Zoom has had the fastest rise of any technology company in 2020, but the video conferencing platform has experienced some giant growing pains. A seemingly non-stop parade of privacy and security issues has developed in the past few weeks as the company has rapidly onboarded millions of new users due to the coronavirus crisis. While all of this began with “Zoom bombing” pranks, some of the issues that have emerged since have become serious enough to spark lawsuits.
Zoom’s day(s) in court
A class action suit filed in California is accusing the company of covering up a number of the privacy and security issues that have made the news since the beginning of March. A shareholder has alleged that the company has violated federal securities laws and seeks to recover damages for anyone who invested in the company between April of last year and April of this year.
The primary focus of the suit is the misrepresentation of the use of end-to-end encryption measures to secure video conferences. Zoom was using the term “end-to-end” to describe its features in marketing materials up until the end of March. The company clarified in an April 1 blog post that data ceases to be encrypted if any participant in a meeting is using anything other than the Zoom app.
The company also verified that it is in possession of encryption keys, which are stored in its internal cloud architecture and could theoretically be used for decryption as the video passes through its servers. This piece of information was revealed prior to the company’s blog post, and there has been particular concern about it because some of the Zoom servers that generate these keys are based in China yet are encrypting sessions in other parts of the world. The Chinese government requires all companies storing user data within its borders to turn it over upon demand, including granting access to encrypted information.
Zoom faces an additional class action court filing in Sacramento, which alleges that both Facebook and LinkedIn were able to “eavesdrop” on video calls under certain circumstances. If a Zoom conference host had LinkedIn’s Sales Navigator app installed, they were able to view the LinkedIn profile information of participants even if they had not given the host access to it. Facebook had undisclosed access to the personal information of any iOS users in the conference (such as their unique advertising ID) even if those participants did not have a Facebook account.
The company may be facing further trouble from the New York Attorney General’s Office, which has formally asked Zoom to describe the security measures it has added to handle its sudden traffic boom. This is not an investigation, but a request such as this can be a precursor to one. The Connecticut Attorney General has issued a similar request.
Is Zoom addressing its privacy and security issues?
Zoom CEO Eric Yuan has publicly addressed most of the platform’s privacy and security issues, laying out a 90-day plan aimed at getting the company caught up to its sudden and explosive growth.
The company has established a cybersecurity advisory board and has brought in Alex Stamos, Facebook’s former chief security officer, as a central consultant to address its privacy and security issues.
Zoom has already made some small changes and tweaks to address specific security and privacy flaws. For example, the platform no longer shows the video conference ID number in the title bar. Numerous conference participants accidentally “doxxed” themselves in this way by posting screenshots of their conferences to social media. The company also added a “security” button to meetings that allows the host to quickly remove anyone who is “Zoom bombing” or otherwise crashing the proceedings. And the Zoom.us site indicates that the vulnerable 128-bit encryption standard that had formerly been in use has been updated to AES 256-bit TLS.
Other changes have been announced. Geo-fencing is being implemented to ensure that encryption keys generated in China are limited to meetings hosted in that country. Meeting passwords are also going to be on by default. And the company is temporarily suspending any non-security feature updates and additions as it gets the numerous privacy and security issues under control.
Though Zoom’s stock has only had a relatively slight tumble after soaring in Q1 of 2020, the company sees a proactive response as crucial to its fortunes. Numerous governments and organizations have banned Zoom due to its privacy and security issues: the United States Senate, the German Foreign Ministry, Google, NASA, Elon Musk’s SpaceX, and numerous school districts around the world, just to name some of the more high-profile examples.
These changes will help the company going forward, and in general Zoom’s response to the various privacy and security issues has been received positively. However, none of this will be of any help to the company in its existing lawsuits. It remains to be seen if more secure alternatives such as Microsoft Teams capture a significant share of the coronavirus pandemic market as a result.