Thousands of Zoom video calls exposed on open web

Thousands of personal Zoom videos have been left viewable on the open web, highlighting the privacy risks to millions of Americans as they shift many of their personal interactions to video calls in an age of social distancing.

Many of the videos appear to have been recorded through Zoom's software and saved onto online storage space without a password. But because Zoom names every video recording in an identical way, a simple online search can reveal a long stream of videos that anyone can download and watch.

Zoom videos are not recorded by default, though call hosts can choose to save them to Zoom servers or their own computers. There's no indication that livestreamed videos or videos saved onto Zoom's servers are publicly visible.

But many participants in Zoom calls may be surprised to find their faces, voices and personal information exposed because a call host can record a large group call without participants' knowledge or consent. The Washington Post is not revealing the naming convention that Zoom uses, and Zoom was alerted to the issue before this story was published.

The discovery that the videos are available on the open Web adds to a string of Zoom privacy concerns that have come to public attention as the service became the preferred alternative for American work, school and social life.

The company reached more than 200 million daily users last month, up from 10 million in December, as people turned on their cameras for Zoom weddings, funerals and happy hours at a time when face-to-face gatherings are discouraged or banned.

Zoom said in a statement that it 'provides a safe and secure way for hosts to store recordings” and provides guides for how users can enhance their call security.

'Should hosts later choose to upload their meeting recordings anywhere else, we urge them to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants' reasonable expectations,” the statement said.

Videos viewed by the Washington Post included one-on-one therapy sessions; a training orientation for workers doing telehealth calls, which included people's names and phone numbers; small-business meetings, which included private company financial statements; and elementary-school classes, in which children's faces, voices and personal details were exposed.

Many of the videos include personally identifiable information and deeply intimate conversations, recorded in people's homes. Other videos include nudity, such as one in which an aesthetician teaches students how to give a Brazilian wax.

Five people identified in the videos and interviewed by the Post said they had no idea how the footage made its way online.

'That definitely shouldn't be happening,” said Jack Crann, the owner of the Connecticut dog-training company Peace of Mind Canine, after a Post reporter alerted him to a video that included private financial details. 'That was a meeting for us, and shouldn't be put out for the public.”

Patrick Jackson, the technology chief of the privacy-software company Disconnect and a former researcher for the National Security Agency researcher, who alerted the Post to the exposed data, said Zoom could do a better job at cautioning people to protect their videos.

Zoom also could help by implementing design tweaks, such as naming videos in an unpredictable way to make them harder to find.

Jackson found the videos by using a free online search engine that scans through open cloud storage space online. One search for recordings, using Zoom's default naming convention, revealed more than 15,000 results.

'This was stuff I didn't feel good watching, and I doubt all of the people here know these videos are public,” he said.

The problem is not exclusive to Zoom video or Amazon.com storage. But in designing their service, Zoom's engineers bypassed some common security features of other video-chat programs, such as requiring people to use a unique file name before saving their own clips.

That style of operating simplicity has powered Zoom to become the most popular video-chat application in the United States, but it has also frustrated some security researchers who believe such shortcuts can leave users more vulnerable to hacks or abuse.