GUEST BLOG / By Mathew Ingram, writing for Columbia (Univ.) Journalism Review’s online “Media Today” column.
NOTE: Zoom Video Communications is an American remote conferencing
services company headquartered in San Jose, California. It provides a remote
conferencing service that combines video conferencing, online meetings, chat,
and mobile collaboration.

It's the kind of problem many companies would love to have: suddenly people are
using your product by the millions, to the point that it has become
mission-critical for many, including journalists.

Unfortunately for Zoom, what caused the demand (the company says 20 times more people are
using the software now than used it in December of 2019) was a global pandemic,
one that has exposed some of Zoom’s troubling weaknesses. A few are funny:
Boris Johnson, prime minister of the United Kingdom, inadvertently shared the
ID number for a cabinet meeting he held via Zoom, opening the door to anyone
seeking to log on; a manager at a progressive advocacy group accidentally ran a
meeting as a potato.

Somewhat more serious (although still on the nuisance end of the spectrum), attendees on
some Zoom calls have been interrupted by pornography, thanks to a phenomenon
that some are calling “Zoom-bombing” (borrowed from “photo-bombing”). Trolls
appear to be dialing in to random Zoom calls and displaying porn videos or
blasting other annoying audio and video.

In a statement, Zoom said that hosts can prevent this by requiring a password, or
by making use of various features such as the Waiting Room, which keeps new
visitors at bay until the host allows them to enter. “We are deeply upset to
hear about the incidents involving this kind of attack,” the company said.

Some flaws, however, can be extreme, such as a Windows vulnerability through which
hackers were able to steal someone’s credentials. All a user had to do,
according to a report from a software security blog, was click on a link in the
Zoom chat window; if a hacker had configured the link properly, it would
connect to the user registry within Windows and provide the user’s login and
password. That scenario poses a significant problem for journalists who need to
keep their conversations anonymous (in a blog post published Thursday, the
company said it has fixed this problem). It’s not the first back-door style
vulnerability Zoom has seen: until late last year, Zoom secretly installed a
hidden web server on Mac computers that could be used by hackers to take
control of the video camera. (Zoom has since removed this feature.)

There are other security risks, too. For some time, Zoom has claimed on its website
and in white papers that its video calls are end-to-end encrypted. But a report
from The Intercept says that’s not the case—calls are encrypted for data traveling
between a user and Zoom’s servers, but the company has access to information
once it arrives. (Text chats are end-to-end encrypted, however.)

With true end-to-end encrypted apps like WhatsApp or Signal, all information sent in
either direction and from any location is locked up, and the companies in
question don’t have keys. Zoom offers less privacy, since the company could
mine data for its own purposes or be compelled to do so by law enforcement. In
a statement to The Intercept, Zoom said that it “only collects data as needed
to provide the service,” and that it does not “mine user data or sell user data
of any kind to anyone”; it does comply with legal requests from governments and
law enforcement officials. And in a blog post published Thursday, the company
apologized for using the term “end-to-end encryption” improperly, but promised
that it does not decrypt any of the data that is transmitted.

New security risks seem to be popping up every day, however: a researcher said he
found a way for hackers to easily take control of a user’s microphone and video
camera (Zoom said in its Thursday blog post that it has fixed this problem as
well).

Nilay Patel, the editor of The Verge, said on Twitter: “The biggest question facing
Zoom is whether these gaffes are move-fast-break-things mistakes, or reflective
of a deeper culture of disrespect for user privacy. Or both.” Will Zoom take
advantage of the historic opportunity with which it’s been presented, or sink
under the weight of problems? Until we have more answers, journalists would be
wise to use Zoom with caution.

Here’s more on Zoom and its flaws:
• Data leakage: Zoom is being sued by a
user who claims it’s illegally disclosing personal information. Zoom collects
data when users install or open the application; then, according to the
lawsuit, the company shares it, without proper notice, with third parties,
including Facebook. The suit, filed Monday in federal court in San Jose,
California, contends that Zoom’s privacy policy doesn’t explain to users how it’s
feeding Facebook. Zoom told Motherboard, which first reported on the data
sharing, that it has removed the relevant code.
• Privacy flaws: After receiving a damning
review in Consumer Reports, Zoom rewrote parts of its privacy policy. Zoom’s
original policy allowed the company to collect information from users’
meetings—from videos to transcripts to the notes that users might share through
Zoom’s chat feature—and use that information for ad targeting.
• AG letter: Zoom is now under the
scrutiny of the office of New York’s attorney general for its data privacy and
security practices. On Monday, the office sent Zoom a letter asking what new
security measures the company has put in place to handle increased traffic on
its network and to detect hackers, according to a copy reviewed by the New York
Times. The letter referred to Zoom as “an essential and valuable communications
platform,” but it noted that the company had been slow to address security
flaws, including those “that could enable malicious third parties to, among
other things, gain surreptitious access to consumer webcams.”
• Use a VPN: Security experts say if
you’re concerned about data leakage from Zoom, or about hackers making use of
information in your calls, the best protection is to use a VPN, or virtual private
networking software. VPN providers reroute all of your internet traffic through
their own secure servers. They keep you anonymous, allow you to disguise your
IP address, and provide end-to-end encryption of your data.
MORE ON ZOOM
“FBI Warning for Zoom Users.” From NPR.