As soon as we began to shelter-in-place during the COVID-19 crisis, most of us also started to hold virtual meetings, both professional and personal, as a better, more satisfying way to connect. For this, we turned en masse to a handful of video conferencing platforms. However, while we can all agree that these services help us do our jobs and stay in touch with loved ones, these services raise many novel privacy and security concerns.

For example, Zoom provides an overwhelmingly popular online video conferencing platform, including remote conferencing services, online meetings, chat, and mobile collaboration. Zoom's steady growth leading up to their IPO last year, accelerated exponentially when the recent shelter-in-place orders went into effect. As more businesses turned to remote workforces, Zoom's daily active users jumped from 10 million to over 200 million in just three months—drawing attention to its privacy and security practices.

Against the backdrop of Zoom's story, this alert will discuss some best practices for video conferencing. In fact, very recently, the Federal Trade Commission released its consumer guidance for safer video conferencing.

Privacy Concerns and Legal Challenges

There have been many privacy concerns with Zoom since COVID-19 started. For example, over 500,000 user accounts registered with Zoom have been offered for sale on the dark web. In addition, thousands of Zoom video call recordings were discovered in open access on the Internet. These leaked videos included sensitive conversations ranging from company business meetings to online classes. These and similar incidents have prompted several organizations to stop using Zoom, including Google, Space X, NASA, and New York Schools.

These privacy concerns also prompted lawsuits against Zoom. A user of Zoom filed a class action lawsuit against the company for sending data to Facebook. The lawsuit argues that Zoom, among others, violated California's new data protection law, the California Consumer Privacy Act, by not obtaining proper consent from users for the transfer of the personal data. Upon installing or upon each opening of the Zoom App, Zoom collects the personal information of its users and discloses this personal information to third parties, including Facebook, without adequate notice or authorization. In response, Zoom has released a new version of the App that no longer sends unauthorized personal information to Facebook. In addition, Zoom added new security and privacy measures to address some of the concerns by turning on the "Waiting Room" feature and enabling passwords on meetings by default.

Another lawsuit filed earlier this week accuses Facebook and LinkedIn of recording Zoom users’ calls to obtain personal information. The lawsuit alleges that LinkedIn and Facebook eavesdropped on Zoom users and tried to read and decipher their server data to harvest their personal information.

Best Practices

While we are not promoting any one video conferencing product over another, we make the following suggestions of ways to protect your privacy and reduce your security risks:

• Do not post your meeting IDs publicly.
• Require participants use a password to access meetings so only invited participants can access the meeting.
• Restrict access to meeting. For example, enable Zoom’s Waiting Room feature, which lets meeting hosts keep would-be participants in a digital queue until they approve them to join the session.
• Before you enter a meeting, take a look around to be sure your video background does not reveal any private information.
• Confirm whether your video session is being recorded. If so, pay extra attention that you don’t share sensitive personal information during the meeting.
• Review the service's privacy policy to understand how your data is shared before your call.
• Be careful not to inadvertently reveal confidential information when sharing your screen.
• Keep your service up to date, so that any updates your service makes to security vulnerabilities are added to your device.
• Implement best practices across your organization through training and communication.
• If confidentiality is crucial, seek alternative, more restricted means of communication.