Mishcon bans Zoom for client calls unless given express consent

UK law firm Mishcon de Reya has taken the decision not to use video conferencing app Zoom for client communications unless they receive express consent.

The decision comes after an extensive four-week review, and speaking to Legal IT Insider, head of IT operations and security, Ned Stevanovski said: “We use Teams but often get invited to Zoom. So, we’ve done a lot of analysis and come to the conclusion that unless a client understands the risk and consents to that risk it should not be used.”

He adds: “If the client insists on using Zoom, we have a written statement to say that the risk is for them. It’s not our recommendation and they need to understand the risks if we do use it.”

Since the COVID-19 lockdown, Zoom’s daily users have jumped from 10 million to over three hundred million. But the security flaws and criticisms that have emerged over the past weeks range from the fact that Zoom’s encryption is not end to end, as it initially claimed; to the fact that its default settings mean meetings have a generic ID that can easily be discovered and ‘Zoombombed’ by anyone ranging from bad actors to people uploading pornography; to the fact that it allegedly passed on data to third parties such as Facebook without notifying users (leading to a class action); to fears that Zoom calls could be vulnerable to Chinese surveillance.

One of the concerns for law firms is that Zoom has a lot of developers in China, which is a red flag for some UK and US clients.

On 23 April Zoom released Zoom 5.0, which includes better encryption and new privacy controls as part of its 90-day plan to raise security standards. The new version allows hosts to report suspect users and introduces a waiting room, meaning that participants have to be let into the meeting. All meetings now need a password.

Zoom 5.0 will now use the AES 256-bit GCM encryption standard, which while still not end to end, is a significant improvement. Zoom is also giving account managers the ability to control which data regions it avoids.

A spokesperson for Zoom said: “All Zoom source code is stored and versioned in the United States. Zoom’s software developers in China are largely managed by our engineering team in the United States and they carry out their responsibilities in accordance with the design and architecture decisions made by Zoom’s U.S. Engineering group. These developers in China do not have any access to Zoom’s production environment, the power or access to make substantive changes to our platform or the means to access any meeting content. And, importantly, across all of Zoom engineering, regardless of location, our engineers only have access to the source code required for their particular function.”

To read our extensive analysis of Zoom in the context of the legal sector click here:http://legaltechnology.com/?p=48858