Zoom is working on adding end-to-end encryption but that's still months away
Zoom Video Communications Inc. was accused by a shareholder of hiding flaws in its video-conferencing app, part of a growing backlash against security loopholes that were laid bare after an explosion in worldwide usage.
In a complaint filed Tuesday in San Francisco federal court, the company and its top officers were accused of concealing the truth about shortcomings in the app’s software encryption, including its alleged vulnerability to hackers, as well as the unauthorized disclosure of personal information to third parties including Facebook Inc.
Investor Michael Drieu, who filed the suit as a class action, claims a series of public revelations about the app’s deficiencies starting last year have dented Zoom’s stock price, though the shares are still up 67% this year as investors bet that the teleconferencing company would be one of the rare winners from the coronavirus pandemic.
From Elon Musk’s SpaceX and Tesla Inc. to New York City’s Department of Education, agencies around the world have begun to ban usage of an app that’s risen during the coronavirus lockdown as a home for everything from virtual cocktail hours to cabinet meetings and classroom learning. On Tuesday, Taiwan barred all official use of Zoom, becoming one of the first governments to do so.
Zoom Chief Executive Officer Eric Yuan has apologized for the lapses, acknowledging in a blog post last week the company had fallen short of expectations over privacy and security. Cybersecurity researchers warn that hackers can exploit vulnerabilities in the software to eavesdrop on meetings or commandeer machines to access secure files.
Weak encryption technology has given rise to the phenomenon of “Zoombombing”, where uninvited trolls gain access to a video conference to harass the other participants. Recordings of meetings have also shown up on public internet servers.
The company also routed data through servers in China and used developers there, Citizen Lab said in a report last week. Any official data routed through China poses a major risk for Taiwan, a self-ruled island that Beijing claims as part of its territory. Taiwan’s government rejects China’s assertion, viewing the island as a sovereign nation.
“The rapid uptake of teleconference platforms such as Zoom, without proper vetting, potentially puts trade secrets, state secrets, and human rights defenders at risk,” researchers at the University of Toronto’s Citizen Lab wrote.
The company said it had mistakenly sent traffic through Chinese data centers as it was dealing with a “massive increase” in demand. It said it has stopped using that capacity as backup for non-Chinese clients.
Zoom is working on adding end-to-end encryption but that’s still months away, Yuan has said. Many of the problems stem from the fact that the app was geared toward enterprise clients with their own IT security teams, rather than built as the broad consumer app it has become. The number of daily meeting participants across Zoom’s paid and free services has gone from around 10 million at the end of last year to 200 million now, the company said. Most of those people are using its free service.