Gloom, Doom, and Zoom:  Privacy, Security, and Hindsight

Privacy Plus+

Privacy, Technology and Perspective

Gloom, Doom, and Zoom:  Privacy, Security, and Hindsight.  This week, we pick up on our previous post regarding the privacy and security risks associated with videoconferencing, which you can read by clicking on this link:

https://www.hoschmorris.com/privacy-plus-news/videoconferening-privacy-security

Skype™, Microsoft Teams™, Facetime™ and WebEx™ are all prominent videoconferencing technologies.  Chances are that you have also heard of Zoom™ because it is exploding in popularity for schools, business groups and courts – reportedly up from 10 million to over 200 million users.

But Zoom is facing scrutiny for both its privacy and security practices. 

Regarding Zoom’s privacy practices, on Thursday, March 26th, Motherboard reported that Zoom’s iOS version of its app was sending analytics data to Facebook without people knowing it.  The Motherboard articles may be found by clicking the following links:

https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account

https://www.vice.com/en_us/article/z3b745/zoom-removes-code-that-sends-data-to-facebook

Zoom then updated its Privacy Notice on March 29, 2020 to state it does “sell” personal information within the definition of the California Consumer Protection Act:

Does Zoom sell Personal Data?

We do not sell your data.

We do not allow marketing companies, advertisers or similar companies to access personal data in exchange for payment. We do not allow third parties to use any personal data obtained from us for their own purposes, unless you consent (e.g., when you download an app from the Marketplace). Our customers may use the webinar service to generate their own marketing leads and they may provide marketing information to you. When you register for a webinar, you provide your data to the host of the webinar, and if required, any consent that you give about your data would be to them, as well.  Zoom may keep the data about the registration in our system in order to facilitate the webinar, but Zoom does not use or share that data other than to provide the services. A customer may also charge for their webinars. Again, that transaction is between the host and participant of the webinar. Zoom is not selling any data.

As described in the Zoom marketing sites section, Zoom does use certain standard advertising tools on our marketing sites which, provided you have allowed it in your cookie preferences, sends personal data to the tool providers, such as Google. This is not a “sale” of your data in the sense that most of us use the word sale. However, California’s CCPA law has a very broad definition of “sale”. Under that definition, when Zoom uses the tools to send the personal data to the third-party tool providers, it may be considered a “sale”. It is important to know that advertising programs have always worked this way and we have not changed the way we use these tools. It is only with the recent developments in data privacy laws that such activities may fall within the definition of a “sale”.

Because of CCPA’s broad definition, as is the case with many providers since the CCPA became law, we provide a “Do Not Sell My Personal Information” link at the bottom of our marketing sites. You can use this link to change your Cookie Preferences and opt out of the use of these advertising tools. If you opt out, Personal Data that was used by these tools will no longer be shared with third parties in a way that constitutes a “sale” under CCPA.

Zoom’s Privacy Notice may be found by clicking the following link:  

https://zoom.us/privacy

Note that on April 3rd, we scanned Zoom’s website, and found that Zoom appears to have made a number of functional changes at the end of March, presumably aimed at easing privacy issues associated with certain third-party technologies.

Specifically, at the end of March, Zoom appears to have eliminated a number of third-party advertising technologies (Google Remarketing, LinkedIn Ads, Google Floodlight Sales, Google Floodlight Counter, Beeswax, Openads/OpenX, and LinkShare) as well as some Facebook technologies (Facebook Signal, Facebook Pixel, Facebook Conversion Tracking, Workplace by Facebook, Facebook SDK, and Facebook Custom Audiences).  However, Zoom appears to still use Doubleclick Ads and certain Facebook features (Facebook Domain Insights, Facebook Sharer, Facebook Domain Verification; and Facebook for Websites).  While it is unclear whether or not Zoom understands the technologies that it relies on (many platforms do not), what is clear is that its updated Privacy Notice still does not expressly reference Facebook. 

Zoom’s privacy practices have attracted the attention of both New York’s and Connecticut’s Attorneys General.  Each has written Zoom asking for more and better particulars about its privacy and security practices with respect to businesses, individuals, and schools/children.  Links to articles about their inquiries follow:

https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html

https://www.reuters.com/article/us-zoom-video-commn-privacy/two-u-s-state-ags-seek-info-on-zooms-privacy-practices-idUSKBN21L2D0

Meanwhile, security is also a significant Zoom concern. On March 30th, the FBI’s Boston division issued a warning about Zoom, and particularly teleconferencing and online classroom hijacking, which you can read by clicking on the following link:

https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic

The warning describes “Zoom-bombing,” and especially how the “FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language” in connection with Zoom.  It suggests the following steps to mitigate teleconference hijacking threats:

  • Use Access Controls: In Zoom, require a meeting password or use the waiting room feature, and control the admittance of guests.

  • Don’t share links: Provide the links to a teleconference or classroom directly to specific people; do not share them on social media.

  • Limit screensharing options: In Zoom, change screensharing to “Host Only.”

  • Update your software: Ensure users are using the updated version of remote access/meeting applications.

  • Ensure your organization has appropriate policies: Ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

But Tom’s Guide reports a variety of other Zoom security problems that have arisen and been fixed, from password stealing to malware injections and more – with a note that when Zoom professes to have “end to end encryption,” it actually means “from Zoom end point to Zoom end point,” and not the whole length of the transmission—meaning communications over Zoom are not fully encrypted.  A link to this article follows: 

https://www.tomsguide.com/news/zoom-security-privacy-woes

All of these issues paint a picture of a nice platform that has suddenly been thrust into glaring public view, attracting the corresponding but unwelcome attention of every digital low-life imaginable, and trying to fix the problems as fast as it can.  Zoom’s CEO has just announced a 90-day “feature freeze” while it concentrates on fixing any remaining security/privacy problems:

https://www.theverge.com/2020/4/2/21204018/zoom-security-privacy-feature-freeze-200-million-daily-users

With this much attention on Zoom, this story is likely to evolve several times a day for a while. 

Meanwhile, if you’re about to discuss highly confidential and sensitive material, think hard before you talk about it on a videoconference.  And if your organization has not done its diligence in selecting a videoconferencing provider, as well as developing policies in and around videoconferencing, now is the time to reevaluate.

Update, April 7, 2020: Wired Magazine has posted a great article that has suggestions for securing your Zoom conferences. A link is available here:

https://www.wired.com/story/keep-zoom-chats-private-secure/?bxid=5cec25b73f92a45b30ec8731&cndid=57090856&esrc=sign-up-page&source=EDT_WIR_NEWSLETTER_0_DAILY_ZZ&utm_brand=wired&utm_campaign=aud-dev&utm_mailing=WIR_Daily_040620&utm_medium=email&utm_source=nl&utm_term=list1_p2

See also the following post from the Electronic Frontier Foundation, explaining how to harden your Zoom settings:

https://www.eff.org/deeplinks/2020/04/harden-your-zoom-settings-protect-your-privacy-and-avoid-trolls

---

Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.
