But that surge in growth and the company’s widespread usage have surfaced several concerns.
New York Attorney General Letitia James sent a letter to Zoom on Monday asking whether the company “is taking appropriate steps to ensure users’ privacy and security,” a spokesman for James’s office told CNN Business.
In a statement, Zoom said it would address James’s questions. “Zoom takes its users’ privacy, security, and trust extremely seriously,” a spokesperson for the company said. “During the COVID-19 pandemic, we are working around-the-clock to ensure that hospitals, universities, schools, and other businesses across the world can stay connected and operational. We appreciate the New York Attorney General’s engagement on these issues and are happy to provide her with the requested information.”
“We will enforce these settings in addition to training and blogs,” he said.
A Zoom spokesperson said the company was “deeply upset to hear about the incidents involving this type of attack.”
Users hosting large public meetings should review their settings to make sure only the hosts can share their screen, and activate additional privacy controls, the spokesperson added. “We also recently updated the default screen sharing settings for our education users so teachers by default are the only ones who can share content in class.”
“They’ve gone from interesting new startup product to part of the global infrastructure in days. And I think the many gaps in maturity are becoming painfully clear,” Jules Polonetsky, CEO of the Future of Privacy Forum and the former chief privacy officer of AOL, told CNN Business in an interview. “Some of them range from just stupid stuff that maybe doesn’t create risk to most users, to other things that are going to create legal liability for them.”
The revelation led to two Zoom users separately filing class action lawsuits against the company in a Northern California district court this week, with one suit alleging that the video app “has failed to safeguard the personal information of the increasing millions of users of its software” and the other claiming it gave them “no opportunity to express or withhold consent to Zoom’s misconduct.” The lawsuits accuse Zoom of collecting users’ personal information and sharing it with third parties, including Facebook, without properly notifying the users.
Instead, Zoom uses something called transport encryption, which only secures the message while it’s en route from a video chat to the company’s servers, according to David Kennedy, founder of cybersecurity firm TrustedSec and a former cyberwarfare specialist with the United States Marine Corps. That means Zoom effectively functions as a middleman in all video conversations on its platform and has access to those conversations, he said.
Zoom did not respond to multiple requests for comment on its encryption. The company released an update to its privacy policy over the weekend, stressing that it “collects only the data from individuals using the Zoom platform required to provide the service and ensure it is delivered effectively.”
The Zoom spokesperson acknowledged that the company collects “basic technical information” such as IP addresses and device details, but stressed that it has strict privacy controls to protect against unauthorized access.
“Importantly, Zoom does not sell user data of any kind to anyone,” the spokesperson added.
Without end-to-end encryption on video, Kennedy says video conversations on Zoom could technically be accessed and stored by the company.
“Zoom doesn’t seem to be very clear on what they record, what they don’t record,” he said. “There’s a lot of things that Zoom is doing that is particularly alarming and concerning, because they’re not using the right language and terminology.”