Note: In late May, Zoom released version 5.0 of its videoconferencing platform, which addresses a number of security and privacy concerns. A list of these updates can be found here: https://zoom.us/docs/en-us/zoom-v5-0.html.
The Covid-19 pandemic has restricted the movement of millions of people, and many companies have transitioned to remote workforces, schools have moved to virtual learning, and restaurants and stores have switched to delivery. These events are driving the demand for video conferencing, online collaboration, and chat systems to carry out business.
One web conferencing platform that has recently exploded in popularity is Zoom, which provides a free video calling experience. In just a few short months, Zoom grew by 2000%, supporting over 200 million users. Unprepared for the surge and catapulted into the limelight, Zoom has been highly criticized over its inadequate privacy and security practices, particularly on its free version, which have revealed unprotected user account data, in-app surveillance measures, the selling of user data, video hijacking, incomplete end-to-end encryption, and a misleading privacy policy.
While Zoom has taken responsibility for its flaws and is trying to retroactively correct these issues, there are additional steps that you should take to protect your privacy and ensure your meetings are safe from intruders, regardless of whether you’re using Zoom or another video conferencing tool.
Disable Browser Cookies Before and After a Call.
Recent allegations (and at least one class-action lawsuit) against Zoom claim that the video-conferencing company shared data with third parties like Facebook without properly notifying users or gaining permissions. The claim states that Zoom allowed users to log in using their Facebook credentials, but once logged in Zoom would share with Facebook the user’s information, including the device being used, the model, and the device’s unique advertising identifier. Similarly, Zoom would take the user's LinkedIn profile data and connect it to their Zoom account, allowing other people in the meeting to view the user’s name, job title, employer, and location, without ever notifying the user or asking for permission. This LinkedIn feature has since been disabled.
The personal information Zoom collected was shared with third parties who then used it to work with Google and other advertising networks to turn personal information into targeted advertisements. Although Zoom’s privacy policies states that they won’t give “access to personal data in exchange for payment,” there is not much clarity around what constitutes as the sale of personal data.
The best way to help protect against this type of data sharing is to clear all your browser cookies before and after each call, whether you’re using Zoom or another tool. Third parties can leverage cookies to gather information about you across multiple websites and can even provide malicious attackers access to your accounts, even without a password. Deleting cookies limits the amount of information the conferencing platform is able to gain about you and gives you more control over your personal data.
Here are some simple guides to clearing your cookies in popular browsers:
- Chrome: https://support.google.com/accounts/answer/32050
- Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac
- Firefox: https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox
If You Use Zoom, Enable These New Features.
While this tip is Zoom specific, many other platforms offer similar features. In an attempt to resolve some of their existing privacy flaws, Zoom launched two new, free security features that were previously only available in the paid versions of the platform.
1. Password Protect Your Meetings
Originally, Zoom’s free tier didn’t allow users to password-protect meetings, leaving virtual happy hours, classrooms, and corporate meetings susceptible to uninvited guests. Malicious actors used tools that would allow them to run through thousands of meeting IDs in a matter of minutes, letting them take over private meetings. Now, the default meeting settings include a password, requiring everyone who joins a meeting to enter a password, in addition to the meeting ID, increasing the security and privacy of conversations.
2. Using a Waiting Room for Your Meetings
The “Waiting Room” feature on Zoom allows a host to view who is attempting to join the meeting and deny or allow access to that meeting. It’s a virtual staging area that prevents people from joining a meeting until the host is ready. Hosts are able to customize the Waiting Room settings, chats, and even send personalized messages to those in the Waiting Room. This feature helps eliminate the risk of “Zoombombing,” where uninvited attendees break into and disrupt meetings through malicious actions.
Keep in Mind What the Host Can Access.
Depending on the tier of service purchased, Zoom meeting hosts are allotted certain privileges during meetings, like viewing private chats that occurred in the meeting and seeing when users are actively engaged or disengaged with the meeting. At the end of a meeting, the host can receive a transcript of all conversations during the meeting, including private messages. Similar features are available in other virtual meeting tools.
While the “attendee attention tracking” feature didn't allow the host to monitor participants’ activities, it did share when participants hadn't engaged with the app for 30 seconds. This feature was recently removed by Zoom for privacy reasons.
