Zoom Faces Increasing Scrutiny Over Privacy, Security Issues

As Zoom has boomed as a go-to platform for videoconferencing everything from marketing pitches to trade shows to (too many) mundane meetings -- not to mention online classes, family gatherings and who knows what else -- its security and privacy protocols have been called into question. 

Late Wednesday, Zoom founder and CEO Eric S. Yuan addressed some of the concerns in a blog post that apologized for the lapses, described the steps it intends to take over the next 90 days to address and fix the problems, and averred “transparency has always been a core part of our culture.”

Meanwhile, “multiple state attorneys general are banding together to scrutinize virtual conferencing company Zoom’s privacy and security practices, one top enforcer told Politico late Thursday, the biggest sign to date that its regulatory woes are ballooning as its popularity surges during the coronavirus outbreak,” writes Politico’s Cristiano Lima.

“We are alarmed by the Zoombombing incidents and are seeking more information from the company about its privacy and security measures in coordination with other state attorneys general,” Connecticut Attorney General William Tong told Politico in a statement. 

“Tong did not say which offices he is working with, and a spokesperson declined to elaborate,” Lima adds.

Zoombombing “refers to a form of cyber harassment reported by some app users, who have reported that some of their calls have been hijacked by unidentified individuals and trolls who spew hateful language or share graphic images. ‘Zoombombing’ has become so prevalent that this week the FBI issued a news release to warn people of the threat,” writes CNN’s Dakin Andone.

On Monday, the office of New York State Attorney General Letitia James “sent Zoom a letter asking what, if any, new security measures the company has put in place to handle increased traffic on its network,” Danny Hakim and Natasha Singer revealed in The New York Times earlier this week.

“While the letter referred to Zoom as ‘an essential and valuable communications platform,’ it outlined several concerns, noting that the company had been slow to address security flaws such as vulnerabilities ‘that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.’ 

“Over the last few weeks, internet trolls have exploited a Zoom screen-sharing feature to hijack meetings and do things like interrupt educational sessions or post white supremacist messages to a webinar on anti-Semitism,” Hakim and Singer add.

“Security researchers have called Zoom ‘a privacy disaster’ and ‘fundamentally corrupt’ as allegations of the company mishandling user data snowball,” writes Kari Paul for The Guardian.

“Privacy advocates have also raised issues over an attendee tracking feature that lets meeting hosts track whether participants have their Zoom app in view on a PC or whether it’s simply in the background. A digital rights advocacy group also called on Zoom to release a transparency report last month, to share the number of requests from law enforcement and governments for user data. Zoom has only said the company is considering the request, and has not yet published a transparency report,” Tom Warren wrote for The Verge Wednesday.

Ars Technica’s Dan Goodin describes a couple of other vulnerabilities researcher Patrick Wardle found in Zoom that have been fixed this week. 

Another issue facing Zoom is “allowing Facebook to collect unnecessary data; and the company itself incorrectly suggesting to users that the service was end-to-end encrypted (it’s not),” writes NPR’s Andrew Limbong.

“It was never meant to get this big, this fast,” as CEO Yuan says in his blog post. Yuan revealed that “in December Zoom had approximately 10 million daily users. By March that number grew to 200 million. The platform, Yuan writes, was built for large businesses and institutions with their own IT departments,” Limbong adds.

He “announced a commitment to freeze any work not directed towards safety and privacy for the next 90 days. This includes conducting a review with third-party experts, running a series of security penetration tests and -- in the name of transparency -- hosting a weekly webinar to provide updates to users.”

The webinars are on Wednesdays at 1 p.m. EDT. You need to register if you want to attend.
