No company has become a household name faster than Zoom, the videoconferencing service that became the platform of choice at the onset of the COVID-19 pandemic. But the company was caught unprepared for such explosive growth, and the sudden scrutiny of the tech industry uncovered a litany of security problems. And this was even after its practices crossed the line for Apple computers last year.
Zoom’s efforts to batten down the hatches are now well known, from buying a security company for end-to-end encryption to setting up dedicated privacy and security resources to help users verify and strengthen their security settings.
But the company’s sharp turnaround in its security practices isn’t solely the result of bad press. Over the summer, the New York Attorney General’s office opened an inquiry into Zoom’s security practices. And it was a settlement between them that cemented much of what Zoom does today.
The piercing light of massive mainstream adoption, reaching over 200 million daily users as the pandemic was declared in March, revealed a whole host of security vulnerabilities in Zoom’s software and operations.
In April, a cache of half a million Zoom account credentials was found online, and the company was forced to allow users to choose where their information was routed after security researchers noted Zoom data sometimes traveled through China. That same month, Congress opened inquiries into Zoom, and even some of its own Zoom events were targeted by “Zoom bombers.” The company rushed to release Version 5.0 of its software in April to put a number of security measures in place.
In the months that followed, a familiar “cat and mouse” series of security vulnerability announcements, bug fixes, and enhancements unfolded, including universal end-to-end encryption.
One of the many government agencies investigating Zoom was the office of the New York Attorney General.
While Zoom’s troubles played out publicly across news headlines, the company was negotiating behind the scenes with New York State for over a month.
In May, the state’s Attorney General Letitia James announced the end of its inquiry into Zoom via a settlement with the company, and the New York Department of Education ended its ban on Zoom use by schools.
“Our lives have inexorably changed over the past two months, and while Zoom has provided an invaluable service, it unacceptably did so without critical security protections,” James said. “This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call.”
The New York Attorney General’s Office acknowledged that Zoom “has provided valuable services to schools, local governments and health care institutions to help address the unique circumstances of the global pandemic,” as well as “allowed a large number of New York residents and school children to use its service for free.”
The signed settlement agreement outlines more than twenty commitments Zoom made to the New York Attorney General, including:
- Designating a head of security who reports to the CEO and Board of Directors and maintains a comprehensive information security program.
- Offering educational materials on privacy controls.
- Maintaining a “bug bounty” program that provides financial incentives to researchers and the public to find and report security vulnerabilities.
Zoom and healthcare
There has been a historic expansion of telehealth during the ongoing global health crisis as healthcare providers attempt to maintain a continuity of care for their patients. Medicare and Medicaid coverage for telehealth has increased, and the OCR has waived potential penalties for good faith use of telemedicine, among other compliance changes.
Luckily, it is possible to use Zoom in a HIPAA-compliant manner, although there are many other telemedicine platforms available as well.
“Today’s agreement will protect New Yorkers and users nationwide by ensuring Zoom’s compliance with New York State and federal laws, and will ensure Zoom provides services that are more secure, that provide users with enhanced privacy controls, and that protect users from abuse,” the office wrote.
Cybersecurity journalist Kim Zetter predicted that “Zoom will soon be the most secure conferencing tool out there.”
“Too bad they didn’t save themselves some grief and engage in some security assessments of their own to avoid this trial by fire,” she added.