19 US Lawmakers Seek Information From Zoom Amid Scrutiny of Privacy Practices

April 4, 2020 Updated: April 7, 2020

A group of 19 House lawmakers is requesting information from video conferencing platform Zoom amid scrutiny of the company’s privacy practices, as more Americans turn to the platform to facilitate the need to work from home.

In a letter addressed to Zoom CEO Eric Yuan on April 3, the Democratic lawmakers from the House Committee on Energy and Commerce asked him to “shed light” on the company’s data collection practices, including information on attendee attention tracking, cloud recording, and automatic transcriptions of conferences.

Reps. Jerry McNerney (D-Calif.) and Jan Schakowsky (D-Ill.), who is the chair of the panel’s subcommittee on consumer protection and commerce, are among those who signed the letter.

“Our new dependency on such solutions raises important questions about the privacy practices of the companies many of us are interacting with for the first time,” the letter states.

Zoom has gained intense popularity in recent weeks as millions of Americans are required to work from home, as part of measures to control the spread of the CCP virus pandemic. The company said it reached more than 200 million daily users worldwide in March, an increase from 10 million daily participants at the end of December last year.

The company has come under scrutiny for a range of privacy and security concerns in recent weeks. Most recently, Zoom’s privacy and security features are being carefully examined after hackers exploited a screen-sharing feature by hijacking meetings and online classrooms with messages in an emerging phenomenon called “zoom-bombing.”

The FBI Boston’s division issued a warning about zoom-bombing on March 30 after it received multiple reports about conferences being interrupted by pornographic or hate images and threatening language. In one example, an online class being conducted on the platform was interrupted when an unidentified individual dialed into the call and yelled profanity to the participants. The individual then shouted the teacher’s home address in the call.

Officials using the platform for meetings have also fallen victim to the phenomenon. Connecticut’s Attorney General William Tong said April 3 that he was “zoom-bombed” by hundreds of “profane and racist comments” during a Zoom call earlier this week. Tong said his office is working with other attorneys general offices across the country to probe the company for potential privacy violations, he told reporters in a call the same day, CNBC reported. He added that at least two other offices—New York and Florida—are part of the effort.

New York Attorney General Letitia James has sent a letter to the company, asking executives what new security measures have been put in place to handle the increased traffic as the platform become more popular during the CCP virus pandemic, The New York Times reported earlier this week.

The company is also the subject of a class-action lawsuit filed in California, which accuses Zoom of allegedly collecting and sharing personal user data to third parties, including Facebook, without the user’s knowledge or permission. The suit also claims that the company has failed to “adequately safeguard the personal information of the increasing millions of users of its software application (“Zoom App”) and video conferencing platform.”

Yuan released multiple statements on blog posts addressing concerns about the firm’s data-sharing practices. He attributed the sharing of data to Facebook to a feature that allows users to “login with Facebook” for Apple devices, and that the company was only made aware that the Facebook software package was collecting device information on March 25.

In a separate recent statement on April 1, he acknowledged that his company had fallen short of the community’s privacy and security expectations, adding that the application was originally built for enterprise customers and Zoom didn’t factor in that it would become popular with the public.

“[W]e did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” he wrote. “We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”

He said that the company has updated its privacy policy to “to be more clear and transparent around what data we collect and how it is used” and that the software package that sent information to Facebook has been removed. He also said that for the next 90 days, his company would dedicate resources to identify and address issues of the program.

The lawmakers’ letter seeks further information about what data the company retains, what information is being shared to third parties, and which third parties are receiving the information.

“Despite Zoom’s recent clarifications to its privacy policy, a review of Zoom’s privacy policy shows that Zoom may still collect a significant amount of information about both registered and non-registered users from their use of the platform as well as from third parties,” the lawmakers said in the letter.

Meanwhile, there have also been concerns about Zoom’s infrastructure being located in China. Research conducted by The Citizen Lab, a research laboratory based at the University of Toronto, found during a test call between the United States and Canada that meeting encryption keys were being sent to a Zoom server located in China.

The Citizen Lab also found that Zoom, which is headquartered in the United States and listed on the NASDAQ, appears to have had its app developed by three companies in China, two of which are owned by Zoom. The company’s most recent Securities and Exchange Commission filings show that the company operates research and development centers in China and hired at least 700 employees (pdf).

The lawmakers have requested a response from the company by April 10.

The article was updated to include concerns about Zoom’s infrastructure.

Follow Janita on Twitter: @janitakan