Zoom (software)


Zoom is a videoconferencing software program developed by Zoom Video Communications. It provides a video chatting service that allows up to 100 devices at once for free, with a 40-minute time restriction for free accounts having meetings of three or more participants. Users have the option to upgrade by subscribing to one of its plans, with the highest allowing up to 1,000 people concurrently, with no time restriction.
During the COVID-19 pandemic, Zoom has seen a major increase in usage for remote work, distance education, and online social relations.

History

A beta version of Zoom was launched in September 2012 that could host conferences with up to 15 video participants. In January 2013, version 1.0 of the program was released with an increase in the number of participants per conference to 25. By the end of its first month, Zoom had 400,000 users, which rose to 1 million by May 2013. After the start of the COVID-19 pandemic, by February 2020, Zoom had gained 2.22 million users in 2020 — more users than it amassed in the entirety of 2019. On one day in March 2020, the Zoom app was downloaded 2.13 million times. In April 2020, Zoom had more than 300 million daily meeting participants.

Features

Zoom is compatible with Windows, macOS, iOS, Android, Chrome OS and Linux. It is noted for its simple interface and usability, specifically for non-tech people. Features include one-on-one meetings, group video conferences, screen sharing, plugins, browser extensions, and the ability to record meetings and have them automatically transcribed. On some computers and operating systems, users are able to select a virtual background, which can be downloaded from different sites, to use as a backdrop behind themselves.
Use of the platform is free for video conferences of up to 100 participants at once, with a 40-minute time limit if there are more than two participants. For longer or larger conferences with more features, paid subscriptions are available, costing $15–20 per month. Features geared towards business conferences, such as Zoom Rooms, are available for $50–100 per month. Up to 49 people can be seen on a screen at once. Zoom has several tiers: Basic, Pro, Business, and Enterprise. Participants do not have to download the app if they are using Google Chrome or Firefox; they can click on a link and join from the browser. Zoom is not compatible with Safari for Macs.
Zoom security features include password-protected meetings, user authentication, waiting rooms, locked meetings, disabling participant screen sharing, randomly generated IDs, and the ability for the host to remove disruptive attendees. As of June 2020, Zoom will soon begin offering end-to-end encryption to business and enterprise users, with AES 256 GCM encryption enabled for all users.
Zoom also offers a transcription service using Otter.ai software that allows businesses to store transcriptions of the Zoom meetings online and search them, including separating and labeling different speakers.
As of July 2020, Zoom Rooms and Zoom Phone are also available as hardware as a service products. Zoom for Home, a category of products designed for home use, is expected to be available in August 2020.

Usage

Zoom has been used by banks, universities, and government agencies around the world, by the UK Parliament, by healthcare professionals for telemedicine, barbershops, and ceremonies such as birthday parties, funeral services, and Bar and Bat Mitzvah services. Zoom formed a partnership with Formula One to create a virtual club where fans can go behind the scenes and take part in virtual activities through Zoom, beginning with the Hungarian Grand Prix on July 19, 2020. An article published in July 2020 in the San Francisco Chronicle noted a new real estate trend in San Francisco and Oakland where some listings include "Zoom rooms" with backdrops for Zoom calls.
Richard Nelson's play What Do We Need to Talk About? takes place on Zoom, with its main characters congregating online during the coronavirus pandemic using Zoom. Written and directed by Nelson, it was commissioned by The Public Theater and premiered on YouTube on April 29, 2020, as a benefit performance. The New Yorker called it "the first great original play of quarantine". Oprah's Your Life in Focus: A Vision Forward was a live virtual experience hosted by Oprah Winfrey on Zoom from May 16 through June 6, 2020. In Source Material's play In These Uncertain Times, directed by Samantha Shay, characters communicate on Zoom. The play premiered on Zoom on July 25, 2020.

Criticism

Zoom has been criticized for "security lapses and poor design choices" that have resulted in heightened scrutiny of its software. Many of Zoom's issues "surround deliberate features designed to reduce friction in meetings", which Citizen Lab found to "also, by design, reduce privacy or security". In March 2020, New York State Attorney General Letitia James launched an inquiry into Zoom's privacy and security practices; the inquiry was closed on May 7, 2020, with Zoom not admitting wrongdoing, but agreeing to take added security measures. In April 2020, CEO Yuan apologized for the security issues, stating that some of the issues were a result of Zoom's having been designed for "large institutions with full IT support"; he noted that in December 2019, Zoom had a maximum of 10 million daily users, and in March 2020 the software had more than 200 million daily users, bringing the company increased challenges. Zoom agreed to focus on data privacy and issue a transparency report. In April 2020, the company released Zoom version 5.0, which addressed a number of the security and privacy concerns. It includes passwords by default, improved encryption, and a new security icon for meetings.
As of April 2020, businesses, schools, and government entities who have restricted or prohibited the use of Zoom on their networks include Google, Siemens, the Australian Defence Force, the German Ministry of Foreign Affairs, the Indian Ministry of Home Affairs, SpaceX, and the New York City Department of Education. In May 2020, the New York City Department of Education lifted their ban on Zoom after the company addressed security and privacy concerns.

Privacy

Zoom has been criticized for its privacy and corporate data sharing policies, as well as enabling video hosts to potentially violate the privacy of those participating in their calls. There may also be issues with unauthorized surveillance of students and possible violations of students’ rights under the Family Educational Rights and Privacy Act. According to the company, the video services are FERPA-compliant, and it collects and stores user data only for tech support.
In March 2020, a Motherboard article found that the company's iOS app was sending device analytics data to Facebook on startup, regardless of whether a Facebook account was being used with the service, and without disclosing it to the user. Zoom responded that it had recently been made aware of the issue, and had patched the app to remove the SDK after learning that it was collecting unnecessary device data. The company stated that the SDK was collecting information on the user's device specifications only in order to optimize its service and that it was not collecting personal information. In the same month, Zoom was sued by a user in U.S. Federal Court for illegally and secretly disclosing personal data to third parties including Facebook. Zoom responded that it "has never sold user data in the past and has no intention of selling users' data going forward."
In April 2020, a Zoom data-mining feature was found that automatically sent user names and email addresses to LinkedIn, allowing some participants to surreptitiously access LinkedIn profile data about other users. The companies disabled their integration. In May 2020, the Federal Trade Commission announced that it was looking into Zoom's privacy practices.

Security

In November 2018, a security vulnerability was discovered that allowed a remote unauthenticated attacker to spoof UDP messages that allowed the attacker to remove attendees from meetings, spoof messages from users, or hijack shared screens. The company released fixes shortly after the vulnerability was discovered.
In July 2019, security researcher Jonathan Leitschuh disclosed a zero-day vulnerability allowing any website to force a macOS user to join a Zoom call, with their video camera activated, without the user's permission. Attempts to uninstall the Zoom client on macOS would prompt the software to re-install automatically in the background, using a hidden web server that was set up on the machine during the first installation and remained active even after attempting to remove the client. After receiving public criticism, Zoom removed the vulnerability and the hidden webserver, allowing complete uninstallation.
In April 2020, security researchers found vulnerabilities where Windows users' credentials could be exposed. Another vulnerability allowing unprompted access to cameras and microphones was made public. Zoom issued a fix in April 2020. In the same month, "Zoombombing", when an unwanted participant joins a meeting to cause disruption, prompted a warning from the Federal Bureau of Investigation. Motherboard reported that there were two Zoom zero-days for macOS and Windows respectively, selling for $500,000, on April 15, 2020. Security bug brokers were selling access to Zoom security flaws that could allow remote access into users' computers. Hackers also put up over 500,000 Zoom user names and passwords for sale on the dark web. In response to the multitude of security and privacy issues found, Zoom began a comprehensive security plan, which included consulting with Luta Security, Trail of Bits, former Facebook CSO Alex Stamos, former Google global lead of privacy technology Lea Kissner, BishopFox, the NCC Group, and Johns Hopkins University cryptographer Matthew D. Green. On April 20, 2020, the New York Times reported that Dropbox engineers had traced Zoom's security vulnerabilities back over two years, pushing Zoom to address such issues more quickly, and paying top hackers to find problems with Zoom's software. In the same article, the New York Times noted that security researchers have praised Zoom for improving its response times, and for quickly patching recent bugs and removing features that could have privacy risks. In April 2020, Zoom made many of its security settings default settings, and advised users on ways to mitigate Zoombombing. In a blog post on April 1, 2020, Yuan announced a 90-day freeze on releasing new features, to focus on fixing privacy and security issues within the platform. The company created a new "report a user to Zoom" button, intended to catch those behind Zoombombing attacks. 
On July 1, 2020, at the end of the freeze, the company stated it had released 100 new safety features over the 90-day period. Those efforts include end-to-end encryption for all users, turning on meeting passwords by default, giving users the ability to choose which data centers calls are routed from, consulting with security experts, forming a CISO council, an improved bug bounty program, and working with third parties to help test security. Yuan also stated that Zoom would be sharing a transparency report later in 2020.

Encryption practices

Zoom encrypts its public data streams, using TLS 1.2 with AES-256 to protect signaling, and AES-128 to protect streaming media.
Security researchers and reporters have criticized the company for its lack of transparency and poor encryption practices. Zoom initially claimed to use "end-to-end encryption" in its marketing materials, but later clarified it meant "from Zoom end point to Zoom end point", which The Intercept described as misleading and "dishonest". Alex Stamos, a Zoom advisor who was formerly security chief at Facebook, noted that a lack of end-to-end encryption is common in such products, as it is also true of Google Hangouts, Microsoft Teams, and Cisco Webex. On May 7, 2020, Zoom announced that it had acquired Keybase, a company specializing in end-to-end encryption, as part of an effort to strengthen its security practices moving forward. Later that month, Zoom published a document for peer review, detailing its plans to ultimately bring end-to-end encryption to the software.
In April 2020, Citizen Lab researchers discovered that a single, server-generated AES-128 key is shared between all participants and used in ECB mode, which is deprecated because it preserves patterns from the plaintext in the ciphertext. During test calls between participants in Canada and the United States, the key was provisioned from servers located in mainland China, where they are subject to the China Internet Security Law.
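The pattern-preserving behaviour of ECB under one shared key, as an added example (not Zoom's or Citizen Lab's code). Python's standard library has no AES, so a truncated HMAC-SHA256 stands in for the AES-128 block transform; the key, nonces and frames are constructed sample values, and counter mode appears only as a contrast.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # AES block size in bytes


def block_fn(key, block):
    # Stand-in for AES-128 block encryption (assumption): keyed, deterministic, 16 bytes out.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    # ECB: every block is transformed independently, so equal input blocks give equal output.
    return b"".join(block_fn(key, b) for b in blocks(plaintext))


def ctr_encrypt(key, nonce, plaintext):
    # Counter mode: the keystream depends on nonce and block position, hiding repetition.
    out = bytearray()
    for i, b in enumerate(blocks(plaintext)):
        keystream = block_fn(key, nonce + i.to_bytes(8, "big"))
        out += bytes(x ^ y for x, y in zip(b, keystream))
    return bytes(out)


def repeated_blocks(ciphertext):
    # Number of ciphertext blocks that duplicate an earlier block in the same stream.
    return sum(n - 1 for n in Counter(blocks(ciphertext)).values())


def common_blocks(c1, c2):
    # Distinct ciphertext blocks that appear in both participants' streams.
    return len(set(blocks(c1)) & set(blocks(c2)))


def demo():
    key = bytes(range(16))  # constructed key, shared by both participants
    bg = bytes(BLOCK)       # constructed static background block
    frame_a = bg * 6 + b"speaker-A-pixels" + bg * 5
    frame_b = bg * 3 + b"speaker-B-pixels" + bg * 8
    ecb_a, ecb_b = ecb_encrypt(key, frame_a), ecb_encrypt(key, frame_b)
    ctr_a = ctr_encrypt(key, b"nonce--A", frame_a)
    ctr_b = ctr_encrypt(key, b"nonce--B", frame_b)
    return ((repeated_blocks(ecb_a), common_blocks(ecb_a, ecb_b)),
            (repeated_blocks(ctr_a), common_blocks(ctr_a, ctr_b)))
```

An observer without the key can count the repeats and cross-stream matches in the ECB output, which is the structure leak the deprecation refers to.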
On June 3, 2020, Zoom announced that users on their free tier will not have access to end-to-end encryption so that they could cooperate with the FBI and law enforcement. Later, they said that they do not “proactively monitor meeting content”. On June 17, 2020, the company reversed course and announced that free users would have access to end-to-end encryption after all.

Data routing

Zoom admitted that some calls in early April 2020 and prior were mistakenly routed through servers in mainland China, prompting governments and businesses to cease their usage of Zoom. The company later announced that data of free users outside of China will “never be routed through China” and that paid subscribers will be able to customize which data center regions they want to use. The company has data centers in Europe, Asia, North America, and Latin America.

Censorship

An April 2020 Citizen Lab report warned that having much of Zoom's research and development in China could "open up Zoom to pressure from Chinese authorities". On June 1, 2020, Zoom closed the paid account of human rights activist Zhou Fengsuo a week after he held an event discussing the 1989 Tiananmen Square protests. Social activist Lee Cheuk Yan's account was also closed in early May 2020. In June 2020 Zoom acknowledged that it had terminated two accounts belonging to U.S. users and one of a user from Hong Kong connected to meetings discussing 1989 Tiananmen Square protests; the accounts were later re-opened, with the company stating that in the future it "will have a new process for handling similar situations." Zoom also announced upcoming technology that could prevent participants from specific countries from joining calls that were deemed illegal in those areas.