Don’t abandon standard protective measures when signing up for any online account, says Kevin Cheung
With COVID-19 forcing many lawyers to work from home, many of us have resorted to videoconferencing for client and team meetings. Videoconferencing technologies have been critical in allowing a lot of businesses to continue operating, but the last few weeks are the first time that many people have used videoconferencing for anything more than chats with friends and family.
As we have now heard, privacy concerns abound with one of the more popular videoconferencing apps, Zoom. As lawyers, of course, we must be especially mindful of potential security and privacy concerns when we use a digital tool in our practice.
Problems with Zoom that are of most concern to lawyers include:
- Lack of end-to-end encryption, contrary to claims by the company. End-to-end encryption ensures that all communication between you and others on the call is encrypted so that only parties to the call can decrypt it. Zoom is not alone in lacking this encryption; many other videoconferencing services also do not have this feature.
- “Zoombombing,” or hackers joining Zoom meetings and disrupting them by posting offensive content; also, hackers taking control of webcam and microphone
- Zoom accounts, email addresses, passwords, meeting IDs, host keys and names being found on the dark web
- Personal accounts and corporate accounts being found on forums used by criminals
- Zoom accounts can be easily hijacked if the email address associated with the account is known
- Zoom had been sending data of registered and non-registered users to third parties such as Facebook, where options were offered on the Zoom site to log in via those platforms
- Surreptitious access to LinkedIn profile data of both registered and non-registered users had been allowed
- Risks of malware
- Zoom videos left unprotected and viewable online
- Calls routed through Chinese servers
- Zoom meeting organizers having the ability to monitor whether participants are paying attention on calls
Many people have not been aware of the extent of the data collection by Zoom, or of how significant the waiver of privacy has been when one uses the service. It has placed at risk not only our information and our clients' information, but also the contents of our Zoom meetings. Many users have been woefully unaware of who has access to their personal information. Major companies and governments have now banned Zoom use due to the privacy and security concerns, and the company is facing class action lawsuits arising from these issues.
Zoom appears not to have been designed for secure business use. The CEO himself has acknowledged that Zoom has prioritized usability over security, but has said that this would be changing in light of the concerns recently raised, and the company has been making efforts to address the security and privacy concerns. It may even be that the harsh scrutiny of the company will lead it to become a formidably secure videoconferencing service.
The privacy problems that have arisen with Zoom serve as an important reminder to lawyers that all digital tools need to be vetted to ensure that, if we use them, we are complying with our confidentiality and privacy obligations to our clients. During a pandemic such as that caused by COVID-19, we may have more pressing things on our minds; yet this underscores the importance of regularly maintaining and updating contingency plans so that we are not caught by surprise and suddenly faced with finding a videoconferencing provider, for example.
Some tips for protecting privacy and security while using Zoom include:
- Do not forget that a Zoom account is like any other online account. Don’t abandon standard protective measures when signing up for accounts, such as using strong passwords and two-factor authentication.
- Registered users get a personal meeting ID for scheduled Zoom meetings. Avoid making this ID public, as anyone who has it will likely be able to join a meeting.
- Hosts of calls should enable Waiting Room (this should be a default setting now), which allows the host to approve each person who tries to join a call.
- Protect videoconferencing calls with passwords.
- Only download Zoom (and other video conferencing apps, for that matter) directly from the company's website, or, for mobile devices, from Apple’s App Store or Google Play. The number of fake video conferencing apps has spiked dramatically recently, and with that comes the increased risk of malicious software infecting computers and networks.
If the privacy concerns around using Zoom remain too unsettling and the company's efforts to address them are still unsatisfactory to you, some alternatives to consider include:
- Skype for Business
- Microsoft Teams
- Google Hangouts
Finally, embrace videoconferencing. It is a wonderful way to stay connected and continue business as best as possible. Just do it safely, stay informed, and do not forget that the usual measures you take to protect yourself online apply to this technology as well.