- Zoom is leaking information of users to strangers.
- This is caused by the feature that groups contacts into a company directory by email domain.
- Zoom has replied to the concerns.
Zoom is currently embroiled in a myriad of controversies, thanks to the sudden surge in its use across the globe amid the coronavirus lockdown. Among them is a new finding alleging that Zoom is leaking the information of at least thousands of users and allowing strangers to contact them through the platform. Personal information such as email addresses and photos is being shown to unknown users without their consent, Vice has reported. The cause is a feature that groups individuals into a 'Company Directory' that is otherwise meant for users within the same company who share an email domain.
Vice mentioned in its report that Zoom's functionality of grouping contacts by the email domain of their company also affects users who signed up using their personal email addresses. Zoom is said to have pooled these users into company directories, thereby letting everyone else in the same directory see their information without asking for it. Users whose accounts are on a company email domain can find each other within the company directory without needing permission, and in this case that included strangers.
Several people have flagged the issue online, tagging Zoom in their comments. "I was shocked by this! I subscribed (with an alias, fortunately) and I saw 995 people unknown to me with their names, images and mail addresses," wrote a user named Barend Gehrels in an email obtained by Vice. Gehrels also provided the publication with a redacted screenshot that shows at least 1,000 strangers in a company directory he is unfamiliar with. His partners, as per the report, faced the same issue and began to see about 300 unknown people in the list of contacts for a company directory.
But this case also highlights that both users had a "non-standard" email provider, meaning an email domain other than the public ones such as @gmail.com, @yahoo.com and @hotmail.com, and other than those that companies provide to their employees. On its website, Zoom states: "By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or whose email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section."
Gehrels told Vice that Zoom does not recognise all such email domains and therefore does not exempt them from grouping the way it does domains marked for personal use. The issue particularly impacts Dutch users with email addresses ending in xs4all.nl, dds.nl and quicknet.nl; several other users with addresses from Dutch internet service providers have encountered it too. "I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the Company Directory. Is this intentional?" wrote another user on Twitter.
Dutch ISP XS4ALL acknowledged the issue, replying to one of the complaints that this is something the ISP "cannot disable." "You could see if Zoom can help you with this," wrote the ISP on Twitter. In an emailed response, XS4ALL told Motherboard that it was aware of the problem but had not heard from its customers directly about it.
Zoom also took cognisance of the problem. A Zoom spokesperson told Motherboard, "Zoom maintains a blacklist of domains and regularly proactively identifies domains to be added. With regards to the specific domains that you highlighted in your note, those are now blacklisted." The spokesperson also pointed to an option on Zoom's website where other domains can be requested for removal from the Company Directory feature.
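The security-relevant point in the spokesperson's answer is that a blacklist of public domains fails open: every domain Zoom has not yet heard of, including an ISP's consumer mailboxes, is treated as a company. As an added illustration (not Zoom's code, whose internals the article does not describe), the following Python contrasts that deny-list grouping with a fail-closed allow-list in which only domains an organisation has explicitly claimed get a shared directory. The sample users, the example-corp.com domain and the VERIFIED_ORG_DOMAINS set are constructed for the example; the public and ISP domains are the ones named in the article.

```python
"""Contact-directory grouping by email domain: deny-list (fails open) vs.
allow-list (fails closed).

Constructed illustration, not Zoom's code. The mechanism is inferred from the
article: users whose email domain is not on a list of public providers are
pooled into one shared 'Company Directory' per domain.
"""
from collections import defaultdict

# Public consumer providers named in the article. A deny-list like this is
# never complete: ISP mailboxes such as xs4all.nl were not on it.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}

# Allow-list alternative: domains an organisation has explicitly claimed,
# e.g. by proving DNS control. Assumed data for the example, not a Zoom feature.
VERIFIED_ORG_DOMAINS = {"example-corp.com"}

# Constructed sample sign-ups: (email, display name).
USERS = [
    ("alice@example-corp.com", "Alice"),
    ("bob@example-corp.com", "Bob"),
    ("carol@gmail.com", "Carol"),
    ("dave@xs4all.nl", "Dave"),       # private ISP mailbox
    ("Erik@XS4ALL.nl", "Erik"),       # stranger to Dave, same ISP
    ("femke@quicknet.nl", "Femke"),   # alone on her ISP domain
]


def domain_of(email: str) -> str:
    """Domain part of an address, lower-cased so Erik@XS4ALL.nl and
    dave@xs4all.nl land in the same bucket."""
    return email.rsplit("@", 1)[-1].lower()


def group_denylist(users):
    """Fail-open rule: any domain not on the public deny-list is a company."""
    dirs = defaultdict(list)
    for email, name in users:
        dom = domain_of(email)
        if dom not in PUBLIC_DOMAINS:
            dirs[dom].append(name)
    return dict(dirs)


def group_allowlist(users):
    """Fail-closed rule: only domains an organisation has verified are grouped."""
    dirs = defaultdict(list)
    for email, name in users:
        dom = domain_of(email)
        if dom in VERIFIED_ORG_DOMAINS:
            dirs[dom].append(name)
    return dict(dirs)


def strangers_visible_to(grouping, email):
    """Directory entries the holder of `email` would see, excluding their own."""
    own = dict(USERS)[email]
    return [n for n in grouping.get(domain_of(email), []) if n != own]


if __name__ == "__main__":
    for label, grouping in (("deny-list", group_denylist(USERS)),
                            ("allow-list", group_allowlist(USERS))):
        print(f"{label}: {grouping}")
        print(f"  dave@xs4all.nl sees: {strangers_visible_to(grouping, 'dave@xs4all.nl')}")
```

Under the deny-list rule Dave's directory contains Erik, a stranger who merely shares an ISP; under the allow-list rule it is empty, and only the verified example-corp.com users see each other. Maintaining the deny-list "proactively", as the spokesperson describes, only shrinks the window; the design choice that closes it is treating unknown domains as personal by default.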
With its skyrocketing adoption, Zoom has also come under the scanner for vague and ambiguous policies and for features that do not align with privacy principles. It recently removed the Facebook SDK from its iOS app after the SDK was found sharing data about users with the social media platform. Zoom has also admitted that video meetings on the platform are not end-to-end encrypted.