Zoom (software)

Zoom is a videotelephony software program developed by Zoom Video Communications. The free version provides a video chatting service that allows up to 100 devices at once, with a 40-minute time restriction for free accounts having meetings of three or more participants. Users have the option to upgrade by subscribing to one of its plans, with the highest allowing up to 1,000 people concurrently, with no time restriction.

During the COVID-19 pandemic, there was a major increase in the use of Zoom and similar products for remote work, distance education, and online social relations.

History
A beta version of Zoom, which could host conferences with up to 15 video participants, was launched on September 10, 2012. On January 25, 2013, version 1.0 of the program was released with an increase in the number of participants per conference to 25. By the end of its first month, Zoom had 400,000 users, which rose to 1 million by May 2013. After the start of the COVID-19 pandemic, by February 2020, Zoom had gained 2.22 million users in 2020 – more users than it amassed in the entirety of 2019 with the company's share spiking by 35 per cent. On one day in March 2020, the Zoom app was downloaded 2.13 million times. In April 2020, Zoom had more than 300 million daily meeting participants. On August 24, 2020, Zoom experienced widespread outages for several hours before service was restored.

Zoom was only using WebSocket technology for video calls but switched to WebRTC (without STUN / TURN servers) if it is available. The video is displayed using the HTML5 canvas element instead of the HTML5 video element.

Features
Zoom is compatible with Windows, macOS, iOS, Android, Chrome OS, and Linux. It is noted for its simple interface and usability regardless of technological expertise. Features include one-on-one meetings, group video conferences, screen sharing, plugins, browser extensions, and the ability to record meetings and have them automatically transcribed. On some computers and operating systems, users are able to select a virtual background, which can be downloaded from different sites, to use as a backdrop behind themselves.

Use of the platform is free for video conferences of up to 100 participants at once, with a 40-minute time limit if there are more than two participants. For longer or larger conferences with more features, paid subscriptions are available, costing $15–20 per month. Features geared towards business conferences, such as Zoom Rooms, are available for $50–100 per month. Up to 49 people can be seen on a screen at once. Zoom has several tiers: Basic, Pro, Business, and Enterprise. Participants do not have to download the app if they are using Google Chrome or Firefox; they can click on a link and join from the browser. Zoom is not compatible with Safari for Macs.

Zoom security features include password-protected meetings, user authentication, waiting rooms, locked meetings, disabling participant screen sharing, randomly generated IDs, and the ability for the host to remove disruptive attendees. As of June 2020, Zoom began offering end-to-end encryption to business and enterprise users, with AES 256 GCM encryption enabled for all users. In October 2020, Zoom added end-to-end encryption for free and paid users. It's available on all platforms, except for the official Zoom web client.

Zoom also offers a transcription service using Otter.ai software that allows businesses to store transcriptions of the Zoom meetings online and search them, including separating and labeling different speakers.

As of July 2020, Zoom Rooms and Zoom Phone also became available as hardware as a service products. Zoom Phone is available for domestic telephone service in 40 countries as of August 2020. Zoom for Home, a category of products designed for home use, became available in August 2020.

In September 2020, Zoom added new accessibility features to make the app easier to use for individuals who are deaf, hard of hearing, or visually impaired. New features include the ability to move around video windows in gallery view; to pin video windows to be spotlighted; improved keyboard shortcuts; new tools to adjust the size of closed captioning text; and sign language interpreters' windows can now sit directly next to the speaker.

In October 2020 at Zoomtopia, Zoom's annual user conference, the company unveiled OnZoom, a virtual event marketplace with an integrated payment system where users can host and promote free or paid live events. With OnZoom, users will be able to schedule and host one-time events or event series for up to 1,000 attendees, and sell tickets online. The company also announced Zoom Apps, a feature integrating third-party apps so they can be used within the Zoom interface during meetings. The first such apps will be available around the end of 2020, from companies including Slack, Salesforce, and Dropbox. In October 2020, Zoom gave its users better security with an upgrade to end-to-end encryption for its online meetings network.

