KMK Law Cybersecurity & Privacy Blog

As employees continue to work from home during the COVID-19 pandemic, more and more businesses (including courts) are turning to alternative forms of face-to-face meetings by utilizing video conferencing applications. These virtual video-chat meetings prompt users to use the cameras and microphones on their electronic devices (such as a phones, laptops, or tablets) to connect with other individuals using the application and see and hear the other person(s) they are chatting with in real time.

Zoom has quickly become the most popular form of video chat, with nearly 200 million user-meetings daily (a number that has increased 2000% since December of last year).[1] While there are, of course, many benefits in using these applications during this unprecedented time of social-distancing, there are also security risks that users need to be aware of. 

The Zoom application has recently seen a spike in security threats that have exposed its unexpected users to unwanted obscene photographs, racial slurs, and other profanities during their virtual meetings.[2]  Experts are worried that these forms of security infiltration go beyond embarrassment or unpleasant encounters during meetings and are a sign of a deeper security problem, which may be allowing hackers to access secure files or applications on the users’ computers.[3] In addition, a cybersecurity firm recently discovered a link to 352 compromised Zoom accounts, which included email addresses, passwords, meeting IDs, host keys and names, and Zoom account type.[4]  

Zoom has issued apologies and directly responded to several of these security issues. In a statement last week, Zoom noted “[we] did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. . . .  We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users.”[5]

Meanwhile, there have been several class action lawsuits filed against Zoom in California relating to their privacy and data-sharing practices, and Attorney Generals have been alerted to the issue. Many state Attorney Generals and other international governments are now looking into Zoom’s privacy practices and whether they are compliant with state and federal law, as well as GDPR regulations where applicable.[6]   

While the popularity (and necessity) of Zoom continues to rise, there are a few steps users can take to help protect their video chats from being infiltrated by hackers:

• Users should be aware and become familiar with the privacy settings available within the Zoom application and set all their meetings to “private.”
• Users should not use their Personal ID meeting code for meetings, and instead create a unique code per-meeting. In addition, users should be careful of how they are sharing their meeting “links” (hyperlinks which allow other users to access the virtual meetings directly) and not share the links publically or post them on social media.
• Meeting hosts should also utilize the “waiting room” function of Zoom, which allows them to see who is trying to join the meeting and gives the option to grant or deny a user access before joining.
• Once the meeting has begun and all users are present, hosts should utilize the option to “lock down” the meeting, preventing any new users from joining.
• Whenever possible, device cameras should be covered when they are not in use (electronic-camera “covers” are very cheap and widely available, and can be purchased through most common online retailers including Amazon and eBay, or even made with at-home items such as index cards or post it notes).

Zoom is just one of the many applications facing unprecedented spikes during the COVID-19 pandemic. Users should continue to be aware and on high-alert for new security threats that may exist and continue to take steps to protect themselves and their organizations wherever possible, and make sure using the application does not run afoul of their organization’s cybersecurity policies. If this work-at-home environment is going to continue, it is important that security threat risks do not outweigh the benefits of using popular, convenient applications like Zoom.

---

[1] Zoom, A Message to Our Users (April 1, 2020),  https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

[2] Washington Post, Everybody Seems to be Using Zoom – it’s Security Flaws Could Leave People at Risk (April 2, 2020), https://www.washingtonpost.com/technology/2020/04/02/everybody-seems-be-using-zoom-its-security-flaws-could-leave-people-risk/

[3] Bloomberg, Zoom Grapples With Security Flaws that Sour Some Users On App (April 2, 2020), https://www.bloomberg.com/news/articles/2020-04-02/zoom-grapples-with-security-flaws-that-sour-some-users-on-app

[4] CNET, Zoom: Every Security Issue Uncovered in the Video Chat App (April 7, 2020), https://www.cnet.com/news/prevent-zoombombing-change-these-4-zoom-settings-now-for-secure-video-chat/

[5] Zoom, A Message to Our Users (April 1, 2020),  https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

[6] Politico, Multiple State AGs Looking Into Zoom Privacy Practices (April 3, 2020), https://www.politico.com/news/2020/04/03/multiple-state-ags-looking-into-zooms-privacy-practices-162743