Privacy & Security

Zoom Unveils New Privacy and Security Features to Address Hacking Issues

By Mark Lieberman — May 07, 2020 3 min read

Officials in New York state this week announced agreements with the videoconference platform Zoom designed to address privacy and security vulnerabilities that had affected schools in New York City and nationwide.

First, on Wednesday, New York City’s Department of Education publicized an agreement with Zoom that will allow educators there to resume using Zoom as a virtual classroom tool, one month after the department had imposed a Zoom ban. School employees and students will have access to a version of Zoom that complies with an agreement specific to New York City’s education department.

A day later, the office of New York state attorney general Letitia James announced the outcome of its negotiations with Zoom since opening an investigation into the technology provider: The company has agreed to a host of new security features for all nationwide users, not just schools and not just in New York.

“Today’s agreement will protect New Yorkers and users nationwide by ensuring Zoom’s compliance with New York State and federal laws; and will ensure Zoom provides services that are more secure, that provide users with enhanced privacy controls, and that protect users from abuse,” states a press release from James’ office.

The videoconference platform, originally designed for workplace meetings, exploded in popularity earlier this year as the COVID-19 pandemic forced millions of Americans to work from home and communicate with colleagues, friends, and relatives via videoconferencing. The rapid increase in users led to increased scrutiny from privacy experts and to the phenomenon of Zoombombing, in which online trolls visit chat rooms, including classrooms and school board meetings, uninvited to share obscene content.

Several state attorneys general last month pressed the company to make changes, and Zoom CEO Eric Yuan even said in interviews that he had regrets about the tool’s newfound global ubiquity.

School districts have taken a range of approaches to using the tool. Some, like the Lumberton Schools in New Jersey, temporarily banned it after individual teachers signed up and reported issues; others have adopted it for use among teachers but not between teachers and students; and many have come around to using it to host virtual class sessions.

Here’s a summary of the changes that will affect all Zoom users:

  • The company’s head of security will lead a “comprehensive data security program,” as well as regular reviews of software code and risk assessment, and an annual software vulnerability management program.
  • Users with free accounts, or accounts associated with K-12 education, will have new privacy features, including:

    • By default, hosts will be able to require a password or host a digital waiting room to prevent unwanted guests from infiltrating private conversations.
    • Hosts can now control access to private chat messages and email directories.
    • Zoom will no longer share user data with Facebook and LinkedIn.
  • Hosts can now report meeting attendees for abuse, and the company’s acceptable use policy now explicitly mentions “abusive conduct based on race, religion, ethnicity, national origin, gender, or sexual orientation.” The company says it will ban users who violate the policy.

Below is a summary of the protections now afforded to users from New York City public schools under a new contract that will last a year. These protections could serve as a model for other school districts negotiating contracts with Zoom.

  • Zoom and the New York City education department have reached a confidentiality agreement with “terms that meet and in certain respects exceed the requirements of N.Y. Education Law 2-d and FERPA, and which Zoom had not included previously for individual schools or individuals who signed up for Zoom on their own,” according to the department.
  • New York City schools’ Zoom users now have access to a central, secure domain they can access from their logins sanctioned by the city Department of Education.
  • Participants who aren’t hosting a meeting cannot take control of the screen, share their screens, or rename themselves.
  • Only the host can invite participants to a meeting; recipients of a forwarded invitation won’t have access. Users without New York City school logins can join meetings if a host provides them with a passcode.
  • By default, when a host removes a participant from the meeting, that person cannot rejoin.
  • By default, participants cannot join a meeting unless the host ushers them in from a virtual waiting room.

Image: Paula Merritt/The Meridian Star via AP

A version of this news article first appeared in the Digital Education blog.