The insatiable demand among people and businesses for videoconferencing software during the COVID-19 pandemic reveal a rash of privacy and security issues related to the platforms used for remote working, such as Zoom.

The app’s maker is weathering a storm of criticism from various quarters, including privacy advocates, security experts, several U.S. state attorneys general, a U.S. lawmaker, and the FBI.

On Wednesday, the firm’s founder and CEO Eric S. Yuan apologized for the issues and outlined measures to beef up Zoom’s security and privacy. He also announced a 90-day feature freeze, adding that the company was shifting all its engineering resources to “focus on our biggest trust, safety, and privacy issues”.

Here’s a rundown of five of the key issues Zoom has had to address since last week:

• Zoom’s privacy policy failed to mention that the iOS version of the its app was sending analytics data to Facebook even when the users don’t have a Facebook account. The company acknowledged the issue and removed the Facebook Software Development Kit (SDK) for iOS. Zoom is facing a class-action lawsuit in California over the practice.
• Despite claims to the contrary, the app’s video and audio meetings don’t support end-to-end encryption. Zoom later apologized and clarified that it uses transport encryption known as TLS. The difference is that the latter doesn’t put users’ communications out of the company’s reach.
• The app was also found to contain several security vulnerabilities, though they were all fixed. Its Windows client was found susceptible to a UNC path injection flaw that could expose people’s Windows login credentials and even lead to the execution of arbitrary commands on their devices. Two more bugs, this time affecting Zoom’s MacOS client, could have enabled a local attacker to take control of a vulnerable computer.
• The company has also dropped Zoom’s ‘attendee tracking’, a feature that made it possible for a meeting’s host to check whether the participants were actually paying attention when the host was in screen-sharing mode.
• The FBI has released a warning against a phenomenon dubbed “Zoom-bombing” following multiple reports that trolls and pranksters invaded private meetings and school classes to display disturbing images. Zoom said it would soon turn on passwords and waiting rooms by default for all meetings. The new defaults will take effect starting April 5th.
• Security researchers at Citizen Lab reported that some Zoom calls as well as the encryption keys used to secure those calls made in North America were routed through China. The video conferencing platform has offered an apology and a partial explanation. Zoom said that during its efforts to ramp up its server capacity to accommodate the massive influx of users over the past few weeks, it "mistakenly" allowed two of its Chinese data centers to accept calls as a backup in the event of network congestion.

From Zoom's CEO Eric Yuan:

During normal operations, Zoom clients attempt to connect to a series of primary datacenters in or near a user’s region, and if those multiple connection attempts fail due to network congestion or other issues, clients will reach out to two secondary datacenters off of a list of several secondary datacenters as a potential backup bridge to the Zoom platform. In all instances, Zoom clients are provided with a list of datacenters appropriate to their region. This system is critical to Zoom’s trademark reliability, particularly during times of massive internet stress."

Zoom said this happened in "extremely limited circumstances."

Bill Marczak, one of the Citizen Lab researchers said:

"The bigger issue here is that Zoom has apparently written their own scheme for encrypting and securing calls," he said, and that "there are Zoom servers in Beijing that have access to the meeting encryption keys." "If you're a well-resourced entity, obtaining a copy of the internet traffic containing some particularly high-value encrypted Zoom call is perhaps not that hard."

The most effective measures you can take to protect your security and privacy when using Zoom include:
• Using passwords and/or vetting meeting participants with the help of Zoom’s ‘Waiting Room‘ feature.
• Limiting screen sharing to the host.
• Running Zoom’s latest version.
• Refraining from sharing links or meeting IDs on social media.
• Indeed, consider using meeting IDs rather than links when inviting other participants, as there’s been a surge in malicious Zoom-themed domains that seek to capitalize on the app’s unexpected success.