March 31, 2020; New York Times
One would be hard pressed to find someone in the nonprofit sector who has not participated in at least one Zoom meeting during the course of a week, or in these times, a day. And yet, few in our sector give much thought to the safety and security of those meetings and their content, much less to the technological vehicle that hosts them. Perhaps a bit more scrutiny is called for.
That would seem to be the position of both Alfredo Lopez, cofounder of May First Movement Technology and recent NPQ contributor, and Letitia James, the attorney general for the state of New York. Both send a message of caution and concern for all who are now using video platforms for work, school, and family connection in these days of social distancing and working from home. And both single out Zoom with questions about security and privacy as its popularity and use soar.
James sent a letter to Zoom asking what new security measures might be put into place given its increased traffic and what steps were being taken to stop hackers. While praising Zoom as “an essential and valuable communications platform,” James questioned its efforts to prevent third parties from taking over webcams and disrupting meetings. Such disruptions have been happening, often with white supremacist or antisemitic messages, and have become known as zoombombing.
For his part, Lopez questions the overall security of user data on Zoom and urges users to carefully review its privacy policies—as you should for any platform your nonprofit might use. Zoom says it updated its policies on March 29, 2020 (most likely in response to the many concerns raised), that it does not sell the personal data of Zoom users, that it collects only the data needed to provide services, and that it does not use that data for advertising.
Issues of privacy and safety were a particular interest of AG James and other state officials, along with school leaders and parents, since more and more children are using internet platforms for “distance learning.” Zoom has responded and updated its policies in this area extensively to comply with state and federal privacy regulations and laws regarding children’s information and privacy.
Sharing data was another concern raised by the attorney general. It was reported that the Zoom iPhone app was sharing data with Facebook. The company has said it has removed the software and no data will be shared, as stated in their policies.
One additional area deserving attention, as Lopez pointed out, is the issue of protecting user data in the face of legal demands—in other words, a warrant issued by a law enforcement agency or jurisdiction demanding information about the participants in your meeting. The newly revised Zoom policies on this topic read as follows:
For Legal Reasons. We may also disclose data when we respond to valid legal process including jurisdiction. Zoom’s policies regarding compliance with valid legal process preclude cooperation where a government does not have jurisdiction. Zoom may also disclose data when reasonably necessary to preserve Zoom’s legal rights.
Lopez suggests that if this may be a problem for some of your participants, they should be told this before they sign up to join a Zoom meeting you are hosting.
What’s a nonprofit to do? In his article, Lopez suggests some alternative software options you might want to try, but many of us are pretty immersed in (and comfortable with) Zoom. And Zoom is not the only video communications platform that has these privacy issues. Name another platform, like FreeConferenceCall.com (which now has video), Skype, or GoToMeeting, and the same privacy questions will arise. Few people take the time to read the privacy policies of the online services they sign up for and use. They should. But none will be perfect.
Perhaps, just as requests for clarification and reassurance from AG James prompted the company to look further at its policies, so too could a groundswell of questions from the nonprofit sector. After all, no one wants their meeting to be zoombombed, especially Zoom itself. As Jonathan Leitschuh, a security researcher who found webcam hijacking flaws in Zoom last summer, said, “The more criticism of a platform, the more secure it’s hopefully going to be. So hopefully Zoom is taking the information that they’re gaining and actually acting on it. But if you need to be secure and secret, I would not recommend you have those conversations over Zoom. Use a platform that’s built for the level of security you need.”—Carole Levine