Not long ago it would have been unheard of for a judge to publicly chastise attorneys for attending virtual hearings partially clothed, poolside or while still in bed. Now these are just some of the anecdotes born of widespread remote videoconferencing in the time of a global pandemic.

Another unforeseen consequence has been the meteoric rise of a videoconferencing company called Zoom Video Communications, known simply as Zoom.

Founded in 2011, Zoom initially marketed its easy-to-use cross-platform videoconferencing capabilities—or "Zoom meetings"—to large enterprises. It found a user-base, became profitable, and went public last April. Yet it was far from a household name. That changed earlier this year, however, as stay-at-home orders forced millions to find ways to connect virtually.

By February, Zoom acquired more users in two months than the preceding year. By March, Zoom usage was so commonplace the New York Times published a "Lesson of the Day" titled: "We Live In Zoom Now." In April, Zoom reported its single-day use had reached 300 million. Seemingly overnight, Zoom not only replaced places of work and study, but become the go-to "host" for virtual graduations, family dinners, school reunions, exercise classes, birthday parties, and happy hours with friends. Even weddings and funerals were held on the platform.

The upsides to using the platform, with its easy-to-use interface and ability to connect multiple people who may be using different types of devices, including mobile phones, are clear; however, cracks have also begun to emerge.

News broke recently that Zoom reached an agreement to with the New York Attorney General to resolve certain privacy concerns after her office launched an investigation into Zoom's practices. Meanwhile, cyberattacks began to be investigated by state/federal law enforcement agencies. And more than a dozen class action lawsuits have been filed on behalf of consumers and investors who, among other things, allege they were injured by Zoom's failure to adequately secure its platform or be transparent about its system and its limitations.

At the same time, users—including companies that permitted (or actively encouraged) employees to utilize Zoom meetings—have been forced to evaluate whether the virtual connection is worth the attendant risks. Accordingly, companies should be attuned to the risks of outsiders gaining access to employee webcams, files or info shared verbally during meetings—and consider implementing the below steps to ensure employees are engaging in best practices.

|

'Zoombombing' and Other Alleged Security Flaws

Due to its inherent shock factor, "Zoombombing" is perhaps the most highly publicized security threat associated with the platform. The term describes a cyberattack involving the sudden appearance of uninvited individuals into Zoom meetings. Zoombombing has frequently made headlines as public and private Zoom meetings, including online classes and worship services, have been disrupted by hate speech or pornographic/obscene images. Security experts have also revealed hackers constructed an automated tool to assist in guessing Zoom meeting IDs; concerns about vulnerable webcams being hacked also abound.

Another well-publicized security flaw involved sending user analytics data to Facebook, even if the user did not have a Facebook account. This flaw in Zoom's iOS version was first reported by Motherboard (who also revealed Zoom's privacy policy failed to disclose such data collection was occurring). The news garnered even more attention when, a few days later, Zoom's CEO admitted in a blog post that Zoom had only recently learned "the Facebook SDK was collecting device information unnecessary for us to provide our services." Zoom ended the collection and promised to do better. But the incident suggested Zoom was not independently prioritizing users' privacy and raised questions about internal controls.

Zoom has also been widely criticized for advertising "end-to-end encryption" (i.e., only the parties communicating can see/hear the communications) when, in fact, Zoom itself can still access video and audio content shared over the platform. In other words, Zoom meetings were not completely encrypted—and could potentially be accessed by third parties via Zoom's server.

Word also began to spread that Zoom meeting hosts were able to track participant activity without their knowledge. Specifically, hosts could enable "attention tracking" to monitor who was clicking away from the Zoom window during a meeting—without the participant knowing he was monitored. Relatedly, thousands of recordings and transcripts of meetings were discovered to have been insecurely stored by hosts, leaving the data easily discoverable by third parties.

|

Steps Companies and Users Should Take

In an April 1 blog post Zoom announced a 90-day effort to increase user security and privacy in the face of these and other concerns. Its CEO sought to take ownership of the platform's failings, conceding that in the midst of overwhelming and unanticipated user demand Zoom had "fallen short of [its users'] … privacy and security expectations" and claiming the lawsuits had "helped Zoom uncover unforeseen issues with the platform." To combat its such weaknesses, Zoom recently added a series of features, including requiring passwords for all meetings and turning on its Waiting Rooms feature and host-only screen sharing privileges by default.

Although the company appears to be moving in the right direction, it remains to be seen if Zoom can convince security experts and researchers (much less litigants) it has adequately addressed these "unforeseen issues." In the meantime, as workers continue to work remotely, companies using the platform should be focused on minimizing the risks to not only their own data but that of their employees, clients, customers or patients by taking the following steps.

First, as Zoom continues to fix various security and privacy flaws over the next 90 days, it is expected Zoom will issue software updates. Companies without an internal IT department tasked with monitoring such things should consider designating someone to regularly check for updates. Employees should always be aware of and use the latest version of the software.

Second, to minimize the risk of "Zoombombing," companies should mandate use of Zoom's "Waiting Room" feature—which enables hosts to control who has access to a meeting. As of April 5, this feature is now enabled by default; employees should be instructed not to disable it.  And once a meeting begins and all participants have joined, hosts should be instructed to lock the meeting to outsiders and assign multiple co-hosts, which will increase the ability to regain control following an unexpected disruption.

Third, employees should be reminded to adhere to secure password practices. In the context of Zoom, this means requiring meeting passwords; never posting meeting passwords on the Internet; and disabling the "Embed Password in Meeting Link for One-Click Join" feature (which allows anyone to join by clicking the link). At the same time, companies should ensure default login credentials for all routers and other devices employees use during Zoom meetings (and other remote work-related activities) are reset and replaced with strong passwords.

Fourth, employees should be educated about the threat of Zoom phishing scams—which occur when third parties share links that, if clicked, result in the downloading of malware onto a device or lead to malicious websites where credentials or other personal information can be stolen. Employees should be instructed not to click on Zoom meeting invitations or other links unless confident of their legitimacy. And if they have not already, they should install and run security software on their work/personal devices, including anti-malware software with phishing detection.

Finally, even with all these precautions, users should be advised to operate under the assumption anything disclosed in a Zoom meeting will be recorded and could be disseminated. There is simply no way to eliminate the risk of a meeting being noticeably disrupted or surreptitiously accessed by third parties. These risks are amplified when employees are working from multiple locations and using personal devices via personal or public Wi-Fi connections. As a result, employees should be instructed to avoid sharing any type of sensitive personal or business information over Zoom or any other video-conferencing platform.

|

Conclusion: Not all Doom and Gloom for Zoom

As employees continue to work from home in record numbers, Zoom and other videoconferencing platforms will remain an essential tool for enabling employees to remain productive and connected to their coworkers. Increased use of videoconferencing platforms is likely to be one of the lasting effects of this current crisis as companies look for ways to decrease unnecessary travel, lower operating costs, and accommodate employee need for flexible working conditions.

Used wisely, videoconferencing has the capability to increase productivity and expand customer/client bases. As a result, to remain competitive, while minimizing the risk of a devastating or embarrassing security breach, companies should take appropriate measures now—rather than waiting until things "get back to normal." Videoconferencing is the new "normal" for millions of people; companies should embrace this trend with due care.

Jeffrey N. Rosenthal is a partner in the Philadelphia office of Blank Rome and a member of the firm's cybersecurity and data privacy and privacy class action defense groups. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. He can be reached at [email protected].

David J. Oberly is an attorney in the Cincinnati office of the firm and is a member of the firm's ybersecurity and data privacy and privacy class action defense groups. His practice encompasses both counseling and advising sophisticated clients on a wide range of cybersecurity, data privacy, and biometric privacy matters, as well as representing clients in the defense of privacy and biometric privacy class action litigation. He can be reached at [email protected].  

Heidi G. Crikelair is an attorney in the Philadelphia office of the firm and member of the firm's commercial litigation practice group. She advises sophisticated businesses and individuals on a wide range of litigation matters and has significant trial experience. She can be reached at [email protected].