New York Attorney General Letitia James announced an agreement with Zoom Video Communications that will provide security protections for more than 300 million meeting participants on the platform.

New security measures are being put in place to support and protect consumers, students, schools, governments, religious institutions, and private companies using the application for work, education, prayer, and socializing, says a press release from NY AG James. 

As many social interactions moved online due to COVID-19, Zoom saw a sudden surge in both the volume and the sensitivity of data passing through its network. The rapid growth in users also exposed security flaws and vulnerabilities in Zoom's platform and software, as well as a lack of privacy protections, says the release. Demand for Zoom's free services grew enormously: by late April, Zoom was hosting approximately 300 million meeting participants per day, compared to approximately 10 million per day in January 2020, an increase of nearly 3,000 percent in less than four months.

Numerous users reported that their Zoom conferences had been interrupted by uninvited participants seeking to disrupt the meeting, a practice dubbed "Zoombombing." A number of privacy and data security issues were also reported, including Zoom's lack of end-to-end encryption, despite the company having publicly represented that it offered it, and the leakage of users' personal information to other users without consent, says the release. Finally, Zoom was sharing users' personal information with Facebook, including for users who were not using the Facebook login feature and even for users without Facebook accounts.

As part of the agreement, Zoom has agreed to:

  • implement and maintain a comprehensive data security program to protect all users, designed and run by the company's Head of Security.
  • conduct risk assessments and software code reviews to ensure that the company's software does not contain vulnerabilities that would allow attackers to access users' information.
  • take steps to protect consumers from credential-stuffing attacks, in which attackers attempt to log in to accounts using previously leaked credentials.
  • enhance its encryption protocols by encrypting users' information both in transit and at rest on its cloud servers.
  • operate a software vulnerability management program and perform the most thorough form of penetration testing each year.
  • provide enhanced privacy controls for free accounts and for kindergarten through 12th grade education accounts. Hosts, including those with free accounts, will by default be able to control access to their video conferences by requiring a password or by placing users in a digital waiting room before they can join a meeting. Hosts will also be able to control access to private messages in a Zoom chat, control access to email domains in a Zoom directory, control which participants, if any, can share screens, limit the participants of a meeting to specific email domains, and place other limits on participants with accounts, to the extent applicable.
  • take steps to stop sharing user data with Facebook. Zoom has also disabled its LinkedIn Sales Navigator feature, which disclosed participants' profile information to other users even when the participant had chosen to remain anonymous.
  • provide a copy of its annual data security assessment report to the Office of the Attorney General for the term of the agreement.
  • continue to maintain reasonable procedures that enable users to report violations of Zoom's Acceptable Use Policy, including allowing meeting hosts to report a user for engaging in abusive conduct.
  • update its Acceptable Use Policy to cover abusive conduct based on race, religion, ethnicity, national origin, gender, or sexual orientation.
  • investigate reported misconduct in a timely fashion and take appropriate corrective action based on its investigations, including banning users who violate the policy.