Zoom’s Recent Headlines Illustrate Why Privacy and Security are a Critical Element in Product Design

Friday, April 10, 2020

As a result of the recent crisis, Zoom became the “go to” video-conferencing platform.  Employees spread across the country began using Zoom to keep in constant communication.  Fitness instructors began hosting fitness classes online.  Teachers hosted meetings to interact with their students.  Parents hosted play dates for their secluded children.  And Zoom was even being used to host “happy hour” sessions allowing isolated adults to socialize over a remote drink. 

Eric Yuan – the founder of Zoom – recently explained that Zoom’s usage had ballooned during the recent crisis to over 200 million daily meeting participants.  This is a meteoric rise in usage from the 10 million daily meeting participants Zoom was handling just last December.  But Zoom’s explosive growth has taken a devastating detour over the past several weeks.   

Zoom’s Privacy and Security Troubles Keep Growing

Indeed, as I posted here last week, Zoom’s increased usage has uncovered numerous security and privacy issues.   Just one issue – now popularly referred to as "Zoombombing" – involves unwanted or non-invited guests breaking into and hijacking a meeting.  While most documented cases of Zoombombing involve malicious actors invading meetings to spout profanities or racial slurs, the larger concern is the possibility of a hijacker quietly eavesdropping on private meetings to acquire confidential business information.

While Zoombombing has become the flashiest of the reported issues, there are additional, and possibly, more troubling issues.  Just a few of the additionally reported security and privacy issues include:

  • The cybersecurity firm Sixgill recently discovered an actor in a popular dark web forum had posted a link to a collection of 352 compromised Zoom accounts. As reported by Yahoo Finance the links found by Sixgill included email addresses, passwords, meeting IDs, host keys and names, and the type of Zoom account. Sixgill also reported that most were personal accounts.
  • A former NSA researcher told the Washington Post that he discovered thousands of private Zoom recordings stored in Amazon Web Services S3 buckets without passwords. It has been reported that searches have revealed over 15,000 separate recordings – some containing highly sensitive information.
  • Lastly, Zoom has been reported as having shared data about Zoom users to Facebook – without the user’s permission or approval. Allegedly, the Zoom app notified Facebook when a user opened the app, details on the user's device such as the model, the time zone and city the user connecting from, details about the user’s phone carrier, and a unique advertiser identifier created by the user's device which companies can use to target a user with advertisements.

Just last week the FBI even issued a warning related to many of Zoom's privacy and security issues.  And as the issues have increased, Zoom has begun to "freeze" many features until corrective measures can be taken.  

Zoom’s Legal and Regulatory Troubles

Zoom's privacy and security issues have now resulted in multiple class-action lawsuits being filed based on the California Consumer Privacy Act (“CCPA”).  These lawsuits will be interesting to watch because the allegations are based on the unauthorized disclosure of personal information – not an alleged data breach or theft of personal information.  So, these lawsuits will likely be the first to test whether an unauthorized “disclosure” is actionable under the CCPA.  These lawsuits will also be interesting to watch because Zoom has announced it is working to correct the issues that have been identified the last several weeks.  Zooms corrective measures will therefore also test the CCPA’s 30-day cure period which could nullify these class-action lawsuits.

Outside of the CCPA, Zoom has also been hit with a class-action lawsuit by Michael Drieu - a Zoom shareholder.  The lawsuit alleges Zoom of having “inadequate data privacy and security measures” and that Zoom falsely claimed that the service was end-to-end encrypted.  Drieu accuses Zoom of overselling its privacy standards.  Drieu also alleges that Zoom’s privacy and security deficiencies have negatively affected its stock price.

Aside from the private right of actions, investigations have also been commenced by the Connecticut and Florida attorney generals.  There has also been increased pressure for the FTC to begin an investigation relating to Zoom's privacy and security. If an investigation is instituted, the FTC could subject Zoom to any number of regulatory and monetary penalties.  The FTC has increased the severity of the penalties against companies with privacy and security issues.  Indeed, just last year the FTC issued a $5 billion penalty against Facebook for repeated privacy and security issues.

Zoom is Now Working to Shore Up its Privacy and Security Issues

In an April 8th post, Eric Yuan outlined Zoom’s 90-plan for corrective measures being taken. Mr. Yuan announced that Zoom had officially formed a CISO Council and Advisory Board that will include security leaders from across varying  industries.  Mr. Yuan also announced that Alex Stamos had joined Zoom as an outside advisor to assist with the comprehensive security review of Zoom’s platform.  Mr. Yuan’s recent post therefore indicates that Zoom will now review and correct any alleged security and privacy issues. 

While the pending lawsuits and investigations unfold, Zoom's problems should serve as a warning.  Specifically, companies should be actively reviewing or developing sound privacy and cybersecurity policies for all current and future products.  These policies should not only encompass how a product handles all forms of information acquired from a customer, but the policies should also be developed at the earliest stages of product design.  Incorporating security and privacy at the onset of product design might not seem “sexy,” but the resulting product would be more secure for the end-customer.  Failing to incorporate such policies at the onset could, alternatively, result in years of engineering work on a company's core product offering being undone by security and privacy issues.