Law360 (April 6, 2020, 10:51 PM EDT) -- New York City has told public schools to "move away" from using the increasingly popular videoconferencing service Zoom, amid growing privacy and security concerns that have prompted members of Congress to question how the company handles and secures users' data and that the Federal Trade Commission has been urged to investigate.
The remote conferencing services offered by Zoom Communications Inc., which was founded in 2011, have exploded in popularity during the past month, as the global coronavirus pandemic has forced states to shutter schools, close non-essential businesses and order people to stay at home to contain the spread of the virus.
But the surge has also brought increased attention to Zoom's privacy and security practices, with lawmakers, consumer advocates, state attorneys general and class action plaintiffs in recent days stepping up pressure on the company to address suspected data misuses and security vulnerabilities. Consumers have filed at least two proposed class actions targeting Zoom's allegedly unauthorized sharing of user data with Facebook, while the FBI and others have raised flags over hackers increasingly breaking into, or "Zoom bombing," virtual meetings with hate speech and other inappropriate conduct.
In response to these concerns, the New York City Department of Education confirmed over the weekend that it would no longer be allowing its more than 1.1 million students and their teachers — whose schools are currently closed until at least April 20 — to use Zoom to conduct remote learning.
"The safety and security of our staff and students is at the forefront of every decision we make around remote learning, and for that reason, we have asked schools to transition away from using Zoom as soon as possible," Danielle Filson, a spokeswoman for the city's Department of Education, said in an emailed statement Monday.
The DOE is advising schools to transition to Microsoft Teams or Google's Meet videoconferencing app. In a Twitter post Sunday clarifying that schools could continue to use the Google tool in addition to Microsoft Teams, Schools Chancellor Richard A. Carranza called Meet a "safe, secure virtual meeting service for schools."
Both Carranza and Filson acknowledged that the DOE isn't expecting the pivot away from Zoom to happen overnight and said that the department will be supporting educators with training and professional development to get them up and running on the Google and Microsoft tools.
NYC schools join a growing list of entities, including Elon Musk's rocket company SpaceX, that have both publicly and privately banned employees from using Zoom due to security concerns. The Clark County School District in Nevada also announced last week that it had disabled access to Zoom and that Google's educational tools should instead be used to support online distance learning.
Zoom has responded by pointing to the steps that it has taken to address concerns in the education space, including enabling waiting rooms by default for users enrolled in its K-12 program and ensuring that teachers are the only ones who can share content in class by default. The company has stressed that its platform was originally designed for enterprise use, and that it is "working around-the-clock" to address unforeseen issues brought to light by the flood of new consumer users and to ensure that these participants understand its policies and how to protect their meetings.
"We are proud of the role we are playing during this challenging time and committed to providing educators and other users with the tools they need," the company added.
Zoom — which has grown from having 10 million daily meeting participants at the end of December to hosting a company record of more than 200 million daily users in March — is also facing backlash over a recent Washington Post report on how thousands of video recordings of Zoom calls, including one showing a virtual classroom of second grade children, were made available online for essentially anyone to view.
Sen. Michael Bennet, D-Colo., zeroed in on this revelation in a letter he sent to Zoom's CEO Eric Yuan on Monday, in which he characterized the issue as "among the most troubling" of the privacy and security accusations that have been brought against the company during the past couple of weeks.
"Although this problem resulted from users uploading video recordings to insecure cloud storage, stronger safeguards for recording and storage could have limited the damage," Bennet wrote, adding that these unanticipated public releases had the potential to expose users to significant financial, personal and psychological harm.
The senator has asked Zoom to respond by April 15 to a series of questions about its privacy and security policies, including whether it's planning on changing the naming convention that allegedly allowed these videos to become easily searchable online, what steps it has taken to notify those featured in the videos that the recordings are now publicly available and what recourse users have if they want these videos removed.
Nearly two dozen members of the U.S. House of Representatives also wrote to Zoom on Friday raising similar concerns and questions regarding the company's privacy practices.
The House Democrats also took issue with several features that they worried "may infringe on consumer privacy if users are not provided adequate notice," including the feature that allows meeting organizers to track whether attendees are paying attention and the tool that lets paid Zoom subscribers have all their meetings along with audio transcriptions uploaded to the cloud automatically.
"As many Americans are now using Zoom for the first time, they may not be aware of these capabilities — who is getting access to their information, including the content of their communications," the lawmakers said.
Amid these concerns, the Electronic Privacy Information Center has asked the Federal Trade Commission to step in as well. In a letter sent to FTC Chairman Joe Simons on Monday, EPIC urged the commission to open an investigation into Zoom's businesses practices and to issue, as soon as practicable, best practices for online conferencing services.
The group, which has raised similar privacy and security concerns about Google and Facebook that has led to significant FTC settlements and business practice changes, noted that it had filed a complaint with the FTC last year detailing how Zoom's practices were exposing users to the risk of remote surveillance, unwanted video calls and denial-of-service attacks.
"But the FTC never acted on the flaws we identified with Zoom, and the problems have only become worse," EPIC said in its new letter, which described several of the reports that have emerged in recent weeks about previously undisclosed problems with Zoom, including the apparent leak of videos and other personal data to the broader internet community.
"We recognize that Zoom has taken some steps in response to public criticism," EPIC added. "But this haphazard approach to consumer privacy does little to assure consumers that Zoom is a reliable service."
--Editing by Emily Kokoll.
For a reprint of this article, please contact firstname.lastname@example.org.