Zoom faces global scrutiny over privacy missteps as US states begin probes

Connecticut, New York, Florida and other US states are investigating whether Zoom, the videoconferencing platform that’s exploded in popularity during the Covid-19 pandemic, has violated any laws by failing to protect users’ privacy and secure its systems, the Connecticut attorney general announced today.

The states are joining regulators around the world in scrutinizing the Silicon Valley company's privacy practices after a series of recent stumbles and missteps, from so-called "Zoombombing" to accusations of unauthorized data-sharing with Facebook.

Privacy watchdogs in Hong Kong and the UK have issued advisories about using Zoom. In South Korea, government officials held an emergency meeting to discuss how Zoom’s privacy issues could affect teachers and students in particular, while in New Zealand, the prime minister’s use of the platform has become a subject of contention.

Connecticut Attorney General William Tong said today he witnessed Zoombombing firsthand when he and the state’s lieutenant governor were bombarded with racist comments during a virtual town hall about the 2020 Census.

“This is certainly a law enforcement issue writ large,” Tong said at a telephone press conference today from his home in Stamford, Connecticut. “I don’t know if I’m prepared to say whether any specific laws have been violated. We’re trying to understand what Zoom does, what its privacy practices are ... Frankly, we’re in the investigative stage, and we’ll know more as we get information from Zoom.”

Zoombombing has become so prevalent that the US Federal Bureau of Investigation this week issued a warning to users. But it’s just one of several privacy and security issues facing the California company around the globe, such as undisclosed data sharing, complaints about features that allowed users to mine data from other users without their knowledge, and misleading statements about its encryption capabilities.

Zoom, which went public in April 2019, has scrambled to address the problems and has updated its privacy policies several times to clarify its practices. Zoom Chief Executive Officer Eric Yuan announced this week that the company is deploying all its engineering resources to fix its privacy and security issues instead of developing new features.

Yuan said the company never imagined that “in a matter of weeks every person in the world would suddenly be working, studying, and socializing from home.”

But Yuan admitted “that we have fallen short of the community’s — and our own — privacy and security expectations. For that, I am deeply sorry."

Those steps, however, may do little to quell growing concern among data-protection regulators around the world.

Last month, the news site Motherboard reported that software inside Zoom’s iPhone app was sending user data to Facebook. Zoom said on March 27 it was removing the tracking software.

Soon after, Zoom users filed a proposed class action in California federal court accusing the company of illegally disclosing their personal information, and seeking damages under the state’s new consumer privacy law, the California Consumer Privacy Act.

The New York attorney general and members of the US Senate demanded an explanation.

“The millions of Americans now unexpectedly attending school, celebrating birthdays, seeking medical help, and sharing evening drinks with friends over Zoom during the Coronavirus pandemic should not have to add privacy and cybersecurity fears to their ever-growing list of worries,” US Senator Richard Blumenthal wrote in a letter March 31.

Meanwhile, US states such as Connecticut, which has been active in multistate privacy and data-security investigations of companies such as Google, Equifax and Facebook, are coordinating their investigation into Zoom “on the fly,” Tong said. “This is obviously a fast-moving situation,” he said.

Both Tong and Lt. Governor Susan Bysiewicz said they were upset Zoom allowed “hundreds” of racist comments to be posted on their Zoom video chat Tuesday as the two Connecticut officials discussed the state’s Census response rate.

"I’ve never been Zoombombed before,” Tong said, noting that the comments scrolling along the side of the video conference image during the Census meeting “by and large seemed to be quite racist, using the most hateful language, bigoted, profane, pornographic, and it was very disturbing.”

Bysiewicz said several other Zoom public meetings held by the Connecticut towns of Cromwell and Middletown have been similarly disrupted, and she has directed her staff to procure video conference services that are more secure. She also said she's asked the US attorney for Connecticut, John Durham, to investigate.

“I think we have to be very careful about the kind of virtual meeting service that our state ends up purchasing, based on our experience this week,” Bysiewicz said.

Bysiewicz said her message to Zoom and other video chat companies is to “please secure your software so it is safe for people to use, both for public business and for private sector business.”

Data-protection regulators in others countries, such as Hong Kong’s data-protection authority (see here), have said they are also taking a closer look at Zoom’s practices, and are warning companies and individuals to be particularly vigilant about their privacy settings on Zoom.

The UK Information Commissioner's Office also urged caution for Zoom users and said “at this stage, we are considering various concerns that have been raised regarding video conferencing apps.”

Officials with the Irish Data Protection Commission told MLex they are speaking to other privacy regulators in Europe to find out whether they are receiving complaints about Zoom or have concerns.

In South Korea, the central government held an urgent meeting Thursday about Zoom’s privacy and security concerns, MLex has learned. The meeting was attended by officials from the Ministry of Science and ICT, which deals with cybersecurity threats, the Korea Communications Commission, which deals with privacy concerns, and the Ministry of Education, because schools are using Zoom during the pandemic.

The Science Ministry is drafting guidelines outlining security measures that Zoom users, especially teachers who are holding classes online, can follow.

In New Zealand, the use of Zoom has turned into a political battle, with Prime Minister Jacinda Ardern facing criticism from the opposition center-right New Zealand National Party for using the platform to conduct meetings.

In a recent statement, national Government Communications Security Bureau and Security Intelligence Service spokesman Gerry Brownlee said Ardern has "serious questions to answer about why she is using the video conferencing system Zoom for [non-public government] meetings."

Brownlee went on to criticize Ardern for using Zoom despite having been advised of security issues with the platform.

According to local media, Ardern has said the platform has been vetted by security agencies and that conversations that fall below a "secret" or "top secret" level, are permitted to go ahead via Zoom.

A four-page guidance note from New Zealand’s Government Communications Security Bureau and addressed to public servants says that “under no circumstances should Zoom be used" for "information classified above restricted.”

The government advice applies to Covid-19 alert levels 3 or 4. New Zealand is currently operating under a level 4 alert status.

The bureau said it has relaxed usual security and accreditation processes for video conferencing during the 3 and 4 alert levels, but that agencies seeking to continue to use Zoom once alert levels fall would need to carry out standard accreditation.

Any organization that previously used Microsoft Teams or Skype for Business for videoconferencing is advised to continue using those platforms instead of Zoom, the bureau said.

If Zoom is used, the bureau has advised users to employ the desktop application or in-browser function from a laptop or mobile device. The Zoom mobile app “should be avoided if at all possible,” according to the guidelines, because of reports of user tracking on mobile applications “and a permissive privacy policy.”

In Australia, the government’s cybersecurity agency doesn’t comment on individual platforms, but has released guidance on teleconferencing setups and cybersecurity.

The head of the Australian Cyber Security Centre, Abigail Bradshaw, said “in deciding on a platform for teleconferencing, close attention should be paid to whether a service provider claims ownership of any recorded conversations and content, metadata, or files that are created or shared when using their web conferencing solution.”

Australia’s privacy watchdog wasn't immediately available for comment.