Usage
Zoom has been used by banks, universities, and government agencies around the world, by the UK Parliament, by healthcare professionals for telemedicine, barbershops, and ceremonies such as birthday parties, funeral services, and Bar and Bat Mitzvah services. Zoom formed a partnership with Formula One to create a virtual club where fans can go behind the scenes and take part in virtual activities through Zoom, beginning with the Hungarian Grand Prix on July 19, 2020. An article published in July 2020 in the San Francisco Chronicle noted a new real estate trend in San Francisco and Oakland where some listings include "Zoom rooms" with backdrops for Zoom calls.

Richard Nelson's play What Do We Need to Talk About? takes place on Zoom, with its main characters congregating online during the coronavirus pandemic using Zoom. Written and directed by Nelson, it was commissioned by The Public Theater and premiered on YouTube on April 29, 2020, as a benefit performance. The New Yorker called it "the first great original play of quarantine". Oprah's Your Life in Focus: A Vision Forward was a live virtual experience hosted by Oprah Winfrey on Zoom from May 16 through June 6, 2020. In Source Material's play In These Uncertain Times, directed by Samantha Shay, characters communicate on Zoom. The play premiered on Zoom on July 25, 2020. In the 2020 British found-footage Zoom-based horror film Host, directed by Rob Savage, a group of young people have a remote séance in which they try contacting spirits over Zoom. It premiered on Shudder in July 2020. A live reading of Kristoffer Diaz's 2009 play The Elaborate Entrance of Chad Deity over Zoom streamed on Play-PerView from August 15–20, 2020.

On July 3-4, using Zoom Webinar, the International Association of Constitutional Law and Alma Mater Europaea organized the first "round-the-clock and round-the-globe" event that traveled through time zones, featuring 52 speakers from 28 countries. Soon after, a format of conferences which "virtually travel the globe with the sun from East to West", became common, some of them running for several days.

On September 17, 2020, a live table read of the script for the 1982 film Fast Times at Ridgemont High was hosted by Dane Cook, with performers including Brad Pitt, Jennifer Aniston, Julia Roberts, original cast member Sean Penn, Matthew McConaughey, Shia LaBeouf, Morgan Freeman (who served as the narrator), Jimmy Kimmel, Ray Liotta, and John Legend, to raise money for the charity CORE. The broadcast of the 72nd Primetime Emmy Awards on September 20, 2020, hosted by Jimmy Kimmel, featured nominees participating through Zoom. On an alternate music video for the 2020 single "Ice Cream" by Blackpink featuring Selena Gomez, the artists appeared via Zoom from their homes. The series Zoom Where It Happens, airing on Zoom as a partnership between Zoom and Black female artists, launched in September 2020 with a virtual table read of an episode of The Golden Girls, reimagined with an all-Black cast. The second episode featured an all-Black cast in a table read of an episode of Friends, hosted by Gabrielle Union and featuring Sterling K. Brown and Uzo Aduba.

Reception
Zoom has been criticized for "security lapses and poor design choices" that have resulted in heightened scrutiny of its software. Many of Zoom's issues "surround deliberate features designed to reduce friction in meetings," which Citizen Lab found to "also, by design, reduce privacy or security." In March 2020, New York State Attorney General Letitia James launched an inquiry into Zoom's privacy and security practices, the inquiry was closed on May 7, 2020, with Zoom not admitting wrongdoing, but agreeing to take added security measures. In April 2020, CEO Yuan apologized for the security issues, stating that some of the issues were a result of Zoom's having been designed for "large institutions with full IT support," he noted that in December 2019, Zoom had a maximum of 10 million daily users, and in March 2020 the software had more than 200 million daily users, bringing the company increased challenges. Zoom agreed to focus on data privacy and issue a transparency report. In April 2020, the company released Zoom version 5.0, which addressed a number of the security and privacy concerns. It includes passwords by default, improved encryption, and a new security icon for meetings. In September 2020, Zoom added support for two-factor authentication to its desktop and mobile apps; the security feature was previously Web-only.

As of April 2020, businesses, schools, and government entities who have restricted or prohibited the use of Zoom on their networks include Google, Siemens, the Australian Defence Force, the German Ministry of Foreign Affairs, the Indian Ministry of Home Affairs, SpaceX, and the New York City Department of Education. In May 2020, the New York City Department of Education lifted their ban on Zoom after the company addressed security and privacy concerns.

By September 2020, Zoom had 370,200 institutional customers with more than 10 employees, up about 458 percent from the same quarter to the year before. The company's revenue rose 355 percent to $663.5 million, topping analysts' average estimate of $500.5 million. They were able to raise their annual revenue forecast by more than 30 percent after many of their free users converted to paid subscriptions.

