Zoom to step up user privacy, security following state probe

Zoom agreed to step up security protections for all of its users under an agreement with the New York attorney general's office announced today.

The big picture: Zoom is keen to placate lawmakers and regulators as it deals with the increased scrutiny that has accompanied the popularity of its videoconferencing service during the coronavirus pandemic.

What's happening: Zoom has agreed to implement security measures to settle an investigation from New York AG Letitia James. They cover the following topics:

• Data security. Among other measures, the company will establish and maintain a comprehensive data security program; review code for any possible bugs that could be exploited by hackers; and step up encryption of users' information.
• Privacy. The company will add privacy controls for its free and K-12 accounts. Hosts will by default be able to require other users to enter a password or wait in a digital waiting room before joining a meeting, and they'll be able to control who can see email addresses and private messages from conferences, among other limits.
• Abuse mitigation. Zoom will explicitly ban abusive conduct based on race, religion, ethnicity, national origin, gender, or sexual orientation, and it has agreed to swiftly investigate and, if warranted, punish reported misconduct.

What they're saying: "We are pleased to have reached a resolution with the New York Attorney General, which recognizes the substantial work that Zoom has completed as part of our 90-day security and privacy plan," a Zoom spokesperson said in a statement.

• The changes Zoom committed to under the agreement include some the company has already announced under that 90-day plan, begun in early April.
• "Our lives have inexorably changed over the past two months, and while Zoom has provided an invaluable service, it unacceptably did so without critical security protections," James said in her own statement.
• "This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call."

Context: Zoom has faced criticism over a range of issues, including security flaws, overstated claims about usage and encryption, and failures to protect users against "Zoombombing," in which strangers join open Zoom meetings to share abusive or obscene material.

• James' office opened its probe into the company in late March. Days later, New York City schools barred teachers and students from using Zoom. The city lifted that ban Wednesday after reaching its own security and privacy agreement with the company.
• Zoom has spent recent weeks building out its policy apparatus, just this week recruiting a longtime tech trade group executive as its Washington point person and naming former Trump national security adviser H.R. McMaster to its board.

Meanwhile: The company also announced Thursday that it's buying identity management firm Keybase to help build out an end-to-end-encrypted mode on meetings.