Until recently, the only people who utilized the video conferencing app Zoom were people who worked in the tech industry. However, with the rise of work-at-home arrangements during the COVID-19 pandemic, first-time installations of Zoom’s mobile app have skyrocketed 728% since March 2, 2020. In the hopes of going remote efficiently and arranging virtual meetings, many companies have chosen the Zoom app over other platforms. However, significant security and privacy concerns began coming to the surface. Privacy experts have even called Zoom “a bucket of red flags.”
The platform’s data collection policies are concerning since Zoom shares the personal data of its users with third parties for business purposes, whatever that may be. Consumer Reports indicated that instant messages or videos could be used to target advertising campaigns or develop a facial recognition algorithm. This may be especially threatening for individuals who use Zoom to communicate extremely confidential information, such as that shared between corporate management or in therapy sessions. Citizen Lab’s findings also discouraged the use of Zoom in cases where strong confidentiality is required, including “governments worried about espionage; businesses concerned about cybercrime and industrial espionage; healthcare providers handling sensitive patient information; and activists, lawyers and journalists working on sensitive topics”. The company also had a feature that exposed individuals’ personal information to others, and it did not have appropriate end-to-end encryption on its data, meaning Zoom itself has access to the data that flows between users. Due to these serious concerns, multiple organizations, such as SpaceX, NASA, the United States Senate, Google, the German Foreign Ministry and the Taiwanese government, have banned their employees from using Zoom.
Moreover, Zoom has been hit by several lawsuits, which damaged the company’s reputation. Subsequently, consumers and investors started losing trust, which resulted in the company’s stock price falling 28% since the end of March. Zoom is facing a lawsuit by an investor who claimed that the company had violated securities law regulations by failing to disclose known problems with its software encryption and privacy, leading to damaged share value. Zoom faces an additional class action court filing in the US after it was found that Facebook and LinkedIn were able to snoop on video calls under certain circumstances.
Due to all the ongoing and upcoming litigation and public outcry, the CEO of Zoom, Eric Yuan, has publicly addressed Zoom’s privacy and security issues. Yuan has stated, “you know, lesson learned” and promised to double down on privacy and security. Not only did Zoom institute a 90-day plan aimed at improving the areas of concern that were brought forward, but the company also established a cybersecurity advisory board where Facebook’s former chief security officer Alex Stamos was hired to be a central consultant. The company has also improved its previously outdated 128-bit encryption standard to AES 256-bit TLS to provide better cybersecurity protection to its users. However, whether these privacy and cybersecurity improvements would be sufficient to comply with privacy legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA) or the General Data Protection Regulation (GDPR), is another story.
An expert has stated that Zoom’s privacy policies would get a C- for their transparency and accountability standards according to the European GDPR standards. Moreover, the Canadian PIPEDA requires meaningful consent to collect user-disclosed information according to the identified purposes, and that information must be appropriately safeguarded. Zoom may not sufficiently meet these standards, as users are required to passively accept the collection of their personal data if they are required to use the program for an interview, for example. The terms for identified purposes for data collection are vague in Zoom’s privacy policies. The drastic effect of the privacy concerns demonstrates the importance of cybersecurity measures, not only for commercial success, but also for legal compliance and the public’s trust in the company.
Written by Elif Babaoglu, who is a contributing IPilogue Editor and the Co-Director of Events of the Osgoode Privacy Law Society.