Note: This is something I originally wrote for the daily newsletter at the Columbia Journalism Review, where I’m the chief digital writer.
It’s the kind of problem many companies would love to have: Something happens that makes the world suddenly adopt your app or service by the millions, to the point where it becomes mission-critical for many, including journalists. Unfortunately for Zoom, the thing that happened is a global pandemic, and what it has done more than anything is expose some of the flaws and weaknesses in the service, which has become the de facto method of communication for everyone from politicians and teachers to doctors. Some of those flaws or weaknesses are mundane and even humorous, such as UK Prime Minister Boris Johnson inadvertently sharing the meeting ID number for a cabinet meeting he held via Zoom (which could allow someone to connect to the call without permission), or the manager who enabled filters for a conversation with friends, and then couldn’t turn them off and did an entire meeting as a potato.
Somewhat more serious than that (although still on the nuisance end of the spectrum), attendees on some Zoom calls have been interrupted by pornography and other misbehavior, thanks to a phenomenon that some are calling “Zoom-bombing” (from the term “photo-bombing,” which is when someone jumps into a picture without permission). Trolls appear to be dialing in to random Zoom calls and displaying porn videos or blasting other annoying forms of audio and video, since many Zoom calls can be joined with a simple nine-digit number. The company said in a statement that hosts can prevent this by requiring a password, or by making use of various features such as the Waiting Room, which hides a new visitor until the host allows them to enter. “We are deeply upset to hear about the incidents involving this kind of attack,” the company said.
Some flaws in the software, however, could be extremely serious, such as a Windows vulnerability that could allow hackers to steal someone’s credentials. All a user has to do, according to one report from a software security blog, is to click on a link in the Zoom chat window, and if a hacker has configured the link properly, it will connect to the user registry within Windows and provide the user’s login and password (although Windows sends this in encrypted form, a researcher was able to decrypt the user info in less than 30 seconds with a standard PC). This kind of vulnerability could be a significant problem for journalists or aid workers and other agencies who need to keep their conversations anonymous for various reasons. It’s not the first back-door style vulnerability Zoom has seen: Until late last year, the app secretly installed a hidden web server on Mac computers that could potentially be used by hackers to take control of a computer’s video camera (Zoom has removed this feature).
Potentially just as serious in a different way, Zoom has been saying for some time on its website and in security white papers that video calls hosted by the app are end-to-end encrypted. But a report from The Intercept says that’s not the case — calls are encrypted for data traveling between the user and Zoom’s servers, it says, but the company has access to the information once it gets there (text chats are end-to-end encrypted, however). With a true end-to-end encrypted app like WhatsApp or Signal, all of the information sent in either direction and from any location is encrypted, and the company in question doesn’t have the keys with which to decrypt it (Apple’s FaceTime video chat is also end-to-end-encrypted). Zoom is under no such restrictions, which some say raises questions about the privacy of Zoom calls, since the company could mine the data for its own purposes or be compelled to do so by law enforcement.
In a statement to The Intercept, Zoom said that it “only collects data as needed to provide the service,” and that it does not “mine user data or sell user data of any kind to anyone” for any purpose. But the company did admit that it complies with legal requests from governments or law enforcement when necessary. Meanwhile, new security risks seem to be popping up every day: A security researcher said he found a way that hackers can easily take control of a user’s microphone and/or video camera. As Verge editor-in-chief Nilay Patel said on Twitter: “The biggest question facing Zoom is whether these gaffes are move-fast-break-things mistakes, or reflective of a deeper culture of disrespect for user privacy. Or both.” The answers could determine whether the company manages to take advantage of the historic opportunity it has been presented with, or whether it sinks under the weight of its flaws and weaknesses.
Here’s more on Zoom and its flaws:
Data leakage: Zoom is being sued by a user who claims the popular video-conferencing service is illegally disclosing personal information. The company collects information when users install or open the Zoom application and shares it, without proper notice, with third parties including Facebook Inc., according to the lawsuit, filed Monday in federal court in San Jose, California. According to the suit, Zoom’s privacy policy doesn’t explain to users that its app contains code that discloses information to Facebook and potentially other third parties. Zoom told Motherboard, which first reported the data sharing, that it has removed the code that allowed this.
Privacy flaws: Zoom has rewritten parts of its privacy policy after Consumer Reports highlighted concerns by users and privacy experts about the service. The consumer magazine pointed out last week that Zoom’s original privacy policy allowed the company to collect information from users’ meetings—from videos to transcripts to the notes that users might share through Zoom’s chat feature. The privacy policy also allowed Zoom to use that personal information for targeting of advertising either on or off the platform, or for other business purposes.
