New York State’s Attorney General has dropped her suit against Zoom after securing an agreement to implement security and privacy controls that address concerns that became apparent after the increased use of Zoom for distance learning and working from home. For all their flaws or vulnerabilities, you have to be somewhat impressed how quickly the company responded. And yes, being banned is a motivator, but let’s give credit where it is due.

Here’s New York Attorney General Letitia James’ press release from yesterday:

New York Attorney General Letitia James today announced an agreement with Zoom Video Communications that will provide security protections for more than 300 million meeting participants on the platform. New security measures are being put in place to support and protect consumers, students, schools, governments, religious institutions, and private companies using the application for work, education, prayer, and socializing.

After the outbreak of the coronavirus disease 2019 (COVID-19), cities and states across the nation began quarantine and social distancing procedures that forced businesses and schools, as well as many social interactions to be moved online. Zoom had a sudden surge in both the volume and sensitivity of data being passed through its network, but the exponential increase in users also exposed security flaws and vulnerabilities in Zoom’s platform and software, and a lack of privacy protections. Additionally, a number of people reported that their Zoom conferences had been “Zoombombed,” or interrupted by uninvited participants seeking to disrupt the conference. Attorney General James opened up an investigation into Zoom’s privacy and security practices in March culminating in today’s agreement.

“Our lives have inexorably changed over the past two months, and while Zoom has provided an invaluable service, it unacceptably did so without critical security protections,” said Attorney General James.
“This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call. As the coronavirus continues to spread across New York State and this nation and we come more accustomed to our new normal, my office will continue to do everything in its power to help our state’s residents and give them every tool to continue living their lives.”

In March, after the widespread increase of COVID-19 infections across the country, cities and states began to shutter and institute social distancing policies to limit contagion. With schools, businesses, religious institutions, and so many other industries forced to shut down, Americans had no choice but to move their day-to-day activities online. As a result, Zoom experienced a massive surge in demand for its free services, as teachers began using the platform to conduct classes remotely with students, workplaces used Zoom to conduct business online, and consumers began using it to socialize remotely with loved ones. By late April, Zoom was hosting approximately 300 million meeting participants per day on its platform, compared to the approximately 10 million meeting participants per day in January 2020 — an increase of nearly 3,000 percent in less than four months.

As consumers, businesses, and students were increasingly using Zoom’s platform to communicate and share information, a number of newly reported issues emerged. Numerous users reported that their Zoom conferences had been interrupted by uninvited participants seeking to disrupt the conference — dubbed “Zoombombing.” Additionally, a number of privacy and data security issues were also reported, including Zoom’s lack of end-to-end encryption — as it had previously publicly represented — and the leakage of users’ personal information to other users without consent.
Finally, Zoom was sharing users’ personal information with Facebook, including for those users who were not using the Facebook login feature and even those without Facebook accounts.

Attorney General James immediately opened an investigation into Zoom’s administrative, technical, and physical safeguards to protect consumers’ personal data and to handle the increased traffic on the platform, as well as to investigate whether Zoom was complying with numerous New York State and federal laws. In the subsequent five weeks, the Office of the Attorney General and Zoom have worked cooperatively and quickly to implement more stringent and robust protections for consumers, schools, and businesses.

Today’s agreement will protect New Yorkers and users nationwide by ensuring Zoom’s compliance with New York State and federal laws; and will ensure Zoom provides services that are more secure, that provide users with enhanced privacy controls, and that protect users from abuse.

Zoom Agrees to Be More Secure

Zoom has agreed to implement and maintain a comprehensive data security program to protect all users that will be designed and run by the company’s Head of Security. Zoom will also conduct risk assessment and software code reviews to ensure that the company’s software does not have vulnerabilities that would allow hackers to exploit users’ information. The company has agreed to take steps to protect consumers from attacks where hackers attempt to access accounts using old credentials. Additionally, Zoom has agreed to enhance its encryption protocols by encrypting users’ information, both in transit and as stored online on their cloud servers. Finally, Zoom will operate a software vulnerability management program and will perform the most thorough form of penetration testing each year.

Zoom Agrees to Enhanced Privacy Controls

Zoom has agreed to enhanced privacy controls for free accounts, as well as kindergarten through 12th grade education accounts.
Hosts — even those with free accounts — will, by default, be able to control access to their video conferences by requiring a password or the placement of users in a digital waiting room before a meeting can be accessed. Hosts will also be able to control access to private messages in a Zoom chat, control access to email domains in a Zoom directory, control which — if any — participants can share screens, limit participants of a meeting to specific email domains, and place other limits on participants with accounts, to the extent applicable. Additionally, Zoom has taken steps to stop sharing user data with Facebook and has disabled its LinkedIn Navigator feature, which […]