Zoom to implement additional security and privacy measures after NYAG investigation

It will create and maintain a 'comprehensive data security program' that aims to protect user personal information.

Zoom has reached an agreement with the New York Attorney-General's (NYAG) office to provide new security measures to support and protect users of its video-conferencing application in response to an NYAG investigation into its security and privacy practices. 

"Our lives have inexorably changed over the past two months, and while Zoom has provided an invaluable service, it unacceptably did so without critical security protections," Attorney-General Letitia James said in a press release on Thursday. 

"This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don't have to worry while participating in a video call."

NYAG had opened up an investigation into Zoom's privacy and security practices in March after revelations that the app had a spate of vulnerabilities.

The company had previously claimed that its platform used end-to-end encryption when, in fact, it had been using a substandard AES-128 key. The platform was also hit by a plethora of Zoom-bombing instances, which resulted in a nationwide security alert being sent in the United States by government authorities. 

As part of the security measures, Zoom will create and maintain a "comprehensive data security program" that is designed to protect the security, confidentiality, and integrity of the personal information of users. The program itself will be designed and run by Zoom's head of security, according to the Zoom-NYAG agreement.

Zoom will also conduct risk assessments, review its coding for any bugs that could be exploited by hackers, and encrypt user information -- both in transit and when it is stored online on its cloud servers.

On the privacy front, the company agreed to tighten privacy controls for free accounts and K-12 education accounts. With this update, hosts will, by default, be able to control access to their video conferences by requiring a password or the placement of users in a digital waiting room before a meeting can be accessed. 

Users will also be able to control access to private messages in a Zoom chat, control access to email domains in a Zoom directory, control which participants can share screens, limit participants of a meeting to specific email domains, and place other limits on participants with accounts.

Zoom's acceptable use policy has also been updated to include abusive conduct based on race, religion, ethnicity, national origin, gender, or sexual orientation as reportable types of misconduct.

Along with these new security and privacy measures, Zoom will provide a copy of its annual data security assessment report to the NYAG for the next three years.  

The agreement comes a day after the New York City Department of Education lifted its Zoom ban, which had prevented the city's schools from using the video-conference tool in April.

Earlier on the same day, Zoom also announced it had acquired Keybase, the creator of an end-to-end encrypted messaging and cloud storage system. With Keybase, Zoom users will have the ability to add end-to-end encryption to video calls, the company said.
