To Zoom or Not to Zoom, that is the Question: How a Global Pandemic Exposed the Flaws of Global Consumer Privacy Protection Laws

 

By: Angel Shah

 

A global pandemic, caused by the novel coronavirus disease or “COVID-19”, has inundated the world, with seemingly no end in sight.[i] To try to stop the spread of this highly infectious disease, governments around the world have taken strict measures, including enacting severe lockdown orders that have shut down entire countries.[ii] Even in the United States, most states are under “shelter in place” orders, whereby people are forbidden from leaving their homes, except for essential tasks, and almost all businesses and entities are closed, except for those providing essential services.[iii] In this dystopian landscape, where almost the entire population of the world is stuck at home, the need to stay connected has risen exponentially.[iv] In particular, one communications software, Zoom, has had a meteoric rise in popularity, driven by the need for businesses, institutions, governments and individuals to stay connected. [v]

Zoom, in simplest terms, is a cloud-based video conferencing service with a “local, desktop client and a mobile app that allows users to meet online, with or without video.”[vi] Zoom also offers the ability to have a chat session inside a Zoom meeting, record meetings, share screens, collaborate online and a variety of other features.[vii] It has both a free option, allowing up to 100 individuals to connect at one time for up to forty minutes at a time, and various paid versions of the software, where up to 1000 people can connect at one time, host longer sessions, and gain access to additional features.[viii] Zoom’s ease of use and affordable pricing have made it one of the most popular video conferencing applications in the world, and it is used by individuals, small businesses, schools, universities, Fortune 500 companies, and even governments around the world.[ix]

Zoom was started in 2011 by Eric Yuan, a former Cisco Webex engineer, and launched in 2013.[x] Since then, it has become a global hit, becoming a “unicorn” company when it hit a $1 billion valuation in 2017, and going public in 2019 with a valuation of $16 billion.[xi] Although Zoom had an extraordinary run for the past few years, it really took off during the pandemic, going from an average of 10 million daily users in December of 2019 to an average of 200 million daily users in March of 2020.[xii] All of these extra users have pushed Zoom’s stock price up further, and as of April 20th of 2020, Zoom had a market capitalization of $41.86 billion.[xiii]

The surge in Zoom usage is mostly driven by the pandemic and lockdown measures instituted by governments. Because most face-to-face interactions are now forbidden, individuals, businesses, institutions, and even governments have turned to online methods of communication, with Zoom being the platform of choice for many.[xiv] Many businesses, including companies of all sizes, are hosting team meetings and working from home using Zoom. Many schools and universities around the world are using Zoom as a substitute for in-person classes.[xv] Governments are also using Zoom to communicate and stay in touch. Further, many people are using Zoom to stay in touch with friends and family, host happy hours, participate in group yoga sessions, and engage in other recreational activities online.[xvi]

The explosive growth of Zoom has not all been positive though, and has exposed many vulnerabilities and flaws in the software.[xvii] A variety of issues have popped up relating to security and privacy on the software, and all of the extra attention has resulted in increased scrutiny of the company.[xviii] All of Zoom’s issues broadly fall into two main categories: (1) issues related to the privacy practices of the company itself, and (2) issues related to the exploitation of flaws in the software that allow third parties to use the software maliciously. In regard to the first set of issues, multiple news outlets have exposed the fact that Zoom was harvesting information about Zoom users and sharing it, without their knowledge or consent, with companies such as Facebook and LinkedIn, while also not being completely truthful about the security features of the software.[xix] The second set of issues relates to the fact that hackers were able to exploit software flaws to hijack Zoom meetings through the practice commonly referred to as “Zoom-bombing,” hack customer accounts, steal customer information, gain access to recorded meetings, and even remotely gain access to users’ cameras without their knowledge.[xx] The second set of issues caused particular problems in the educational setting, with uninvited intruders or Zoom bombers taking over virtual classrooms and using them to express hate speech, make inappropriate comments, and even show obscene material to children.[xxi]

There have been a variety of allegations leveled against the company, many of which are backed up by detailed investigations and strong evidence.[xxii] A Vice Motherboard investigation revealed that Zoom sent information to Facebook for iPhone users even if they did not have a Facebook account.[xxiii] In another report, a former NSA hacker discovered that, through a bug in the system, hackers could take control of a person’s webcam or audio through Zoom, as well as get root access on a Mac device.[xxiv] The FBI also released a warning about hijacking of Zoom feeds, also known as “Zoom-bombing”, and reported that it had received multiple complaints about hate speech and pornographic material that had been displayed in virtual classrooms.[xxv] Additionally, there have been reports of a feature that allowed Zoom users to data-mine LinkedIn information, of automated tools that could discover Zoom meeting IDs, that supposedly private video calls were viewable online, that some meetings were being routed through Chinese servers (whereby they could potentially be intercepted by the Chinese government), that Zoom accounts were being sold on the dark web, that recorded meetings could be downloaded from the cloud, and that hackers were selling Zoom vulnerabilities for as much as $500,000 on the dark web.[xxvi]

