Client Alert: Zoom Users Beware! Reports of Significant Privacy and Data Security Flaws
Date: April 7, 2020
With this massive rate of adoption, Zoom's platform came under scrutiny from the data protection community. Researchers and others reported concerns regarding some of Zoom’s privacy and data security practices. The concerns ranged from dismay at the availability of certain features (e.g., an "attendee attention tracking" feature that allows a meeting host to see if meeting participants click away from the main Zoom meeting screen) to alarm (e.g., serious flaws allowing hackers to take over users' computers). Some complaints were informal and published in popular media, while others have been brought formally to Attorney General's offices, the Federal Trade Commission, and the courts.
Reported Data Protection Risks
The FBI recently warned that reports of Zoom video-teleconferencing hijacking, also known as "Zoom-bombings," have increased in number. Online trolls and other bad actors Zoom-bomb conferences by disrupting them with pornography, hate messages, and profanities or threatening language. Security researchers also reported vulnerabilities in the past week. The Apple macOS version of Zoom reportedly allowed hackers to install malware or spyware on users' computers and to inject code to access webcams and microphones. Zoom subsequently patched these vulnerabilities, and Apple released an update for Mac users to address the problem.
Cybersecurity professionals report concerns that remote working and the rise in popularity of videoconferencing platforms increase the attack surface of organizations. The high frequency of Zoom-bombing may be an early warning sign that these platforms will become regular targets for more harmful attacks.
In a recent press release, A Message to Our Users, Zoom itself acknowledges that "we have fallen short of the community’s – and our own – privacy and security expectations." Zoom committed to a 90-day feature freeze so that all engineering resources can be refocused on fixing data protection issues with the platform. In another press release, Zoom apologizes for "the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption," and then clarifies how it actually uses encryption in The Facts Around Zoom and Encryption for Meetings/Webinars.
In addition to the reported security risks, Zoom came under fire for violating users' privacy. Zoom allowed Facebook to collect information about certain users that was unrelated to those users' meetings, including device OS type and version, device time zone, mobile carrier, screen size, processor cores, disk space, as well as a unique identifier created by devices and used by advertisers to target users with marketing. Per Zoom's March 27 press release, Zoom’s Use of Facebook’s SDK in iOS Client, it stopped this practice. Zoom is already facing at least one class action lawsuit arising out of its sharing of data with Facebook.
There is no dispute that Zoom is a convenient tool that has gained rapid popularity during the COVID-19 pandemic. Its security vulnerabilities and privacy failures are, however, reported to be significant. Some security researchers and professionals are recommending that Zoom not be used by any organizations for which privacy and data security are important. News outlets report that school districts, including New York City's schools, and companies such as SpaceX and Apple, are banning the use of Zoom. Similarly, it is reported that the Department of Justice is banning its attorneys from using Zoom for privileged, attorney work product-protected, and other confidential communications.
Notwithstanding these concerns, many private and public organizations continue to use Zoom widely. We recommend that any user of Zoom give thought to the newly reported vulnerabilities and make an informed decision as to continued use.
HIPAA Covered Entities
Note that we recently alerted clients to guidance issued by the Office for Civil Rights (OCR), Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, concerning the use of video-teleconferencing platforms for telehealth services covered by the HIPAA Rules. The OCR advises that it will not take enforcement action against covered health care providers for using certain platforms, including Zoom. The OCR also encourages covered providers "to notify patients that these third-party applications potentially introduce privacy risks" and recommends enabling "all available encryption and privacy modes when using such applications." As of the date of this publication, the OCR has not updated its guidance, and Zoom continues to be listed among the permitted and preferred platforms.
Tips to Minimize Risk
Data protection researchers and other professionals make the following recommendations to improve the Zoom experience for meetings that involve confidential or sensitive information:
- Using Zoom should not be a do-it-yourself project for organizations in regulated industries or with high data protection standards; IT experts should be involved.
- Use the most up-to-date version of Zoom.
- Ensure each private meeting is password-protected, including for participants dialing in by phone.
- Use one-time meeting IDs to host public meetings (i.e., do not use a personal meeting ID).
- Enable "waiting rooms" to screen meeting participants.
- Do not share meeting links, IDs or passwords outside the group of intended participants; where possible, do not share links at all and rely on meeting IDs only, so that participants are not conditioned to click on links that could be malicious.
- Take attendance at the beginning of each meeting when practical.
- Control screen sharing by enabling the "Host Only" feature.
- Consult cybersecurity professionals for any wide adoption of Zoom within an organization.
- Revise the organization's policies regarding the use of video-teleconferencing and other online services.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.