Statement on Zoom's Privacy and Security Issues

A message from the Chief Information Security Officer:

I have been monitoring Zoom's privacy and security issues, as well as their responses and remedies.

Update from April 22

On April 1, Zoom started their 90 day plan to focus on and address privacy and security issues. In this time period, there will be no new feature or development releases as Zoom's engineering resources will be dedicated to remedying privacy and security issues. Zoom will also be hosting weekly webinars to provide updates on their privacy and security initiatives and progress. See the following Zoom blog post for more information on their 90 day feature/development freeze: A Message to Our Users.

On April 8, Zoom revealed more of their 90 day privacy and security plan. They have assembled a group of Chief Information Security Officers (CISOs) to act as their Zoom CISO Council. This group includes the CISOs from Netflix, VMware, and Uber, among others. They have also commissioned former Yahoo, Facebook, and Instagram CISO Alex Stamos to conduct a comprehensive security review of the Zoom platform.

Other highlights from April 8 include the commitment to upgrade their encryption of data transmissions from Zoom sessions. One of the security initiatives Zoom will focus on over the next 45 days is enhancing encryption from AES-256 ECB to AES-256 GCM.

Starting on April 18, Zoom's paid customers can opt into and/or out of data center and traffic regions. Their current regions consist of the United States, Canada, Europe, India, Australia, China, Latin America, and Japan/Hong Kong.

Update from April 1

On March 20, Zoom released recommendations on how to prevent Zoombombing (unauthorized and/or disruptive participants); these were later shared through University communications and materials. In this case, preventative measures have been recommended, including managing functionality and configurations such as screen sharing and presentations, invitation management, and participant management.

On March 27, Zoom implemented additional controls to address the data leakage to Facebook from iOS clients. A Windows credential vulnerability made public on April 1 was fixed the following day. There have been other timely fixes, updates, and remedies, such as the April 2 release to address installer issues and exposures on Mac OS X.

Privacy and security issues surrounding Zoom are not 100 per cent remedied; however, Zoom has made strides and is continuing to mitigate and improve in this regard. Their CEO addresses these privacy and security issues in an April 1 blog post: A Message to Our Users.

Zoom appears to be responsive and timely in addressing issues. We will continue to monitor and update the University community as Zoom addresses and resolves these issues.

Gordie Mah
Chief Information Security Officer (CISO)
University of Alberta | Office of the Associate Vice-President & Chief Information Officer