In regard to all of these issues, multiple class-action lawsuits have been filed against the company, from both users and investors.[xxvii] The first class-action lawsuit, filed on March 30, 2020 by law firm Wexler Wallace LLP, accused the company of disclosing consumer information to Facebook and potentially other third parties, without obtaining consumer consent, in violation of California’s new privacy laws.[xxviii] The second class-action lawsuit, filed on March 31, 2020 by Tycko & Zavarelli LLP, also alleged that Zoom unlawfully shared information with Facebook, and brought claims for negligence, unjust enrichment, breach of implied contract, and violation of privacy laws, amongst other charges.[xxix] A third class-action lawsuit was filed against Zoom on April 3, 2020 by Clarkson Law Firm, P.C., for unauthorized data sharing with Facebook, inaccurate claims about end-to-end encryption, and vulnerabilities in webcam software.[xxx] A fourth class-action lawsuit was filed, this time by investors, for violations of federal securities laws by having “inadequate data privacy and security measures,” for asserting that the company offered end-to-end encryption when it did not, and for not taking care of these issues earlier, even though Zoom was allegedly aware of some of the problems.[xxxi] A fifth class-action lawsuit was filed on April 13, 2020, by law firm Loevy and Loevy, against Zoom, Facebook, and LinkedIn, alleging that the companies “eavesdropped” on Zoom users’ conversations and personal information, and collected or recorded this information without user consent.[xxxii]

In response to many of the allegations stated above and other privacy concerns, many companies, institutions, and countries have banned the use of Zoom. For example, Google, Siemens, Standard Chartered, SpaceX, as well as many others, have all banned the use of Zoom for company communications.[xxxiii] Some governments and public organizations, including Taiwan, Germany, the United States Senate, the U.S. Department of Defense, and the Australian Defense Force, have also banned the use of Zoom, especially as it was revealed that some of the information traveled through Chinese servers.[xxxiv] Many school systems around the world have also banned the use of Zoom for teaching purposes, including New York City Public Schools and Clark County public schools.[xxxv] It is likely that many other companies, schools, and institutions will follow suit.

Further, it is unlikely that the lawsuits will be the extent of Zoom’s problems.[xxxvi] Zoom is already under investigation by the state attorneys general of Connecticut, New York, and Florida to determine whether Zoom “violated any laws by failing to protect users’ privacy and secure its systems.”[xxxvii] Further, privacy watchdogs and governments around the world have also expressed concern about Zoom’s practices, including regulators in Hong Kong, the United Kingdom, South Korea, New Zealand, Australia, and Singapore.[xxxviii] Moreover, Zoom has claimed that it is compliant with a variety of privacy regulations around the world including US Federal Risk and Authorization Management Program (FedRAMP), Health Insurance Portability and Accountability Act (HIPAA), EU General Data Protection Regulation (GDPR), amongst others.[xxxix] Yet, a reputed cyber security expert has stated that Zoom may have already violated the GDPR, and may face fines or investigations from regulators of various European countries.[xl] Additionally, Democratic members of Congress have urged the Federal Trade Commission to launch an official probe in regards to Zoom’s privacy practices.[xli] It is also possible that other jurisdictions may launch probes further down the road, once the extent of the damage has been assessed.

It should be acknowledged though, that although the limelight is currently on Zoom, these issues are not unique to Zoom alone. Rather, the fault lies with the patchwork of privacy laws we have in place,[xlii] as there are only a few laws globally that have any “teeth”, and even those are regularly violated by repeat offenders who end up only paying fines,[xliii] or worse, entering into settlement agreements without facing any penalties at all.[xliv] As such, there are no real consequences for large multi-national companies, who essentially get to “regulate” themselves,[xlv] and surprisingly, often fall short of acceptable behavior.[xlvi] And even when privacy laws do exist, and on the rare chance that they are enforced, fines do not serve as effective deterrents,[xlvii] and that is assuming they can even be charged at all.[xlviii] My only hope is that this debacle, which has affected all aspects of our modern society, including businesses, schools, and governments, will motivate regulators to finally start taking privacy protection seriously.

