Zoom is worth almost $38 billion as video calls explode, but experts worry about its security and privacy

• Zoom is enjoying a record performance as coronavirus forces millions of workers around the world to switch to videoconferencing.
• On Monday, the firm's stock price climbed 22%. The firm is currently worth around $37 billion.
• But cybersecurity experts told Business Insider the firm had questions to answer over past security issues, questionable in-app features, and the way it handles user data.
• Zoom insisted it does not sell user data 'of any kind to anyone' - but does share information with third-party partners such as Google.
• Click here for more BI Prime stories.

Video call firm Zoom is enjoying record performance as the coronavirus pandemic forces millions of people around the world to work from home.

The company went public in April 2018 and, on Monday, the firm's stock price surged 22% to $159.07 per share, a new intraday high. Zoom's stock has skyrocketed more than 100% since January 31.

Zoom hasn't revealed yet how many new users it has added but indicated in an investor filing on Friday that soaring usage will drive up its infrastructure costs.

Complimentary Tech Event

Transform talent with learning that works

Capability development is critical for businesses who want to push the envelope of innovation.Discover how business leaders are strategizing around building talent capabilities and empowering employee transformation.Know More

Over the past few weeks, the company has started scrapping the 40-minute limit on conference calls and making itself free for schools forced to shut their doors in the US, the Middle East, and Europe.

But as Zoom extends its reach into hundreds of thousands of home offices and schools throughout the world, experts have raised concerns about its security and data protection policies.

Speaking to Business Insider, a number of cybersecurity insiders highlighted an in-app feature that lets Zoom hosts track users' engagement, the ease with which files could be incorrectly shared, and a lack of clarity over the firm's privacy policy.

Attackers will target Zoom as it grows in popularity

In January, cybersecurity firm Check Point Research discovered a flaw within Zoom that would have allowed hackers to listen in on videoconferences uninvited, potentially gaining access to internal files and other sensitive information.

Tom Lysemose Hansen, chief technology officer at in-app security firm Promon, told Business Insider that Zoom's vulnerabilities "became clear" after this incident.

He said: "As with any type of software, videoconference platforms are vulnerable to hacking and, unfortunately, as more and more people begin to make use of this technology, attackers will start to target them with increasing frequency."

Zoom told Business Insider the issues pointed out by Check Point had been resolved before they were made public, adding that it had updated a number of features (such as Meeting ID Validation and a Device Blocker) which will "limit the effectiveness of malicious tools."

One Zoom feature would potentially let employers monitor if you're paying attention

But Hansen also criticized Zoom's use of an in-app "employee tracker", which allows hosts to monitor whether other users have kept the application at the front of your screen for the last 30 seconds.

Camilla Winlo, director of privacy consultancy DQM GRC, agreed, telling Business Insider this information was "open to misinterpretation" by bosses.

"It doesn't differentiate between someone opening a document to take notes or playing Solitaire," she said.

"Organizations should be providing detailed training on how and when these kinds of features should and should not be used but, frankly, most just want to get remote-working up and running right now."

Zoom told Business Insider this feature is switched off by default, can be turned on by a host, and is only available if a call host is sharing their screen.

"The feature allows the meeting host to see an indicator if a participant does not have the Zoom app in focus for 30 seconds only when the host is sharing their screen," a spokesman said.

"If the host does not share their screen, then no indication is given to them regarding whether participants have the Zoom app in focus. It does not track any aspects of the audio or video content of a call."

More recently, "Zoombombing" has become more of an issue, in which trolls hop into videoconferences made publicly available and share indecent images or other spam. Chipotle and other organizations have been hit by such trolls.

In response to the problem, Zoom issued new guidance explaining how hosts can prevent unknown incomers from sharing unwanted material.

As it grows in popularity, the company faces calls for transparency on the way it handles user data.

In an open letter published by digital rights group Access Now last week, activists called on Zoom to publish a "transparency report", like those shared by Google and Microsoft, to clarify how it handles user data and its stance on freedom of expression.

A spokesman for Zoom told Business Insider the company "does not sell user data of any kind to anyone".

"Like most software companies, we use third-party advertising service providers (like Google) for marketing purposes: to deliver tailored ads to users about products they may find interesting.

"If you do not want to receive targeted ads about Zoom, simply click the "Cookie Preferences" link at the bottom of any page on the Zoom site and adjust the slider to 'Required Cookies'.

"Zoom only collects user data to the extent it is absolutely necessary to provide technical and operational support, and to improve our services. Zoom must collect technical information like users' IP addresses, OS details and device details in order for our service to function properly.

"[We take] users' privacy seriously, and we stand by our commitment to protect the privacy of our users' data."

The firm said it had received Access Now's open letter and was "in the process of reviewing it".