16 April 2020

Data Blast: Apple & Google offer contact tracing, and Zoom updates including a bug bounty scheme…

See below our latest Data Blast from our Legal team.

Apple and Google announce contact-tracing proposal

On April 10th, it was announced that Google and Apple are in the process of developing a means of notifying individuals who have come into contact with someone infected by the coronavirus.

While their initial plan is to support third-party tracing apps (such as the PEPP-PT app, discussed here), the companies ultimately wish to establish contact tracing, on a voluntary basis, without requiring a dedicated app. Like the PEPP-PT app, this approach would use a smartphone’s Bluetooth to determine whether users had come close enough, and for long enough, to infected individuals to have established a risk of infection. If such an individual tests positive, those deemed to have been close enough to that individual would be sent a warning.

Critically, no GPS location data or other personal data would be recorded, and the companies have stated that they will publish the technical specifications of the system for public analysis in an attempt to be completely transparent. The proposal has received positive reviews from the EU’s data protection supervisor, who stated ‘the initiative will require further assessment, however, after a quick look it seems to tick the right boxes as regards user choice, data protection by design and pan-European interoperability.’ However, critics have pointed out that the success of such a system would depend on widespread testing, which very few countries have been able to achieve to date.

Several countries have been developing and rolling out their own contact-tracing apps. The companies’ framework would allow third-party contact-tracing apps built on it to interoperate, so that tracing would continue to work for people travelling overseas, where a different tracing app may be deployed.

Regarding concerns over identifiable data, the identifiers exchanged over Bluetooth are random values that change frequently and are not linked to a user’s identity, and the identifiers a phone collects from nearby phones are kept on that phone. Only a user who tests positive, and who chooses to report it, uploads the keys from which their recent identifiers were derived, and those keys do not identify the user. Furthermore, the contact-matching process occurs on each mobile device, as opposed to centrally: a phone compares the published keys against the identifiers it has heard, so an individual can be notified of their exposure to the coronavirus without the server, or anyone else, learning that a match occurred.
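The following is an added example, not code from Apple, Google or the Data Blast, of the decentralised matching described above. It follows the shape of the published proposal (a secret tracing key per phone, a key per day, a rolling identifier per 10-minute interval, only the daily keys of a diagnosed user uploaded, matching done on the device) but simplifies the derivation: HMAC-SHA256 stands in for the specification’s key-derivation step, and the label strings, the three-phone scenario and the day numbers are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Phone models one handset. The tracing key never leaves the device unless
// its owner reports a positive test; the identifiers it hears stay on it.
type Phone struct {
	tracingKey []byte
	heard      map[string]bool // rolling identifiers received over Bluetooth
}

func newPhone() *Phone {
	tk := make([]byte, 32)
	if _, err := rand.Read(tk); err != nil {
		panic(err)
	}
	return &Phone{tracingKey: tk, heard: map[string]bool{}}
}

// dailyKey derives the key for one day. HMAC-SHA256 stands in for the
// HKDF step of the published specification (an assumption of this example).
func dailyKey(tracingKey []byte, day int) []byte {
	m := hmac.New(sha256.New, tracingKey)
	m.Write([]byte(fmt.Sprintf("CT-DTK|%d", day)))
	return m.Sum(nil)[:16]
}

// rollingID is the identifier broadcast during one 10-minute interval
// (144 per day). It changes every interval, so a passive listener cannot
// follow a phone, and HMAC cannot be inverted to recover the daily key.
func rollingID(dk []byte, interval int) string {
	m := hmac.New(sha256.New, dk)
	m.Write([]byte(fmt.Sprintf("CT-RPI|%d", interval)))
	return hex.EncodeToString(m.Sum(nil)[:16])
}

// Broadcast returns what the phone advertises at (day, interval).
func (p *Phone) Broadcast(day, interval int) string {
	return rollingID(dailyKey(p.tracingKey, day), interval)
}

// Hear stores a nearby phone's identifier locally; nothing is sent anywhere.
func (p *Phone) Hear(id string) { p.heard[id] = true }

// ReportPositive is the only upload in the scheme: the daily keys for the
// infectious window. They carry no name, location or list of contacts.
func (p *Phone) ReportPositive(days []int) [][]byte {
	keys := make([][]byte, 0, len(days))
	for _, d := range days {
		keys = append(keys, dailyKey(p.tracingKey, d))
	}
	return keys
}

// CheckExposure runs on the device. It re-derives every identifier the
// published keys could have produced and compares them with what this phone
// heard, so the server never learns whether a match occurred.
func (p *Phone) CheckExposure(published [][]byte) int {
	matches := 0
	for _, dk := range published {
		for interval := 0; interval < 144; interval++ {
			if p.heard[rollingID(dk, interval)] {
				matches++
			}
		}
	}
	return matches
}

// Scenario (constructed): Alice and Bob are together for three intervals on
// day 10, Carol is never near Alice, and Alice then reports a positive test.
func Scenario() (bobMatches, carolMatches int) {
	alice, bob, carol := newPhone(), newPhone(), newPhone()
	for interval := 40; interval < 43; interval++ {
		bob.Hear(alice.Broadcast(10, interval))
		alice.Hear(bob.Broadcast(10, interval))
	}
	published := alice.ReportPositive([]int{9, 10, 11}) // keys only, no identity
	return bob.CheckExposure(published), carol.CheckExposure(published)
}

func main() {
	b, c := Scenario()
	fmt.Printf("Bob: %d matching intervals, Carol: %d\n", b, c)
}
```

Running the scenario reports three matching intervals for Bob and none for Carol. Note what the server holds after Alice’s upload: a handful of 16-byte keys and nothing else. Anyone can download them and run CheckExposure, but Bob’s list of heard identifiers, and the fact that he matched, never leave his phone; this is the property the Data Blast describes as matching on the device rather than centrally.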

Zoom’s latest cybersecurity and privacy update

Video conferencing platform Zoom, on April 16th, provided a further update on how it is proactively addressing cybersecurity and privacy concerns.

Video conferencing platforms have quickly become essential tools enabling businesses and individuals to stay connected during the Covid-19 pandemic and widespread lockdown. We recently highlighted some of the privacy concerns of remote working in our previous article, including some of the concerns being raised by users of Zoom, and other video conferencing platforms.

Zoom has moved quickly to address users’ concerns and has initiated weekly privacy webinars to update users. We reported on Zoom’s first webinar here, during which the company set out its ambitious strategy for the next 90 days. On April 15th, the founder of Zoom, Eric Yuan, held a further webinar to update users on the progress made to tackle issues. Here are some of the key points from the latest webinar, and what to expect over the coming weeks and months:

Expansion of user base and external advisers

  • Zoom started the briefing by explaining how the massive expansion in its user base is unprecedented, and how it is likely that no other company has ever had to scale and support so many new users so quickly. Zoom acknowledges the challenges this presents, but is committed to addressing issues and users’ concerns.
  • Zoom has moved quickly to appoint a number of external advisers and privacy consultants. In particular, Zoom has appointed Alex Stamos, professor at Stanford University’s Center for International Security and Cooperation, and former chief security officer (CSO) at Facebook. Alex Stamos is not an employee or executive of Zoom, and was contacted directly by Zoom after he posted a series of tweets discussing the security challenges for Zoom, and how they could respond.
  • It is also reported that Zoom has engaged Lea Kissner, former Global Lead of Privacy at Google, as well as the security auditors Bishop Fox, NCC Group, and Trail of Bits.

Global data centres and routing

  • Zoom has clarified the position concerning its ‘global data centres’ and the new measures to be put in place. From April 18th, all account holders will be able to customise which data centre regions their account uses for real-time meeting traffic, via an account-, group- or user-level setting. Account holders will be able to opt out of, or opt in to, specific data centre regions. However, it will not be possible to opt out of the home region in which the account is provisioned.

Update on encryption

  • Zoom has previously acknowledged the confusion that has arisen concerning the encryption used by the platform.
  • In the short term, Zoom is upgrading the encryption of its compressed data streams from AES-256 in ECB mode to AES-256 in GCM mode. ECB encrypts each 16-byte block independently, so identical blocks of plaintext produce identical blocks of ciphertext, and it provides no integrity check; GCM is an authenticated mode that hides such patterns and rejects ciphertext that has been modified in transit.
  • In the longer term, Zoom plans to move to end-to-end (E2E) encryption similar to that used by WhatsApp. Zoom noted that, of the video platforms available, FaceTime has offered E2E encryption for the longest. However, FaceTime only allows up to 32 participants, whereas Zoom allows thousands of participants, and this creates specific challenges for E2E encryption.
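To make the ECB versus GCM point concrete, here is an added example (not Zoom’s code, and not a description of Zoom’s actual media pipeline) using only the Go standard library. The ‘stream’ is a constructed sample of one 16-byte frame repeated eight times, standing in for a static camera or a silent audio channel; the key and nonce are random and the bit flipped for the tampering check is chosen arbitrarily.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecb applies the raw AES block operation to each 16-byte block on its own.
// Go deliberately ships no ECB helper; it is assembled here to show the weakness.
func ecb(key, in []byte, decrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil || len(in)%aes.BlockSize != 0 {
		panic("ecb: bad key or unaligned input")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out
}

// repeatedBlocks counts ciphertext blocks identical to an earlier block;
// under ECB this mirrors repetition in the plaintext.
func repeatedBlocks(ct []byte) int {
	seen, n := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			n++
		}
		seen[b] = true
	}
	return n
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// Result records what each mode leaks or detects for the constructed stream.
type Result struct {
	ECBRepeats        int  // identical ciphertext blocks under ECB
	GCMRepeats        int  // identical ciphertext blocks under GCM
	ECBTamperAccepted bool // modified ECB ciphertext still decrypts silently
	GCMTamperAccepted bool // modified GCM ciphertext passes the tag check
}

func Demo() Result {
	key, nonce := make([]byte, 32), make([]byte, 12) // AES-256; 96-bit GCM nonce
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	if _, err := rand.Read(nonce); err != nil { // never reuse a nonce with a key
		panic(err)
	}
	// Constructed sample: the same frame eight times, as a static feed would produce.
	plaintext := bytes.Repeat([]byte("FRAME-0000000000"), 8)

	ecbCT := ecb(key, plaintext, false)
	gcmCT := gcm(key).Seal(nil, nonce, plaintext, nil)

	// Flip one bit in the second block of each ciphertext.
	ecbTampered := append([]byte(nil), ecbCT...)
	ecbTampered[20] ^= 0x01
	gcmTampered := append([]byte(nil), gcmCT...)
	gcmTampered[20] ^= 0x01

	// ECB: decryption completes, every untouched block comes back intact,
	// and nothing tells the receiver that the data was altered.
	ecbPT := ecb(key, ecbTampered, true)
	ecbOK := bytes.Equal(ecbPT[:16], plaintext[:16]) && bytes.Equal(ecbPT[32:], plaintext[32:])

	// GCM: Open fails on any modification of the ciphertext or its tag.
	_, err := gcm(key).Open(nil, nonce, gcmTampered, nil)

	return Result{
		ECBRepeats:        repeatedBlocks(ecbCT),
		GCMRepeats:        repeatedBlocks(gcmCT),
		ECBTamperAccepted: ecbOK,
		GCMTamperAccepted: err == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The ECB ciphertext shows seven repeated blocks, exposing the structure of the stream to anyone who can observe it, and a flipped bit is decrypted without complaint; the GCM ciphertext shows no repetition and the same flipped bit causes decryption to fail. The caveat a practitioner would add is that GCM’s guarantees depend on never reusing a nonce under the same key, which is a real engineering constraint for a system encrypting many streams at once.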

Passwords and hacking

  • It has been reported in the press that cybercriminals are attempting to sell the account credentials of around 500,000 Zoom users on the ‘dark web’. Zoom has stated that this problem affects all platforms and is difficult to deal with, and that the credentials may result from prior password breaches at other services, reused by the same users on Zoom. Zoom is building systems to check whether known breached username and password ‘pairs’ are being used on its platform. Two-factor authentication is being developed as a longer-term project.
  • Passwords are encrypted when they are stored. To increase security, Zoom has introduced new password requirements: new meeting passwords are required to be six-character alphanumeric, and meeting administrators will have the ability to define meeting password requirements. Zoom will clarify whether existing 4-digit passwords will need to be changed.

‘Zoombombing’ and the new security icon

  • Zoom has introduced a new security icon in the meeting controls, so that all ‘security options’ appear in a single place, making it easier for hosts to find and understand the options available, and to help tackle the issue of Zoombombing.
  • Using the new security feature, meeting hosts can now turn off the video of misbehaving participants (but hosts will continue to be unable to activate a participant’s video).
  • From April 19th, meeting hosts will be able to use the security icon to directly report participants to Zoom.

Use of Zoom by governments

  • Zoom has acknowledged that the governments of many countries are using the platform to hold official meetings. Zoom has confirmed that its product for government use has all ‘consumer’ features disabled, and is never routed through data centres based in mainland China.

‘Bug Bounty’ scheme

  • Zoom has stated that it will rebuild its ‘bug bounty’ scheme to help address security and privacy concerns. Such schemes are employed by all responsible tech companies: security researchers are invited to probe the product and report the vulnerabilities they find, and are rewarded for valid reports. Zoom has engaged Luta Security to administer the scheme. Luta Security is best known for establishing bug bounty schemes for Microsoft, Symantec, and the Pentagon. Zoom will investigate the reports it receives and reward researchers who help identify issues.
  • It is clear that Zoom is committed to addressing security concerns and that much progress has already been made, with many more measures expected in the weeks to follow. We will continue to monitor and report on any significant developments and guidance provided by Zoom as they proactively engage with their new global community.

For more information please contact Partner, James Tumbridge at,