The data privacy issues and security vulnerabilities of Zoom’s video communications platform have been a hot topic of late, covered by numerous media outlets and in our recent Password Protected post. Due in part to the COVID-19 pandemic and the resulting “stay-at-home” orders, as well as Zoom’s user-friendly set up and the ability for large numbers of people to join a meeting for free, Zoom use has grown exponentially, from 10 million daily meeting participants pre-pandemic to over 300 million daily meeting participants in April 2020. In an April 23, 2020 executive letter, Zoom touted use of its platform by over 100,000 schools and universities, U.S. and foreign governments, and numerous companies, including many Fortune 500 companies, located in over 226 countries and territories around the world.
Zoom’s rapid adoption rate and increased popularity have led to the discovery, exposure and magnification of a number of security risks associated with the platform, as well as certain alleged misleading privacy practices. In March and April, many meetings experienced “Zoom-bombing,” where uninvited individuals intruded, disrupted and/or hijacked videoconferences, sometimes exposing meeting participants to illegal, immoral and/or discriminatory content. Other data privacy and security issues alleged over the past few months include:
- platform vulnerabilities that could allow malicious actors to covertly install malware and make unauthorized recordings;
- hackers posting more than 500,000 Zoom account credentials for sale on the dark web;
- the ability of third parties to access and view meeting recordings saved to Zoom’s cloud servers that were not password protected;
- the lack of the “end-to-end” encryption Zoom advertised (meeting traffic was encrypted in transit to Zoom’s servers, but Zoom held the keys and could decrypt it);
- the sharing of users’ personally identifiable information (“PII”) for targeted advertising without proper notice; and
More recently, ABC News disclosed that a report issued by the Department of Homeland Security’s Cyber Mission and Counterintelligence Mission centers indicated the Zoom videoconferencing platform “could be vulnerable to intrusions by foreign government spy services, including China,” and that hackers could introduce malware to make a Zoom user’s computer system susceptible to a security breach.
Due to these security and privacy issues, many governmental agencies, companies and other entities, including the U.S. Senate, the German Ministry of Foreign Affairs, the UK government and parliament, the Taiwanese government, and some school districts have issued bans or recommended restricting the use of Zoom to public, non-confidential business only. The Colombian government is also investigating Zoom’s compliance with Colombian data protection laws. In addition, numerous class action lawsuits have been filed against Zoom, alleging that Zoom violated the California Consumer Privacy Act (CCPA) by sharing user information with Facebook without proper consent, and made misrepresentations regarding third parties’ access to personal data that Zoom collected from its customers. The company is also subject to a shareholder class action, in which some of Zoom’s investors accused the company of making false statements in its initial public offering registration statement and prospectus regarding the adequacy of its data privacy and security measures, which may have influenced the share price.
For his part, Zoom CEO Eric Yuan has been quick to respond with public apologies and a vow to quickly improve Zoom’s privacy and security practices and patch up security flaws. Within the past few months, Zoom has implemented (or has promised to soon implement) the following actions:
- Yuan launched a 90-day security improvement plan, hosts weekly webinars to discuss the development of the plan, and posts weekly progress reports to update the public on Zoom’s ongoing progress in resolving privacy and security issues;
- In April, Yuan introduced a new Security icon in the toolbar to provide meeting hosts with one click access to a number of Zoom security features, and changed waiting room defaults and other features of how users interact with the system, including issuing new password guidelines;
- Paying subscribers may now choose where their data is being routed, opting in or out of specific data center regions;
- Zoom engaged Luta Security to create a world-class bug bounty program to reward users and security researchers for identifying Zoom security flaws; and
- Yuan recruited Alex Stamos, former chief security officer of Facebook, as a security consultant, and announced the formation of a new chief information security officer (CISO) council and advisory board tasked with conducting a full security review of Zoom’s technology and identifying and implementing enhanced security measures.
On April 28, Oracle announced that Zoom would deploy its core videoconferencing service on the Oracle cloud. During his April 29 progress report, Yuan introduced the release of Zoom 5.0, which adds support for AES 256-bit GCM encryption of meeting traffic. GCM is an authenticated encryption mode: it protects the integrity of the data as well as its confidentiality, and, unlike the ECB mode that Citizen Lab documented Zoom using in April 2020, it does not reveal repeated patterns in the plaintext. It is enabled system-wide, but it is still not “end-to-end” encryption, because Zoom’s servers continue to generate and hold the meeting keys; an end-to-end design is being developed. Zoom 5.0 also adds a “report a user” button, controlled and transparent data routing, additional meeting host controls, encrypted cloud recordings, a complex-password requirement, and other new security features and enhancements. Zoom also states that it now meets the following industry and security standards: SOC 2 (Type 2); FedRAMP (Moderate); compliance with GDPR, CCPA, COPPA, FERPA and HIPAA requirements; Privacy Shield certification; and TrustArc certification.

Further, on May 7, Zoom resolved a probe by New York’s attorney general concerning its privacy and data protection practices, which requires Zoom to establish a comprehensive data security program that will, among other things, be designed to encrypt users’ information both in storage and in transit. Also on May 7, Zoom announced the acquisition of Keybase, a secure messaging and file-sharing service. In connection with this acquisition, Zoom will leverage Keybase’s team of security and encryption engineering experts to accelerate its plan to build a scalable end-to-end encryption standard. On May 22, Zoom published details of its proposed end-to-end encryption design on GitHub to solicit public feedback for integration into a final design.
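To make concrete what the move to AES-GCM in Zoom 5.0 buys, the following is an added example written for this post in Go; it is not Zoom’s code and does not reproduce Zoom’s protocol. It encrypts a plaintext containing repeated 16-byte blocks (standing in for repetitive media content) first block-by-block in ECB mode, the mode Citizen Lab found in Zoom’s earlier traffic, and then with AES-256-GCM, and shows that ECB leaks the repetition as identical ciphertext blocks while GCM does not, and that GCM refuses to decrypt a ciphertext in which a single bit has been altered. The key and nonce are constructed constants for illustration only; a real deployment uses a random per-session key and a nonce that is never reused.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed 32-byte key (AES-256) and 12-byte nonce for illustration only.
// A real implementation derives a random key per session and uses a unique
// nonce for every message; reusing a GCM nonce is catastrophic.
var demoKey = []byte("0123456789abcdef0123456789abcdef")
var demoNonce = []byte("unique-nonce")

// ecbEncrypt encrypts each 16-byte block independently with the raw block
// cipher. Go deliberately offers no ECB mode in crypto/cipher; this loop is
// all that ECB is. The plaintext length must be a multiple of the block size.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// countRepeatedBlocks returns how many 16-byte ciphertext blocks exactly
// duplicate an earlier block. Any value above zero means the ciphertext
// reveals structure of the plaintext to an eavesdropper.
func countRepeatedBlocks(ciphertext []byte) int {
	seen := make(map[string]bool)
	repeats := 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

// gcmSeal encrypts and authenticates with AES-GCM; the output carries a
// 16-byte authentication tag after the ciphertext.
func gcmSeal(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// gcmOpen decrypts and verifies; it returns an error if the ciphertext or
// tag was modified by even one bit, instead of returning corrupted data.
func gcmOpen(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed plaintext: the same 16-byte block four times, standing in
	// for a media stream with repeated content (a static background, silence).
	plaintext := bytes.Repeat([]byte("SAME 16B PATTERN"), 4)

	ecb, _ := ecbEncrypt(demoKey, plaintext)
	fmt.Println("ECB repeated ciphertext blocks:", countRepeatedBlocks(ecb))

	gcm, _ := gcmSeal(demoKey, demoNonce, plaintext)
	fmt.Println("GCM repeated ciphertext blocks:", countRepeatedBlocks(gcm))

	// Flip one bit of the GCM ciphertext: decryption must fail rather than
	// silently hand back altered media.
	tampered := append([]byte(nil), gcm...)
	tampered[0] ^= 0x01
	_, err := gcmOpen(demoKey, demoNonce, tampered)
	fmt.Println("GCM tamper detected:", err != nil)
}
```

The caveat that matters for this post: the example fixes the cipher-mode weakness, but it says nothing about who holds the key. In Zoom 5.0 the meeting key is still generated and distributed by Zoom’s servers, so GCM by itself does not make the platform end-to-end encrypted.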
With so many employees working remotely during COVID-19, companies are using video conferencing now more than ever, for internal business meetings and meetings with customers, potential customers, vendors and partners. During these meetings, participants may disclose confidential and/or proprietary information, including PII, making such meetings a rich target for malicious actors attempting to hack and profit from such information. Therefore, companies and their employees should be especially careful when using Zoom or any other video conferencing application for work purposes, should avoid sharing sensitive confidential information during the meeting, and should closely scrutinize how the application is configured and what permissions and rules are established. Additionally, companies on the free basic plan may wish to consider transitioning to a paid business plan in order to access more administrative controls such as data center routing. Companies should also require all users to promptly update the Zoom client to version 5.0 (or higher when available), in order to take full advantage of all the new security tools and settings provided in this new version. Other recommendations include:
- protecting meetings with passwords;
- requiring participants to authenticate (for example, restricting meetings to signed-in users);
- keeping unauthorized participants out (for example, by enabling the waiting room and locking the meeting once all expected participants have joined);
- prohibiting local recordings of meetings;
- controlling what participants may do during meetings;
- using the Report a User feature;
- not using a Personal Meeting ID for public or recurring meetings and generating a random meeting ID instead;
- using webinars in lieu of meetings when appropriate (as webinars have fewer interactive privileges); and
- checking for software updates often.
These days, there is no dearth of conferencing/collaboration solutions available for corporate users, including WebEx, Skype, Microsoft Teams, Slack, GoToMeeting, AnyMeeting, BlueJeans Meetings, Zoho Meeting, and of course, Zoom. Each has its detractors, and no solution is 100% safe. However, remote communications are essential, especially during the pandemic, and with all the recent scrutiny of Zoom’s policies, practices and security standards, the full transition to Zoom 5.0 on May 30, and Zoom’s commitment to providing paid users a scalable end-to-end encryption platform in the near future, Zoom may now present a promising solution for a company’s video conferencing needs.