In adapting to the restrictions imposed during the COVID-19 pandemic, workplaces have been relying on Zoom Video Communications’ (Zoom) videoconferencing technology which has enabled people working from home to connect with colleagues and the public. However, as Zoom’s popularity increases, workplaces should consider whether Zoom is the appropriate forum to hold private and confidential workplace discussions. This article discusses Zoom’s existing privacy and security practices and whether they are sufficient to adapt to the recent and sudden surge in volume and sensitivity of data across the network. In particular, the article discusses:
- Zoom’s Privacy Policy and its gaps,
- Zoom’s Privacy Risks, and
- Strategies for protecting private and confidential information.
Zoom’s Privacy Policy
How Zoom uses personal data
Zoom’s Privacy Policy emphasises that they do not allow marketing companies, advertisers or similar companies to access personal data in exchange for payment[i]. However, Zoom’s Privacy Policy also states that Zoom uses certain advertising tools on their marketing sites which send personal data to tool providers such as Google, unless users have opted-out by changing their Cookie Preferences.
This functionality was recently exposed when Zoom was required to update their software after users reported that software inside the Zoom iPhone application was sending user’s personal data to Facebook, regardless of whether the user has an account with Facebook[ii].
Zoom collects technical information about a user’s device and network connection including IP addresses, user’s approximate location and metadata. Some of the reasons Zoom collects this information includes: to enable them to respond to user’s requests for support, monitor performance of data networks and to conduct anonymised, aggregated analytics to improve Zoom’s service performance[iii]. However, until Zoom further inform users on the specifics about how they will safeguard user’s data, the entities to which Zoom provides consumer data and the countries in which these entities are located, workplaces should avoid holding confidential discussions on the platform.
Monitoring and Storing Meetings
Zoom’s Privacy policy states that Zoom does not monitor meetings nor do they store a meeting, unless they are requested to record and store the meeting by the meeting host[iv]. Zoom alerts participants via both audio and video when they join meetings if the host is recording a meeting, and the participants have the option to leave the meeting[v].
When a meeting is recorded, it is, at the host’s choice, stored either locally on the host’s machine or in the Zoom cloud[vi]. Zoom insists they have robust and validated access controls to prevent unauthorised access to meeting recordings saved to the Zoom cloud[vii]. However, again, until Zoom further informs users on the specifics about how they will safeguard user’s data, workplaces should avoid holding confidential discussions on the platform.
Despite this, Zoom does store user chat logs[viii]. Although this enables users to review and search their chat history, it would be prudent for workplaces holding confidential discussions to use other forms of communication.
Privacy Risks using Zoom
Can hackers take over webcams using Zoom?
In July 2019, security researcher Jonathan Leischuh disclosed that Zoom would allow someone to turn on another person’s Mac webcam and force that person to join a Zoom call[ix]. This affects not only those with Zoom installed on their Mac but also those who ever had Zoom installed on their Mac. The vulnerability would allow a malicious person to repeatedly barrage the user to join an invalid call and lock up their computer[x].
Zoom addressed the problem after the Electronic Privacy Information Centre, a public interest research centre, filed a complaint about Zoom with the Federal Trade Commission last year[xi]. Nonetheless, until Zoom provide details about the changes the company put in place to prevent hackers from accessing Zoom webcams, workplaces should avoid holding confidential discussions on the platform[xii].
Screen-sharing and public events
Workplaces who wish to hold public events on Zoom should be prepared for online trolls who are increasingly exploiting Zoom’s privacy settings[xiii]. Links to public Zoom meetings are easily accessible on Facebook groups, Twitter and other public event pages meaning it is possible for “zoombombers” to disrupt an event.
“Zoombombers” are jumping into public Zoom meetings and screening graphic content to conference participants by using the platform’s screen-sharing feature, forcing hosts to shut down their events[xiv]. The screen-sharing feature is a default feature which allows any meeting participant to share their video, screen and audio without permission from the event’s host[xv]. However, under the settings tab in Zoom accounts, event hosts can control how users communicate on the platform by allowing only hosts to share their screen or content during meetings[xvi].
Under Zoom’s Terms of Service, users agree not to use the platform to communicate material that is harassing, libellous, threatening, obscene, indecent or would violate intellectual property rights[xvii].
As traffic surges on Zoom during the pandemic, Zoom is under pressure to address these security vulnerabilities that could enable malicious third parties to gain surreptitious access to consumer webcams. At present, their approach has been reactive, scrambling to address such data privacy and security problems.
Managing participants
Hosts holding public workplace meetings should establish a two-factor authentication to further prevent unwanted guests and content from disrupting their meetings[xviii]. Hosts can require customised passwords to be entered before a user enters the meeting[xix]. This enables businesses to share a meeting link publicly, but provide the password to only those who register for an event. However, this feature does not prevent workers from sending a link to someone who might have malicious intentions.
In addition to customised passwords, hosts have control over the following features:
- Muting participants[xx];
- Stop a participant’s video[xxi];
- Lock the meeting to prevent anyone new from joining a meeting that has begun[xxii];
- Restrict participants who can join a meeting to those who are logged into Zoom, or even restrict it to Zoom users who’s email address uses a certain domain[xxiii].
