Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Problems

Zoom has reached an agreement with the New York Attorney General’s office and has committed to implementing better privacy and security controls for its teleconferencing platform. New York Attorney General Letitia James started an investigation into Zoom after experts discovered several privacy and security concerns with Zoom earlier this year.

Zoom has become one of the most popular teleconferencing programs during the COVID-19 crisis. In March, over 200 million people were taking part in Zoom meetings, with usership increasing by 2,000% in the space of only three months. As more people used the platform more often, problems in the system began to appear.

Meeting participants began to report incidents of uninvited individuals joining and disrupting private meetings. In many of these “Zoombombing” attacks, meeting participants were racially abused and harassed based on religion and sexuality. There were also a number of documented instances of uninvited people joining meetings and showing pornographic images.

Security experts then began discovering privacy and security problems with the platform. Zoom stated on its website that Zoom meetings were protected with end-to-end encryption; however, it was found that Zoom had used AES 128-bit encryption instead of AES 256-bit encryption, and so its end-to-end encryption claim was untrue. Zoom was also found to have issued encryption keys via data centers in China, even when meetings were taking place between end users in the U.S.A.

Zoom used Facebook’s SDK for iOS to allow users of the iOS mobile application to sign in via Facebook, which suggested that Facebook was supplied with technical information about users’ devices whenever they launched the Zoom application. While Zoom did say in its privacy policy that third-party apps may collect details about users, information was found to have been transferred to Facebook even if users had not used the Facebook login with Zoom. There were also privacy problems connected with the LinkedIn Sales Navigator feature, which allowed meeting participants to see the LinkedIn information of other meeting attendees, even if they had taken steps to stay anonymous by using pseudonyms. The Company Directory feature of the program was found to violate the privacy of certain users by leaking personal details to other users when they had a similar email domain.

Zoom responded immediately to the privacy and security problems and fixed most within a couple of days of discovery. The company also announced that it was halting all improvement work to focus on privacy and security. Zoom likewise established a CISO Council and Advisory Board to focus on privacy and security, and recently announced that it has acquired the start-up company Keybase, which is going to help implement end-to-end encryption for Zoom meetings.

Under the terms of the agreement with the New York Attorney General’s office, Zoom agreed to implement a comprehensive information security program to make sure its users are protected. The program is going to be overseen by Zoom’s head of security. The company has also agreed to conduct a complete security risk assessment and code review and will resolve all identified security problems with the platform. Privacy controls will also be implemented to protect free accounts, such as those used by schools.

Under the terms of the settlement, Zoom is to continue to evaluate privacy and security and implement more protections to give its users better control of their privacy. Action is also to be taken to control abusive activity on the platform.