Another feature available on Zoom and most video conferencing tools is the ability for hosts to record meetings. Most platforms notify all participants when a meeting is recording, and you should be able to opt-out of being recorded. However, in some cases, opting out may require you leaving the meeting. On Zoom, recorded meetings are stored in the Zoom cloud and can be downloaded by the host. It is also unclear how long these recordings remain there or who within Zoom has access to them.
So when participating in a meeting, it is important to be aware of the access a host may potentially have and the features they can activate without your knowledge or consent.
Don't Share Private Information on Non-Private Tools.
From personal chats with family and friends to healthcare visits to business meetings, web conferencing tools are helping everyone get through daily life during this pandemic. While some conversations would simply be embarrassing if shared publicly, the sharing of business-confidential communications (i.e., IP, trade secrets, business data) and personal conversations with doctors and lawyers can have serious repercussions.
While many video conferencing apps are taking steps to increase privacy and security measures, they still aren’t secure methods of sharing highly confidential information.
If you require a certain level of privacy for therapy sessions or legal discussions and don’t want to risk that information being leaked, choose another communication method (i.e., phone) or a virtual tool designed with privacy and security in mind. For example, Signal is a one-on-one video conferencing app that uses end-to-end encryption to protect its messages, meaning all information shared is encrypted and requires an encryption key to decode in order to access the content. For health visits, ask your healthcare provider for more information about the tool they use for video calls and do your research before using them.
A good rule of thumb to follow is, “If you wouldn’t want it to come up when you run for office, then don’t share it on Zoom.” While most of us won’t be taking the podium any time soon, exercising this level of caution can help guarantee your private information remains private.
Be Mindful of Your Surroundings.
To increase privacy during meetings, many platforms offer the ability to customize or blur your background. But even using one of these options doesn’t ensure video conferencing tools aren’t collecting data on your surroundings.
If a baby cries in the background, you might see ads for pacifiers soon. If your pet pops up on screen, ads for pet supplies might show up in your sidebar. While you might not be too concerned about these small advertisements, you should be concerned with how that information was captured in the first place. Being cognizant of this data-gathering method, implementing good cyber hygiene practices (like disabling cookies), and choosing a quiet place for meetings can help limit the data being collected about you.
Research Your Conferencing Tools.
Before choosing a video conferencing app (free or purchased), you should investigate its privacy and security features. Take a deeper look at the privacy features of the software and the implications of using it, beyond just reading the privacy policy. Even a look at the company’s corporate site can provide a plethora of information regarding where data is shared. For instance, Match Group owns Match.com, OKCupid, Plenty of Fish, and Tinder, and unknowingly to users, data flows freely between this portfolio. If you’re looking to select a tool for your organization, set up a meeting with the platforms you’re interested in to discuss privacy features. Privacy may end up costing more initially, but it will reduce the future costs of breaches, penalties, and non-compliance.
Get Comfortable Reading the Privacy Policies of Websites and Apps.
Now is the time to be an active participant in privacy and get in the habit of reading the privacy policies for the websites and tools you use. Many have recommended learning a new language during the Covid-19 stay-at-home orders; heed their advice and learn the language of privacy policies. Due to requirements found in the CCPA and GDPR, businesses are now writing them in a more straightforward and organized manner so the average consumer can easily digest the information.
If you don’t have time to read an entire privacy policy, use Control (Command) + F to search for “sharing” or “data sharing.” Read these sections to learn what data is being collected about you and who it is being shared with. If you have concerns or questions, there should always be an email listed in the privacy policy that you can send questions to and get a quick response.
Taking a few minutes to read the privacy policy will keep you more informed and help you make educated decisions on what happens to your personal or corporate information.
Tools like Zoom, Skype, Hangouts, and Teams allow us to connect with family members and friends, hold critical business meetings, host work happy hours, and maintain a semblance of normalcy during this time. While they are valuable tools, they are being trusted with an enormous amount of personal and confidential information and must implement measures that protect the privacy and security of that data. Fortunately, many users have voiced their concerns around the privacy of these tools, and these companies are taking action, demonstrating how privacy has become a powerful part of how consumers and businesses work together. So, whether you’re a user looking to take privacy into your own hands or you’re creating a corporate policy for secure video conferencing, we hope these tips help you reduce privacy risk and keep your personal information private.
Want more insights into the latest privacy news?
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.
