Jennifer Wu, J.D., CIPP/C, CIPM, one of our data privacy consultants, was recently asked by CMSWire to weigh in on the Zoom privacy discussion. You can read a short extract of Jen’s comments in the full CMSWire article here, while the blog below contains our fuller observations.
Prior to March 2020, Zoom was an app only a relative few had heard of — the video conferencing app had about 10 million daily users in December. By April, it was up to 200 million daily users.
Financial news site Learnbonds showed an increase in Zoom downloads of 1,270% on mobile platforms (Android and iOS) alone between 22 February and 22 March. For a brief moment, Zoom was the most-downloaded app in the Apple app store.
Zoom CEO Eric Yuan made the most of the sudden demand for conferencing software with seemingly benevolent actions, such as removing the 40-minute time limit on free meetings, first in China and later in other affected regions, as the COVID-19 pandemic spread across the world and more and more students, teachers and other workers became reliant on remote conferencing.
But throughout all those downloads by all those users, a fatal flaw has been exposed: its security was nowhere near as advertised. Not long after Zoom became a household name, so did “Zoombombing”: the name given to hackers taking over Zoom chats and often showing pornography or other distasteful images.
By late March, word was out that Zoom was sharing user data with Facebook, and the New York attorney general sent a letter to Zoom, questioning the security practices it had in place to ensure user privacy.
Shortly after, the first of several class-action lawsuits was filed against the company, alleging the firm did not adhere to California’s Consumer Privacy Act (CCPA), which is similar to the E.U.’s General Data Protection Regulation (GDPR). The suit stated that by not obtaining proper consent from its users about its transfer of their data to Facebook, Zoom was in violation of the CCPA.
Further reporting by The Intercept revealed that, contrary to its advertising, Zoom did not use end-to-end encryption, which protects a communication from all parties other than the participants themselves, including the service provider. The Intercept reported that “Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.”
Eric Yuan responded quickly, issuing an apology in a public blog post, clarifying the company’s security policies and vowing to put a freeze on new feature development, “shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.”
However, it may be too little too late as Zoom’s reputation has taken a hit. There are now four class-action lawsuits against the company, and Yuan has issued multiple public apologies – but the damage has been done.
Elon Musk’s SpaceX banned Zoom, citing privacy and security concerns, as have the German government, the Singapore Ministry of Education and the U.S. Senate, to name just a few.
Zoom’s security issues, however, are not new, and are not simply the problems of a start-up rushing to fulfil the needs of an unprecedented number of users. The security flaws in Zoom’s software go back as far as last year, when a security researcher named Jonathan Leitschuh publicly posted on Medium that he had discovered a vulnerability that would allow someone else to hijack the webcam on Mac computers, allowing them to turn on the webcam and force the user to join a Zoom call without permission.
That discovery, said Leitschuh, was reported to Zoom on 26 March 2019. On 9 July, Zoom reported they would have a fix patching the vulnerability, and assured users they would update the application to further protect users’ privacy.
Although the privacy concerns cited in Robert Cullen’s famous 30 March 2020 lawsuit and potential class action are different ones, the fact is that issues remain. Perhaps then, for users of Zoom software, it is worth contemplating whether its business standards and ethics are in line with those of your company.
It is always necessary to examine the security practices of a company you are doing business with, to determine whether they mesh with your own best practices and with the compliance regulations of the region in which you operate.
Jennifer Wu, one of Calligo’s data privacy consultants, told CMSWire that “during the initial evaluation of a tool like Zoom, ask for a Data Protection Agreement, or a similar document. This is something that is required if a company falls under the jurisdiction of the GDPR or CCPA. If your company decides it does not live up to required technical and organisational measures, there is no need to spend further time assessing the tool’s features.”
Data privacy is critical in the best of times. In today’s troubled times, when hackers are seeking to take advantage of an increasingly remote population, even more so. When in doubt, consult with data privacy experts and read the fine print. Be sure you know your data is in the right hands.