Posts

Zoom Privacy Policy is a Risk

Updated 4/01/20

Updates:

  • 4/01/20: MIT Tech Review summarizes the security issues with Zoom, including information about a Class Action Lawsuit.
  • 3/31/20: Vice.com reports that Zoom is leaking personal emails and photos to strangers.
  • 3/31/20: The Intercept reports that Zoom is not using End to End Encryption as claimed in their marketing materials and user interface. 
  • 3/31/20: New York Times reports that Zoom, the videoconferencing app whose traffic has surged, is under scrutiny by the New York attorney general’s office for its data privacy and security practices.
  • 3/30/20: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic

On March 18, 2020, the Zoom.us posted changes to its privacy policy that impact all users, even those without accounts attending meetings as guests.  This change follows a dramatic increase in Zoom users (and stock price), as Zoom has been offering its services for free to many businesses and schools.

Under this version of the Zoom’s privacy policy, Zoom is collecting more information, in our assessment, than is necessary to provide users with the service. Zoom also acknowledges providing this information to third parties. The information Zoom is collecting includes, but is not limited to:

  • Name, physical address, and other similar personally identifying information
  • Information about your job, such as your title and employer
  • Your Facebook profile information (when you use Facebook to log-in to Zoom or to create a Zoom)
  • General information about your product and service preferences (including software installed and/or in use on your computer)
  • Information about your device

Per Zoom’s policy, downloading and using the Zoom app provides Zoom with consent to share any personal information they collect with third parties.

In reference to the use of third party services, the policy states

“We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services).”

In other words, Zoom may use the personal information of any person using their services to market to that person across their use of the Internet.

Additionally, we do not see any effort by Zoom to determine the age of individuals using the service, so they are likely collecting and using the personal information of children.

Vice.com is reporting that Zoom’s iOS app sends data to Facebook even if you do not have a Facebook account.

Impact

Our current assessment of the impact is as follows:

  • Data collection is based on the way each meeting participant enters the meeting.  Even if the organizer is on a paid and secure business or education edition, meeting attendees using the free client or entering as a guest are subject to dating mining and sharing.
  • For businesses and schools, some of the data Zoom collects and shares is prohibited under the Children’s Online Privacy Protection Act (COPPA).
  • For schools and libraries, not using the K12 version of Zoom for faculty and students may result in violations of the Children’s Internet Protection Act (CIPA)
  • Zoom does provide a means for users to instruct Zoom to “Do not Sell” their personal information. This help with California Consumer Privacy Act (“CCPA”) and  EU’s General Data Protection Regulation (“GDPR”) compliance.  It may not be practical to advise all meeting attendees of this option.

In short, Zoom’s privacy policy may conflict with your business’ privacy policy and how you manage and respect your customers and their data. The policy may also create regulatory and legal issues.

Recommendations

If you organization uses G Suite or Microsoft Office 365, you already have the ability to securely conduct audio and video conferencing with services that do not mine and share attendee data.

  • G Suite
    • Hangouts Meet (the new service) is secure and HIPAA compliant.  Individuals outside your organization can join via shared URL, without providing personal information. Through June 2020, Google has enabled all G Suite users to conduct meetings with up to 250 participants and provided organizers with the ability to record meetings. Participants can mute their own audio/video and can present to the meeting. Meeting include dial-in numbers and pins to allow access from phones.
    • Participants can join via web browser or use the free iOS and Adroid Apps.
    • Traditional Hangouts and Chat, while not HIPAA compliant, are still secure and work within organizations and with guests.
  • Office 365
    • Teams (and formerly Skype for Business) is a secure video/audio conferencing service with screen sharing, waiting rooms, and other helpful features.  As with all of Office 365, Teams can be deployed to meet HIPAA compliance. Teams does not collect and share personal information.
    • Teams, by default is device-to-device conferencing.  You can add the ability for individuals to connect by phone for a small monthly fee for each meeting organizer that needs this function.
    • Participants can join via web browser, or use the free apps for Windows, Mac, iOS, and Android.

Before adding another service or tool for audio/video conferencing, take full advantage of the services you have. Contact us if you need help with user training and support.

If you are not using G Suite or Office 365, several communications and conferencing services are offering secure, free access for up to 90 days.  These include, but are not limited to, Dialpad, UberConference, Ring Central, and Cisco WebEx. Please contact us for help selecting and deploying the right service for you and your teams.

 

Google Apps, PRISM, and the NSA

With media attention and hype, leaked documents, Congressional hearings, and a great deal of explanation and back-peddling, the world now knows that the United States government spies on people.

Okay, we already knew that.

So, we learned that about a secret “FISA” court that can issue secret subpoenas letting the government look at information about us.

Okay, we already knew that, too (many of us just did not pay attention or really seem to care very much).

So, we learned that the Government had issued subpoenas for huge amounts of data about phone calls from Verizon as part of secret program called PRISM.

Now must be the time to panic?

As our 24-hour, instant, news machine struggled to find alleged experts on this top-secret program, we began hearing reports that the National Security Agency has direct, unfettered, complete access to all of the data on all of the servers of all of the major public cloud providers, and that they were capturing, recording, and saving all of this information.

Unfortunately, the cloud service providers are prohibited by law from disclosing the the number of FISA subpoenas and/or the number of users subject to those subpoenas.  We do know, however, that all of the service providers deny any direct connection between their systems and the NSA.

Without accurate information, myths become ‘facts’.

For those of us that promote and rely on the cloud, including those of us running Google Apps for Business, Education, or Government, we want assurances that our data remains private.

