8 April 2020

Zoom moves quickly to address cybersecurity and privacy concerns

Video conferencing platform Zoom has set out its plan and strategy to address privacy concerns, and it looks good.

Video conferencing platforms have quickly become essential tools enabling businesses and individuals to stay connected during the Covid-19 pandemic. As businesses embrace remote working models from necessity and at pace, privacy and cybersecurity concerns arise as people adjust their approach to work while still needing to respect the obligations imposed by law.

We recently highlighted some of the privacy concerns of remote working in our previous article. In particular, we reported on some of the concerns being raised by users of Zoom, and other video conferencing platforms.  We were pleased therefore to engage in a webinar with Zoom about their services and their responses, and this article highlights the good news.

On April 8th 2020 the founder of Zoom, Eric Yuan, held a webinar to update users of Zoom on how the company planned to tackle these issues.  Here are some of the key points from the webinar, and what Zoom plans to do to address the issues over the coming months:

Expansion of user base and privacy policy

  • The massive increase in its user base to over 200 million users worldwide in such a short period of time has taken the company by surprise. This made it a challenge for Zoom to ensure it met people’s expectations, and Zoom points out that many other video conferencing platforms are experiencing similar issues.
  • Zoom has acknowledged that it may have ‘missed things,’ ‘not educated users enough’ and ‘may not have provided enough guidance.’  They are now actively addressing this.
  • Zoom has stressed that it is looking into every issue and will engage with users and businesses in an open and transparent way.
  • In response to recent concerns, Zoom has updated its Privacy Policy to be clearer and more transparent about what data it collects and how it is used, explicitly clarifying that it does not sell users’ data.
  • Zoom has issued guidance for educational users and changed settings for educational users so that only teachers can share content in a Zoom classroom.

Global data centres

  • Zoom has clarified the position concerning its ‘global data centres.’  Zoom has explained that when a user in the U.S. tries to connect, one of Zoom’s five U.S. data centres is ‘pinged.’
  • For a limited time, if there was not a response from a U.S. data centre, routing would be via a data centre in China.  This has now been changed, and the data centres in the U.S. are ‘re-pinged’ instead.
  • Zoom has acknowledged that it should never have been an option for data centres in China to be used for users not based in mainland China.

Features & planned updates

  • Zoom has stated that it may not have adequately considered the impact of all of its features on the business community.  For example, historically the participant ‘tracking’ feature (a feature which enabled hosts to see if participants had clicked away from a Zoom screen) had been very well received by users in the training sector. However, concerns have since been raised by other sectors.  This function, as well as the LinkedIn navigator function, has now been removed from the platform in response.
  • Zoom has frozen all work on new platform features for 90 days while it focuses on addressing privacy concerns and consults with external third-party experts.
  • Zoom will eventually introduce a ‘background blurring’ feature enabling users to obscure the background of their room when using video and remote working.

Encryption and new security feature

  • Zoom has acknowledged the confusion that has arisen concerning encryption of the platform. The company has said that it will be focusing on encryption over the next 45 days, and will then update users on any changes.
  • Zoom is working on a new security feature so that all ‘security options’ will soon appear under a single tab, making it easier for users to navigate and understand the options available.

‘Zoombombing’ and Facebook incident

  • Zoom acknowledges that ‘Zoombombing’ can be a problem but it largely derives from users not controlling access.  Zoom has reiterated its advice that meeting IDs and passwords should never be shared or stored on social media.
  • Zoom has stated that it has never provided or sold sensitive personal data to Facebook or any other social media platform – only ‘device data’ was provided.

Use of Zoom by governments and healthcare providers

  • Zoom and government meetings:  Zoom has acknowledged that the governments of many countries are using the platform to hold official meetings. Zoom will be providing a more secure product for these purposes with all ‘consumer’ features disabled.
  • Zoom and healthcare: Zoom has acknowledged that many of the leading providers of telehealth services are using Zoom, and in the U.S. such use is compliant with the Health Insurance Portability and Accountability Act (HIPAA).  Zoom will continue to consider how encryption can be further improved for the delivery of telehealth.

Finally, it is understood that Zoom plans to hold weekly cybersecurity and privacy update webinars.  We will continue to monitor and report on any significant developments and guidance provided by Zoom, but these changes show how proactively they are working with their new global community.