Zoom, the videoconferencing app that has exploded in popularity during the coronavirus pandemic, is facing mounting concerns over its data security and privacy practices, including scrutiny from the New York state regulator.
The Silicon Valley group has been thrust into the spotlight during the coronavirus pandemic, as millions confined to their homes under national lockdowns have turned to its video-call technology to host work meetings and socialise.
But the company has suffered a string of cyber security and privacy-related mis-steps recently, drawing attention from the New York state attorney-general. Its business operations in China have also begun to generate wariness among security experts.
On Monday, the office of Letitia James sent a letter to Zoom raising concerns as to whether the company could cope with the sharp rise in traffic on its app and properly protect sensitive user data.
The letter, first reported and seen by the New York Times, asked Zoom whether it had reviewed its security protections since its surge in popularity, and noted that the app had been slow to address security flaws in the past.
“We appreciate the New York attorney-general’s engagement on these issues and are happy to provide her with the requested information,” Zoom said in an emailed statement.
Coronavirus business update
How is coronavirus taking its toll on markets, business, and our everyday lives and workplaces? Stay briefed with our coronavirus newsletter.
Sign up here
“Zoom takes its users’ privacy, security, and trust extremely seriously. During the Covid-19 pandemic, we are working around-the-clock to ensure that hospitals, universities, schools, and other businesses across the world can stay connected and operational,” it added.
A spokesperson for the attorney-general’s office said that it had “sent a letter to Zoom with a number of questions to ensure the company is taking appropriate steps to ensure users’ privacy and security”.
Since the coronavirus pandemic began, users have flocked to Zoom, which is now ranked number one and number two in the US and UK app stores, respectively.
Shares in the company, which floated in April 2019, have more than doubled since the beginning of the year, giving it a market capitalisation of $42.1bn.
However, the app came under fire last week after it emerged that it had been sending data about users’ devices to social media network Facebook, but had failed to reference the practice in its privacy policies, according to a report from news site Motherboard.
Zoom then issued an update to its app to remove the tracking software and added clarifications to its privacy policies.
Users of the platform have also complained recently of a trend — dubbed “Zoombombing” — whereby trolls are exploiting its screen-sharing feature to share disturbing content such as pornography or extreme political views.
Meanwhile children’s privacy advocates last week called on regulators to investigate the data-collection practices of education technology apps including Zoom, which is being increasingly used by teachers and students for home schooling during the self-isolation period.
Separately on Tuesday, The Intercept reported that Zoom’s meetings were not fully end-to-end encrypted, as the group had suggested in its marketing.
Even before its spectacular rise, Silicon Valley security experts have raised concerns about the app.
Last year, security researcher Jonathan Leitschuh discovered a serious bug in the platform that would have allowed hackers to hijack a user’s device webcam.
Others have flagged fears over whether the group’s large research and development presence in China could jeopardise users’ privacy. The company also has 17 data centres, including one in China.
Zoom told the Financial Times that data from cross-border meetings “goes to wherever the host’s enterprise account is headquartered”.
Zoom is not the only newly popular app to attract privacy worries. On Monday, users of another popular video chat app, Houseparty, started complaining on social media that their PayPal, Netflix, and Spotify accounts were hacked, blaming the app.
But the company, which was acquired by Fortnite developer Epic Games last year, said in a dramatic tweet that the claims were “rumours” that it believed to be a “paid smear campaign”, and offered a $1m bounty for evidence that this was the case.
Additional reporting by Kadhim Shubber in Washington DC