Zoom Boom Security Bomb – The Cost of Virtual Convenience?

Posted by on Wednesday, September 22, 2021 in Blog Posts.

By Claire Bonvillain

When the Covid-19 pandemic forced us to adapt to remote work and education, Zoom Video Communications quickly rose above other teleconferencing platforms. Today, Zoom dominates the virtual office, and the word “zoom” is a verb almost as ubiquitous as “google”. Its success is largely due to its user-friendly nature and convenience, but is security the price we pay to zoom? And how well is the federal government protecting the privacy of our virtual offices and its own?

In July 2021, Zoom agreed to an $85 million settlement in a class action suit, in which Zoom users alleged that the videoconferencing company misled consumers and compromised privacy and security. In particular, Zoom allegedly misrepresented its encryption as “end-to-end”, sold user data to Facebook and Google without user permission or disclosure, and failed to take adequate security measures, leading to unauthorized intrusions onto users’ meetings, or “Zoom bombing.”

Users of free and paid Zoom services are eligible to receive small amounts of compensation from the settlement, and Zoom agreed to take specific measures improving privacy and meeting security. These include educating users about security features and taking action against disrupters. Zoom denied wrongdoing, but acknowledged “a discrepancy” between the “end-to-end encryption” it claimed to provide and the industry definition of the phrase. The complaint against the company, however, maintained that Zoom did not have the right to change the meaning of an accepted industry term and was intentionally misleading users. End-to-end encryption would mean that users, not Zoom’s servers, would have the encryption keys to access meeting content.

The plaintiffs’ suit was narrowed considerably by Judge Lucy H. Koh’s March 2021 order partially granting Zoom’s motion to dismiss. The order ruled that Zoom could not be liable for the sometimes obscene and hateful content displayed by “Zoombombers” under section 230 of the Federal Communications Decency Act, as Zoom’s failure to filter harmful content provided by users was “the very activity Congress sought to immunize” in enacting this law. However, Zoom could be liable for future security flaws and resulting disruptions, although not for their content.

Zoom’s alleged security and privacy lapses are especially concerning in light of government officials’ use of Zoom for telework during the past 18 months. The company did develop a platform for use by U.S. government officials, Zoom for Government, which was “designed to meet [U.S. federal] security requirements.” Zoom claims the platform is more secure than its free and commercial offerings, although it is vague about how, presumably to assure its free and commercial users that all Zoom platforms are as secure as they can be. Zoom for Government is advertised as having “entirely U.S.-based” operations. This emphasis is likely a response to the backlash against news that Zoom servers located in China control encryption keys, since its encryption is not in fact end-to-end. The Federal Risk and Authorization Management Program (FedRAMP) approved Zoom for Government in February 2019. FedRAMP, under the authority of the General Services Administration (GSA), assesses and authorizes cloud technology for government use, eliminating the need for duplicative research by individual agencies.

However, some question the effectiveness of FedRAMP’s screening process due to the numerous security and privacy issues reported since Zoom’s FedRAMP approval, including a bug enabling hacking of users’ webcams. The GSA recently denied for a second time Senate Finance Committee Chair Ron Wyden’s request to review the documents submitted by Zoom for FedRAMP approval. Wyden’s request voiced concerns that Zoom’s FedRAMP approval and subsequent security issues reveal the inadequacy of FedRAMP’s process for detecting security problems. The GSA cited the need to protect Zoom’s security and trade secret information from cybercriminals and competitors alike as its reason for denying Wyden’s request. Reasonable though it may be, this justification does little to inspire confidence in the GSA’s FedRAMP approval process, although Zoom for Government was recently approved for conditional use at Impact Level 4 by the Department of the Air Force.

Even government personnel who are strictly authorized to use only government-provided networks often use unauthorized platforms such as Zoom in practice. The Department of Defense Inspector General’s 2020 evaluation of technology and communications indicated that DoD officials used unauthorized teleconferencing platforms such as Zoom when facing problems with DoD networks, such as connectivity issues and inconvenient collaboration tools.

Meanwhile, Zoom’s security bulletin reports a bug, disclosed as recently as August 2021, that under some circumstances allowed malicious users to execute code on a user’s computer. Will the next few years see litigation over bugs in Zoom security and in government virtual communications oversight, as Covid-19 and remote work become permanent fixtures in our lives and legal system?

Claire Bonvillain is a 2L from Mississippi. She hopes to practice environmental law after graduation and enjoys reading horror fiction, watching horror movies, and baking in her free time.