January 27, 2022

Volume XII, Number 27


Zooming In: Zoom's Significant Privacy and Data Security Risks Brought to Light Again (and Again)

It hasn't even been 10 days since our previous blog post on Zoom, which highlighted a number of privacy and data security issues in the use of the popular video conferencing software, and already further privacy and security issues have been alleged. Let's put these allegations under the magnifying glass:

Disclosure to Facebook: Even If You don’t have an Account

Firstly, Vice reports that the iOS version of the Zoom app sends analytics data to Facebook even for users who do not have a Facebook account, and that Zoom's Privacy Policy does not disclose this.

According to the article, as soon as the app is downloaded and opened it connects to Facebook's Graph API (through the Facebook software development kit bundled into the app) and discloses the model of the user's device, the time zone and city they are connecting from, their mobile carrier and the device's unique advertising identifier, which advertisers can use to target advertisements.

Nothing in Zoom's Privacy Policy mentions sending data about users who do not have a Facebook account to Facebook; it says only that Zoom may collect Facebook profile information when an individual uses Facebook to log in to Zoom or to create a Zoom account.

Windows flaw enables credentials to be leaked

Additionally, Zoom's Windows desktop client is vulnerable to a UNC (Universal Naming Convention) path injection flaw in the way its chat feature handles file-share paths, which can let attackers capture credentials, run programs and potentially install malware on a target's computer, according to an article from IT News.

The article states that the Windows chat client turns a UNC path such as \\server\share into a clickable link. An attacker can post such a path in the Zoom chat, and if a participant clicks it, Windows tries to open the share over the SMB protocol and automatically sends the user's Windows username, domain name or computer name and an NTLM challenge-response hash of their Windows password to the attacker's server. The attacker can then crack that hash offline or relay it to gain access to services such as Outlook and SharePoint. Such links can also be crafted to launch executables on the victim's machine, and the credential leak itself happens without any warning to the user.
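To make the mechanism concrete, here is an added example written for this post (it is neither Zoom's code nor the researchers'): a chat linkifier in its vulnerable and hardened forms, plus a triage helper a defender could run over inbound chat text to see where a UNC path would send a user's NTLM response. The host names, the .corp.example suffix and the sample message are assumptions.

```python
import ipaddress
import re

# Chat-message linkifier, constructed to illustrate the class of bug described
# above (not Zoom's code). The flaw is turning a UNC path into a clickable link:
# Windows resolves \\host\share over SMB and sends the user's NTLM credentials
# to `host` before any content is shown to the user.

UNC_RE = re.compile(r'\\\\[^\s\\/]+(?:\\[^\s\\/]+)+')   # \\host\share[\more...]
URL_RE = re.compile(r'https?://[^\s<>"]+')


def linkify_naive(message):
    """Vulnerable behaviour: both http(s) URLs and UNC paths become clickable links."""
    return [m.group(0) for m in UNC_RE.finditer(message)] + \
           [m.group(0) for m in URL_RE.finditer(message)]


def linkify_hardened(message):
    """Fixed behaviour: only http(s) URLs are made clickable; a UNC path stays inert text."""
    return [m.group(0) for m in URL_RE.finditer(message)]


def classify_unc_host(host, internal_suffixes=('.corp.example',)):
    """Where an SMB connection to `host` would send the user's NTLM response.

    `internal_suffixes` is an assumed list of the organisation's own DNS suffixes.
    """
    host = host.lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_loopback:
            return 'loopback'      # \\127.0.0.1\C$\...: used to launch local executables
        return 'internal' if ip.is_private else 'external'
    if host == 'localhost':
        return 'loopback'
    if host.endswith(tuple(internal_suffixes)):
        return 'internal'
    return 'external'             # credentials would leave the organisation


def triage_message(message, internal_suffixes=('.corp.example',)):
    """Detection view for inbound chat: every UNC path with its host and where it points."""
    findings = []
    for m in UNC_RE.finditer(message):
        path = m.group(0)
        host = path[2:].split('\\', 1)[0]
        findings.append((path, host, classify_unc_host(host, internal_suffixes)))
    return findings


if __name__ == '__main__':
    # Constructed chat message; attacker.example and the .example names are placeholders.
    sample = (r'Slides: \\attacker.example\share\deck.pptx or '
              r'\\127.0.0.1\C$\Windows\System32\calc.exe and https://example.com/notes')
    print('naive    :', linkify_naive(sample))
    print('hardened :', linkify_hardened(sample))
    for path, host, where in triage_message(sample):
        print(f'{where:9} {host:20} {path}')
```

The hardened linkifier is the client-side fix: a UNC path is never something a chat participant needs to click. On the endpoint side, the same leak can be blunted by blocking outbound SMB (TCP 445) at the perimeter and restricting outgoing NTLM authentication to remote servers through Group Policy, so that even a clicked link cannot carry credentials out of the network.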

Weak encryption and key handling

A technical analysis of Zoom's encryption, reported in a further article from IT News, has also found serious weaknesses and questionable practices.

According to the article, Zoom uses a single Advanced Encryption Standard ("AES") key that is shared among all participants in a meeting, and encrypts audio and video with that key in Electronic Codebook ("ECB") mode. ECB encrypts each block of data independently, so identical blocks of input produce identical blocks of output and patterns in the original audio and video remain visible in the encrypted stream. Anyone capturing the traffic can therefore learn about the content of a meeting without holding the key, and anyone who obtains the shared key can decrypt the meeting outright.
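The pattern-leakage point is easiest to see in code. The following is an added illustration written for this post, not Zoom's implementation: it uses a toy Feistel block cipher in place of AES (the cipher is not the problem; the mode is) and compares ECB against counter (CTR) mode on a constructed "video frame" made mostly of identical blocks. The key, nonce and frame contents are assumptions.

```python
import hashlib

BLOCK = 16          # 128-bit blocks, as with AES
ROUNDS = 8


def _f(key, rnd, half):
    """Keyed round function for the toy cipher: blake2b keyed with the meeting key."""
    return hashlib.blake2b(bytes([rnd]) + half, key=key, digest_size=8).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    """Toy 128-bit Feistel cipher standing in for AES: a keyed permutation, NOT secure."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def ecb_encrypt(key, data):
    """ECB, the mode described in the text: every block encrypted independently, same key."""
    assert len(data) % BLOCK == 0
    return b''.join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key, data):
    return b''.join(block_decrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ctr_crypt(key, nonce, data):
    """CTR: encrypt (nonce || counter) to get a keystream block and XOR it with the data.
    Identical plaintext blocks no longer give identical ciphertext; same call decrypts."""
    assert len(nonce) == 8
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(8, 'big'))
        out += _xor(data[i:i + BLOCK], keystream)
    return bytes(out)


def distinct_block_ratio(ciphertext):
    """Fraction of ciphertext blocks that are unique: 1.0 means no visible repetition."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(set(blocks)) / len(blocks)


def build_frame():
    """Constructed stand-in for a video frame: 60 identical 'background' blocks around
    4 distinct 'foreground' blocks. Real frames carry far more structure than this."""
    background = bytes([0x80] * BLOCK)
    foreground = [bytes([0x80] * 12 + [i] * 4) for i in range(1, 5)]
    return background * 30 + b''.join(foreground) + background * 30


def compare_modes(key=b'constructed-key!', nonce=b'\x00' * 8):
    """Distinct-block ratio of the same frame under ECB and under CTR (assumed key/nonce)."""
    frame = build_frame()
    return {
        'ecb': distinct_block_ratio(ecb_encrypt(key, frame)),
        'ctr': distinct_block_ratio(ctr_crypt(key, nonce, frame)),
    }


if __name__ == '__main__':
    for mode, ratio in compare_modes().items():
        print(f'{mode}: {ratio:.3f} of ciphertext blocks are distinct')
```

Under ECB only 5 of the frame's 64 ciphertext blocks are distinct, so the layout of the frame is visible to anyone capturing the traffic, without the key. Under CTR every block differs, because each one is combined with a different keystream block. Production code should use an authenticated mode such as AES-GCM rather than bare CTR, and, for genuine end-to-end protection, keys that the meeting provider itself never holds.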

This is compounded by the finding that Zoom sometimes distributes meeting keys through servers that appear to be located in China, where Zoom owns three companies employing at least 700 developers. The article suggests this could make Zoom susceptible to pressure from Chinese authorities. Taken together, these issues have led cybersecurity experts to advise that governments and businesses worried about espionage and cybercrime, as well as healthcare providers, activists, lawyers and journalists, should avoid using Zoom for sensitive professional communications.

We will keep you updated on any further developments. As noted previously, we advise businesses to monitor closely how their employees communicate with each other when working remotely, and to exercise the caution described above when using services such as Zoom.

Copyright 2022 K & L Gates. National Law Review, Volume X, Number 98

About this Author

Cameron Abbott, Technology Attorney, K&L Gates, Australia

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurements issues including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market-leading solutions are implemented into their businesses. He concentrates on managing and negotiating complex technology solutions, which...

Warwick Andersen, Technology Lawyer, K&L Gates

Mr. Andersen is a senior corporate lawyer with a focus on commercial, technology and sourcing projects. He has advised on large scale outsourcing projects, technology agreements for both vendors and customers, corporate support, privacy and telecommunications regulatory work. He has acted for government departments, large listed companies, telecommunications companies and technology suppliers.

Rob Pulham, Corporate Attorney (Special Counsel), K&L Gates

Rob Pulham is an experienced corporate advisory and transactional lawyer with an active technology and privacy practice representing companies in the energy, manufacturing, mining, retail, health and financial services sectors, as well as government and not for profit organisations. He has extensive experience advising customers and vendors in the technology industry, with particular focus on software licensing, data privacy and protection, and systems integration projects. In his role as a senior corporate lawyer, Mr. Pulham reviews organisational policies and practices...

Allison Wallace, Commercial Technology and Sourcing Lawyer, K&L Gates, Australia

Allison Wallace is a lawyer in the Melbourne, Australia office of K&L Gates, working in the Commercial Technology and Sourcing Practice. 

Max Evans, Technology Lawyer (Software as a Service agreements), K&L Gates, Sydney

Mr. Evans is a corporate and transactional lawyer with a focus on information technology and outsourcing. He provides assistance on a broad range of technology matters, including Software as a Service Agreements (SaaS), terms and conditions for software products and platforms as well as software procurement and outsourcing projects. Mr. Evans also provides assistance with technology and privacy aspects of mergers and acquisitions transactions.

Professional Background

Prior to joining K&L Gates, Mr. Evans worked in the insolvency and bankruptcy practice of...