In this blog post, we look at the recent criticism of Zoom, the video conferencing application that has grown extremely popular during the 2020 coronavirus pandemic.

Background

While most businesses have been severely impaired by the current restrictions on travel and office access imposed to stem the spread of COVID-19, there are also a few beneficiaries of the worldwide lockdown. One of them is video communications service provider Zoom, with its daily average user count rising from about 10 million in December 2019 to almost 200 million in March 2020.

Because many businesses and government authorities are encouraging their employees to work from home, daily face-to-face meetings are not possible, and a need for remote ways to communicate has emerged. Zoom offers a particularly intuitive way of holding video conferences, with a number of useful, user-friendly functions. It comes as no surprise that, during recent weeks, Zoom quickly established itself as a go-to solution for businesses, government entities and schools to hold conferences or lectures.

Yet, lately, a lot of criticism has been directed towards Zoom for a range of data privacy and cybersecurity issues.

Risks to Users

  1. The interception of meeting links and passwords is an ongoing issue, as it allows unauthorized individuals to execute automated attacks quickly and easily. Simple passwords can be guessed by hackers, which can also give them access to private emails and other accounts if the user has used the same password for those accounts. In several "Zoombombing" cases, unauthorized individuals were able to obtain or even guess meeting IDs, allowing them to join non-public conferences that were not secured with a password. In many cases, the intruders shared lewd or obscene content, phishing messages or malware, leading the host to shut down the video conference.
  2. Zoom's sharing of personal data with social media platforms was only discovered in late March 2020, as Zoom's privacy policy gave no indication of such sharing. What caused particular irritation was the fact that the data sharing took place even if the user did not have an account with the social media service. Zoom has reacted to the criticism with an update that disabled this data sharing.
  3. Journalists discovered that Zoom had its own definition of "end-to-end encryption." Zoom later apologized for making misleading statements about its encryption methods and provided insight into the actual encryption methods it uses.
  4. Zoom's "attendee attention tracker" allowed hosts to detect whether a participant's Zoom window was in the participant's view or in the background and thus draw conclusions about the attention of the participant. Due to controversy that has arisen over what has been called a drastic control mechanism, Zoom disabled this feature on April 2, 2020.

Recommendations for Users

Although Zoom has responded to the criticism in a commendable and timely manner, its mode of operation is not yet perfect from a data protection and cybersecurity point of view.

In order to avoid any excessive sharing of personal data and to prevent unauthorized access to private conferences, Zoom users should take the following precautions:

  1. Always protect your Zoom account and each of your Zoom meetings with different, secure passwords that you do not use for other accounts and applications.
    • Especially for European businesses, refer to the guidelines for GDPR-compliant passwords, published by German data protection authorities, which we summed up in an All About IP Blog post.
  2. If you are hosting a smaller conference, enable the Waiting Room feature, which will allow you to control who is entering your conference. As soon as all invited participants have joined, you can lock the meeting, which will prevent new participants from joining.
  3. Create a randomly generated ID that you share for each meeting instead of sharing your personal meeting link or your personal meeting ID.
  4. Make sure that your privacy settings share no more data than is necessary.
  5. Use email or the phone, rather than Zoom, to discuss strictly confidential topics.

Originally published May 04 2020


© Copyright 2020. The Mayer Brown Practices. All rights reserved.
