Privacy Commissioner warns of security issues in Zoom

The COVID-19 pandemic has resulted in many employees working from home, and brought about a need for a more collaborative meeting culture in place of physical meetings and travel. Online meetings using video conferencing systems enable businesses to stay connected with their clients, and to interact and collaborate with their employees working remotely via the Internet. Zoom, a teleconferencing application, has become more popular than ever under these circumstances and quickly became the new way for businesses to connect during the COVID-19 pandemic. Recently, however, there have been reports of security issues with the software – video-teleconferencing and online classroom hijacking, otherwise known as ‘Zoombombing’. Furthermore, it has been reported that Zoom meetings are not end-to-end encrypted, a further weakness in its features.

On 1 April 2020, in response to the public concern for the use of Zoom, the Privacy Commissioner for Personal Data, Hong Kong (PCPD) released a media statement on the security and personal data privacy issues concerning the use of the software. PCPD recommends that those who choose to use Zoom should:

  • update it to the latest version;
  • avoid signing in with other existing accounts;
  • set a password for the meeting and only provide the password and link to the intended participants;
  • keep a close watch on any unusual activity; and
  • record any damage incurred for future follow-up action.

On 9 April 2020, in response to the Zoombombing issue, PCPD released two responses to media enquiries to remind the public that Zoom was not originally designed for the communication or dissemination of confidential or highly sensitive content, and that there may be security risks involved, including hacking, when using Zoom as an online learning platform.

In light of the increasing concerns with Zoom, PCPD has provided practical guidelines for those who choose to use video conferencing software, including putting participants through a ‘mandatory quarantine’ in the Waiting Room (a feature where only the host controls when a participant may join the meeting). PCPD also reminded users to obtain a meeting ID, and to use different IDs for different meetings. The password for joining should only be sent to the intended participants. Other security features should be turned on, such as ‘Lock meeting’ to lock a meeting once it starts. Only the host should use the ‘share screen’ function during the meeting, or it should be allowed on an ‘as-needed basis’. The file transfer, telephone dial-in and video recording functions should be disabled, and all devices should be updated with the latest security patches. Firewalls should be turned on and anti-virus software installed. Network connections should be safe and secure, and employees should not be allowed to use public Wi-Fi.

For employees using video conferencing software, PCPD advised that all content must be carefully monitored, with inappropriate information and unidentified participants removed. All tracking data and records should be stored encrypted, and personal data destroyed once the original purpose of its collection has been fulfilled. Employees should ensure that no personal data is captured on screen. In addition, companies using Zoom should require their employees to use only their real names instead of nicknames, so that the host can identify who the participants are.

With social distancing still in place, it is inevitable that companies will turn to video conferencing software to maintain business contact with their clients and continue business operations via the Internet. In light of the data security issues, employers should seek professional advice on the choice of audio and video communication platforms and on how data breaches should be handled, and establish their own guidelines for the use of video conferencing software. Employers should provide training to their staff so that they understand the personal data privacy policies and security measures in place before they use the software, in order to minimise any potential risk and to ensure that the relevant laws on personal data privacy are complied with.