With the coronavirus pandemic closing offices around the world, many businesses and individuals are turning to video conferencing platforms and other technology to hold meetings and stay connected with colleagues and friends. However, recent concerns over the video conferencing platform Zoom have highlighted the serious privacy concerns and potential dangers of using these platforms. In this article, we consider some of the data security and privacy concerns users of Zoom and other video conferencing platforms should be aware of, and offer other practical advice to minimise risks to personal data and confidential information when working remotely.

As the ongoing coronavirus crisis and resulting worldwide lockdowns have forced most business activities online, many companies are turning to the latest technology and video conferencing platforms to stay connected and to conduct business meetings online. On the one hand the technology available today is incredibly helpful and many people are able to work from home, but doing so creates issues that may not have been considered.

Apart from the need to ensure remote working staff have sufficient equipment to carry out their jobs, there are concerns about printing out materials and safe disposal at home, where you are less likely to have confidential waste disposal options. It is also worth considering whether any voice-activated devices you have are fully turned off when you are working. In some homes people might be sharing devices, and many will not be IT savvy enough to ensure that there is no risk of your home partner seeing confidential work product. Then there is the biggest concern: the online platforms you use and where your confidential information and personal data goes. It is the latter that we largely address in this article.

While the explosion in the use of video conferencing software and apps, and Zoom in particular, has facilitated and enabled companies and individuals to continue to conduct business and stay connected, their use does not come without risk, as recent privacy concerns and data breaches have demonstrated. Internet-enabled remote working and video conferencing make open connections through the normal firewall defences of the office network. The risk will depend on the type of data and information being shared, and the level of access that different individuals have to that information.

Zoom – Cybersecurity and Privacy Concerns

The video conferencing app Zoom has experienced an unprecedented increase in users since the Covid-19 pandemic emerged. It has been reported that in the first two months of 2020 alone, Zoom signed up more users as the pandemic took hold than during all of 2019. However, since its meteoric rise in popularity, Zoom has faced mounting concerns over its data security and privacy practices, despite the company stating that it has been compliant with its obligations under the General Data Protection Regulation (GDPR) since its introduction in May 2018. Issues range from the common one that its approach to default cookie settings does not match the European standard, as advertising cookies are currently enabled by default, to the more significant concerns over data sharing with other companies, routing data via China, and the security of certain aspects of the platform. To Zoom’s credit, it has been engaging on these matters, but the pace of use has left many concerned that the company is behind where it should be.

Concerns over Zoom have attracted particular attention in the UK in recent days after widely circulated pictures showed the Prime Minister using Zoom to chair an online Cabinet meeting, despite the concerns of the Ministry of Defence (MoD) over the security implications of using Zoom. However, the National Cyber Security Centre (NCSC) has stated that “there is no security reason for Zoom not to be used for conversations below a certain classification.” They did not, of course, tell us what classification, or whether that means the Cabinet was not discussing anything of note when using it!

In the sections below, we consider some of the key data security and privacy concerns that users of Zoom, and other conferencing platforms, should be aware of. It is important for companies requiring employees to use these platforms to understand these issues, and to be transparent about who has access to employees’ personal data.

The use of recording and screen sharing features which process users’ data without a proper legal basis could expose companies to regulator fines and sanctions, and even to the possibility of claims being brought by aggrieved employees who object to how these platforms use their personal data. For example, organisations should consider if a distressed employee with concerns over privacy can really give GDPR-compliant consent to the processing of their personal data if they fear losing their job.

Administrators and User Tracking

Previously, the Zoom platform allowed administrators to monitor the activities of participants while screen-sharing, including a feature which enabled a host to see if a participant had clicked away from a Zoom window for 30 seconds or longer. On April 1st 2020, Zoom announced that it had permanently removed the attendee attention tracker feature. However, other functionality remains, including the dashboard tab providing statistics on users, meetings and Zoom Rooms. For example, Zoom ranks and displays top users by the total amount of meeting minutes (including participants) for meetings hosted by the user.

Furthermore, if a user records any calls via Zoom, the administrator can access the contents of the recorded call, including video, audio, transcript, and chat files, as well as analytic data. Zoom also allows administrators to see the operating system, IP address, location data, and device information of each meeting participant.

Concerns have also been raised about a data mining feature which allowed some participants of Zoom meetings to have access to LinkedIn data about other users, without Zoom asking for permission or even notifying users that their data was being mined. Zoom has since confirmed on its official blog that it has permanently removed the LinkedIn Sales Navigator app after identifying unnecessary data disclosure by the feature.