With that being said, Zoom has already fixed some of the issues that have been raised,[xlix] and the founder has apologized multiple times for the shortcomings of the company.[l] Yet, it remains to be seen if that will be enough, particularly as new flaws in the software and actions the company failed to take are discovered every day.[li] The most likely reason for all of these problems is that the company was unable to handle the increased usage of the platform during the pandemic, as almost all aspects of everyday life turned to Zoom, as well as all of the unwanted attention the pandemic brought to the company.[lii] Now, as the company faces five class-action lawsuits, multiple probes from regulators both in the United States and abroad, as well as the fury of its consumers over its privacy practices, it remains to be seen how the company will weather the storm.[liii] The most important lesson through all of this though, for consumers of any type of widely used software, is to understand the privacy policy of any software one uses, to make sure to adjust the default settings to make oneself more secure, and to ensure that best practices are followed for whatever software is being used, particularly if it is Zoom.[liv]

[i] Hilary Brueck and Anna Miller, World Health Organization Declares the Coronavirus a Pandemic, Business Insider, March 11, 2020, https://www.businessinsider.com/who-declares-coronavirus-pandemic-covid19-2020-3.

[ii] Juliana Kaplan, Lauren Frias, and Morgan McFall-Johnson, A Third of the Global Population is on Coronavirus Lockdown — Here’s Our Constantly Updated List Of Countries  And Restrictions, Business Insider, https://www.businessinsider.com/countries-on-lockdown-coronavirus-italy-2020-3 (last accessed April 20, 2020).

[iii] Erin Schumaker, Here Are the States that Have Shut Down Nonessential Businesses, ABC News, April 3, 2020, https://abcnews.go.com/Health/states-shut-essential-businesses-map/story?id=69770806.

[iv] Ashley Carman, Why Zoom Became So Popular, The Verge, April 3, 2020,  https://www.theverge.com/2020/4/3/21207053/zoom-video-conferencing-security-privacy-risk-popularity.

[v] Id.

[vi] Keanu Gene C. Valibia, Zoom for Instructors, UC Riverside, Available at: https://sitelicense.ucr.edu/files/zoom_for_instructors.pdf.

[vii] Id.

[viii] Zoom Meeting Plans for Your Business, Zoom, https://zoom.us/pricing (last accessed April 20, 2020).

[ix] Nivas Ravichandran, How Zoom Grew to Millions of Businesses, Freshworks, https://www.freshworks.com/freshsales-crm/resources/how-zoom-grew-to-millions-of-businesses-blog/ (last visited April 20, 2020).

[x] Mansoor Iqbal, Zoom Revenue and Usage Statistics 2020, Business of Apps, April 16, 2020 https://www.businessofapps.com/data/zoom-statistics/.

[xi] Id.

[xii] Eric S. Yuan, A Message to Our Users, Zoom Blog, April 1, 2020, https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

[xiii] Stock Quote for Zoom Video Communications, Inc. (ZM), https://finance.yahoo.com/quote/ZM/ (last accessed April 20, 2020).

[xiv] Rae Hodge, Using Zoom While Working from Home? Here Are the Privacy Risks to Watch Out For, CNET, April 3, 2020,  https://www.cnet.com/news/using-zoom-while-working-from-home-here-are-the-privacy-risks-to-watch-out-for/

[xv] Mark Liberman, Zoom Use Skyrockets During Coronavirus Pandemic, Prompting Wave of Problems for Schools, Education Week, April 3, 2020, https://www.edweek.org/ew/articles/2020/04/03/zoom-use-skyrockets-during-coronavirus-pandemic-prompting.html.

[xvi] Aly Walansky, Virtual Happy Hours Are The New Way To Go Out: Here’s How To Plan A Great One, Forbes, March 26, 2020, https://www.forbes.com/sites/alywalansky/2020/03/26/virtual-happy-hours-are-the-new-way-to-go-out-heres-how-to-plan-a-great-one/#5844cfa62a34.

[xvii] Rae Hodge, Zoom: Two new security exploits uncovered, CNET, April 16, 2020,  https://www.cnet.com/news/zoom-every-security-issue-uncovered-in-the-video-chat-app/

[xviii] Id.

[xix] Paul Wagenseil, Zoom Privacy and Security Issues: Here’s Everything That’s Wrong (So Far), Tom’s Guide, April 20, 2020,  https://www.tomsguide.com/news/zoom-security-privacy-woes.

[xx] Id.

[xxi] Kristen Setera, FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic, FBI Boston, March 30, 2020, https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic

[xxii] Hodge, supra note 17; Wagenseil, supra note 18.

[xxiii] Joseph Cox, Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account, Vice Motherboard, March 26, 2020, https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account.

[xxiv] Mike Peterson, Two More macOS Zoom Flaws Surface, as Lawsuit & Government Probe Loom, Apple Insider, April 1, 2020,  https://appleinsider.com/articles/20/04/01/two-more-macos-zoom-flaws-surface-as-lawsuit-government-probe-loom

[xxv] Setera, supra note 21.

[xxvi] Hodge, supra note 17; Wagenseil, supra note 18.

[xxvii] Hodge, supra note 17.

