While the attorney general’s office was quick to praise Zoom, it raised repeated questions about the app’s security measures.
New York Attorney General Letitia James is investigating Zoom, a videoconferencing app that’s skyrocketed to popularity among educators, students and remote workers during the coronavirus pandemic.
On Monday, James’s office sent Zoom a letter demand to know what new security measures—if any—the company had taken to handle high network traffic. The same letter also requested information on what Zoom is doing to combat trolls and hackers, who’ve taken to disturbing meetings in a variety of ways.
But the letter, says The New York Times, did refer to Zoom as “an essential and valuable communications platform.” Nevertheless, it highlighted several security concerns and criticized Zoom for sluggishly responded to them.
The attorney general’s office said that, if Zoom doesn’t act quickly, its vulnerabilities “could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.” The A.G. is also worried that “Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network.”
“While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices,” the letter says.
Zoom, however, has received more scrutiny from more people and places than Letitia James’s office. As SFIST.com and Vice News have reported, Zoom has purportedly been selling users’ information to Facebook without permission (particularly for people using the app on Apple devices).
Despite Zoom’s denials—the company’s chief executive claimed they’d never sold user data to Facebook or any other entity—Zoom eventually did concede that it “shared” data.
And now that practice, stopped or not, is being challenged by a lawsuit.
Filed in California on Monday, the suit claims that Zoom funneled information to Facebook including what device a user was accessing Zoom from as well as that device’s “unique advertising identifier.”
“The unique advertising identifier allows companies to target the user with advertisements,” the lawsuit states. “This information is sent to Facebook by Zoom regardless of whether the user has an account with Facebook.”
James’s office has expressed similar concerns, especially in relation to children’s privacy. In the A.G.’s letter, officials questioned whether Zoom might be circumventing state-level requirements intended to protect students’ data.
While James’s office again praised Zoom’s efforts to provide a platform to educators who can no longer meet their students in-person, they implied that Zoom may be trying to offload questions of data-sharing consent onto schools themselves.
Zoom, adds CBS News, has promised to comply with James’s investigation.