Monday, April 6, 2020
AMERICANA / ZOOM UNDER PRESSURE
GUEST BLOG / By Mathew Ingram writing for Columbia (Univ.) Journalism Review’s online “Media Today” column.
NOTE: Zoom Video Communications is an American remote conferencing services company headquartered in San Jose, California. It provides a remote conferencing service that combines video conferencing, online meetings, chat, and mobile collaboration.
It's the kind of problem many companies would love to have: suddenly people are using your product by the millions, to the point that it has become mission-critical for many, including journalists.
Unfortunately for Zoom, what caused the demand (the company says 20 times more people are using the software now than used it in December of 2019) was a global pandemic, one that has exposed some of Zoom’s troubling weaknesses. A few are funny: Boris Johnson, prime minister of the United Kingdom, inadvertently shared the ID number for a cabinet meeting he held via Zoom, opening the door to anyone seeking to log on; a manager at a progressive advocacy group accidentally ran a meeting as a potato.
Somewhat more serious (although still on the nuisance end of the spectrum), attendees on some Zoom calls have been interrupted by pornography, thanks to a phenomenon that some are calling “Zoom-bombing” (borrowed from “photo-bombing”). Trolls appear to be dialing in to random Zoom calls and displaying porn videos or blasting other annoying audio and video.
In a statement, Zoom said that hosts can prevent this by requiring a password, or by making use of various features such as the Waiting Room, which keeps new visitors at bay until the host allows them to enter. “We are deeply upset to hear about the incidents involving this kind of attack,” the company said.
Some flaws, however, can be extreme, such as a Windows vulnerability through which hackers were able to steal someone’s credentials. All a user had to do, according to a report from a software security blog, was click on a link in the Zoom chat window; if a hacker had configured the link properly, it would connect to the user registry within Windows and provide the user’s login and password. That scenario poses a significant problem for journalists who need to keep their conversations anonymous (in a blog post published Thursday, the company said it has fixed this problem). It’s not the first back-door style vulnerability Zoom has seen: until late last year, Zoom secretly installed a hidden web server on Mac computers that could be used by hackers to take control of the video camera. (Zoom has since removed this feature.)
There are other security risks, too. For some time, Zoom has claimed on its website and in white papers that its video calls are end-to-end encrypted. But a report from The Intercept says that’s not the case—calls are encrypted for data traveling between a user and Zoom’s servers, but the company has access to information once it arrives. (Text chats are end-to-end encrypted, however.)
With true end-to-end encrypted apps like WhatsApp or Signal, all information sent in either direction and from any location is locked up, and the companies in question don’t have keys. Zoom offers less privacy, since the company could mine data for its own purposes or be compelled to do so by law enforcement. In a statement to The Intercept, Zoom said that it “only collects data as needed to provide the service,” and that it does not “mine user data or sell user data of any kind to anyone”; it does comply with legal requests from governments and law enforcement officials. And in a blog post published Thursday, the company apologized for using the term “end-to-end encryption” improperly, but promised that it does not decrypt any of the data that is transmitted.
New security risks seem to be popping up every day, however: a researcher said he found a way for hackers to easily take control of a user’s microphone and video camera (Zoom said in its Thursday blog post that it has fixed this problem as well).
Nilay Patel, the editor of the Verge, said on Twitter: “The biggest question facing Zoom is whether these gaffes are move-fast-break-things mistakes, or reflective of a deeper culture of disrespect for user privacy. Or both.” Will Zoom take advantage of the historic opportunity with which it’s been presented, or sink under the weight of problems? Until we have more answers, journalists would be wise to use Zoom with caution.
Here’s more on Zoom and its flaws:
• AG letter: Zoom is now under the scrutiny of the office of New York’s attorney general for its data privacy and security practices. On Monday, the office sent Zoom a letter asking what new security measures the company has put in place to handle increased traffic on its network and to detect hackers, according to a copy reviewed by the New York Times. The letter referred to Zoom as “an essential and valuable communications platform,” but it noted that the company had been slow to address security flaws, including those “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.”
• Use a VPN: Security experts say if you’re concerned about data leakage from Zoom, or about hackers making use of information in your calls, the best protection is to use VPN or virtual private networking software. VPN providers reroute all of your internet traffic through their own secure servers. They keep you anonymous, allow you to disguise your IP address, and provide end-to-end encryption of your data.
MORE ON ZOOM
“FBI Warning for Zoom Users.” From NPR. Click here.