AG letter: Zoom is now under the scrutiny of the office of New York’s attorney general for its data privacy and security practices. On Monday, the office sent Zoom a letter asking what new security measures the company has put in place to handle increased traffic on its network and to detect hackers, according to a copy reviewed by the New York Times. While the letter referred to Zoom as “an essential and valuable communications platform,” it noted that the company had been slow to address security flaws such as vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.”
Use a VPN: Security experts say if you’re concerned about data leakage from Zoom, or that hackers (or the company itself) might make use of information in your video or audio calls, the best protection is to use a VPN, or virtual private networking software. VPN providers reroute all of your internet traffic through their own secure servers. As well as keeping you anonymous and giving you the ability to change your IP address to a location pretty much anywhere in the world, VPN services also end-to-end encrypt all of the data sent via that traffic.
Other notable stories:
JPI Media, owner of the Yorkshire Post and Scotsman titles, is putting 350 employees on furlough (paid leave) and cutting the salaries of those who continue working by up to 15 per cent. JPI chief executive David King said 250 sales staff and some 100 other employees will be put on leave “in light of the significant reduction in advertising volumes”. The London Evening Standard has furloughed a number of full-time employees, and all other employees have had their pay reduced by 20 per cent for two months, down to a floor of $65,700. And City AM staff will be put on furlough and the digital edition suspended. Staff who continue to work will be paid 80 per cent of their salary. City AM stopped printing its daily edition last week.
Time CEO Edward Felsenthal, on the other hand, not only pledged to his staff of 275 that the company wouldn’t have any layoffs for 90 days but promised the company would continue growing through new hires and investing in its consumer products and long-form video division. “We’re fortunate,” Felsenthal said of the company’s owners, Salesforce CEO Marc Benioff and Lynne Benioff, who also pledged to not have significant layoffs at Salesforce for 90 days.
The Reporters Committee for Freedom of the Press has released its US Press Freedom Tracker report for 2019, which notes that journalists in the U.S. continued to find themselves the targets of physical attacks and threats across the country last year. According to the tracker, there were 34 physical attacks, affecting 39 journalists, and data suggested that female journalists faced special risks while reporting in the field; at least three women were attacked in a sexual way while doing live shots. President Trump’s statements criticizing the press also increased in 2019, setting new records for the number of times he called the news media “fake news” (273 times).
As part of our ongoing Year of Fear series, CJR and the Delacorte Review have been bringing you coverage of how the upcoming election is impacting a number of towns. In the latest chapter, Sandra Sanchez writes about how Nayda Alvarez and her Texas ranch family are watching the border with Mexico, including the fact that they are afraid Donald Trump might close the border, and might also blame Mexicans and those trying to migrate to the US for the coronavirus crisis, and thereby advance his political agenda and his attempt to justify a border wall.
A number of news organizations are boycotting presidential briefings not just because they seem increasingly hard to justify as news events, but also because they are concerned about the health risks. The decision by such outlets as the New York Times and CNBC to stay away may be fundamentally changing the character of the briefings, the Washington Post reports. The Post, Times and CNBC stopped sending reporters to the briefings after two White House correspondents were suspected of having contracted COVID-19. Times executive editor Dean Baquet said the paper has stopped going both because of health considerations and the uncertain newsworthiness.
Both MSNBC and CNN cut away from Trump’s press briefing on the virus before it was finished. MSNBC carried most of the proceedings live, though host Chuck Todd warned his audience in advance that “we know these briefings have a tendency to veer in a lot of directions. Not all of them are informative or relevant in the midst of this crisis.” The network cut away after about 100 minutes. CNN skipped Trump’s opening remarks and joined the briefing only when he ceded the lectern to his COVID-19 task force experts, Deborah Birx and Anthony S. Fauci.
The website of the Boston Globe has launched a feature called Boston Helps that readers can use to connect with people who might need assistance during the COVID-19 quarantine. Matt Karolian, the general manager of Boston.com, tells the Nieman Lab that Boston Helps gives helpers five ways to support a community member: Paying for someone’s groceries; paying for someone’s essential toiletries; paying for meal delivery to someone’s home; paying for a rideshare service locally; or by giving money to help a Bostonian. CJR spoke with Karolian in a Galley discussion recently.
The Philadelphia Inquirer writes about Alice Stockton-Rossini, a radio reporter for the conservative New York station 710 WOR who spent days reporting from a coronavirus containment zone in New Rochelle, New York and then went to a 90th birthday party that she had planned for her mother on Long Beach Island. Not long afterwards, both she and her mother got sick and her mother was hospitalized and tested positive for COVID-19. Two of the people who attended the party have since died, including her mother’s next-door neighbor and long-time friend. “I can hardly bear it,” Stockton-Rossini said. “I had to tell my mother her best friend died.”