NEW YORK — New York Attorney General Letitia James has reached an agreement with Zoom Video Communications that will provide security protections for more than 200 million users on the platform.

New security measures are being put in place to support and protect consumers, students, schools, governments, religious institutions, and private companies using the application for work, education, prayer and socializing. After the outbreak of COVID-19, cities and states across the nation began quarantine and social distancing procedures that forced businesses and schools, as well as many social interactions to be moved online. Zoom had a sudden surge in both the volume and sensitivity of data being passed through its network, but the exponential increase in users also exposed security flaws and vulnerabilities in Zoom’s platform and software, and a lack of privacy protections. Additionally, a number of people reported that their Zoom conferences had been “Zoombombed,” or interrupted by uninvited participants seeking to disrupt the conference. Attorney General James opened up an investigation into Zoom’s privacy and security practices in March culminating in today’s agreement.

“Our lives have inexorably changed over the past two months, and while Zoom has provided an invaluable service, it unacceptably did so without critical security protections,” James said. “This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call. As the coronavirus continues to spread across New York State and this nation and we come more accustomed to our new normal, my office will continue to do everything in its power to help our state’s residents and give them every tool to continue living their lives.”

In March, after the widespread increase of COVID-19 infections across the country, cities and states began to shutter and institute social distancing policies to limit contagion. With schools, businesses, religious institutions, and so many other industries forced to shut down, Americans had no choice but to move their day-to-day activities online. As a result, Zoom experienced a massive surge in demand for its free services, as teachers began using the platform to conduct classes remotely with students, workplaces used Zoom to conduct business online, and consumers began using it to socialize remotely with loved ones. By late April, Zoom was hosting approximately 300 million conferences per day on its platform, compared to the approximately 10 million conferences per day in January 2020 — an increase of nearly 3,000 percent in less than four months.

As consumers, businesses, and students were increasingly using Zoom’s platform to communicate and share information, a number of newly reported issues emerged. Numerous users reported that their Zoom conferences had been interrupted by uninvited participants seeking to disrupt the conference – dubbed “Zoombombing.” Additionally, a number of privacy and data security issues were also reported, including Zoom’s lack of end-to-end encryption – as it had previously publicly represented – and the leakage of users’ personal information to other users without consent. Finally, Zoom was sharing users’ personal information with Facebook, including for those users who were not using the Facebook login feature and even those without Facebook accounts.

ZOOM AGREES TO BE MORE SECURE

Zoom has agreed to implement and maintain a comprehensive data security program to protect all users that will be designed and run by the company’s Head of Security. Zoom will also conduct risk assessment and software code reviews to ensure that the company’s software does not have vulnerabilities that would allow hackers to exploit users’ information. The company has agreed to take steps to protect consumers from attacks where hackers attempt to access accounts using old credentials. Additionally, Zoom has agreed to enhance its encryption protocols by encrypting users’ information, both in transit and as stored online on their cloud servers. Finally, Zoom will operate a software vulnerability management program and will perform the most thorough form of penetration testing each year.

ZOOM AGREES TO ENHANCED PRIVACY CONTROLS

Zoom has agreed to enhanced privacy controls for free accounts, as well as kindergarten through 12th grade education accounts. Hosts – even those with free accounts – will, by default, be able to control access to their video conferences by requiring a password or the placement of users in a digital waiting room before a meeting can be accessed. Hosts will also be able to control access to private messages in a Zoom chat, control access to email domains in a Zoom directory, control which – if any – participants can share screens, limit participants of a meeting to specific email domains, and place other limits on participants with accounts, to the extent applicable.

Additionally, Zoom has taken steps to stop sharing user data with Facebook and has disabled its LinkedIn Navigator feature, which shared profiles with users even where the user wanted to stay anonymous. Finally, Zoom has agreed to provide a copy of its annual data security assessment report to the Office of the Attorney General for the term of the agreement.

ZOOM WILL PROTECT USERS FROM ABUSE

Zoom has further agreed to continue to maintain reasonable procedures to enable users to report violations of Zoom’s Acceptable Use Policy, including allowing meeting hosts to report a user for engaging in abusive conduct. Zoom will also update its Acceptable Use Policy to include abusive conduct based on race, religion, ethnicity, national origin, gender, or sexual orientation. Finally, Zoom has agreed to investigate reported misconduct in a timely fashion and to take appropriate corrective action based on its investigations, including banning users who violate the policy.