this month, Google warned employees not to use Zoom's desktop application on their work computers "due to privacy and security vulnerabilities." SpaceX, the U.S. Senate and New York City’s school district have enacted similar restrictions.

If you're among the tens of millions of people who have become regular Zoom users in recent weeks, you may be wondering what all this means for you. Here's a primer on some of the notable privacy and security lapses and how to keep your calls and data safe.







Is Zoom sending my data to Facebook?

A Vice investigation showed that Zoom’s app for iPhones sent data about users’ devices to Facebook, including about users who did not have Facebook accounts. The company was hit with at least two lawsuits in federal court, one by a California resident who alleges Zoom violated the state’s new Consumer Privacy Act by disclosing information to Facebook without providing consumers with adequate notice or the ability to opt out.

Zoom Chief Executive Eric Yuan said in a blog post March 27 that the company removed code that sent user data to Facebook in an updated version of the iOS app. The company updated its privacy policy March 29 after a swell of concern from users.

“I think Zoom wasn’t completely honest,” Electronic Frontier Foundation senior technologist Bill Budington said. “I think they are going through a lot of growing pains.”

How else might my information have been compromised?

Reports of Zoom's vulnerabilities predate the coronavirus crisis. Last July, security researcher Jonathan Leitschuh exposed a flaw that allowed hackers to take over Mac webcams through the app. The company fixed the problem after a public interest research center filed a complaint with the Federal Trade Commission.

Thousands of personal Zoom videos were left viewable on the open web, including one-on-one therapy sessions, telehealth calls, and elementary school classes, the Washington Post reported. People's names, phone numbers and intimate conversations were revealed and children's faces and voices were exposed.

Experts say the company now seems to be making more serious efforts to identify and quickly patch vulnerabilities. It formed an advisory council of chief security officers from other companies and hired Alex Stamos, Facebook's former chief security officer, as an advisor. “That’s a lot of money being thrown at the problem to improve security. That is not insubstantial,” said Leitschuh, who discovered the Mac camera vulnerability last year.







Are Zoom calls encrypted, and does that matter?

One way Zoom has sought to reassure users on privacy is by claiming its communications were protected by end-to-end encryption, which makes it, in effect, impossible for anyone, including the company itself, to spy on them. Recently, however, the Intercept revealed Zoom has been using a different type of encryption, called transport encryption, which enables the company to decode the content of calls.

That means the company could hypothetically be susceptible to pressure from government authorities to disclose communications, said Bill Marczak, a fellow at the Citizen Lab and a postdoctoral researcher at UC Berkeley.

That doesn't make those calls uniquely vulnerable, however. Cellphone calls and Skype calls on default settings, for example, aren’t encrypted end to end either, and it’s unlikely the average person would need this type of security. But reporters or dissidents under oppressive regimes, government officials discussing classified information or big companies that want to keep their business strategies confidential might want to use a more secure platform, Budington said.





