Zoom, the videoconferencing app whose traffic has surged during the coronavirus pandemic, is under scrutiny by the office of New York’s attorney general, Letitia James, for its data privacy and security practices.
On Monday, the office sent Zoom a letter asking what, if any, new security measures the company has put in place to handle increased traffic on its network and to detect hackers, according to a copy reviewed by The New York Times.
While the letter referred to Zoom as “an essential and valuable communications platform,” it outlined several concerns, noting that the company had been slow to address security flaws such as vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.”
Over the last few weeks, internet trolls have exploited a Zoom screen-sharing feature to hijack meetings and do things like interrupt educational sessions or post white supremacist messages to a webinar on anti-Semitism — a phenomenon called “Zoombombing.”
The New York attorney general’s office is “concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network,” the letter said. “While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices.”
With millions of Americans required to shelter at home because of the coronavirus, Zoom video meetings have quickly become a mainstay of communication for companies, public schools and families. Zoom’s cloud-meetings app is currently the most popular free app for iPhones in the United States, according to Sensor Tower, a mobile app market research firm.
Even as the stock market has plummeted, shares of Zoom have more than doubled since the beginning of the year.
As Zoom’s popularity has grown, the app has scrambled to address a series of data privacy and security problems, a reactive approach that has led to complaints from some consumer, privacy and children’s groups.
In a statement for this article, the company said it took “its users’ privacy, security and trust extremely seriously,” and had been “working around the clock to ensure that hospitals, universities, schools and other businesses across the world can stay connected and operational.”
“We appreciate the New York attorney general’s engagement on these issues and are happy to provide her with the requested information,” the statement added.
Last week, after an article on news site Motherboard reported that software inside the Zoom iPhone app was sending user data to Facebook, the company said it was removing the tracking software.
As many school districts adopted Zoom to allow teachers to host live lessons with students, some children’s privacy experts and parents said they were particularly concerned about how children’s personal details might be used. Some districts have prohibited educators from using Zoom as a distance-learning platform.
“There is so much we simply don’t know about Zoom’s privacy practices,” said Josh Golin, executive director of the Campaign for a Commercial-Free Childhood, a nonprofit group in Boston.
In the letter, James’ office cited reports that Zoom had shared data with Facebook and asked for further information on “the categories of data that Zoom collects, as well as the purposes and entities to whom Zoom provides consumer data.”
The office expressed concern that the app may be circumventing state requirements protecting student data. To help educators, the company recently expanded meeting limits on free accounts. The attorney general’s office called such efforts “laudable” but also said the company appeared to be trying to offload consent requirements to schools.
The office requested a description of Zoom’s policy for obtaining and verifying consent in primary and secondary schools as well as a description of third parties who received data related to children.
Zoom has said its service for schools complies with federal laws on educational privacy and student privacy.
The letter also asked for details about any changes the company put in place after a security researcher, Jonathan Leitschuh, exposed a flaw allowing hackers to take over Zoom webcams. The letter noted that the company did not address the problem until after the Electronic Privacy Information Center, a public interest research center, filed a complaint about Zoom with the Federal Trade Commission last year.