[Ed. note: Today’s newsletter and column was written and distributed before Zoom CEO Eric S. Yuan published his 1,300-word plan to address the security and privacy issues related to the company’s unprecedented consumer growth. What follows is unedited because email is forever.]
Just in time for one backlash against the technology industry to end — or at least pause — a fresh set of concerns has arrived to occupy our attention. Zoom, the once-obscure enterprise video chat app company, rocketed to prominence as COVID-19 forced tens of millions of Americans — and most of Silicon Valley — to begin working, schooling, and socializing at home. Like lots of people, I’m now on Zoom for multiple hours a day. But with all that new usage comes heightened scrutiny — and in the first weeks of the Great Social Distancing, Zoom has repeatedly come up short.
The first problem was the Zoombombings. I don’t know if I was the first victim of this, but I was certainly one of them. My friend Hunter and I started a virtual happy hour a few weeks ago, and after we tweeted the links, some trolls kept stopping by to take over our screens and share porn. We quickly learned how to fix the problem, but Zoombombings continue every day. The FBI is looking into it, and so is the New York attorney general’s office. The problem is that Zoom allows people who have joined your call to share their own screens by default, and the controls for changing this setting are difficult to find.
The second problem was that Zoom began to generate directories of every email address that signed into a call and then let strangers start placing video calls to one another. As with screen sharing enabled by default, this was arguably a feature that made sense for intra-company chats but not for broadcast. Joseph Cox had the story at Vice:
The issue lies in Zoom’s “Company Directory” setting, which automatically adds other people to a user’s lists of contacts if they signed up with an email address that shares the same domain. This can make it easier to find a specific colleague to call when the domain belongs to an individual company. But multiple Zoom users say they signed up with personal email addresses, and Zoom pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another.
“I was shocked by this! I subscribed (with an alias, fortunately) and I saw 995 people unknown to me with their names, images and mail addresses,” Barend Gehrels, a Zoom user impacted by the issue and who flagged it to Motherboard, wrote in an email.
The third problem was that Zoom ran around telling everyone that its platform is “end-to-end encrypted,” when in fact it had redefined “end-to-end encryption” without telling anyone. Micah Lee and Yael Grauer had the story in The Intercept:
As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption, explained further below. [...]
The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and this article (on https://theintercept.com) is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company. (In a statement, Zoom said it does not directly access, mine, or sell user data.)
There are other problems. Like, it turns out Zoom evades macOS administrator controls to install itself without you having to ask your boss for permission. And there is a way to steal someone’s Windows credentials over Zoom by sharing hyperlinks, although arguably that is more of a Windows problem than a Zoom problem. To round out the list, a security researcher on Wednesday found two additional ways to exploit Zoom and wrote about them on his blog.
At this point, you may be wondering what Zoom has to say about all this. Over at Protocol, David Pierce talks to Zoom’s chief marketing officer, Janine Pelosi, about the past few weeks. He writes:
“The product wasn’t designed for consumers,” Zoom CMO Janine Pelosi told me, “but a whole lot of consumers are using it.” That’s forced Zoom to evaluate a lot about the platform, but especially its default privacy settings.
On the surface, this sounds reasonable. Zoom is a business tool, but it’s now being used outside of businesses, and so new vulnerabilities have emerged. And yet that argument is challenged by all of the problems above, which basically resolve to this: in order to make a popular video chat app, you have to make it extremely easy to use.
In other words, you have to make it a consumer app.
In the old days — the 1990s, basically — the tools you used for work were decided by your workplace. They bought you your computer, and your license for Microsoft Office, and whatever other arcane and generally awful-to-use programs you needed to get your job done.
That all changed once people got mobile phones and could begin using whichever programs they wanted to. A new class of productivity tools arose emphasizing design and ease of use: Google Docs, Box, Dropbox, and Evernote led the way, with Trello, Asana, and Slack following a few years afterward. These were tools built for work, but they were designed for consumers. It’s why they succeeded.