Privacy
Zoom has been criticized for its privacy and corporate data sharing policies, as well as enabling video hosts to potentially violate the privacy of those participating in their calls. There may also be issues with unauthorized surveillance of students and possible violations of students’ rights under the Family Educational Rights and Privacy Act (FERPA). According to the company, the video services are FERPA-compliant, and it collects and stores user data only for tech support.

In March 2020, a Motherboard article found that the company's iOS app was sending device analytics data to Facebook on startup, regardless of whether a Facebook account was being used with the service, and without disclosing it to the user. Zoom responded that it had recently been made aware of the issue, and had patched the app to remove the SDK after learning that it was collecting unnecessary device data. The company stated that the SDK was collecting information on the user's device specifications (such as model names and operating system versions) only in order to optimize its service and that it was not collecting personal information. In the same month, Zoom was sued by a user in U.S. Federal Court for illegally and secretly disclosing personal data to third parties including Facebook. Zoom responded that it "has never sold user data in the past and has no intention of selling users' data going forward."

In April 2020, a Zoom data-mining feature was found that automatically sent user names and email addresses to LinkedIn, allowing some participants to surreptitiously access LinkedIn profile data about other users. The companies disabled their integration. In May 2020, the Federal Trade Commission announced that it was looking into Zoom's privacy practices. The FTC alleged in a complaint that since at least 2016, "Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, did not provide advertised end-to-end encryption, falsely claimed HIPAA compliance, installed the ZoomOpener webserver without adequate consent, did not uninstall the web server after uninstalling the Zoom App, and secured its Zoom Meetings with a lower level of encryption than promised." On November 9, 2020, a settlement was reached, requiring the company to stop misrepresenting security features, create an information security program, obtain biannual assessments by a third party, and implement additional security measures.

Security
In November 2018, a security vulnerability was discovered that allowed a remote unauthenticated attacker to spoof UDP messages that allowed the attacker to remove attendees from meetings, spoof messages from users, or hijack shared screens. The company released fixes shortly after the vulnerability was discovered.

In July 2019, security researcher Jonathan Leitschuh disclosed a zero-day vulnerability allowing any website to force a macOS user to join a Zoom call, with their video camera activated, without the user's permission. Attempts to uninstall the Zoom client on macOS would prompt the software to re-install automatically in the background, using a hidden web server that was set up on the machine during the first installation and remained active even after attempting to remove the client. After receiving public criticism, Zoom removed the vulnerability and the hidden webserver, allowing complete uninstallation.

In April 2020, security researchers found vulnerabilities where Windows users' credentials could be exposed. Another vulnerability allowing unprompted access to cameras and microphones was made public. Zoom issued a fix in April 2020. In the same month, "Zoombombing," when an unwanted participant joins a meeting to cause disruption, prompted a warning from the Federal Bureau of Investigation. Motherboard reported that there were two Zoom zero-days for macOS and Windows respectively, selling for $500,000, on April 15, 2020. Security bug brokers were selling access to Zoom security flaws that could allow remote access into users' computers. Hackers also put up over 500,000 Zoom user names and passwords for sale on the dark web. In response to the multitude of security and privacy issues found, Zoom began a comprehensive security plan, which included consulting with Luta Security, Trail of Bits, former Facebook CSO Alex Stamos, former Google global lead of privacy technology Lea Kissner, BishopFox, the NCC Group, and Johns Hopkins University cryptographer Matthew D. Green. On April 20, 2020, the New York Times reported that Dropbox engineers had traced Zoom's security vulnerabilities back over two years, pushing Zoom to address such issues more quickly, and paying top hackers to find problems with Zoom's software. In the same article, the New York Times noted that security researchers have praised Zoom for improving its response times, and for quickly patching recent bugs and removing features that could have privacy risks. In April 2020, Zoom made many of its security settings default settings, and advised users on ways to mitigate Zoombombing. In a blog post on April 1, 2020, Yuan announced a 90-day freeze on releasing new features, to focus on fixing privacy and security issues within the platform. The company created a new "report a user to Zoom" button, intended to catch those behind Zoombombing attacks. On July 1, 2020, at the end of the freeze, the company stated it had released 100 new safety features over the 90-day period. Those efforts include end-to-end encryption for all users, turning on meeting passwords by default, giving users the ability to choose which data centers calls are routed from, consulting with security experts, forming a CISO council, an improved bug bounty program, and working with third parties to help test security. Yuan also stated that Zoom would be sharing a transparency report later in 2020.

