Not So Zoomy: Use of Videoconferencing Technology “Zoom” on the Rise, but Privacy and Data Security Inadequacies suggest Users should Tread Carefully
By Cameron Abbott, Warwick Andersen, Rob Pulham and Max Evans
As the world grinds to a halt following the perpetuation of COVID-19, more and more businesses have turned to remote work arrangements. This has led to a sharp rise in the use of videoconferencing technology Zoom. However, as the Australian Financial Review notes, flawed data security and privacy practices mean that the use of Zoom could be disastrous for corporate and personal privacy.
Concerns surrounding the use of Zoom arose earlier this year, with critical security vulnerabilities enabling hackers to predict Meeting ID’s and therefore join active meetings, and also allowing any website to forcibly join a user to a Zoom call with their video camera activated and without the user’s permission. Whilst a number of these errors were patched up, as the article notes, Zoom refused to disable the ability for hackers to forcibly join to a call anyone visiting a malicious site, raising security red flags and undermining public confidence in Zoom’s attitude towards data security. A strange response given that part of its attraction had been a perceived stronger approach to security.
The article further exposes shortcomings in Zoom’s privacy practices, noting as an example that calling into a Zoom meeting via telephone only reveals a simple message that the meeting is being recorded, without indicating by whom, to where, or whether the recording is audio, textual or both, further failing to share any terms and conditions or end user agreement with the relevant caller. Additionally, Zoom’s privacy policy indicates that, if a Zoom meeting host decides to record a meeting and store it on Zoom’s system, that person is responsible for obtaining any necessary consent from the individuals prior to recording a meeting, therefore placing no responsibility on Zoom to obtain consent prior to collecting the relevant information.
From a compliance perspective organisations need to consider if they are failing in their own privacy obligations if they are not addressing how their employees utilise platforms like this.