Agreement Will Enhance Data Security and User Controls
Students and Schools Will Have Access to Additional Security Measures
New York Attorney General Letitia James today announced an agreement with Zoom Video Communications that will provide security protections for more than 300 million meeting participants on the platform. New security measures are being put in place to support and protect consumers, students, schools, governments, religious institutions, and private companies using the application for work, education, prayer, and socializing. After the outbreak of the coronavirus disease 2019 (COVID-19), cities and states across the nation began quarantine and social distancing procedures that forced businesses and schools, as well as many social interactions to be moved online. Zoom had a sudden surge in both the volume and sensitivity of data being passed through its network, but the exponential increase in users also exposed security flaws and vulnerabilities in Zoom’s platform and software, and a lack of privacy protections. Additionally, a number of people reported that their Zoom conferences had been “Zoombombed,” or interrupted by uninvited participants seeking to disrupt the conference. Attorney General James opened up an investigation into Zoom’s privacy and security practices in March culminating in today’s agreement.
“Our lives have inexorably changed over the past two months, and while Zoom has provided an invaluable service, it unacceptably did so without critical security protections,” said Attorney General James. “This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call. As the coronavirus continues to spread across New York State and this nation and we come more accustomed to our new normal, my office will continue to do everything in its power to help our state’s residents and give them every tool to continue living their lives.”
In March, after the widespread increase of COVID-19 infections across the country, cities and states began to shutter and institute social distancing policies to limit contagion. With schools, businesses, religious institutions, and so many other industries forced to shut down, Americans had no choice but to move their day-to-day activities online. As a result, Zoom experienced a massive surge in demand for its free services, as teachers began using the platform to conduct classes remotely with students, workplaces used Zoom to conduct business online, and consumers began using it to socialize remotely with loved ones. By late April, Zoom was hosting approximately 300 million meeting participants per day on its platform, compared to the approximately 10 million meeting participants per day in January 2020 — an increase of nearly 3,000 percent in less than four months.
As consumers, businesses, and students were increasingly using Zoom’s platform to communicate and share information, a number of newly reported issues emerged. Numerous users reported that their Zoom conferences had been interrupted by uninvited participants seeking to disrupt the conference — dubbed “Zoombombing.” Additionally, a number of privacy and data security issues were also reported, including Zoom’s lack of end-to-end encryption — as it had previously publicly represented — and the leakage of users’ personal information to other users without consent. Finally, Zoom was sharing users’ personal information with Facebook, including for those users who were not using the Facebook login feature and even those without Facebook accounts.
Attorney General James immediately opened an investigation into Zoom’s administrative, technical, and physical safeguards to protect consumers’ personal data and to handle the increased traffic on the platform, as well as to investigate whether Zoom was complying with numerous New York State and federal laws. In the subsequent five weeks, the Office of the Attorney General and Zoom have worked cooperatively and quickly to implement more stringent and robust protections for consumers, schools, and businesses.
Today’s agreement will protect New Yorkers and users nationwide by ensuring Zoom’s compliance with New York State and federal laws; and will ensure Zoom provides services that are more secure, that provide users with enhanced privacy controls, and that protect users from abuse.
Zoom Agrees to Be More Secure
Zoom has agreed to implement and maintain a comprehensive data security program to protect all users that will be designed and run by the company’s Head of Security. Zoom will also conduct risk assessment and software code reviews to ensure that the company’s software does not have vulnerabilities that would allow hackers to exploit users’ information. The company has agreed to take steps to protect consumers from attacks where hackers attempt to access accounts using old credentials. Additionally, Zoom has agreed to enhance its encryption protocols by encrypting users’ information, both in transit and as stored online on their cloud servers. Finally, Zoom will operate a software vulnerability management program and will perform the most thorough form of penetration testing each year.
Zoom Agrees to Enhanced Privacy Controls
Zoom has agreed to enhanced privacy controls for free accounts, as well as kindergarten through 12th grade education accounts. Hosts — even those with free accounts — will, by default, be able to control access to their video conferences by requiring a password or the placement of users in a digital waiting room before a meeting can be accessed. Hosts will also be able to control access to private messages in a Zoom chat, control access to email domains in a Zoom directory, control which — if any — participants can share screens, limit participants of a meeting to specific email domains, and place other limits on participants with accounts, to the extent applicable.
Additionally, Zoom has taken steps to stop sharing user data with Facebook and has disabled its LinkedIn Navigator feature, which shared profiles with users even where the user wanted to stay anonymous. Finally, Zoom has agreed to provide a copy of its annual data security assessment report to the Office of the Attorney General for the term of the agreement.
Zoom Will Protect Users from Abuse
Zoom has further agreed to continue to maintain reasonable procedures to enable users to report violations of Zoom’s Acceptable Use Policy, including allowing meeting hosts to report a user for engaging in abusive conduct. Zoom will also update its Acceptable Use Policy to include abusive conduct based on race, religion, ethnicity, national origin, gender, or sexual orientation. Finally, Zoom has agreed to investigate reported misconduct in a timely fashion and to take appropriate corrective action based on its investigations, including banning users who violate the policy.
Today’s agreement will protect New Yorkers and users nationwide by ensuring Zoom’s compliance with a number of New York State and federal laws, including New York Executive Law § 63(12) and GBL §§ 349 and 350, New York Education Law 2-d, and the Children’s Online Privacy Protection Act.
Yesterday, the New York City Department of Education (NYC DOE) reached its own agreement with Zoom, which will enhance protections for city schools, students, and educators after the NYC DOE halted the use of Zoom across the city’s digital classrooms in April. The Office of the Attorney General worked with the NYC DOE and Zoom over the last month to address gaps in data security and privacy practices. Attorney General James wishes to thank the NYC DOE and Chancellor Richard Carranza for their cooperation. Today’s agreement with the Office of the Attorney General follows up on that announcement by offering Zoom users a more comprehensive resolution that will protect all New Yorkers and users nationwide.