Zoom Seders May Bring Unwanted Guests to Your Passover Dinner Table

During the coronavirus global lockdown, hundreds of millions of online meetings—including private and familial gatherings—happen on Zoom’s platform every day. With them, come great privacy and legal concerns

Dov Greenbaum 11:4108.04.20

TAGS:

With literally hundreds of millions of Zoom meetings now taking place every day, for business meetings, social gatherings, and potentially even Seders—

the ceremonial dinner marking the beginning of the week-long Jewish holiday of Passover that takes place Wednesday evening, we must remain cognizant of our privacy, even in these uncertain times. Keep in mind, for example, that there are already compilations of embarrassing Zoom moments where people, letting down their guard, have done embarrassing things on tape.

But, perhaps more embarrassing than literally being caught with your pants down, our rapid transition from face to face meetings to Zoom Video Communications Inc.’s platform has exposed numerous privacy weaknesses, both in the app itself and, more generally, in our increasing online activities.

Seder dinner table (illustration). Photo: Shutterstock

Such privacy concerns, as well other abuses of the system, recently drove the city of New York and other large districts to ban Zoom from its schools, even switching its recently Zoom-trained teachers to Microsoft Teams.

In response to similar concerns, including the routing of customer data through China, Zoom— acknowledging its system, designed primarily for large and tech-savvy institutions, was caught off-guard with its rapid rise in popularity amongst the general less IT-acute population of teachers, parents, and students, due to the spread of the coronavirus (Covid-19)—acted quickly and decisively.

Last week, Zoom announced that it will be focusing on improving its security and privacy issues, at the expense of adding new features, as well as enabling more security features, and giving the host greater control over who enters the conference call, by default. Zoom also admitted that, counter to what was typically understood by users and claimed by the company, it does not, in fact, provide end-to-end encryption.

These efforts by Zoom have not helped keep multiple attorneys general from looking into the company’s privacy practices. White hat hackers have also focused their attention on Zoom, looking to tease out the many possible security holes within the system, before their less ethical peers do. They have found a lot of vulnerabilities, including shortcomings that allow malicious actors to steal passwords or obtain access to users’ webcams and microphones.

One of the biggest growing concerns with the rapid switch to Zoom has been the rise of Zoombombing, a phenomenon where uninvited, often rude, racist, inappropriate or abusive guests crash Zoom chats to harass and upset the other attendees. There are even readily available online tools to facilitate this practice. But those who are intent on Zoombombing should think twice, as even good-natured virtual meeting crashing could be a federal offense in the U.S. under the beleaguered Computer Fraud and Abuse Act (CFAA).

The CFAA itself is, however, also coming under fire. The decades-old law is seen as lacking relevancy in today’s world. Late last year, a writ of certiorari was filed with the U.S. Supreme Court, petitioning the justices to hear the case of Nathan Van Buren v. the U.S. Succinctly, The case deals with a police officer, Van Buren, who looked up a license plate in an official police database, for unofficial business and was charged under the CFAA. The Supreme Court was also petitioned more recently to overrule a Ninth Circuit decision ruling that hiQ Labs Inc., a San Francisco-based data scraping company, did not violate the CFAA when it automatically scraped LinkedIn pages, even after a cease and desist request. It is unlikely that the Supreme Court will further expand the reach of the CFAA in light of all the rulings by the lower courts seeking to narrow it, particularly as web scraping is standard practice by many industries.

There is a lot of criticism of prosecutors’ expansive characterization of the necessary access without authorization under the CFAA. In the Van Buren case, for example, the police officer clearly had authorization to use the system, he, arguably, simply exceeded the limits of that authorization. Van Buren did not hack into the system, nor did he cause any damage or loss to it and, as such, a narrow reading of the law would suggest that he did not violate the CFAA. Highlighting the problems with the CFAA, there is a circuit court split among the federal appellate courts as to the meets and bounds of the law. Some circuits, like the First, Fifth, Seventh, and Eleventh Circuits interpret the law broadly, while others, like the Fourth, Sixth, and Ninth, read the law narrowly.

Those who want to promote the narrow reading of the law, if not a total revision, point to the obvious problem that most if not all of us violate the terms of service of many of the online platforms that we use on a regular basis, making us all potential criminals under a broad reading. It is under these conditions that the Supreme Court was asked to review a number of CFAA cases, and the law itself by amici stakeholders.

The CFAA was enacted in 1986 as a way to expand the prosecution of computer hacking cases beyond the then-current limitations of wire fraud laws. Under the CFAA it became a crime to access a computer without authorization or to access a computer by exceeding authorization. Notably, the U.S. Congress was reportedly incentivized by the relatively unrealistic Matthew Broderick thriller film, Wargames, wherein a teenager is able to hack into a military computer and nearly start a nuclear war. The intent of Congress was clear at the time—motivated by a fear of malicious hackers—and yet the law has grown substantially and unwieldy under over-broad judicial interpretations. Fortunately, not all of Hollywood thrillers become a reality.

While the law was initially limited to cases involving the U.S. government, it has subsequently been interpreted to be broad enough to bring charges against individuals who simply violate the private contractual terms of service—those long contracts of adhesion that you barely gloss over before clicking “I Agree.” The terms of service of Amazon Web Services (AWS), which includes the now not-so far-fetched possibility of a viral zombie apocalypse, are also included in such broad interpretations.

California Congresswoman Zoe Lofgren has tried repeatedly to amend the CFAA with Aaron’s Law, which is named after Aaron Swartz, a 26-year-old hacktivist who was hounded by federal agents for making academic articles freely available and who eventually committed suicide in 2013 as a result of the incessant federal prosecution against him. Thus far, Lofgren’s efforts have not succeeded in amending the law.

Many, however, still look to the CFAA to prosecute computer crimes. For example, in light of the Clearview AI Inc. incident wherein faces were scraped from websites to use for algorithm-based facial recognition, some have called for criminal indictments under the CFAA.

Famously, in 2019, NASA astronaut Lt. Col Anne McClain may have committed the first known crime in outer space, under the CFAA, when she accessed, without authorization, the accounts of her estranged spouse, Summer Worden. Worden claims that McClain was aiming to take custody of her step-son, while McClain claims that her access was a legitimate effort to assess their joint finances. Worden herself now faces charges that she lied to investigators, and McClain’s internet activities in space could, marking a precedent, be subpoenaed in Worden’s defense. While it is unlikely that McClain will face criminal prosecution, we will likely see a growing appreciation of how easy it is to violate this overly broad law.