Date: 9 April 2020
Response to media enquiry on the security issues in Zoom
Thank you very much for your enquiry. The response from the office of the Privacy Commissioner for Personal Data (PCPD), from a personal data privacy perspective, is as follows:
- The online video conferencing software Zoom has recently been said to have a number of security vulnerabilities, such as ‘Zoombombing’ reportedly in schools (local and overseas), attention tracking, sharing of users’ data with a social media company and lack of end-to-end encryption.
- It is important to note that Zoom was not originally designed to hold meetings with confidential or highly sensitive content. One has to be mindful of the level of security measures that come with the design. Security risks may involve hacking and, where it is used as an online learning platform, students’ data may be at risk.
- Before the privacy issues are clarified and rectified, and should the users not be sure about the related data security, they should consider using other apps or software.
- From 1 January 2020 till 5pm on 9 April 2020, the PCPD has not received any complaint about the use of Zoom.
- In light of the privacy concerns arising from the use of Zoom, the PCPD now provides the following practical guidelines if users choose to use Zoom:
Data security of using video conferencing software:
- All meeting participants should undergo “mandatory quarantine” (identity verification) in the “Waiting Room”;
- Get a meeting ID specifically for a meeting. Different IDs should be used for different meetings;
- Use a password for joining a meeting; the password should be sent out separately and given only to meeting participants;
- When the expected participants have arrived, select the “Lock Meeting” function to prevent anyone else from joining;
- Allow only the host of the meeting to share the screen. Allow screen sharing only on an as-needed basis during the meeting;
- Disable the file transfer function to avoid anyone sending files with viruses or malware;
- Disable the telephone dial-in function as it is more difficult to authenticate telephone participants;
- Disable the video recording function;
- Ensure all devices are installed with the latest security patches and anti-virus software, and properly protected by firewalls; and
- Ensure the network connections are safe and secure (e.g. do not use public Wi-Fi, and set encryption for the Wi-Fi network).
Staff using video conferencing software should:
- Monitor any inappropriate content shared by participants and remove inappropriate information and unidentified persons;
- Store all tracking data and records with encryption, and the personal data collected should be destroyed as soon as possible after the data has fulfilled the original purpose of collection;
- Check if any personal data could be accidentally captured on screen when the screen or video sharing function is activated;
- Establish guidelines for handling data breaches; and
- Understand the privacy policies and security measures of such software and platforms to minimise collection of data by service providers.
Participants should:
- Avoid using misleading names or online nicknames, so that the host can identify participants more easily;
- Keep a close watch on any unusual activity on the account; and
- Document any damage incurred to facilitate any necessary follow-up action.
Since Zoom’s security issues were reported, the PCPD has attached great importance to giving timely guidance to users of Zoom and video-conferencing in general, as well as schools and parents. Such guidance has been disseminated through the following channels: