author photo
By Bruce Sussman
Thu | Apr 2, 2020 | 2:31 PM PDT

It feels like the whole world is using Zoom right now for virtual meetings, videoconferencing, and digital happy hours. This tweet from @JustinMinkel sums it up:

And Zoom Founder and CEO Eric Yuan just confirmed that the world is using the platform by sharing these big data facts:

"...over 90,000 schools across 20 countries have taken us up on our offer to help children continue their education remotely.

To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid."

Year-over-year daily active user count is up 378% from where it was last March.

So the world is u-s-i-n-g Zoom.

Will it also be s-u-i-n-g Zoom as a result? Some already are.

New privacy lawsuit against Zoom

A lawsuit filed March 30, 2020, against Zoom seeks class-action status because of what it describes as Zoom's failure to keep its privacy promises to users. 

And the lawsuit says this includes violations of the California Consumer Privacy Act (CCPA).

[Related podcast: Cybersecurity & Privacy Law Strategy]

One of the key points is that Zoom allegedly violated users' privacy by sharing information with Facebook.

Here's what the lawsuit says about what was happening in the background of the Zoom app: 

"The unauthorized information is sent to Facebook, when a user installs, and each time a user opens, the Zoom App. This information includes, but is not limited to, the users' mobile OS (operating system) type and version, the device time zone, the device model and the device's unique advertising identifier.

The unique advertising identifier allows companies to target the user with advertisements. This information is sent to Facebook by Zoom regardless of whether the user has an account with Facebook."

And the lawsuit claims that the plaintiff and others were misled:

"Had Zoom informed its users that it would use inadequate security measures and permit unauthorized third-party tracking of their personal information, users like plaintiff and Class Members would not have been willing to use the Zoom App. Instead... members would have... chosen a different video conferencing product that did not send their personal information to Facebook or any other third party."

Now, attorneys in the case are asking for class-action status. 

Zoom admits privacy gaffe, makes changes

Zoom admitted in a blog post that it implemented a "Login with Facebook" feature which many platforms use as a login option. You've probably used it elsewhere because it's fast and easy to use.

Zoom claims it did not know that interface was sending "unnecessary" details to Facebook from the app, but it found out on March 25, 2020, and took action two days later:

"Our customers' privacy is incredibly important to us, and therefore we decided to remove the Facebook SDK (Software Development Kit) in our iOS client and have reconfigured the feature so that users will still be able to log in with Facebook via their browser. Users will need to update to the latest version of our application...."

That latest version has already rolled out, so you may want to update it now if you have auto-updates turned off. Zoom has since updated its            Privacy Policy.

Zoom updates confusion over end to end encryption

Zoom's CEO also took to the blog to clear up what he calls "confusion" over Zoom's supposed end-to-end encryption, which had been questioned in media reports.

It sounds like "end-to-end" may have been taking encryption claims a little too far:

"Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it."

Here is the Zoom encryption diagram:

zoom-meeting-encryption-diagram

Read more about this on the Zoom encryption blog post.

5 things Zoom is doing about cybersecurity

On top of everything else, bad actors and security researchers alike started really kicking the tires on Zoom's security. This led to Twitter posts like this one, detailing a vulnerability:

The company says it has closed this vulnerability.

Now, Zoom's CEO has suddenly announced five steps the organization is taking during the next 90 days to improve trust with customers and quickly ramp up its cybersecurity.

This includes taking all engineers who are working on new features and immediately shifting them to the following security tasks:

  • Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases
  • Preparing a transparency report that details information related to requests for data, records, or content
  • Enhancing their current bug bounty program
  • Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices
  • Engaging a series of simultaneous white box penetration tests to further identify and address issues

We can say this much: Zoom appears to be taking swift and decisive action around both cybersecurity and privacy. We'll keep watching for updates on the progress.

Do privacy laws and regulations still apply in emergencies?

With all the good that Zoom has done for so many in keeping the world connected, will it be off the hook in its class-action privacy lawsuit?

That is for the courts to decide. However, all organizations, including yours, should remain in compliance even during a worldwide pandemic.

Cyber attorney Jordan Fischer of  XPAN Law Group tells SecureWorld:

"It's important to remember that even when you're moving to remote work, even when you're dealing with these critical time periods, all of these privacy regulations are still going to be in effect and need to be complied with.

So that means that even if you're dealing with shifting data around, moving to different servers, moving to different infrastructures, you need to make sure that you're staying in compliance with the obligations that you have under these regulations."

This includes the CCPA, mentioned in the Zoom lawsuit. And it includes things like HIPAA and GDPR privacy regulations for those covered by them.

"Looking at HIPAA, we have seen the Office of Civil Rights which enforces HIPAA on behalf of the US Department of Health and Human Services, they put out a bulletin in February of 2020, specifically related to coronavirus.

I want to highlight that while they recognize that these are extreme situations, and there is some sharing of patient information that needs to be going on, the protections of the Privacy Rule are not set aside during this emergency.

Additionally, the European Data Protection Board which oversees the general data protection regulation in the European Union, also has provided some guidance around the processing of personal data in the context of the coronavirus outbreak.

I want to highlight again, and you're going to see this as a similar theme to the HIPAA context, which is that they recognize that this is a critical time. But it says even in these exceptional times, the data controller must ensure the protection of personal data."

Fischer spoke about remote work privacy and security pitfalls on our SecureWorld Remote Sessions, which is a daily security briefing. Listen to the episode here.

Lessons learned from the Zoom case

Zoom's CEO says he has learned business lessons from the coronavirus pandemic, which created things within his organization that he never expected to see.

"...our platform was built primarily for enterprise customers – large institutions with full IT support...thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment. 

However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived."

Yes, at this point in history, new use cases seem to be everywhere.

Read more here about what Zoom is doing over the next 90 days.

Tags: Privacy,
Comments