Tag: Zoom

Zoom agrees on security and privacy measures with NY Attorney General

13. May 2020

Due to the COVID-19 pandemic, Zoom has seen an exponential surge in new users over the past two months. As we have mentioned in a previous blog post, this increase in activity highlighted a range of different issues and concerns both on the security and on the privacy side of the teleconference platform.

In light of these issues, which induced a wave of caution around the use of Zoom by a lot of companies, schools, religious institutions and governmental departments, urging to stop the use of the platform, Zoom has agreed to enhance security measures and privacy standards.

In the Agreement struck on May 7th with the New York Attorney General Laetitia James, Zoom has come to terms over several new measures it will enforce over the course of the next weeks. However, most of these enhancements have already been planned in the CEO Yang’s “90-day plan” published on April 1st, and have been slowly put into effect.

These measures include:

  • a new data security program,
  • conduction of risk assessment reviews,
  • enhancement of encryption protocols,
  • a default password for every meeting,
  • halt to sharing user data with Facebook.

In response to the Agreement being struck, Attorney General James stated: “Our lives have inexorably changed over the past two months, and while Zoom has provided an invaluable service, it unacceptably did so without critical security protections. This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call.“

A day prior, Zoom was also reinstated for the use of online classes by the New York City Department of Education. In order to ensure the privacy of the students and counteract “Zoombombing”, Zoom has agreed to enhanced privacy controls for free accounts, as well as kindergarten through 12th grade education accounts. Hosts, even those with free accounts, will, by default, be able to control access to their video conferences by requiring a password or the placement of users in a digital waiting room before a meeting can be accessed.

This is not the only new addition to the controls that hosts will be able to access: they will also be able to control access to private messages in a Zoom chat, control access to email domains in a Zoom directory, decide who can share screens, and more.

Overall, Zoom stated that it was happy to have been able to reach a resolution with the Attorney General quickly. It remains to see how the measures in is implementing will hold up to the still growing audience, and how fast they can be implemented for worldwide use.

The Video-conference service Zoom and its Data Security issues

20. April 2020

Amidst the Corona crisis, the video communications service Zoom gained enormous popularity. The rate of daily Zoom users skyrocketed from 10 Mio in December 2019 to 200 Mio in March 2020. As it outshined many of its competitors, Zoom labels itself as “the leader in modern enterprise video communications”. However, the company has been facing a lot of public criticism because of its weaknesses in data security and lack of awareness in data protection matters.

Basic data security weaknesses unfolded little by little starting in March 2020:

  • Zoom had to admit that it was wrongly advertising to provide full end-to-end encryption for all shared contents like video, audio or screen sharing.
  • Security experts revealed several bugs that could have allowed webcam and mic hijacking and the theft of login credentials.
  • An online Tech Magazine reported that Zoom leaked thousands of their users’ email addresses and photos to strangers.
  • Video-conferences which users did not protect with a password, enabled “Zoombombing”, a phenomenon in which strangers hijacked videocalls and disrupted them by posting pornographic and racist images as well as spamming the conversations with threatening language. In response, Zoom introduced the Waiting Room feature and additional password settings.

At the same time, Zoom’s data privacy practices came under scrutiny:

  • Zoom shared web analytics data with third-party companies for advertising purposes without having a legal basis or notifying users about this practice. In response to criticism, Zoom revised its privacy policy and now declares that it does not share data from meetings for advertising.
  • The company also shared more analytics data of its users with Facebook than stated on Zoom’s privacy policy, even if the user did not sign in with their Facebook account. Zoom introduced an update in which this sharing is terminated.
  • The New York Times revealed that Zoom used a data mining feature that matched Zoom users’ names and email addresses to their LinkedIn profiles without the users knowing about it. Zoom then enabled automatic sharing of the matched LinkedIn profiles with other meeting members that were subscribers of a LinkedIn service for sales prospecting (“LinkedIn Sales Navigator”). In response to criticism, Zoom removed this feature permanently.
  • Zoom hosted a feature called Attention Tracking, which let the meeting’s host know when an attendee had clicked away the meeting window for more than 30 seconds. In the meantime, Zoom disabled the feature.

The security and privacy issues of Zoom have led various public authorities and companies internationally to ban their workers from using the service.

On 1 April 2020, Zoom’s founder and CEO Eric S. Yuan announced a 90-day plan to significantly improve their data security in an effort to build greater trust with their users. This plan includes freezing the introduction of new features, enlarge their cybersecurity team and engage outside help from security advisors.