Zoom is under scrutiny once again, this time for leaking the personal information of users such as their email address, photos, and giving strangers the option to start a video call with them, according to a report on Vice. This comes even as a lawsuit has been filed against Zoom for sharing data with third-parties such as Facebook without user permission.
It was also revealed in a report by The Intercept, that Zoom calls are not really end-to-end encrypted as claimed by the company. Zoom has conceded to this, admitting that video calls are not end-to-end encrypted at least in the way it is commonly understood.
In the latest privacy leak, Vice reports that Zoom’s ‘Company Directory’ setting is to blame, because it automatically “adds other people to a user’s lists of contacts if they signed up with an email address that shares the same domain.” Users have also complained that even when they signed up with personal email addresses, Zoom was pooling them with other people if they worked in the same company.
According to Zoom’s support page, the contacts directory “contains internal users in the same organisation, who are either on the same account or who’s email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section.” Zoom says that owners of Pro accounts or higher can turn off this setting in the settings.
However as some users pointed out on Twitter, they were able to see over 1000 names and email addresses, including pictures of people in the company directory, even when they registered with their private email.
@zoom_us I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional? #GDPR pic.twitter.com/bw5xZIGtSE
— Jeroen J.V Lebon (@JJVLebon) March 23, 2020Subscriber Only Stories
In response to the report, Zoom has said that, “maintains a blacklist of domains and regularly proactively identifies domains to be added, ” and that the specific domains highlighted in the report would be blacklisted. They also said that users can request other domains to be removed from the Company Directory feature.