Unauthorised Selling of Users’ Data

Zoom’s privacy policy defines personal data broadly to include user content and information uploaded and created while using Zoom, in addition to account data including users’ phone numbers, billing names and details of payment methods. Concerns were first raised when it emerged that the Zoom platform and App had been extracting data concerning users’ devices and sharing it with third parties, including Facebook, in order to create targeted advertising. It has also been reported that Zoom is sharing users’ data with Facebook, even when its users do not have a Facebook account. We reported on these issues in our earlier Data Blast, which can be read here.

New York’s attorney general, Letitia James, has said she is examining Zoom’s privacy practices since the issue of Zoom sharing users’ data with Facebook and other third parties emerged, and that she has written to Zoom to ask what measures the company is taking to address the security concerns and to accommodate the rise in the number of users.

In response, on March 29th 2020 Zoom released a statement to explain that it “takes its users’ privacy, security, and trust extremely seriously” and that it had updated its privacy policy to be more clear and transparent around what data it collects and how it is used – explicitly clarifying that “We do not sell our users’ data, we have never sold user data in the past, and have no intention of selling users’ data going forward.”

‘Zoom-bombing’ and hacking

It has also been reported that Zoom has been investigated by the FBI in the U.S. after several online conferences had been hacked by trolls, or ‘Zoombombed’, with pornography and hateful messages. Malicious individuals, or ‘Zoombombers’ as they have quickly come to be referred to, collect meeting invitation links and then share them in private chat groups with other miscreants, enabling them to infiltrate conferences and cause disruption. To be fair, it appears that in some instances the issue was poor user control of access codes, enabling people to simply join rather than hack a meeting.

The issue of Zoombombing is particularly concerning as schools and teachers turn to the platform as an online classroom and to connect with students. To address the concerns of educators, on April 1st 2020, Zoom published a guide for administrators setting up a virtual classroom, and a guide to best practices for securing virtual classrooms. Meeting hosts are advised to disable “file transfer” to prevent any malware being shared, and users should be trained not to publicly share meeting IDs and passwords. The links to a teleconference or classroom should be sent directly to the individual participants and should never be made publicly available on a social media post.

No End-to-End Encryption

End-to-end encryption (‘E2E encryption’) is intended to prevent data being read or secretly modified, other than by the sender and the recipient. E2E encryption ensures that all communications are encrypted between devices so that not even the organisation hosting the service has access to the contents of the connection.

Zoom had originally indicated in its marketing messages and materials that its video conferencing meetings are fully E2E encrypted. The App offers meeting hosts the option to enable an ‘E2E encrypted meeting’ with a green padlock claiming that “Zoom is using an end to end encrypted connection.” However, it has become apparent that the technology used by Zoom does not fully enable E2E encryption, although some commentators have stated that the encryption used by Zoom is at least as good as, if not better than, the solutions used by Microsoft or Google. Zoom has recently clarified the position in an official blog statement in which it stated that full E2E encryption is not currently possible on the platform, and apologised for the confusion caused. The company now accepts that there is a discrepancy between the commonly accepted definition of E2E and how Zoom was using it: Zoom explained that it uses the term ‘end to end’ only in reference to the connection being encrypted from Zoom endpoint to Zoom endpoint.

Previous Data Security Concerns

Despite the barrage of issues experienced in recent weeks, this is not the first time that data security concerns have been raised over Zoom. Past problems have included a vulnerability which allowed an attacker to remove attendees from meetings, spoof messages from users, and conversation screens being hacked and hijacked.

In particular, in July 2019 concerns were raised when a serious bug in the platform was identified which, if left unpatched, would have enabled malicious third parties to access Mac users’ webcams. It was identified that the programming bug enabled the Zoom App to install a web server on Mac computers that would accept requests that regular browsers otherwise would not. Zoom initially treated the vulnerability as ‘low risk’, but was later forced to issue an emergency software patch to fix the problem.

Some commentators have questioned whether the platform may be more susceptible to the misuse of personal data and data breaches due in part to Zoom’s large research and development operations based in mainland China. However, such speculation has been strongly dismissed by Zoom.

Recognising the importance of these issues, Zoom is responding in a timely manner, and engaging directly with users on the issues. Zoom’s founder and CEO, Eric Yuan, released a further statement on April 1st 2020 to explain to users what measures it had already taken to address the issues identified, the guidance recently produced, and what steps it would take in the future, including the publication of a transparency report.