On 16 November 2020, Zoom announced a new security feature to combat disruptions during a session. The new feature was said to be a default for all free and paid users and made available on the Zoom clients for Mac, PC, and Linux, as well as Zoom mobile apps. There are also new security enhancements: (1) Suspend Participant Activities and (2) Report by Participants, where the former allows hosts and co-hosts to now have the option to temporarily pause their meeting and remove a disruptive participant, and the latter which allows participants to also report a disruptive participant. Both of these new features are available on the Zoom desktop clients for Mac, PC, and Linux, and our mobile apps, with support for the web client and VDI to come later this year in 2020.

Encryption practices
Zoom encrypts its public data streams, using TLS 1.2 with AES-256 (Advanced Encryption Standard) to protect signaling, and AES-128 to protect streaming media.

Security researchers and reporters have criticized the company for its lack of transparency and poor encryption practices. Zoom initially claimed to use "end-to-end encryption" in its marketing materials, but later clarified it meant "from Zoom end point to Zoom end point" (meaning effectively between Zoom servers and Zoom clients), which The Intercept described as misleading and "dishonest." Alex Stamos, a Zoom advisor who was formerly security chief at Facebook, noted that a lack of end-to-end encryption is common in such products, as it is also true of Google Hangouts, Microsoft Teams, and Cisco Webex. On May 7, 2020, Zoom announced that it had acquired Keybase, a company specializing in end-to-end encryption, as part of an effort to strengthen its security practices moving forward. Later that month, Zoom published a document for peer review, detailing its plans to ultimately bring end-to-end encryption to the software.

In April 2020, Citizen Lab researchers discovered that a single, server-generated AES-128 key is being shared between all participants in ECB mode, which is deprecated due to its pattern-preserving characteristics of the ciphertext. During test calls between participants in Canada and United States, the key was provisioned from servers located in mainland China where they are subject to the China Internet Security Law.

On June 3, 2020, Zoom announced that users on their free tier will not have access to end-to-end encryption so that they could cooperate with the FBI and law enforcement. Later, they said that they do not "proactively monitor meeting content". On June 17, 2020, the company reversed course and announced that free users would have access to end-to-end encryption after all.

On September 7, 2020, cryptography researcher Nadim Kobeissi accused Zoom's security team of failing to credit his open-source protocol analysis research software, Verifpal, with being instrumental during the design phase of Zoom's new encryption protocol, as described in their whitepaper published in June 2020. Kobeissi published a week's worth of conversations with Zoom's security leadership in support of his claim, including Max Krohn, which included eight Verifpal models that Zoom's team asked for feedback on, promises of a citation to credit Kobeissi for his contributions and an admission that the Verifpal citation was pulled from the whitepaper at the last moment for unspecified reasons. Kobeissi also linked to a tweet by Zoom security consultant Lea Kissner which he described as a public character assassination attempt issued in response to his repeated requests to have his work cited in the research paper published by Zoom.

Data routing
Zoom admitted that some calls in early April 2020 and prior were mistakenly routed through servers in mainland China, prompting governments and businesses to cease their usage of Zoom. The company later announced that data of free users outside of China would "never be routed through China" and that paid subscribers will be able to customize which data center regions they want to use. The company has data centers in Europe, Asia, North America, and Latin America.

Censorship
An April 2020 Citizen Lab report warned that having much of Zoom's research and development in China could "open up Zoom to pressure from Chinese authorities." Lee Cheuk Yan's (Chairman of Hong Kong Labour Party) account was also closed in early May 2020, and human rights activist Zhou Fengsuo's was closed in June after he held an event discussing the 1989 Tiananmen Square protests. In June 2020, Zoom acknowledged that it had terminated two accounts belonging to U.S. users and one of a user from Hong Kong connected to meetings discussing 1989 Tiananmen Square protests, the accounts were later re-opened, with the company stating that in the future it "will have a new process for handling similar situations." Zoom also announced upcoming technology that could prevent participants from specific countries from joining calls that were deemed illegal in those areas.