[xxviii] Joel Rosenblatt, Zoom Sued for Allegedly Illegally Disclosing Personal Data, Bloomberg, March 30, 2020, https://www.bloomberg.com/news/articles/2020-03-31/zoom-sued-for-allegedly-illegally-disclosing-personal-data; Available at: https://www.scribd.com/document/454166545/Zoom-Lawsuit.

[xxix] Second class-action lawsuit, available at: https://www.dropbox.com/s/h078rfxsq4x22um/TZ_TaylorVZoom_Complaint_Final.pdf?dl=0

[xxx] Third class-action lawsuit, available at: https://www.dropbox.com/s/h078rfxsq4x22um/TZ_TaylorVZoom_Complaint_Final.pdf?dl=0

[xxxi] Carrie Mihalcik, Zoom Sued by Shareholder Over Security Issues, CNET, April 8, 2020, https://www.cnet.com/news/zoom-sued-by-shareholder-over-security-issues/; Available at: https://www.scribd.com/document/455562311/Drieu-v-Zoom-Video-Communications-Inc-Et-Al.

[xxxii] Fifth class-action lawsuit, available at: https://www.law360.com/articles/1263127/attachments/0.

[xxxiii] Jitendra Soni, More Top Companies Ban Zoom Following Security Fears, Tech Radar, April 15, 2020,  https://www.techradar.com/news/more-top-companies-ban-zoom-following-security-fears

[xxxiv] Brandon Vigliarolo, Who Has Banned Zoom? Google, NASA, and More, Tech Republic, April 9, 2020, https://www.techrepublic.com/article/who-has-banned-zoom-google-nasa-and-more/

[xxxv] Id.

[xxxvi] Amy Miller, Zoom Faces Global Scrutiny Over Privacy Missteps as US States Begin Probes, MLex, April 3, 2020,  https://mlexmarketinsight.com/insights-center/editors-picks/area-of-expertise/data-privacy-and-security/zoom-faces-global-scrutiny-over-privacy-missteps-as-us-states-begin-probes.

[xxxvii] Id.

[xxxviii] Id.

[xxxix] Zoom Privacy Policy, available at: https://zoom.us/privacy.

[xl] Kevin Townsend, Zoom’s Security and Privacy Woes Violated GDPR, Expert Says, Security Week, April 2, 2020,   https://www.securityweek.com/zooms-security-and-privacy-woes-violated-gdpr-expert-says.

[xli] Cristiano Lima, Zoom’s legal perils mount as Democrats call for FTC probe, Politico, April 7, 2020, https://www.politico.com/news/2020/04/07/zoom-legal-threats-democrats-ftc-probe-173966.

[xlii] Nuala O’Connor, Reforming the U.S. Approach to Data Protection and Privacy, Council on Foreign Relations, Jan. 30, 2018,  https://www.cfr.org/report/reforming-us-approach-data-protection.

[xliii] GDPR Enforcement Tracker, https://www.enforcementtracker.com/.

[xliv] Alfred Ng, Government Watchdog Finds Weak Enforcement of US Privacy Regulations, CNET, Feb. 13, 2019,   https://www.cnet.com/news/government-watchdog-finds-weak-enforcement-in-us-privacy-regulations/.

[xlv] Lou Mastria, A Milestone for Privacy Self-Regulation, International Association of Privacy Professionals, April 19, 2019,  https://iapp.org/news/a/a-milestone-for-privacy-self-regulation/.

[xlvi]  Jamie Condliffe, The Week in Tech: Huge Fines Can’t Hide America’s Lack of a Data Privacy Law, New York Times, July 26, 2019, https://www.nytimes.com/2019/07/26/technology/facebook-data-privacy.html.

https://fas.org/sgp/crs/misc/R45631.pdf

[xlvii] Id.

[xlviii] Ng, supra note 43.

[xlix] Wagenseil, supra note 18.

[l] Tilley and McMillan, Zoom CEO: ‘I Really Messed Up’ on Security as Coronavirus Drove Video Tool’s Appeal, Wall Street Journal, April 4, 2020, https://www.wsj.com/articles/zoom-ceo-i-really-messed-up-on-security-as-coronavirus-drove-video-tools-appeal-11586031129; Yuan, supra note 12.

[li] Natasha Singer and Nicole Perlrath, Zoom’s Security Woes Were No Secret to Business Partners Like Dropbox, New York Times, April 20, 2020, https://www.nytimes.com/2020/04/20/technology/zoom-security-dropbox-hackers.html.

[lii] https://www.marketplace.org/shows/marketplace-tech/covid-19-zoom-video-conferencing-privacy-security/.

[liii] Violet Blue, Zoom is now ‘the Facebook of video apps’, Engadget, April 10, 2020,  https://www.engadget.com/zoom-is-now-the-facebook-of-video-apps-190024369.html.

[liv] Best Practices for Securing Your Zoom Meetings, Zoom, https://zoom.us/docs/doc/Securing%20Your%20Zoom%20Meetings.pdf.