Further, public meetings held by workplaces should not be created with a user’s Personal meeting ID[xxiv]. A user’s Personal Meeting Room is a virtual meeting room permanently reserved for the user that the user can access with their PMI. A user’s Personal Meeting Room should only be used with people a user meets with regularly. Once a participant has the link to a user’s PMI, they can join it at any time the meeting room is in use, unless the user locks the meeting or uses the Waiting Room feature[xxv].
Waiting Room
The Waiting Room feature on Zoom allows a host to control when a participant joins a meeting[xxvi]. The feature allows a host to admit attendees one by one or hold all attendees in the waiting room and admit them all at once. Further, not all participants must wait to be admitted. The host can either send all participants to the waiting room when joining a meeting or only guests, participants who are not on the host’s Zoom account or are not signed in. Through this feature, users can protect their privacy by controlling who enters meetings.
Strategies for protecting private and confidential information
- Workplaces should not use Zoom to discuss content which is confidential and sensitive without first ensuring that appropriate security configurations and/or encryption are implemented,
- Ensure that your staff have technical knowledge of features and functionality on Zoom, in respect of privacy and security settings on Zoom, so that those are implemented before each Zoom conference session,
- Understand what type of data including personal information is collected and managed by Zoom and who is authorised to access this information,
- Provide staff with appropriate training in relation to which discussions are appropriate on videoconferencing platforms,
- Implement and update appropriate security measures for the protection of confidential information/data, including controls such as encryption and password protection,
- Keep up to date in relation to any further security breaches on videoconferencing platforms. Useful resources for updates include:
-
- Stay Smart Online – an online alert service which provides alerts on the latest threats and information on how to reduce the risk of cyber threats
- ACCC Scam watch
- Australian Cyber Security Centre (ACSC)
- Australian Cybercrime Online Reporting Network (Acorn).
Disclaimer: This article is not intended to replace obtaining legal advice.
Authored by Peter Divitcos, 21 April 2020
© Copyright April 2020 — Stephens Lawyers & Consultants
For Further Information contact:
Peter Divitcos
Assistant to Principal
Stephens Lawyers & Consultants
Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: [email protected]
Website: www.stephens.com.au
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
[i] Zoom Video Communications, ‘Privacy Policy’, 29 March 2020, https://zoom.us/privacy.
[ii] Joseph Cox, ‘Zoom Removes Code that Sends Data to Facebook’ 28 March 2020, VICE, https://www.vice.com/en_us/article/z3b745/zoom-removes-code-that-sends-data-to-facebook.
[iii] Zoom Video Communications, ‘Privacy Policy’, 29 March 2020, https://zoom.us/privacy.
[iv] Ibid.
[v] Ibid.
[vi] Ibid.
[vii] Ibid.
[viii] Ibid.
[ix] Emily Stewart, ‘Hackers can hijack your Mac webcam with Zoom. Here’s how to prevent it.’ 11 July 2019, Vox, https://www.vox.com/recode/2019/7/9/20687689/zoom-mac-vulnerability-medium-jonathan-leitschuh-camera.
[x] Ibid.
[xi] The Electronic Privacy Information Center, Complaint, Request for Investigation, Injunction and Other Relief, 11 July 2019 https://epic.org/privacy/zoom/EPIC-FTC-Complaint-In-re-Zoom-7-19.pdf.
[xii] See Danny Hakim and Natasha Singer, ‘New York Attorney General Looks Into Zoom’s Privacy Practices’, 30 March 2020, The New York Times, https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html.
[xiii] Alex Hern, ‘Trolls exploit Zoom privacy settings as app gains popularity’ 27 March 2020, The Guardian, https://www.theguardian.com/technology/2020/mar/27/trolls-zoom-privacy-settings-covid-19-lockdown.
[xiv] Ibid.
[xv] Zoom Video Communications, ‘Sharing your screen’, https://support.zoom.us/hc/en-us/articles/201362153-Sharing-your-screen.
[xvi] Zoom Video Communications, ‘Managing participants in a meeting’, https://support.zoom.us/hc/en-us/articles/115005759423.
[xvii] Zoom Video Communications, ‘Terms of Service’, 27 March 2020, https://zoom.us/terms.
[xviii] Zoom Video Communications, ‘Setting up and using two-factor authentication’, https://support.zoom.us/hc/en-us/articles/360038247071-Setting-up-and-using-two-factor-authentication.
[xix] Zoom Video Communications, ‘Meeting and Webinar Passwords’, https://support.zoom.us/hc/en-us/articles/360033559832-Meeting-and-Webinar-Passwords-.
[xx] Zoom Video Communications, ‘Managing participants in a meeting’, https://support.zoom.us/hc/en-us/articles/115005759423.
[xxi] Ibid.
[xxii] Ibid.
[xxiii] Zoom Video Communications, ‘Authentication Profiles for Meetings and Webinars’, https://support.zoom.us/hc/en-us/articles/360037117472-Authentication-Profiles-for-Meetings-and-Webinars.
[xxiv] Zoom Video Communications, ‘Personal meeting ID (PMI) and personal link’, https://support.zoom.us/hc/en-us/articles/201362843-Personal-meeting-ID-PMI-and-personal-link.
[xxv] Ibid.
[xxvi] Zoom Video Communications, ‘Waiting Room’, https://support.zoom.us/hc/en-us/articles/115000332726-Waiting-Room.