Remote has a price: your privacy

“Which reliable tool to organize a remote meeting?” This is the question that many companies have had to answer since the beginning of confinement. This is how Zoom became a must-have. But how many have actually read the Terms of Use before downloading the app? How many have assessed if it really is the most convenient tool? Maybe the UK government?


With the coronavirus pandemic, all private and public organizations have to deal with the problem of remote working. However, the very short time they were given to find satisfactory technological solutions led them, not surprisingly, to prioritize certain criteria when choosing one tool over another. In this general panic, it would almost seem that the notion of privacy has been sacrificed in favor of the continuity of the activity of insufficiently prepared actors.


Twitter, @BorisJohnson, March 31st, 2020

Zoom...on cybersecurity issues


Also on the front line, the education sector and its constraints: how to set up dematerialized classrooms that would withstand the sudden increase in connection traffic? In just a few weeks, the Zoom platform has emerged as one of the main solutions. Far beyond the education sector alone, private companies have also made extensive use of this web conferencing solution.


The attention of hackers was inevitably drawn by this massive recourse to Zoom. This is precisely where the security measures implemented by the company allegedly proved to be insufficient. A side-effect of the soaring use of the platform is the phenomenon of “Zoombombing”, i.e. the unannounced intervention of third parties in a Zoom chat for the sole purpose of sharing graphic, explicit, sometimes violent content.


Furthermore, while Zoom claims end-to-end encryption of communications, several media outlets and specialists have pointed to a slightly different reality, as explained in a recent article from The Intercept.


Indeed, Zoom uses its own definition of “end-to-end” encryption - which, it is true, is not easy to implement for video communications - which ultimately consists of a simple “transport encryption” technology. The use of this encryption process necessarily entails consequences for the privacy of users, the most important of which is the technical possibility for Zoom to access the content of videoconferences, content that the company may be obliged to transmit to authorities, for example.


To counterbalance this possibility, which potentially infringes on the rights and freedoms of data subjects, the major players in the electronic communications sector, such as Google, Facebook and Microsoft, publish transparency reports, in which they communicate on the number and nature of requests received from government authorities. Zoom does not seem inclined to do so.


Remote vs Privacy tradeoff


Beyond cybersecurity issues, Zoom's privacy practices also seem questionable. Upon reading their Privacy Policy, many people have noticed that Zoom claims not to sell users' personal data. In practice, Zoom shares the data collected with third parties, often via SDKs, and this is how your meeting data can end up being processed by Facebook or Google. It should be noted, however, that following these disclosures, Zoom updated its Privacy Policy and indicated that it had deactivated the SDK that sends user data directly to Facebook.


Nonetheless, many questions remain regarding the protection of users' personal data, and in particular the question of the power given to the meeting host. Indeed, the meeting host can record and reuse much of the data exchanged during the video call, in addition to the “Attention Tracker” function, which informs the host if a user has been away from the Zoom screen for more than thirty seconds.


These findings have not failed to attract the attention of the authorities, and it is in this context that the New York Attorney General sent Zoom a letter asking the company to explain the reasons for a number of breaches, including security breaches and the use of trackers that result in the transfer of users' personal data directly to Facebook. The Attorney General also inquired about the security measures adopted by Zoom in order to remedy the flaws exposed and to protect users' privacy, as reported by the New York Times:


The New York attorney general’s office is notably “concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network,” the letter said. “While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices”.


Zoom welcomed these questions from the Attorney General, and the company assured that it would provide the authorities with all the information requested. The company has already updated its privacy policy to address some of the concerns of users.


However, these elements still prove insufficient for some of its critics, who believe that the privacy policy for Zoom users is still too opaque. In this context, the question then arises of the risk run by companies using the platform with regard to the sometimes sensitive information that may be exchanged during Zoom meetings and which may be protected by business secrecy.


Too big to fail, not yet


In this context, a class action was, unsurprisingly, filed against Zoom in California on March 30th for violation of the CCPA. The action alleges that Zoom failed to implement adequate security measures, transferred data without authorization, processed data for certain purposes without a legal ground, and failed to adequately inform users. Finally, Zoom is charged with illegal and unfair commercial practices.


Even if it seems obvious that users, both individuals and companies, do not yet have sufficient hindsight to appreciate the consequences they risk, the fact remains that this subject will have repercussions well beyond the period of confinement and raises the following question: in times of crisis, to what extent are private and public players prepared to sacrifice the right to privacy to ensure business continuity?


It should be highlighted in this specific case that Zoom does not benefit from a “network effect”. For now, at least. Indeed, unlike dominant social networks such as Facebook, or other platforms such as Google or Windows that are so widely used that using them is almost unavoidable, Zoom has not yet become the major stakeholder of videocalls and meetings. However, this could change due to the rise in its share price, which necessarily generates new interest from potential users. As a result, it will certainly become increasingly difficult not to use it.


Then, are you still so convinced that Zoom is the most suitable tool for your next videocall, or would you rather take some time to compare with some of its competitors?