Zoom hit by investor lawsuit as security, privacy concerns mount

Video software vendor has hired Facebook’s former CSO to consult as it looks to improve security practices amid rapid growth caused by the pandemic

The challenges facing Zoom continue to mount, as the vendor now faces an investor lawsuit and more organisations ban the use of the video meeting app due to privacy and security concerns.

The company also upped efforts to improve its security and privacy practices by hiring Facebook’s former CSO as a consultant.

Zoom has seen a surge in use in recent weeks as self-isolation in response to the pandemic ramps up the demand for video software. As its popularity has boomed – both for business and personal use – and the company’s stock price rocketed, Zoom has come under pressure on a number of fronts.

Last week, shareholder Michael Drieu filed suit in a California federal court, alleging that Zoom “significantly overstated” the degree to which its platform is encrypted, failing to disclose these “deficiencies” to shareholders.

Zoom admitted on April 1 to a “discrepancy” in its definition of end-to-end encryption from the commonly accepted definition. Drieu claims he and other shareholders have suffered “significant losses and damages” due to a drop in Zoom’s share price after the admission.

It is the second recent lawsuit Zoom faces; the company is also being sued in California for allegedly sharing user data with Facebook.

Zoom said in a March 29 blog post that it “has never sold user data in the past and has no intention of selling users’ data going forward,” and would remove the Facebook SDK (software development kit) from its iOS client. That SDK, it said, was responsible for collecting device data.

More organisations ban Zoom

The list of organisations that have banned use of Zoom on security and privacy grounds has also grown.

The U.S. Senate has reportedly directed members not to use the app, according to the Financial Times, while the German Foreign Ministry has banned its use on mobile devices to protect confidential conversations, according to an internal memo seen by Reuters. And Taiwan’s government warned against using Zoom, instead highlighting rival options from Microsoft and Google.

Google, which has its own video app – Hangouts Meet – has also reportedly banned Zoom due to security vulnerabilities, according to an internal email cited by BuzzFeed, as has Elon Musk’s SpaceX.

The FBI has warned of unauthorised access to virtual classrooms and recommended that users change security settings to protect meetings; the app has been blacklisted by schools in New York.

Zoom had previously drawn criticism over its security practices – even before the Covid-19 crisis – because of a flaw in its Mac desktop app, discovered last year, that let hackers take control of a user’s webcam.

In response, Zoom has recently upped efforts to improve security and privacy, with CEO Eric Yuan promising last week to put Zoom feature development on hold for 90 days while the company directs resources to “better identify, address, and fix issues proactively.”

Yuan acknowledged in an interview with CNN on Monday that the company “moved too fast” as the Covid-19 crisis unfolded and should have enforced tighter security to protect users. The company also acknowledged in response to research from the University of Toronto’s Citizen Lab that its encryption efforts need more work.

Zoom hires Alex Stamos

On Wednesday, Zoom announced that former Facebook CSO Alex Stamos has joined as an “outside advisor” to improve security controls and practices. In a post on his personal blog, Stamos said he was hired to advise and help the company “build up its security, privacy and safety capabilities as an outside consultant.”

Zoom has also formed a chief information security officer (CISO) Council to discuss security and privacy best practices; CISOs from HSBC, NTT Data and Procore are among those involved.

One measure to improve security and privacy, put in place by Zoom on Wednesday, is to hide Meeting ID numbers from the onscreen title bar. This will prevent users from leaking meeting details if they share a screenshot on social media and is likely to reduce occurrences of Zoom-bombing, where uninvited users disrupt video meetings.

Despite its challenges, Zoom is making the right moves to improve security and its reputation among enterprise customers, said Raul Castanon, senior analyst for workforce collaboration at 451 Research / S&P Global Market Intelligence.

“Zoom has been in the spotlight given its meteoric growth, even more since it stepped up to the challenge scaling its platform to help millions of users during the current crisis,” he said. “Given its success, it makes sense that the company will be under intense scrutiny and become the target of malicious actions.”

Castanon said Yuan is “skillfully navigating challenges that in many ways are unprecedented,” and that these efforts “should be acknowledged.

“Despite the lawsuit, the actions outlined in Yuan’s recent blog post, plus bringing in Alex Stamos as a consultant, should help Zoom improve its security and privacy practices and restore confidence to enterprise users and investors,” he said.
