Amid COVID-19 Telehealth Use, Sen. Probes Zoom on Privacy Practices

April 01, 2020 - Sen. Richard Blumenthal, D-Connecticut, sent a letter to Zoom CEO Eric Yuan, asking for insights into the video conferencing platform’s privacy and security practices, given the drastic increase in its popularity during the during the COVID-19 pandemic, including for telehealth purposes.

“The millions of Americans now unexpectedly attending school, celebrating birthdays, seeking medical help, and sharing evening drinks with friends over Zoom during the Coronavirus pandemic should not have to add privacy and cybersecurity fears to their ever-growing list of worries,” Blumenthal wrote.

“Zoom is increasingly being used by schools and healthcare providers that have shut down or limited their operations to stop the spread of Coronavirus, raising questions about how its services comply with federal and state privacy laws protecting students, patients, and consumers,” he added.

Blumenthal writes in response to the increased use of the platform and concerns raised about how Zoom handles personal user data against both security threats and abuses of Zoom services.

For one, researchers recently found vulnerabilities in the Zoom platform that would allow an attacker to potentially identify and join active meetings. The issues were quickly addressed by Zoom, and several mitigations were put into place.

READ MORE: Zoom Domains Targeted by Hackers, as Use Surges with COVID-19

But as the crisis expanded use of the platform, hackers have been targeting the Zoom domain for malicious activities. More than 1,700 new domains tied to Zoom have been registered in the last two weeks: 25 percent of those were logged during the last week alone, and 4 percent contained suspicious characteristics, according to Check Point.

What’s more, the app has recently come under fire for privacy protections, as it was discovered Zoom was sharing user data with Facebook – even if the user didn’t have a Facebook account. The issue was tied to the social media app’s Software Development Kit, and once discovered, Zoom removed the SDK from the platform.

As noted by Blumenthal, this “troubling history of software design practices and security lapses” poses significant privacy and safety risks to users.

The Senator also blasted Zoom for failing to be timely and diligent with shoring up vulnerabilities in its Mac client. Zoom did provide an initial fix, but it did not completely resolve the vulnerability, and Apple stepped in to completely secure the platform to protect users.

Despite commendable steps, Zoom's “privacy policy still grants it broad discretion to use personal data for other purposes than providing video conferences.”

READ MORE: COVID-19 Cyber Threats: Hackers Target DNS Routers, Remote Work

“For example, Zoom states that it ‘does use certain standard advertising tools on our marketing sites which, provided you have allowed it in your cookie preferences, sends personal data to the tool providers, such as Google,’” Blumenthal wrote.

“Parents, patients, and families should not have to worry that their children’s information, their health condition, or their private discussions are being used for advertising and other unintended purposes,” he added.

The Senator also takes issues with Zoom’s failures to address pressing questions on its abuse and intrusion protections, as users have increasingly reported harassment campaigns from uninvited users. Dubbed “Zoombombing,” uninvited users have been hijacking and disrupting online meetings.

Further, it’s been reported that Zoom does not use end-to-end encryption for its meeting privacy, despite claims to the contrary.

In response, Zoom is being asked to detail its privacy and security practices “given the sensitivity of its services and the role of Zoom in our lives during the Coronavirus pandemic.”

READ MORE: Must-Have Telehealth, Remote Work Privacy and Security for COVID-19

Blumenthal asks for the types of personal user data and session information collected and retained by Zoom, as well as what it shares with third parties, such as its marketing partners. Zoom must also share a list of its marketing partners that receive this personal data and specific type of information.

Zoom is also asked whether it’s made privacy rights guaranteed under the California Consumer Privacy Act and the EU General Data Protection Regulation to all US users, along with its parental consent requirements, data collection limitations, data access features, and safeguards for its Zoom for Education service.

The Senator also asks whether the platform indeed leverages end-to-end encryption, “as the term is commonly understood by cybersecurity experts, for video conferences,” and to provide when the method is available for users and how their personal data is encrypted.

Zoom is asked to address how it is detecting and preventing “Zoombombing,” and other intrusions and abuse targeting Zoom meetings, in addition to how users are able to report abusive intrusions and how long it takes Zoom to respond to those reports.

Lastly, they’re asked to provide details on the contact information, bug bounties, and other procedures maintained by Zoom to receive reports on security vulnerabilities.

“Zoom users deserve clear and correct answers about how it protects the safety of its users and meetings,” Blumenthal wrote.

Zoom has until April 24 to provide Blumenthal with a response.