03 April 2020
Public Safety & Security on The Mesa City Council Virtual Platform Zoom?
From a security perspective, the basics are critical. High on the list are concerns about misinformation, weaponized information and social engineering.
ASK > Who in Mesa City Hall is taking precautions ???
COVID-19 is our new common watering hole, and malicious actors are manufacturing phishing attacks, devilish spear-phishing campaigns, rogue applications and more. Regular, short, routine communications to remind people of the basics, to gain a pulse on the organization and to provide clear policies are essential.
YESTERDAY THERE WAS THIS
Zoom to pay $85M for lying about encryption and sending data to Facebook and Google
Zoom users to get $15 or $25 each in proposed settlement of class-action lawsuit.
Zoom has agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and gave user data to Facebook and Google without the consent of users. The settlement between Zoom and the filers of a class-action lawsuit also covers security problems that led to rampant "Zoombombings."
The proposed settlement would generally give Zoom users $15 or $25 each and was filed Saturday at US District Court for the Northern District of California. It came nine months after Zoom agreed to security improvements and a "prohibition on privacy and security misrepresentations" in a settlement with the Federal Trade Commission, but the FTC settlement didn't include compensation for users.
As we wrote in November, the FTC said that Zoom claimed it offers end-to-end encryption in its June 2016 and July 2017 HIPAA compliance guides, in a January 2019 white paper, in an April 2017 blog post, and in direct responses to inquiries from customers and potential customers. In reality, "Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom's 'Connecter' product (which are hosted on a customer's own servers), because Zoom's servers—including some located in China—maintain the cryptographic keys that would allow Zoom to access the content of its customers' Zoom Meetings," the FTC said. In real end-to-end encryption, only the users themselves have access to the keys needed to decrypt content. . .
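To make the FTC's distinction concrete, here is an added toy example (not Zoom's code or protocol, and not part of the original post) contrasting a meeting whose key is minted and kept by the relay server with one where participants agree the key themselves and the server only relays public values and ciphertext. It assumes a SHA-256 counter-mode keystream as the cipher and a deliberately small Diffie-Hellman group, both constructed for illustration.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (not Zoom's protocol and far too
# small to be secure): a Mersenne prime modulus and a fixed generator for Diffie-Hellman.
P = 2**127 - 1
G = 5


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHA-256 counter-mode keystream (symmetric)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def derive_key(shared_secret: int) -> bytes:
    """Hash the Diffie-Hellman shared secret down to a 32-byte symmetric key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def server_managed_meeting(message: bytes) -> tuple[bytes, bytes]:
    """Server generates and hands out the meeting key, so it can read every frame.

    Returns (what the receiving participant reads, what the server can read)."""
    meeting_key = secrets.token_bytes(32)                 # minted by the server
    alice_key = bob_key = server_copy = meeting_key       # distributed; server keeps a copy
    ciphertext = xor_stream(alice_key, message)
    return xor_stream(bob_key, ciphertext), xor_stream(server_copy, ciphertext)


def end_to_end_meeting(message: bytes) -> tuple[bytes, bytes]:
    """Participants agree a key via Diffie-Hellman through the server; the server relays
    the public values and the ciphertext but never holds a private exponent.

    Returns (what the receiving participant reads, what the server can read)."""
    a = secrets.randbelow(P - 3) + 2                      # Alice's private exponent
    b = secrets.randbelow(P - 3) + 2                      # Bob's private exponent
    A, B = pow(G, a, P), pow(G, b, P)                     # public values, relayed by the server
    alice_key = derive_key(pow(B, a, P))
    bob_key = derive_key(pow(A, b, P))                    # same secret, computed independently
    ciphertext = xor_stream(alice_key, message)
    # The server's entire view is (A, B, ciphertext); without a or b it cannot
    # derive the key, so the most it can hand anyone is the ciphertext itself.
    server_view = ciphertext
    return xor_stream(bob_key, ciphertext), server_view
```

In the first model the server's copy of the key is exactly what lets it, or anyone who compels it, read meeting content; in the second, the recipient reads the message while the server holds only ciphertext.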
Technical preview of Zoom's end-to-end encryption, made available months after Zoom was caught lying to users about how it encrypts video calls. . .
With the pandemic boosting its videoconferencing business, Zoom more than quadrupled its annual revenue from $622.7 million to $2.7 billion in the 12 months ending January 31, 2021. Zoom also reported $672 million in net income for the 12-month period, up from $25.3 million the previous year. Zoom is on pace for even better results this year, having reported Q1 (February-April) revenue of $956.2 million and net income of $227.5 million.
> Zoom's failure to provide end-to-end encryption was reported by The Intercept in March 2020. Zoom's response to that article "made it clear that Zoom both knew that it did not use the industry-accepted definition of E2E encryption and had made a conscious decision to use the term 'end-to-end' anyway," the lawsuit said. . .
Settlement requirements
The settlement "requires Zoom to not reintegrate the Facebook SDK for iOS into Zoom meetings for a year" and to ask Facebook to "delete any US user data obtained from the SDK."
The security and transparency changes Zoom agreed to also include the following:
- Develop and maintain, for at least three years, documented protocols and procedures for admitting third-party applications for dissemination to users through Zoom's "Marketplace."
- Develop and maintain a user-support ticket system for internal tracking of, and communication with users about reports of meeting disruptions.
- Develop and maintain a documented process for communication with law enforcement about meeting disruptions involving illegal content, including dedicated personnel to report serial meeting disrupters to law enforcement.
- Develop and maintain security features such as waiting rooms for attendees, the suspend meeting activities button, and blocking of users from specific countries for a minimum of three years.
Zoom would be required "to better educate users about the security features available to protect meeting security and privacy, through dedicated space on the Zoom website and banner-type notifications." Zoom's website will also have to include "centralized information and links for parents whose children are using school-provisioned K-12 accounts."
After the settlement was announced, Zoom gave media outlets a statement that did not admit any wrongdoing. "The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us," Zoom said. "We are proud of the advancements we have made to our platform, and look forward to continuing to innovate with privacy and security at the forefront."