May 22, 2020 • Kellie Pantekoek, Esq.; FINDLAW/BLOGS/LAW AND DAILY LIFE
Should You Be Worried About Your Privacy When Using Zoom?
If you are like millions of other Americans, you are growing accustomed to using videoconferencing for work, school, or maintaining your social life during the COVID-19 pandemic. But while the convenience and accessibility of the videoconferencing service Zoom is what makes it popular, there is a flip side: privacy and security concerns.
Before the coronavirus outbreak, Zoom was mainly used by businesses to hold remote meetings and sales calls. In December, there were 10 million daily Zoom users, mainly composed of business employees. In March, there were 200 million daily users, including families, students, instructors, fitness folks, and friend groups, who depend on the easy-to-use network to stay in touch while social distancing.
The usage boom quickly revealed weaknesses and oversights with Zoom’s privacy and security for the public and school districts who don’t have their own cybersecurity professionals and policies. If you fall into this category, you should know about the red flags that have been raised.
As Zoom Meetings Increased, so Did Red Flags
In late March, Zoom’s iOS app was determined to be sending user analytics data to Facebook, even for Zoom users who did not have a Facebook account. Zoom then removed the Facebook data collection feature of its app and issued an apology.
In early April, New York’s attorney general sent a letter to Zoom questioning steps the company was taking to handle the huge increase in users and the “sensitivity of data being passed” through its platform.
Then, the FBI warned Zoom, and issued a public warning, that it had received reports of several incidents in which Zoom meetings were hijacked by strangers inflicting harassment or threats. For example, schools have reported meetings in which hijackers posted pornography, hate speech, or threatening language.
A class action lawsuit was then filed in California, alleging that Zoom violated the state’s new data protection law by not getting the requisite consent from users before transferring their Zoom data to Facebook. At least three additional lawsuits have been filed against Zoom since then.
Other security issues were soon flagged, including:
- Zoom was collecting call data without the end-to-end encryption that it said it was using
- An issue that exposed Windows users to password theft when using Zoom
- A bug that allowed malicious actors to take control of a Zoom user’s microphone or webcam
- A risky security lapse that allowed Zoom to gain root access on macOS desktops
- Zoom’s app was leaking users’ email addresses and photos to strangers via a company directory feature
- A data-mining feature that allowed some Zoom participants to gain access to other users’ LinkedIn profile data
- Investigators from The Washington Post found thousands of Zoom video call recordings unprotected and viewable on the open web
What is Zoom Doing to Correct Security Issues?
Eric S. Yuan, the chief executive of Zoom, has issued multiple apologies for the issues and said the company is rushing to beef up its security and privacy practices, making these the company’s main focus. Previously, the company catered to enterprise customers and let them set their own security measures, which the general public is not equipped to do.
“If not for this crisis,” Yuan told the New York Times, “I think we would have never thought about this.”
One of the first steps the company has taken is to create default settings that require K-12 schools to admit participants individually to videoconferences from virtual waiting rooms, instead of having open access. Zoom has also created a chief information and security officer council and advisory board to conduct a full security review.