How researchers used AI to expose Zoom’s privacy holes

Ben-Gurion University researchers use AI techniques to shine a light on Zoom privacy risks

New research has revealed how AI can easily extract the personal information of video conference participants using screenshots uploaded to social media.

Researchers from Ben-Gurion University in Israel used image processing, text recognition tools and social network analysis to process a scraped image dataset of video meetings, which included 15,700 college images and over 140,000 face images of meeting participants.

By applying these AI techniques to the dataset, the researchers were able to extract participants’ ages, genders, usernames and sometimes even full names. This data was then appended by social network data to associate users with their social media profiles.

“This type of extracted data can vastly and easily jeopardize people’s security and privacy both in the online and real-world, affecting not only adults but also more vulnerable segments of society, such as young children and older adults,” the researchers wrote.

Zooming into threats

As society rapidly adopted conferencing tools such as Microsoft Teams, Zoom and Google Meets to navigate Covid-19 restrictions, many users subsequently uploaded screenshots of meetings on social media.

Ben-Gurion researchers sought to investigate how this willingly-published content could be exploited by hackers intent on seizing personal data. Not to mention a malicious participant who could scrape the information from the inside.

They amassed a data set by using online web-crawlers to collect data from Twitter and Instagram, setting the programs to search for tweets or hashtags that matched target terms like Zoom school or #zoommeeting.

This produced a dataset of 179,700 posts which was then analysed by an image classifier to determine whether the posts contained a Zoom video meeting collage of participants. This process resulted in a dataset consisting of 16,133 Zoom collage images which were then validated for duplicates.

Using this stockpile of collage photos, the researchers then set about extracting information about the participants using a variety of AI techniques.

Two facial recognition models were used to detect faces in the collages, face embedding models were used to identify facial features, and models were also deployed to detect the age, gender and usernames of participants.

“From those Zoom collages, using face recognition algorithms, we were able to extract a dataset of over 140,000 faces and over 85,000 distinct usernames, the researchers wrote.

“The faces and usernames collected in this type of process can be used to construct a facial image dataset, which contains personal details about meeting participants, including facial characteristics, age, gender, usernames, and sometimes even full names,” they added.

To avoid exposure to video conferencing-related privacy and security risks, the researchers advise users to avoid video streaming wherever possible, never upload meeting screenshots to social media and use generic usernames when a meeting cannot be missed. They also suggest the use of anti-facial recognition accessories and virtual backgrounds.

“We must be sensitive to online privacy issues that accompany changes in our lifestyle as society is pushed towards a more virtual world,” they concluded.