By now, most of us have participated in at least one videoconference from the comfort of our homes, be it for a work meeting, a fitness class, or a virtual happy hour with friends across the country. Easing the transition from business-as-usual to social distancing and sheltering-in-place, these video communications platforms and apps have no doubt helped us stay connected and productive as we settle into the new normal of staying indoors indefinitely. But just as more and more people are turning to videoconferencing, more hackers and cybercriminals are exploiting the surge in teleworking, and the privacy practices of videoconferencing platforms are quickly coming under scrutiny, with pressure for increased transparency and data security.
Zoom, one of the most popular and prosperous video platforms, has seen a rapid increase in global active users since the start of the year. The number of users continued to soar after Zoom CEO Eric Yuan announced in early March that he was removing the time limit from video chats in regions affected by the outbreak and was offering free services to K-12 schools around the world. Yet at the height of its popularity, Zoom has become one of the most targeted apps for cyberattacks and cybercrime (including dozens of new fake Zoom-themed domain registrations and phishing websites intended to lure users into providing credit card details and other sensitive data and/or to deliver malware), ultimately illuminating holes in the platform's data protection and privacy policies and inviting a firestorm of criticism and challenges.
A rising phenomenon referred to as "zoom-bombing," where uninvited participants join a Zoom meeting (typically using a meeting ID that was publicly posted or guessed, rather than by breaking into the platform) and use the screen-sharing feature to disseminate disruptive and often obscene or inappropriate material to the meeting attendees, has been particularly concerning to the community. There have been a number of reported zoom-bombing incidents in virtual conferences hosted by schools, churches, and political groups. Particularly disheartening are those virtual classrooms that have been interrupted with pornographic images and racial slurs, and religious services attacked with uploads of anti-Semitic propaganda. Many school districts have prohibited educators from using Zoom for distance learning, citing concerns about child data privacy (for a full discussion of how FERPA applies to videoconferencing, stay tuned for our next post). The FBI is making efforts to curtail zoom-bombing, and advises zoom-bombing victims to report such incidents via the FBI's Internet Crime Complaint Center.
Zoom has also been forced to make changes to its privacy policy and sign-in configuration after it was discovered that the app was sending some analytics data to Facebook (e.g., when the user opened the app, their timezone, city, and device details). Privacy activists noticed that there was nothing in the Zoom privacy policy that addressed this transfer of data. With regard to data security, consumers are also questioning whether Zoom actually implements end-to-end ("E2E") encryption, as it claims, potentially teeing up a claim for unfair or deceptive trade practices before the FTC. The distinction matters: encrypting traffic only between each participant's device and the provider's servers (transport encryption) protects it from eavesdroppers on the network, but the provider decrypts the stream as it passes through its servers. With E2E encryption, the video and audio content is encrypted under a key held only by the meeting participants, such that the service provider does not have the technical ability to listen in on your private meetings and use the content for ad targeting.
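The following is an added illustration of that distinction and is not Zoom's code, nor a description of Zoom's actual protocol. It models a relaying provider in two ways: in the transport model the provider holds a separate key for each participant's hop and re-encrypts between them; in the E2E model the participants share a meeting key the provider never sees. The cipher is a deliberately simple HMAC-SHA256 keystream (a toy, chosen so the script runs with only the standard library; a real system would use a vetted authenticated cipher), and the message is a constructed sample.

```python
"""Toy model: transport (hop-by-hop) encryption versus end-to-end encryption.

Added illustration only. Not Zoom's code and not Zoom's protocol.
The cipher below is a toy keystream built from HMAC-SHA256 so that the
example runs offline with the standard library; do not use it in
production, where an authenticated cipher (e.g. AES-GCM) belongs.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with a keystream derived from (key, nonce, counter).

    Counter-mode-style construction using HMAC-SHA256 as the PRF.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext with a fresh random nonce."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return keystream_xor(key, nonce, ciphertext)


class Provider:
    """The relay between participants. `observed` records everything the
    provider could have read or stored while forwarding traffic."""

    def __init__(self) -> None:
        self.hop_keys: dict[str, bytes] = {}
        self.observed: list[bytes] = []

    def register_hop(self, client: str, key: bytes) -> None:
        # Transport model: provider shares one key with each client.
        self.hop_keys[client] = key

    def relay_transport(self, src: str, dst: str, blob: bytes) -> bytes:
        # Decrypt the sender's hop, (ab)use the cleartext, re-encrypt for
        # the receiver's hop. The provider is a full party to the content.
        plaintext = decrypt(self.hop_keys[src], blob)
        self.observed.append(plaintext)
        return encrypt(self.hop_keys[dst], plaintext)

    def relay_e2e(self, blob: bytes) -> bytes:
        # No meeting key here: all the provider can retain is ciphertext.
        self.observed.append(blob)
        return blob


def transport_model(message: bytes) -> tuple[bytes, list[bytes]]:
    """Alice -> provider -> Bob with per-hop keys held by the provider."""
    provider = Provider()
    alice_key, bob_key = secrets.token_bytes(32), secrets.token_bytes(32)
    provider.register_hop("alice", alice_key)
    provider.register_hop("bob", bob_key)
    delivered = provider.relay_transport("alice", "bob",
                                         encrypt(alice_key, message))
    return decrypt(bob_key, delivered), provider.observed


def e2e_model(message: bytes) -> tuple[bytes, list[bytes]]:
    """Alice -> provider -> Bob with a meeting key only participants hold."""
    provider = Provider()
    meeting_key = secrets.token_bytes(32)  # never given to the provider
    delivered = provider.relay_e2e(encrypt(meeting_key, message))
    return decrypt(meeting_key, delivered), provider.observed


def provider_can_read(observed: list[bytes], message: bytes) -> bool:
    """True if the cleartext message appears in what the provider retained."""
    return message in observed


if __name__ == "__main__":
    sample = b"constructed sample audio frame"  # constructed input
    for name, model in (("transport", transport_model), ("e2e", e2e_model)):
        bob_sees, observed = model(sample)
        print(f"{name}: Bob received intact={bob_sees == sample}, "
              f"provider could read={provider_can_read(observed, sample)}")
```

In both models Bob receives the message intact, so from the participants' point of view the call "is encrypted" either way; only the second model denies the provider the ability to read it, which is what the E2E claim promises.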
Due to the lack of clarity with regard to exactly what data Zoom is collecting from its users and what it does with that data, on March 18th, human rights group Access Now published an open letter calling on Zoom to release a transparency report to help users better understand the company's data protection efforts. On March 30th, New York Attorney General Letitia James sent a similar letter to Zoom, requesting information about its security measures in light of user concerns about data privacy and zoom-bombing. While Zoom stated that it would readily comply with the AG's request, this will not be the last fire to put out. Just yesterday, a class action (case no. 5:20-cv-02155) was filed against Zoom in the Northern District of California, citing violations of California's Unfair Competition Law, Consumers Legal Remedies Act, and the CCPA by using inadequate security measures, permitting the unauthorized disclosure of personal data to third parties like Facebook, and failing to provide adequate notice before collecting and using personal data.
While the repercussions of Zoom's privacy and data security transgressions remain to be seen, users of the videoconferencing platform can take actions to minimize the risks of zoom-bombing and data breaches by disabling certain features of the conference (for example, requiring a meeting password, enabling the waiting room so the host admits each participant, restricting screen sharing to the host, and not posting meeting links publicly) and abiding by the company's best practices for securing a virtual classroom.