NY AG and Zoom Come To An Agreement on Security, Privacy

New York Attorney General Letitia James announced an agreement with Zoom for security protections for its users. The agreement calls for new security measures to “support and protect consumers, students, schools, governments, religious institutions, and private companies using the application for work, education, prayer, and socializing.” The agreement comes in light of Zoom’s growing popularity during the COVID-19 pandemic.

Zoom went from having 10 million meeting participants per day in January to nearly 300 million meeting participants per day by the end of April. As a result of this surge in popularity, “Zoom had a sudden surge in both the volume and sensitivity of data being passed through its network, but the exponential increase in users also exposed security flaws and vulnerabilities in Zoom’s platform and software, and a lack of privacy protections.” For example, users were being “Zoombombed,” where an uninvited participant disrupts a meeting. AG James began an investigation into Zoom and its privacy and security practices.

“Our lives have inexorably changed over the past two months, and while Zoom has provided an invaluable service, it unacceptably did so without critical security protections,” Attorney General James said. “This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call. As the coronavirus continues to spread across New York State and this nation and we become more accustomed to our new normal, my office will continue to do everything in its power to help our state’s residents and give them every tool to continue living their lives.”

It was revealed that Zoom was not end-to-end encrypted, despite advertising that it was, and some users’ personal information was leaked. Users’ information was also shared with Facebook without their permission, resulting in numerous lawsuits. The agreement that followed the investigation is intended to ensure that Zoom complies with its terms, with sound privacy and security practices, and with state and federal laws.

In the agreement, Zoom “has agreed to implement and maintain a comprehensive data security program to protect all users that will be designed and run by the company’s Head of Security. Zoom will also conduct risk assessment and software code reviews to ensure that the company’s software does not have vulnerabilities that would allow hackers to exploit users’ information.” Zoom will take measures to protect users’ information and keep it safe from hackers. Zoom will also be upgrading its encryption methods, and it will operate a software vulnerability management program to test for weaknesses.

Zoom has also agreed to provide enhanced privacy controls. For example, hosts by default will “be able to control access to their video conferences by requiring a password or the placement of users in a digital waiting room before a meeting can be accessed.” Hosts can also control access to messages in Zoom’s chat feature and to email domains in Zoom’s directory, decide who can share their screens, and limit meeting participants based on certain criteria. Zoom will also stop sharing data with Facebook and stop its LinkedIn integration, which also generated complaints. Zoom will provide its annual data security report to the Attorney General.

Zoom additionally agreed to protect users from abuse. Zoom will maintain its procedure for users to report Zoom policy violations. Zoom will also update its Acceptable Use Policy, and it has agreed to investigate reported misconduct and take appropriate action in a timely manner.

In addition to the lawsuits filed by users over security and privacy complaints, the SEC sued Zoom last month.