The statement commented that Zoom is “Committed to doing the right thing by users when it comes to both security and privacy, and understand the enormity of this moment. With hospitals, universities, schools, and other organizations across the world relying on Zoom to stay connected and operational, we are proud of the work we have done to protect the data of those critical institutions.”

Zoom also stated that it will freeze all new features for the next 90 days to concentrate on proactively addressing data security and privacy issues, which will include a comprehensive review with third party experts and weekly webinars open to all interested users.

Other Video Conferencing Apps

Using a video conferencing service built on a dedicated conferencing network rather than the public internet may be a safer option, but not necessarily a practical one for most businesses. Even if safer alternatives are identified, since many companies will already have a paid-up subscription to Zoom they may not be willing, or indeed able, to consider switching.

Zoom is certainly not the only conferencing platform giving rise to privacy concerns. For example, users of the video chatting app Houseparty have recently complained that their PayPal, Spotify, and Netflix accounts have been hacked as a result of using the Houseparty app.

Microsoft Teams, like Zoom, has also experienced a significant increase in users during the Covid-19 crisis. Although Microsoft states that Teams is E2E encrypted, details about support for E2E encryption are considered to be vague. Microsoft Teams is not immune to security vulnerabilities, with a commentator in Germany, in an article called “Teams: Erfolgreich, aber ein Sicherheits-GAU”, stating that they had found two issues with Microsoft Teams: that its updater could be used to download malware, and that the Teams installer was vulnerable to DLL hijacking. On the upside, commentators have argued that Microsoft has a more transparent privacy policy, a better track record than Zoom in protecting user data, and more capability and resource to address security problems when they do arise.

If you care about encryption, then Cisco’s Webex conference platform offers E2E encryption and has traditionally been used by the financial services industry and the healthcare sector since its introduction in the mid-1990s. However, the platform has faced security issues in the past over concerns that hackers may exploit the file-sharing feature to enable arbitrary code execution on the system of a targeted user. It nevertheless remains a popular platform with a good security reputation overall.

Other Remote Working Data Security Concerns

The onset of the Covid-19 crisis and commentary by various regulators has led to some confusion as to whether the enforcement of national data legislation and the GDPR has been softened or altered. As we discussed in an earlier update which can be read here, the pandemic is not a legal reason to ignore data protection law and its safeguards, and the obligations imposed by the law remain.

When working remotely it can be more difficult to not only track a data breach, but also to identify and track how that breach has occurred. Therefore, as employees adapt to remote working, careful attention and consideration should be given to the impact of the home office environment on privacy and data protection.

It is clear that video conferencing apps are not the only cause of concern. Recent years have seen an explosion in the use of voice-activated virtual assistants in the home such as Alexa, Google Home and Microsoft’s Cortana. The same ‘listening’ technology is also employed in mobile phones. However, while access to mobile devices is protected by some form of user authentication (password, PIN code or biometric validation), this is not the case for the majority of home digital assistants, which instead have a ‘hot word’ that activates them to start recording voice data and streaming it to cloud-based servers where it is deciphered by machine learning algorithms.

These devices were already causing privacy and data protection concerns with a growing number of reports of data breaches. We first reported on some of these issues in our earlier article, which can be read here. With remote workers discussing clients’ financial and other personal information during video conference meetings or phone calls, the potential for smart assistants to cause a breach of personal data is significantly increased. It is strongly recommended that remote workers mute, or preferably disable, any visual- or voice-enabled devices and smart speakers for the duration of any business call or video conference.

Data Storage and Destruction

The GDPR has strict rules concerning the storage and destruction of both electronic and paper documents containing personal data. Home workers should be reminded that all business-related documents should only be stored and accessed directly from their employer’s file management system and should not be stored locally on home computers wherever possible.

The security of paper documents is even harder to regulate than that of electronic documents, and employees working remotely should be encouraged (or preferably required) to go paperless as much as possible. Certainly, the printing of documents containing any personal information should be kept to an absolute minimum. When paper documents are required, they should be retained and returned to the office for proper destruction, as it is highly unlikely that most home office work setups will enable documents containing personal data to be destroyed in a GDPR-compliant manner.

While the coronavirus pandemic will ultimately pass, it is likely that the working patterns of many employees will be forever changed with more electing to work remotely. Hopefully, the privacy and cybersecurity lessons learned during the current crisis will stand employers and their workers in good stead for the future.