New York’s attorney general wants Zoom to explain its approach to privacy

New York’s attorney general Letitia James has expressed concerns over video-conferencing app Zoom’s privacy policies, according to a report from The New York Times. James’ office sent Zoom a letter yesterday inquiring after any new measures the company has put in place to handle its recent increase in traffic.

Teleconferencing apps like Zoom are seeing an intense surge in new users as many more people work from home to fight the spread of COVID-19. As interest in Zoom skyrockets, so too does scrutiny into the company’s privacy practices.

“While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices,” James’ letter states.

James and others are right to probe Zoom’s privacy policies. Users around the world are trusting the company with a fair amount of data — and some of it is likely sensitive, given how many businesses are using the platform for meetings. Hopefully Zoom answers these pleas with concrete information — and reassurances — about its privacy practices.

Zoom’s obfuscation is a problem — Despite its sudden popularity across the world, consumers are still mostly in the dark about Zoom’s business practices. The small amount of investigative work that’s been completed into the company is not at all encouraging.

For example, Zoom has long claimed its video calls use end-to-end encryption, which would theoretically keep any prying eyes from viewing footage of a meeting. But, as The Intercept reports, Zoom doesn’t even have end-to-end encryption capabilities.

The company admitted as much in a comment to The Intercept: “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP.” This form of encryption (TLS) is secure for some purposes, but not as secure as end-to-end encryption; TLS still leaves video files somewhat open. Marketing itself as end-to-end encrypted is simply dishonest.

Not the first privacy complaint — Others have similarly called upon Zoom to be more open with its privacy practices. Last week, digital advocacy group Access Now released an open letter asking Zoom to release a full transparency report about how it handles customer data.

We’ve also seen troubling reports about how Zoom shares data without consent. The iOS version of the app shares user data with Facebook even if users don’t have a Facebook account. The app’s attention-tracking feature has been seen to bypass web browser security measures. Previous versions of the app even left conferences open to random hackers — a vulnerability which, according to NYT, has still not been completely fixed.

Zoom, for its part, has always stuck with a simple mantra: user privacy comes first. But what exactly does user privacy look like to Zoom? We have enough to worry about right now. We shouldn’t have to wonder whether or not our video-conferencing software is appropriately handling our data.