Keeping in touch has never been so important, and suddenly we’re all using a range of videoconferencing apps to celebrate birthdays, keep up with our book clubs and talk to our loved ones.
Many have started using Zoom and Houseparty, two apps that have been around for a while, but which have jumped to prominence over the past couple of weeks. However, security concerns have come up about both apps – so are they safe to use?
Read all the latest news and advice on the Which? coronavirus hub.
Video: Find out more about security on HouseParty and Zoom
We run through the essentials on how to configure these new video calling apps, and what to watch out for.
Is it safe to use Houseparty?
Houseparty attracted all the wrong attention earlier in the week when messages began circulating on social media claiming that it had hacked users’ Spotify and Deliveroo accounts, and even their bank accounts.
Houseparty, which is owned by Epic, the games company behind Fortnite, moved quickly to dispute the allegations, claiming that it was ‘a paid commercial smear campaign’ and offered a $1m bounty for anyone who could provide evidence of the ‘smear’.
It’s unlikely that Houseparty is being used to hack other accounts. First, there doesn’t seem to be a mechanism by which this could happen unless it had some malware buried in the code to steal passwords.
While nobody, as far as we know, has reverse-engineered the code to find out definitively, Epic is a reputable company with a huge community to protect: it says that 78 million people were playing Fortnite in August 2018, and it’s extremely unlikely it would have put out an app under its brand without having checked through the code for malware itself.
We evaluated all the leading bank apps in the December issue of Which? Money and while none were perfect, they were generally very secure. It would be very difficult for a mobile app to bypass its security to steal money from your accounts. Nationwide, for example, won’t allow the setting up of a transfer in its app without using a card reader.
Houseparty hacking concerns
One feature of Houseparty could also fuel the concern that it’s being used for hacking. It’s more difficult than it should be to delete your account: you can only do this in the iOS app and you have to enter your password to complete the process.
We saw people complaining that it wouldn’t accept correct passwords, leading to fears that that was a mechanism by which the app could be stealing passwords as users cycled through trying other passwords.
We managed to delete our account on the first attempt, but we noticed two things. First, you can’t paste a password from a password manager into the field it throws up – you have to type it in. Second, it doesn’t show you the password as you type it. That makes it very easy to get your password wrong as you’re typing it in.
Houseparty privacy concerns
While there’s no concrete evidence that Houseparty is malicious, privacy is a trickier issue. Privacy researchers have raised concerns around its adherence to user data protection under GDPR, ignoring users’ opt-outs to track how they use the app – for example, by securing free access to any content you generate in the app. Your video chats aren’t encrypted, and Houseparty’s privacy terms make it clear that it can grab anything from your chats to use for marketing or advertising.
Should you continue to use the app? That’s up to you, but we think there are better choices.
Find your video is a bit choppy on a call, or generally experiencing slow broadband or wi-fi? Read our guide on five things you can do to speed up and fix your broadband.
Is it safe to use Zoom?
What about Zoom, which has also come in for criticism recently? Does the fact that prime minister Boris Johnson hosted a Cabinet meeting via the app mean it’s safe to use?
There certainly seem to be less credible concerns around Zoom than Houseparty, but it’s fallen foul of privacy experts in a couple of ways.
Zoom encryption under fire
However, security researchers also flagged up that despite claiming to use end-to-end encryption for video chats, it wasn’t doing so. End-to-end encryption means that the content is scrambled as it leaves your device and is unscrambled by the receiving device: no one else can see it, even the provider of the service.
What Zoom appears to be doing is using transport encryption: the content is scrambled as it travels between your phone or laptop and Zoom’s servers, but isn’t encrypted at Zoom’s end. This is the same as ‘https’ in a browser and it means that what you’re doing can’t be intercepted by someone on the same wi-fi network as you, but that the information arrives on the server in the clear. That means that Zoom can see your meetings recorded on their servers if they want to.
Zoom confirmed that, saying ‘currently, it’s not possible to enable E2E encryption for Zoom video meetings’.
Zoom on Apple Macs
Finally, there was concern about the way Zoom installs itself on a Mac. Researchers found that in an attempt to make it as easy as possible for the user and cut down on clicks, it uses a ‘helper’ that some researchers claim abuses the tool in a way consistent with some malware.
This was actually acknowledged by Zoom and Eric Yuan confirmed on Twitter, saying: ‘Your point is well taken and we will continue to improve.’
So is it safe to use? Zoom has cut some corners that have been exposed thanks to the scrutiny of experts that followed its explosive growth as the pandemic has unfolded. But although there are always concerns about how any app is using your data, it’s not malicious, and it’s aware of and has responded to those concerns.
All apps throw up issues with privacy, some more than others. Deciding whether or not to use any app is a balancing act between how useful it is to you and how comfortable you are with what it’s doing under the hood.
How to keep your Zoom meetings safe
While many will be using the app, the advanced settings you need to check for Zoom are found via a web browser. Go to zoom.us/profile/setting to see these and make the adjustments suggested below.
- Passwords Always make sure your meetings are protected by a password – check that ‘Require a password when scheduling new meetings’ is on. When you set up a meeting, share the password only with the participants, ideally via a secure channel such as WhatsApp. Never share meeting passwords online.
- Private meetings Don’t announce your meetings online, even if you want lots of people to join. Send meeting invites to participants via email or WhatsApp.
- Waiting room Turn on the waiting room setting. This means you can see who is waiting to join and add them when you’re ready. It stops people who might have found your meeting ID online crashing into it.
- Screen sharing Unless you need other participants to be able to share their screens with the group, turn this to ‘Host only’. You can adjust that for the meeting if necessary.
- Rejoining a meeting Make sure the ‘Allow removed participants to rejoin’ toggle is off: people have crashed meetings and then immediately jumped back into them when the host has removed them.
- Keep up to date Zoom has pledged to address the problems found by security researchers, so make sure your version of the app is up to date so that you have the latest safety patches and features.
Concerned about using Zoom or Houseparty? There are plenty of established alternatives – Skype, WhatsApp and FaceTime, to name a few. If you’re not used to making video calls, read our guide on how to make a video call on your computer or smartphone.