Photo by Edward Jenner on Pexels.com

By: Emily Donohue

Since the Covid-19 virus hit the United States in late January many schools and businesses have shifted their operations online, with the video and teleconferencing platform Zoom being the popular choice for most. The platform is currently one of the most downloaded apps for both iOs and Android devices, and has seen an increase in daily meeting participants from 10 million to 200 million between December 2019 and March 2020. While call quality and user-friendly functions like the “beautification filter” and virtual backgrounds have helped Zoom edge out competitors like Skype and Google Hangouts, technology experts are raising concerns over issues with Zoom’s privacy and security practices.

What are Zoom’s Major Privacy Flaws?

Zoom’s platform does not have end-to-end encryption, despite marketing claims that suggested it did. What Zoom does offer is called “transport layer security,” an encryption protocol similar to what is used on HTTPS websites. This means that Zoom can access the unencrypted video and audio content of your meetings, unlike end-to-end encryption that would limit audio and video content only to participants of the meeting. While Zoom has claimed it does not directly access, mine, or sell user data, recent reports suggest that many users have been unknowing victims of the unauthorized collection and sharing of their user data.

Zoom has also come under fire for its easily exploitable security holes that have led to a multitude of issues ranging from the easy theft of Windows login credentials, to the exposure of thousands of Zoom recordings, to the influx of unauthorized parties crashing Zoom meetings to harass participants. As discussed in an FBI warning published on March 30, Zoom meetings have been the target of “Zoom-bombings” where uninvited attendees disrupt conferences, often through the use of racist, sexist, and homophobic speech or pornographic images. Safety concerns caused by these security issues have impacted businesses and school districts, prompting some to disable access to Zoom entirely.

What Is Zoom Doing to Address Concerns and What Can You Do to Protect Your Organization?

After the recent onslaught of negative press, Zoom CEO, Eric Yuan, took to the company blog to apologize for the issues, outline the changes the company has made in response to the public backlash, and make assurances that no new features will be added for the next 90 days while “shifting…engineering resources to focus on our biggest trust, safety, and privacy issues.” Notable policy changes include removing “login with Facebook” feature that allowed Facebook to collect user data, removing the attendee attention tracking feature, and removing the LinkedIn Sales Navigator app, among other changes.

Some organizations like SpaceX, New York City schools, the German health ministry, Taiwanese and Canadian governments, and Google have chosen to ban the use of Zoom altogether. But for others who have invested a great deal of money into Zoom services or whose operations are too large to easily shift to a different platform, simply banning Zoom may not be an option.

If your organization is committed to using Zoom, there are some privacy setting options that can be selected to mitigate potential harm. To prevent Zoom-bombers from hacking your video conferences, it is advised that hosts never publicly share Meeting ID information or links, and that a new random Meeting ID is generated for each meeting. Hosts should also require passwords for participants to access meetings. It also is advised to limit the screensharing function to hosts or cohosts to lower the risk of a hijacker (or participants) sharing sensitive content.

What are the Legal Repercussions for Zoom?

On March 30, New York Attorney General, Letitia James sent a letter Zoom outlining the security flaws and questioning what the company is doing to address the concerns. It is also possible that the Federal Trade Commission could bring unfair or deceptive trade practice charges against Zoom in connection with its end-to-end encryption marketing claims.

Zoom is also party to two separate lawsuits at the time of publishing. A Zoom shareholder recently filed suit alleging the company failed to disclose issues with privacy and security, leading to a drop in stock prices. A separate class-action suit was filed in District Court for the Northern District of California by a Zoom user alleging that the company failed to properly safeguard users’ personal information and for disclosing information to Facebook without notice or authorization in violation of California’s Unfair Competition Law, Consumer Legal Remedies Act, and the Consumer Privacy Act.

Of course, only time will tell if any new issues come to light and whether the company makes good on its promises to fix existing issues. It is likely the company may see more lawsuits before the end of the Covid-19 pandemic.