The agreement comes one day after the New York City Department of Education lifted its ban on Zoom after working with the company to ensure the proper safety features were in place. Taken together, the deals put momentum behind Zoom's 90-day plan announced April 1 to fix its security flaws and could help it regain consumer confidence in its product after a shaky couple of months.
James' office had been looking into Zoom's security measures for more than a month, according to a press release. The inquiry came as more and more people, including New York City students and teachers, were logging onto the platform to work remotely during the pandemic. As new users flocked to Zoom, the enterprise tool began to see the type of abuse common on consumer platforms.
Zoom users began experiencing "zoombombing," where their conversations were infiltrated by unwanted guests, sometimes sharing profanities and explicit remarks. This even happened to the Connecticut attorney general, who opened his own probe into the company, working with attorneys general in New York and Florida.
A representative for Connecticut Attorney General William Tong said the office's probe into Zoom is still ongoing. In addition to the probe led by Tong, Zoom still faces an investor lawsuit that claims the company failed to tell shareholders about privacy and security issues with its platform.
Some of the abuse resulted from open features that Zoom had in place to aid its rapid growth. Users were able to join conversations with the click of a link, for example, which worked fine when they were shared mainly with coworkers, but less so when they were used to invite large groups of strangers to chats. The NYC DOE is requiring students and teachers to use a DOE-licensed version of the program, which includes certain protections, such as only allowing teachers to share screens or invite students to sessions.
The attorney general's agreement also includes protections for students. All free kindergarten through 12th grade education accounts will have to allow hosts to control access to conferences with a password or digital waiting room. They also must be able to control access to private messages, email domains and whether participants can share screens, according to the agreement.
Many of the measures Zoom agreed to implement have already been completed or planned for. Zoom agreed, for example, to stop sharing user data with Facebook and disable a feature with LinkedIn that shares profiles of users with other users even if they chose to be anonymous. The company already removed code from its iOS app that sent data to Facebook, Motherboard reported in March.
The agreement requires Zoom to maintain various security protocols, like its bug bounty program, use "reasonable encryption" and maintain a security chief that regularly reports to the CEO and board of directors. Zoom has agreed to submit a copy of its annual data security assessment to James' office for the three years in which the agreement is in place.
"We are pleased to have reached a resolution with the New York Attorney General, which recognizes the substantial work that Zoom has completed as part of our 90-day security and privacy plan, including making a number of our pre-existing security features on by default and also introducing new security enhancements," a Zoom spokesperson said in a statement. "We are grateful for the New York Attorney General's engagement on these important issues and are glad to have reached this resolution so quickly."