Google Apps and Your Privacy

On June 7th, Google posted this statement on the Official Google Blog regarding the matter.  In short:

  1. The NSA and other agencies do not have unfettered access to customer data
  2. Google was not participating in, nor aware of the PRISM program
  3. Google actively works to limit the number and scope of FISA requests

Coincidentally, CIO Magazine reported on June 4th (before the FISA/PRISM revelations in the media) about Google’s efforts to modify or restrict FISA subpoenas.  You can see the article here.

Media reports have been largely inaccurate about the scope of the PRISM program and FISA warrants and its use on American citizens on US soil.

Google is not allowed to release the numbers and scope of the requests by law.  On June 11th, Google made public an official request to release that information so that Google customers will have a more accurate picture and will understand that their data remains secure.

Conclusion

The Terms of Service and Privacy Policy for Google Apps for Business, Education, and Government have very specific rules for how private Google keeps your data and how Google responds (and lets you respond) to subpoenas Google receives for customer data.

There is no evidence, or any indication, that Google has acted outside the bounds of these terms and conditions, even as Google vigorously defends the privacy of customer data in court.

 

Moving to the Cloud: Privacy

 

Green_GaugeThis post is the fourth in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

Few topics related to cloud computing create more passion than privacy.  Knowing how well your organization’s information will be safe-guarded is key to trusting a service provider and the decision to go to the cloud in the first place.

Privacy, while closely related to security, differs in that security addresses access and protection of information, privacy addresses who can access data and how it may be used.

When considering privacy, organizations should start with three documents from the service provider:

  1. Terms of Service / Contract:  Most cloud providers provide clear terms and conditions related to privacy in their terms of service.  These include statements about content ownership and access rights; clauses covering confidential information; statements regarding the provider’s access to customer data and content; and terms related to how the service provider will respond to subpoenas and other third-party demands for data.
  2. Service Level Agreement:  Many cloud providers include terms related to privacy in their service level agreement.   In some cases, the SLA stipulates time frames for addressing privacy issues.
  3. Privacy Policy:  Most cloud providers now have one or more privacy policies.  These policies may be universal to the provider’s service, or may cover specific aspects of the services (such as use of the web site/portal).

When looking to choose a cloud solutions provider, look at all three documents.  Verify that they are comprehensive and clear.  Understand how they address any particular regulatory requirements for your organization.  Validate that they are consistent — that no conflicts or gaps exist that could lead to confusion or misunderstandings down the road.

Make sure the review of privacy policies and looks at the specific customer agreements and policies.  Many cloud providers offer “free” or “consumer” services with different terms and conditions than their paid (or free) solutions for business, government, education, and non-profits.   Many organizations spin their wheels and raise unwarranted concerns by not focusing on the specific, applicable agreements, and policies.

Finally, review the privacy performance of the service provider.  If they have had any sort of breach, or a privacy dispute, understand the nature, scope, and response.  Understand if the breach was provider-related or due to the actions or inaction of the customer.  Assess the appropriateness of the provider’s response given the nature of the issue.

Again, due diligence is key.  A small amount of research, a few questions, and an accurate understanding of how a service provider plans and manages privacy will help organizations determine if the provider meets the organization’s privacy needs and priorities.

Next Post in the Series:  Lock-In

 

Previous Post in the Series:  Provider Reliabilty

Google Apps and Google’s New Privacy Policy

The cloud world is buzzing as Google announced that effective March 1, 2012, it would consolidate more than 60 privacy policies for different services into a single, simplified policy covering all Google services.  Not surprisingly, we are already fielding calls from our Google Apps for Business / Education / Government customers with questions about the impact of the change.

Rest easy.  Here are the answers.

Not Much is Changing

The consolidated privacy policy is not changing how Google collects or uses information with individual services or across services.  The policy is providing a simpler, easier to understand document that is consistent across all services.  Google has also removed components of its existing privacy policies that are redundant with content in the Terms of Service policy for each service, which are also being updated and consolidated into a single, consistent policy.

Note that the Privacy Policy address how Google collects and uses information about individual users, but that the Terms of Service dictate how Google treats content you place or store using Google services.  To understand how your information is protected, you must review both documents.

Public and Free Services versus Business / Education / Government Services

The new Terms of Service and Privacy Policy provide a baseline for all services.  The Terms of Service clearly states that

“Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services.”

Google Apps for Business, for Education, and for Government all have these additional terms and settings.

Confidentiality in Google Apps for Business / Education / Government

The Terms of Service for Google Apps for Business, for Education, and for Government each define Confidential Information as follows:

Confidential Information means information disclosed by a party to the other party under this Agreement that is marked as confidential or would normally be considered confidential under the circumstances. Customer Data is Customer’s Confidential Information.

Very simply, the agreement defines all user/customer content in these services as confidential.

The Terms of Service prevent Google from accessing or disclosing customer information without permission and guarantee a standard of care related the security, availability, and privacy of customer information.

Exceptions

There are exceptions when Google may disclose or publicly display Google Apps for Business / Education / Government customers.

  1. A User Marks Content as Public:  If a user marks content as “public” or as “publish on the web”, the user is giving permission to Google and instructing Google to index the content in Google search engine and to make the content available to everyone publicly.   Google Apps administrators can limit user permissions to prevent them from marking content as public.
  2. Required Disclosure:  Per the Terms of Service, Google may “… disclose the other party’s Confidential Information when required by law but only after it, if legally permissible: (a) uses commercially reasonable efforts to notify the other party; and (b) gives the other party the chance to challenge the disclosure.”

Summary

While Google’s consolidation of privacy policies makes for great, sensational headlines, the reality is that their is no material change in how Google addresses information privacy.  For Google Apps for Business, for Education, and for Government customers, there is no change what so ever.