Zoom FAQ
Zoom answers the question of how to deal with data mining:
"Importantly, Zoom does not mine user data or sell user data of any kind to anyone."
In response to the data protection gap of 26 March 2020, when it became known that the Zoom client under iOS sends data to Facebook even without a Facebook account, Zoom reacted within a few days and closed this gap (provided you do not log in via a Facebook account).
On 30 March 2020, security problems were detected in the Mac Zoom client, which could be exploited by phishing, among other things.
In its blog on 1 April 2020, Zoom claims to have closed this bug: "Released fixes for both Mac-related issues raised by Patrick Wardle."
Both security issues have been fixed in the currently downloadable Mac Zoom client (timestamp of the codesigning for the installer: 2 Apr 2020 at 15:15:06).
On or around 13 April, about 500,000 accounts with plaintext passwords were published, which apparently also work with Zoom. It is assumed that these credentials were collected by means of credential stuffing, i.e. the automated testing of login data from previous hacks of other websites. Zoom itself was not compromised. Users should change their password for security reasons.
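Credential stuffing of this kind shows up in login logs as one source trying many different accounts with a low success rate. The following Python sketch is an added example, not Zoom's or the university's code; the log format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: "<timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2020-04-13T09:00:01Z 203.0.113.7 user1@example.org FAIL
2020-04-13T09:00:02Z 203.0.113.7 user2@example.org FAIL
2020-04-13T09:00:03Z 203.0.113.7 user3@example.org FAIL
2020-04-13T09:00:04Z 203.0.113.7 user4@example.org OK
2020-04-13T09:00:05Z 203.0.113.7 user5@example.org FAIL
2020-04-13T09:00:06Z 203.0.113.7 user6@example.org FAIL
2020-04-13T09:05:10Z 198.51.100.20 carol@example.org FAIL
2020-04-13T09:05:25Z 198.51.100.20 carol@example.org OK
2020-04-13T09:07:00Z 198.51.100.30 bob@example.org FAIL
2020-04-13T09:07:01Z 198.51.100.30 bob@example.org FAIL
2020-04-13T09:07:02Z 198.51.100.30 bob@example.org FAIL
truncated-line 203.0.113.7
"""


def parse(log_text):
    """Yield (source_ip, username, succeeded) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"


def flag_credential_stuffing(log_text, min_accounts=5, max_success_ratio=0.2):
    """Flag sources that try many distinct accounts with mostly failed logins.

    Stuffing spreads a few attempts over many accounts; repeated guessing
    against a single account (bob above) is a different pattern, not flagged.
    """
    stats = defaultdict(lambda: {"attempts": 0, "tried": set(), "succeeded": set()})
    for ip, user, ok in parse(log_text):
        s = stats[ip]
        s["attempts"] += 1
        s["tried"].add(user)
        if ok:
            s["succeeded"].add(user)
    flagged = {}
    for ip, s in stats.items():
        ratio = len(s["succeeded"]) / s["attempts"]  # compromised accounts per attempt
        if len(s["tried"]) >= min_accounts and ratio <= max_success_ratio:
            # Accounts that did log in from a flagged source need a password reset.
            flagged[ip] = {"accounts_tried": len(s["tried"]),
                           "reset_passwords": sorted(s["succeeded"])}
    return flagged
```

The `reset_passwords` list is the actionable part: those accounts accepted a reused password from a flagged source and should be forced to change it.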
Zoom always provides TLS-based transport encryption (unless you are participating with a regular phone), but for group video conferences it provides end-to-end encryption (E2EE) only with endpoints that are at Zoom. Zoom thus used this term differently from how it is normally used, where the endpoints are the devices of the video conference participants.
For the chat and file transfer areas, we have configured Zoom to use Advanced Encryption Standard (AES) 256-bit encryption in each case.
A lawsuit filed in the U.S. is intended to clarify whether Zoom has gained an unfair competitive advantage through its unusual use of the term "end-to-end encryption".
In principle, the Pexip conferences that we use from DFN are not end-to-end encrypted either.
Zoom has now published a statement regarding end-to-end encryption.
It states:
"To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients."
If the Zoom client is used and the meeting is not recorded, then according to Zoom, all content is encrypted and not recorded.
When using a browser, less data is collected, e.g. about the devices used for the conference. The "Virtual Background" function, which provides increased privacy protection for the home, cannot be used with the browser.
The Zoom client usually provides a better conferencing experience and often works more smoothly. In return, more data is collected about the equipment used, such as your computer and audio/video equipment. The use of the "Virtual Background" function allows a limited protection of home privacy.
Zoom switched off this function on 1 April 2020.
We do not use Zoom rooms and this feature is disabled.
In order to prevent the outflow of data from Zoom in this way, third-party apps are not permitted.
Anyone who creates video conferences without further access protection (e.g. a password) and then makes the URL publicly available runs the risk of unwanted participants joining and behaving in undesired ways. These problems can be attributed to spam, trolling, or possibly also phishing, which disrupts ongoing communication that is freely accessible on the network.
This risk can be reduced by using passwords for conferences. The term zoom-bombing stems on the one hand from the current popularity of the Zoom platform, and on the other hand from the fact that it was possible to guess the URLs of Zoom video conferences.
In Hohenheim, new conferences are created with a password by default.
The problem with UNC links was fixed by Zoom on 2 April 2020, and UNC links are no longer executed.
- SOC2
- TRUSTe
- FedRAMP
- GDPR (with Privacy Shield)
We encrypt chats and file transfers with Advanced Encryption Standard (AES) 256-bit.