We all know about the security and privacy issues that Zoom and other videoconferencing providers wrestled with at the start of the COVID-19 pandemic and how those companies addressed those issues since then.
However, a new study from Ben-Gurion University suggests that a combination of image processing, text recognition and forensics allowed them to cross reference Zoom data with social network data.
According to Venture Beat, the study explores the privacy issues at play when attending a Zoom meeting using social media.
The researchers first curated an image data set containing screenshots from thousands of meetings by using Twitter and Instagram web scrapers, which they configured to look for terms and hashtags like “Zoom school” and “#zoom-meeting.” They filtered out duplicates and posts lacking images before training and using an algorithm to identify Zoom collages, leaving them with 15,706 screenshots of meetings.
The researchers next performed an analysis of each Zoom screenshot beginning with facial detection. Using a combination of open source pretrained models and Microsoft’s Azure Face API, they say they were able to spot faces in images with 80% accuracy; detect gender; and estimate age (e.g., “child,” “adolescent,” and “older adult”). Moreover, they claim a freely available text recognition library allowed them to extract 63.4% of usernames from the screenshots correctly.
Cross-referencing 85,000 names and over 140,000 faces yielded 1,153 people that likely appeared in more than one meeting, as well as networks of Zoom users where all the participants were coworkers. According to the researchers, this illustrates that not only individuals’ privacy is at risk from data exposed on video conference meetings, but also the privacy and security of organizations.
The researchers say this method allows a cybercriminal to perform a linkage attack on specific targets, thus jeopardizing an individual’s privacy by using different meetings to discover different types of connections.
According to the researchers, companies that use Zoom should take additional steps to secure their privacy, like:
- Choose generic pseudo-names and backgrounds,
- Inform employees of the privacy risks
- Require Zoom and other providers to add privacy modes that prevent facial recognition.