
Zoom’s privacy practices questioned by New York Attorney General

Consumers need to know exactly what data they’re letting platforms see and use

As the spread of COVID-19 forced the world to start hunkering down from home and using technology like videoconferencing to hold virtual meetings, religious services, and family get-togethers, remote conferencing service Zoom has taken off like a rocket. In Italy alone, during the peak week of its crisis, the Zoom app was downloaded more than a half-million times.

Getting lots of love is welcome at any technology company, but Zoom’s rise has created a lift-the-covers look-see from New York Attorney General Letitia James, who wants to make sure the company’s data privacy and security practices are up to snuff.

According to the New York Times, the Attorney General’s office sent Zoom a letter pointedly asking what, if any, new security measures the company has put in place to handle increased traffic on its network and to detect hackers.

Who’s zooming who?

While the Attorney General says her office regards Zoom as “an essential and valuable communications platform,” her letter details several concerns. James suggests that the company has slacked on its efforts to address security flaws such as vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams” -- a novelty some refer to as “Zoombombing.” 

Unfortunately, this novelty is anything but fun. It has allowed mavericks to take advantage of a Zoom screen-sharing feature to hijack meetings and butt in on educational teleconferences and Sunday School group meetings. Some hackers have even gone so far as posting white supremacist messages while a webinar on anti-Semitism was going on. 

Someone bringing up the subject of security flaws is nothing new to Zoom. In July 2019, security research company Check Point Research notified Zoom that it had detected a flaw in the company’s system that “allowed a threat actor to potentially identify and join active meetings” by using randomly generated meeting IDs. When Check Point tested out the hackers’ method, it was able to successfully mimic that break-in technique roughly 4 percent of the time.

In response, Zoom made changes to keep those bad actors from joining meetings at will, building in a trigger that blocks a device for a period of time if it repeatedly attempts to scan for meeting IDs.

Zoom updates its privacy policy

ConsumerAffairs thought it might be interesting to compare Zoom’s privacy policy as of March 29 -- about the time the company should have received the AG’s letter -- with how it framed that policy a week or so before (March 18, 2020). What we found indicates that Zoom has taken a much harder look at how it articulates what its users should expect when it comes to privacy and what uses the company allows for itself.

To its credit, Zoom made its policy easier to understand and more straightforward. For example, it did away with the whitewashing of how it went about data collection and scrapped gauzy phrases like: “We use this information to offer and improve our services, trouble shoot, and to improve our marketing efforts.” 

One big change that ConsumerAffairs found to be more consumer-friendly was dispensing with the laundry list of bullet points and paragraphs detailing its privacy policy and going with a table where the company laid out a far more understandable portrayal of what data it collects, examples, and how it uses that information. You can find the company’s revamped privacy policy on its website.
