Bloomberg Law
April 10, 2020, 8:01 AM

INSIGHT: To Zoom or Not to Zoom—Privacy and Cybersecurity Challenges

Wynter L. Deagle
Troutman Pepper Hamilton Sanders LLP
Anne-Marie Dao
Troutman Pepper Hamilton Sanders LLP
Yarazel Mejorado
Troutman Pepper Hamilton Sanders LLP

With social distancing mandates and some statewide shelter-in-place orders, people are doing what they can to connect while flattening the coronavirus curve.

One of the main platforms that businesses and individuals have resorted to is Zoom. Over the last month, Zoom experienced a rise of over 500% in daily traffic to the Zoom.us download site and its app has been the most downloaded app in the country. Its daily meeting participants have grown from 10 million in December 2019 to 200 million in March. Unsurprisingly, during this same period, Zoom’s shares increased 74% in a time when the stock market is down 21%.

Concerns

Yet, while the pandemic and resulting shelter-in-place mandates have thrust Zoom into the daily lives of people and businesses, many privacy and cybersecurity concerns have been raised, including allegations of:

  • Zoom sending data from users of its iOS app to Facebook for advertising purposes, even if the user does not have a Facebook account;
  • The Windows version of Zoom being vulnerable to attackers who could send malicious links to users’ chat interfaces and gain access to their network credentials;
  • Zoom not requiring a user’s consent before allowing the host of the meeting to record the session;
  • The presence of a security flaw that would enable hackers to take over a user’s Mac, including tapping into the microphone and webcam; and
  • Despite frequently asserting it used “end-to-end encryption for video meetings” which would ensure neither external attackers nor Zoom itself could access the contents of a video meeting, Zoom using only transport encryption for video meetings, meaning Zoom has access to unencrypted audio and video from meetings.

Alleged Violations of the California Consumer Protection Act

In addition to federal and state investigations, Zoom has also drawn attention from individual users as it became one of the first companies sued under the California Consumer Protection Act. Zoom is facing at least two putative class actions, filed in federal court by California residents Robert Cullen and Samuel Taylor, that accuse Zoom of violating the CCPA by gathering and sharing personal information with third parties like Facebook without informing consumers.

Cullen’s class-action complaint, filed on March 30, cited news reports finding that Zoom’s iOS app had been using a Facebook login feature to send details on Zoom users, including information about users’ devices, phone carriers, and time zones. The complaint alleges CCPA violations due to Zoom’s “collecting and using personal information without providing consumers adequate notice consistent with the CCPA” and “failing to prevent Plaintiff’s and the Class members’ nonencrypted and nonredacted personal information from unauthorized disclosure.”

Zoom Responds: What They’ve Done, What They Will Do

In response to the plethora of issues and concerns raised in the recent weeks, Zoom unveiled a new privacy policy on March 29. In a post to the company’s blog, Zoom’s Chief Legal Officer Aparna Bawa explained that Zoom does not sell users’ data, and that Zoom complies with privacy laws, rules, and regulations.

Zoom’s founder and CEO, Eric Yuan, also posted a message to users addressing the concerns raised.

Ways to Increase Security and Privacy

With the numerous privacy concerns being raised, businesses should carefully weigh the risks and benefits of using Zoom conferencing over other platforms such as WebEx or Skype. Businesses continuing to use Zoom should revise or implement privacy protocols that address proper use of video conferencing software and include provisions designed to mitigate some of the associated privacy risks, such as:

  • To reduce the “Zoom bombing” risk, hosts should be required to adjust their settings so that only the host can share the screen. In addition, hosts should be instructed to use a “waiting room” for all meetings—a feature that places new attendees in a holding area for approval by the host instead of letting them appear directly in the meeting room.
  • Meeting hosts should be required to generate random meeting IDs instead of relying on Zoom-generated links or their personal meeting ID (PMI). A Zoom link, which starts with “https://zoom.us/” followed by a string of numbers and letters, can easily be imitated as part of a potential phishing scheme and lead to a data security incident. And a PMI is, in essence, one continuous meeting, so a single compromise would allow access to all meetings going forward. As such, businesses should require hosts to email or send a meeting invite that includes a random meeting ID and password—not the Zoom-generated link or PMI.
  • Users should also be instructed to keep their cameras and microphones turned off unless they are speaking. If users want to keep their cameras on, Zoom also allows users to set a photo as a background. The photo can be uploaded by users or selected from Zoom’s catalog of backgrounds.
  • Hosts should also be instructed to prohibit local recording—which allows users to record a meeting’s video and audio locally to a computer—to mitigate the risk of disclosure of confidential information. Where the employee is not the host, businesses should require employees to confirm that local recording has been disabled before discussing confidential or proprietary information.
  • Businesses should encourage the use of Zoom webinars over meetings whenever possible. Because webinars do not include group participation, they are less attractive targets for hacking and have fewer security vulnerabilities.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Wynter L. Deagle is a member of Troutman Sanders LLP’s Cybersecurity, Information Governance and Privacy practice group, and is a partner in the firm’s Business Litigation group. An experienced trial lawyer, Wynter specializes in defending clients from privacy and cybersecurity consumer class actions, regulatory investigations, and enforcement actions. She also guides clients through compliance with state and federal privacy laws and data breach incident response.

Anne-Marie Dao is a member of Troutman Sanders LLP’s Cybersecurity, Information Governance and Privacy practice group, and is an associate in the firm’s Business Litigation group. She has extensive experience defending against privacy class actions in both state and federal courts. Dao also counsels litigation clients on various business and privacy issues and manages disputes through alternative dispute resolution.

Yarazel Mejorado is a member of Troutman Sanders LLP’s Cybersecurity, Information Governance and Privacy practice group, and is an associate in the firm’s Business Litigation group. Mejorado advises clients on data security and privacy compliance matters.