In light of COVID-19, many organizations are taking advantage of free video conferencing capabilities offered by Zoom. Almost overnight, Zoom has become one of the most popular video conferencing services among businesses and schools. Daily Zoom users have skyrocketed from 10 million users in December 2019 to 200 million users in March 2020. 

The FBI, however, has issued a recent warning about security issues associated with usage of public videoconference services, citing recent incidents involving Zoom.  The FBI reports that unauthorized individuals have been joining Zoom video conferences and taking over the screens to share racist or pornographic content.  The FBI advises that so-called “Zoombombing” can be avoided if a user adjusts Zoom’s settings to require passwords for meetings and to restrict who can share their screen. (Zoom does not apply these settings by default.) Additionally, Zoom previously stated that video conferences were encrypted end-to-end. However, recently Zoom clarified that this is actually not possible. Security researchers have also been uncovering and alerting Zoom to security vulnerabilities in Zoom’s platform. 

Zoom has also received criticism for collecting personal information from videoconferences and disclosing the information to third parties such as Facebook.  Zoom has since stated that this sharing has been disabled. This change, however, only takes effect if the user updates the application.

These privacy concerns gave rise to a recent class action lawsuit, Robert Cullen v. Zoom Video Communications, filed in the U.S. District Court for the Northern District of California and asserting violations of the California Consumer Privacy Act (CCPA).  Plaintiff argues that Zoom failed to provide adequate notice before collecting and disclosing personal information and failed to implement and maintain reasonable security procedures.  Additionally, the New York Attorney General launched an investigation into Zoom’s privacy and security practices.

In response to these privacy and data security concerns, Zoom recently made updates to its privacy policy to clarify its data collection practices. The revised privacy policy now states that Zoom only collects personal information to provide its video conferencing services and that Zoom does not sell personal information to third parties. On April 1st, Zoom stated in a blog post that the company intends to enact a “feature freeze,” refocusing R&D efforts on enhancing data protection.

As the COVID-19 pandemic continues to require employees to work from home, organizations should strive to balance the ease of using tools such as Zoom against potential security and privacy concerns.