Kena Betancur/Getty Images
show image

Laurie Clarke

Reporter

Zoom urged to be transparent about government data requests

Digital rights advocacy group Access Now has called on video conferencing company Zoom to produce a transparency report on security and privacy.

These type of reports, routinely published by bigger companies such as Google and Microsoft, publicise the number of requests for user data the organisation has received from law enforcement and government, and whether the company acquiesced in these cases.

Zoom is one of the few companies that is thriving in the midst of a global coronavirus shut-down. The share price of Zoom (and even the totally unrelated yet easily confused ‘Zoom Technologies Inc’) is ascendant, and the company is growing its user base faster than ever.

Even before the coronavirus outbreak, Zoom was reportedly used by over 60 per cent of Fortune 500 companies and over 96 per cent of the top 200 universities in the US. But Access Now rightly points out that with the increased usage, and number of potentially sensitive meetings and exchanges, that Zoom should start being more transparent about how it handles user data.

“The growing demand for your services makes Zoom a target for third parties, from law enforcement to malicious hackers, seeking personal data and sensitive information,” wrote Isedua Oribhabor, Access Now’s US policy analyst, and Peter Micek, Access Now’s general counsel, in the letter to Zoom.

“Meanwhile, as people gather online, these assemblies will ​draw scrutiny from authorities​ looking to control the flow of information. This is why disclosing only privacy policies is not enough — it is necessary for Zoom to also disclose its policies and procedures protecting the data and accounts of everyone interacting with its services through a regular transparency report.”

The letter stipulates that Zoom should share information with its users about the following points:

  • The number of government requests for user data you receive by country, with compliance rates, and your procedures for responding to these requests;
  • The circumstances when you provide user information to government authorities;
  • Policies on notice to potentially affected users when their information has been requested or provided to government authorities, or exposed by breach, misuse, or abuse;
  • Policies and practices affecting the security of data in transit and at rest, including on multi-factor authentication, encryption, and retention; and
  • Policies and practices affecting freedom of expression, including terms of use and content guidelines for account holders and call participants, as well as statistics on enforcement

Zoom’s record on security is mixed too. In July 2019, researchers at cybersecurity company Check Point found it was possible to exploit the way Zoom generated URLs for virtual conference rooms and use this to snoop on meetings.

In January 2020, the same company found security flaws that would have allowed a potential hacker to join a video meeting uninvited and eavesdrop.

Zoom didn’t respond to a request for comment.