chevron-down Created with Sketch Beta.
December 10, 2020 Techno Ethics

Things Your Mother Never Told You about Zoom

James Ellis Arden
As the COVID-19 pandemic has raised technical needs, so, too, has it heightened the risk of violations of our ethical duties to preserve confidences.

As the COVID-19 pandemic has raised technical needs, so, too, has it heightened the risk of violations of our ethical duties to preserve confidences.

FG Trade/E+ via Getty Images

Everyone’s work has changed in some way because of the coronavirus. Many of us bought new computers and cameras now that we work at home. But moneys spent to install and upgrade new technology because of the pandemic are more than offset by savings on gasoline, other transportation costs, and pants.

A lot of effort is being made to facilitate the work we now do from home. But as the COVID-19 pandemic has raised technical needs, so, too, has it heightened risks to privacy and violations of our ethical duties to preserve confidences:

[W]orking from home has become the new normal, forcing law offices to transform themselves into a remote workforce overnight. As a result, attorneys must be particularly cognizant of how they and their staff work remotely, how they access data, and how they prevent computer viruses and other cybersecurity risks.

PA Form. Op. 2020-300.

Lawyers have experience working through devastating floods, hurricanes, and earthquakes, and the ABA recognizes that lawyers might need to relocate because of a disaster: “Some lawyers may either permanently or temporarily relocate to another jurisdiction following a disaster. . . . Displaced lawyers who wish to practice law in another jurisdiction may do so only as authorized by that other jurisdiction.” ABA Form. Op. 482.

What if you relocated to your home in one state, but you are licensed to practice in another? Some jurisdictions are issuing opinions on those arrangements, too:

[A]n attorney who is not a member of the District of Columbia bar may practice law from the attorney’s residence in the District of Columbia . . . if the attorney . . . is practicing from home due to the COVID-19 pandemic; . . . avoids using a District of Columbia address in any business document[;] . . . and . . . does not regularly conduct in-person meetings with clients or third parties in the District of Columbia.

D.C. CUPL-Op. 24-20.

A New Jersey attorney “who simply establishes a residence in Florida and continues to provide legal work to out-of-state clients from his private Florida residence . . . does not establish a regular presence in Florida for the practice of law.” FL opinion FAO #2019-4.

Who’s Zooming Who?

Much has been written about the risks to lawyers of relying on Internet communications. We do the best we can to protect client communications by maintaining robust, secure, and private Internet connections.

Because we can’t go to court or meet with clients as we used to, we use Zoom now to make most of our court appearances and client meetings. Raise your hands if you heard of Zoom a year ago.

Confidentiality concerns about Zoom’s security measures arose when Zoom usage zoomed in March 2020, and we began hearing about “Zoombombing”—using Zoom’s screen-sharing feature to display violent or pornographic imagery in a meeting (https://tinyurl.com/yyd3lzyv).

Enterprising trolls figured out that Zoom does not require a meeting host to grant screen-sharing access to another participant. All they needed was a meeting link to enter a videoconference. If blocked, they just re-entered under a new name. Zoombombing became such a nuisance that some school districts and New York City banned its use for online learning during the coronavirus school closures. Zoom responded by adding more password protocols and enabling its Waiting Room feature, which allows the host to control when a participant joins the meeting for all free accounts (https://tinyurl.com/y438pu99). Zoom also added new security features and modified its privacy policy (https://tinyurl.com/yyd3lzyv).

Still, I suspect most lawyers would be surprised to learn of the tracking risks Zoom use carries.

Starting with Zoom version 4.0, the host of a call had the capacity to monitor the activities of attendees while screen-sharing. After 30 seconds, if attendees of a meeting did not have the Zoom video window in focus during a call where the host was screen-sharing, the host could see indicators next to each participant’s name indicating that the Zoom window was not active (https://tinyurl.com/yxu7z63o).

Notably, Zoom’s CEO, Eric Yuan, announced that as of April 2, 2020, Zoom removed this attendee attention–tracker feature (https://tinyurl.com/yyjxdyac). But Zoom call administrators can still access

detailed views on how, when, and where users are using Zoom, with detailed dashboards in real-time of user activity. Zoom also provides a ranking system of users based on total number of meeting minutes. If a user records any calls via Zoom, administrators can access the contents of that recorded call, including video, audio, transcript, and chat files, as well as access to sharing, analytics, and cloud management privileges. For any meeting that has occurred or is in-process, Zoom allows administrators to see the operating system, IP address, location data, and device information of each participant. This device information includes the type of machine (PC/Mac/Linux/mobile/etc.), specs on the make/model of your peripheral audiovisual devices like cameras or speakers, and names for those devices (for example, the user-configurable names given to AirPods).

That is a lot of detail.

End-to-End Encryption

Basically, end-to-end encryption prevents others from eavesdropping on data while it is in transit between users. It scrambles the data so that only the sender and receiver can decipher it, and it makes mass hacking or surveillance much more difficult. Actual end-to-end encryption hides the contents of a message from everyone except the sender and receiver—including the company providing the platform (https://tinyurl.com/y3msj628).

Zoom’s end-to-end encryption only worked when all participants connected using computer audio instead of calling in. Nor was it true end-to-end encryption because Zoom had access to the data going back and forth (https://tinyurl.com/y3msj628).

To be fair, Zoom was caught off guard by the pandemic; it wasn’t intended to be used by so many people so quickly. Yuan has expressed his commitment to fixing all of Zoom’s security issues (https://tinyurl.com/y3alrhbv).

Ring . . . Ring . . .

Those of you who rely on your Ring WiFi-enabled video doorbell for additional security when working from home should know that Ring doesn’t only allow users to surveil their neighbors; the company also uses it to surveil its customers. The Ring doorbell app for Android was found to be packed with third-party trackers sending out a plethora of customers’ personally identifiable information to analytics and marketing companies, information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers (https://tinyurl.com/y5u8xbdl).

Ring gives one company, MixPanel, the most information by far. Users’ full names, e-mail addresses, device information such as OS version and model, whether Bluetooth is enabled, and app settings such as the number of locations where a user has Ring devices installed, all are collected and reported to MixPanel.

The analytics and tracking companies are able to combine such data to form a unique picture of users’ devices, representing a fingerprint that follows users as they interact with other apps, in essence enabling trackers to spy on what users are doing digitally and when they are doing it.

It is unfortunate that, as we’re having to make compromises to protect confidential information, we are being compromised by the technology we need.

Download the PDF of this article

Entity:
Topic:
The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

James Ellis Arden works on legal malpractice, ethics, and appellate matters for other lawyers. Rated AV-Preeminent by Martindale-Hubbell, he is a member of the Association of Professional Responsibility Lawyers and the Los Angeles County Bar Association’s Professional Responsibility and Ethics Committee (former vice-chair), and he serves as a volunteer special master for Los Angeles County.