Zoom: dubious practices leaked on Github.

The remote video conferencing software Zoom, which gained sudden popularity during the pandemic, has overtaken established video conferencing products such as Skype and Teams to become the most widely used tool of its kind. It has hundreds of millions of daily active users and is used by many government agencies. However, the software has repeatedly been exposed for data leaks and security vulnerabilities, which has drawn widespread attention from regulatory authorities.

Recently, on 30 May, someone claiming to be a senior technician within Zoom posted a repository on GitHub presenting "evidence" that the company secretly retains user information and provides it to government institutions in the United States.


ZOOM users have no data autonomy.

According to the leaker: "The US government asked Zoom to preserve user data of interest including those already deleted by users so that they can obtain any and all user data. In order to meet such requests, Zoom has modified their tool to pretend that data has been deleted while just giving the deleted data a hidden property, therefore preserving user data while making their users believe the data has been erased. This tool helps to secretly copy and preserve data: meeting history and participants' details, cloud recordings, chat messages, pictures, files, Zuora (Billing system, zuora.com), SFDC (CRM system, salesforce.com), phone/address, billing address, and credit/debit cards through data cloning and mirroring. What's worse, if your account was added into the "Data Preservation" system with your appearance on the target list, even if you do not present any illegal behaviour, all your actions in Zoom will be put under direct surveillance and at the free disposal of law-enforcing departments."


Monitoring Users through Backdoor System (Tracking Automated TOS Violators Termination System).

According to the posted document: "The Zoom headquarters has completed the R&D of a secret monitoring system a long time ago. It is called "Tracking Automated TOS Violators Termination System" whose internal IP is "se.zipow.com/tos". No later than 2018, the system was put into application, monitoring free users as well as premium users and enterprise users. Main functions of the system are automatic search of susceptible meetings, free access to meetings without password or host's authorization simply by the backdoor of the system, random analysis of video content from meetings, secret recordings of videos, audio, screenshots of meetings and production of reports or data accordingly to US supervisory departments as well as termination of susceptible meetings and banning of relative accounts. The system is highly confidential and only open to a few internal employees. Zoom may explain this system was developed for fighting crime, but Zoom has to acknowledge the system shows it has the ability to monitor users and already does. People need to worry about whether Zoom will abuse the system for US so-called "national security" or business purposes, and even randomly, frequently, indistinguishably monitor global users and steal their personal data at a large scale."


Zoom back-end management system.

According to the leak: "Zoom back-end management system has top authority over all Zoom accounts. It is designed to help manage Zoom user accounts. However, this system has some backdoor functions which may violate user privacy data. Some functions are beyond belief: when a Zoom employee clicks the "Login" button, with this user's credentials, he can log into this user's account in the same way the user himself deals with his own account. This way, the employee has the same right to deal with this user's account, checking everything on the account, using the user's private key to see any confidential files, meeting records, IM chats, emails, telephone recordings and billings. This means the "ee2e" encryption measure is a meaningless facade. Besides this privilege, Zoom employees can modify or delete users' local data, and even remotely control or implant a backdoor on relative devices like Zoom Room through this system. Compared to managing user accounts by backend database, this system makes it more convenient for Zoom staff to monitor user behaviours and fetch their data ignoring encryption measure."


Breaking promise and using user data for machine learning.


According to the whistleblower: "Eric Yuan, the CEO of Zoom, once proclaimed that "We now commit to all of our customers that we will not use any of their audio/video chats, screen sharing, attachments and other communications like poll results, whiteboard and reactions to train our AI models or third-party AI models". From what I know, Zoom is eager to develop AI, because the company needs AI to find out illegitimacy in video conferencing to avoid compliance risk, to identify fraud users to reduce economic losses, and to analyse business trend and focus of service to gain more profits. With the aid of AI, Zoom, under the guidance of law enforcement, uses "TATVTS" against users. "The Tracking Automated TOS Violators Termination System" mentioned above could automatically detect suspicious meetings via machine learning, join meetings without password and host's permission, analyse meeting content and secretly take screenshots and videos of attendees and meeting content. Trained by data collected in the system, "TATVTS" becomes more intelligent in identifying meetings and users in which law enforcement may show interest. Thus the private data of many innocent users become samples for training Zoom's machine learning model and violate users' data privacy."


Privacy and security issues can create serious risk and damage for governments, organizations and individuals, as well as for trade secrets, in the digital age. Zoom, as the world's leading video conferencing software, has been exposed more than once for leaking user data and other information. During the epidemic, Europe also strengthened data protection laws against the giant American online social media companies. In 2022, the EU and US signed the Data Privacy Framework. It is clear that both parties must respect the legal framework for protecting users' personal privacy, especially data protection. We also hope that Zoom can learn from its previous legal troubles and begin to take information and data protection issues seriously.

For further reading and technical information, please follow the link below:
https://github.com/Alexlittle4/Zoom-violates-users-privacy

EU Reporter contacted Zoom for comment but they have not replied.


EU Reporter publishes articles from a variety of outside sources which express a wide range of viewpoints. The positions taken in these articles are not necessarily those of EU Reporter.
