COVID-19 and Zoom: the importance of GDPR Privacy by Design and Cyber Hygiene

COVID-19 forces us to communicate with friends and colleagues remotely. Instead of Webex, Skype, or Microsoft Teams, Zoom suddenly becomes the video conferencing software of choice.

This was until it emerged that there are privacy concerns with Zoom. Then the U.S. Senate, the German government, the Taiwan government, the Singapore government, Google, … started to ban it! Oops!

What had happened? Let’s take a look.

Frankly, there are plenty of reasons to be wary of Zoom. The video calls are not end-to-end encrypted. Then there is “ZoomBombing” (a new word which I bet will make it to the dictionary someday) in which uninvited individuals can enter meetings to harass participants and post obscene photos.

Worse, its privacy policy was dubious. Until last month, its privacy policy contained this statement: “Does Zoom sell Personal Data? Depends what you mean by ‘sell’.” Needless to say, it was a masterpiece crafted by some brilliant lawyer which pretty much permits Zoom to do whatever they want with your data.

 

Is Zoom a rogue software out to do harm?

I don’t think so. More likely than not, it is what its CEO Eric Yuan has admitted: they ‘messed up’ on security and privacy.

Zoom is hurriedly addressing the myriad security flaws that were found in recent weeks. A password is now mandatory to join a conference. People joining meetings have to wait in virtual waiting rooms for the host to grant access. And so forth.

It goes to show that Zoom has not embedded Privacy by Design in the development of its software.

More likely than not, its developers were working their butts off focusing on delivering new functionality on time and had not spared a thought for privacy requirements in the design.

This saga reminds us of the importance of Privacy by Design (PbD) and Privacy by Default, much emphasized by EU GDPR. It is a textbook case of the perils of ignoring PbD in one’s product design.

The 7 Principles of Privacy by Design (PbD)

Here are the 7 principles of Privacy by Design:

  1. Proactive not Reactive; Preventative not Remedial  

You should think about data privacy at the beginning, not as an afterthought or add-on.

As Zoom is hurriedly patching up its security loopholes, it must have learnt that reactive remedies are a lot more costly than proactive and preventative actions.

  2. Privacy as the Default Setting

Examples are mandatory passwords, explicit opt-in, restricted sharing, masking of information, and minimized data collection.

What Zoom could have done was to make passwords mandatory and the waiting room a default setting.

  3. Privacy Embedded into Design

Privacy is embedded into app design as a “core” feature by building in security techniques such as encryption, authentication, protection against script injection, and so on.

Obviously, Zoom was focused on functionality and had not paid enough attention to privacy.

  4. Full Functionality – Positive-Sum, Not Zero-Sum

Privacy does not mean you need to sacrifice functionality.

  5. End-to-End Security – Full Lifecycle Protection

Follow the data, wherever it goes. Implement encryption and authentication from creation to deletion of data. Zoom did not have true end-to-end encryption.

  6. Visibility and Transparency – Keep it Open

Build trust. Be open about your privacy practices, with a clear redress mechanism and lines of responsibility. Do not write a privacy statement that obfuscates. Write the privacy statement in plain, simple, straightforward language. (If that makes your lawyers squirm, chances are that is right for your customers.)

Zoom’s privacy statement was obviously not up to scratch. It will take years to re-build trust.

  7. Respect for User Privacy – Keep it User-Centric

The individual owns the data. Respect that they have the power to access and correct their data and the right to withdraw consent.

Will Zoom survive this crisis? I think so. I hope it will emerge as a much more robust and secure system, balanced among user friendliness, functionality, and privacy and security.

The importance of Cyber Hygiene

Are users totally without blame? Probably not.

Zoom has issued advice to users on things they could do to protect themselves. Many of these vulnerabilities were directly related to people’s failure to practice cyber-hygiene.

Just last week, I saw (and probably you did too) a hilarious short clip on social media in which, during a company web conference call, one of the participants was naked without knowing his webcam was on. He had obviously forgotten to protect his most “private part” of data!

Amid the banning of Zoom by the Ministry of Education, I particularly like a well-balanced article written by The Straits Times tech editor, Irene Tham, titled “Zoom hacking saga shows why cyber hygiene is so important” (The Straits Times, April 10, 2020). (https://www.straitstimes.com/tech/zoom-saga-shows-why-cyber-hygiene-is-so-important)

The poster by PDPC, ‘Zoom with Peace of Mind’, is a timely reminder of how one can (and should) protect oneself on the internet.

As a parting shot, don’t emulate Boris Johnson, UK Prime Minister, who tweeted a picture of a Zoom meeting that included the meeting ID. That surely is an open invitation to ‘Zoom-bombers’.