Zoom learned that lesson, and has applied it consistently since its founding in 2011. Designing for consumers is why, for example, Zoom goes to such great lengths to install itself on your Mac without you having to get permission from an admin. Designing for consumers is why Zoom tries to generate a company directory on your behalf. Designing for consumers is why Zoom allows you to log in with Facebook. (Something else it got in trouble for — perhaps wrongly — this week.)
And to be clear, designing for consumers has been a good choice for Zoom. It helped the company grow much faster than the competition — most notably Skype, which seems to have been caught flat-footed by the moment. Zoom has so much momentum at this moment that creating virtual backgrounds for your calls — a fun and distinctive and extremely consumer-y feature of the product — has suddenly become a key marketing platform for Hollywood.
Consumer-grade ease of use is essential for a tool like Zoom — but so is enterprise-grade security. That’s what its business customers are paying for, after all, and it’s why Zoom is going to have to start shoring up its platform in a hurry. Ben Thompson has a good idea for stopping the Zoomlash in its tracks:
Freeze feature development and spend the next 30 days on a top-to-bottom review of Zoom’s approach to security and privacy, followed by an update of how the company is re-allocating resources based on that review.
That won’t stop the occasional zero-day exploit from popping up. But it would go a long way toward demonstrating that the company understands the stakes of our new world and is prepared to act accordingly. Zoom’s problem has never been that, as its chief marketing officer says, “it wasn’t designed for consumers.” The problem is that it was.
Today in news that could affect public perception of the big tech platforms.
🔼Trending up: Google is partnering with California lawmakers to give out 4,000 Chromebooks to students in need in California. It’s also providing free wifi to 100,000 rural households during the coronavirus pandemic to make remote learning more accessible.
🔃Trending sideways: Facebook, Twitter, and YouTube are adopting stricter policies to limit coronavirus scams and stop misinformation on the platforms. But people keep posting things that clearly violate the rules. The situation underscores how the companies are engaged in an infinite game of whack-a-mole that’s tough to win.
Amazon workers at a fulfillment center near Detroit, Michigan, plan to walk out over the company’s handling of COVID-19. Workers say management was slow to notify them about new coronavirus cases and didn’t provide adequate cleaning supplies. (Josh Dzieza / The Verge)
Amazon ignored social distancing guidelines at recruiting events as it races to hire 100,000 new workers. The company has since begun making the events virtual. (Spencer Soper and Matt Day / Bloomberg)
Palantir is in talks with France, Germany, Austria and Switzerland about using its software to help them respond to COVID-19. The data-analytics firm says its technology can do everything from helping to trace the spread of the virus to allowing hospitals to predict staff and supply shortages. (Helene Fouquet and Albertina Torsoli / Bloomberg)
Palantir is also behind a new tool being used by the Centers for Disease Control (CDC) to monitor how the coronavirus is spreading. The tool will also help the CDC understand how well equipped hospitals are to deal with a spike in cases. (Thomas Brewster / Forbes)
A group of European experts are preparing to launch an initiative to trace people’s smartphones to see who has come into contact with those who have COVID-19. The goal is to help health authorities act swiftly to stop the spread of the virus in a way that is compliant with the General Data Protection Regulation. (Douglas Busvine / Reuters)
School closures are leading to a new wave of student surveillance. Colleges are racing to sign deals with online proctor companies that watch students through their webcams while they take exams. (Drew Harwell / The Washington Post)
Facebook is expanding its Community Help feature as part of the company’s COVID-19 efforts. The new COVID-19 Community Help hub will allow people to request or offer help to those impacted by the coronavirus outbreak. (Sarah Perez / TechCrunch)
Here’s how Sheryl Sandberg is dealing with the coronavirus pandemic. She’s quarantining at home with her fiance and kids and raising millions for her local food bank. (Alyson Shontell / Business Insider)
Coronavirus is forcing couples to cancel their weddings, but some people are getting creative and live-streaming their nuptials on Zoom. (Zoe Schiffer / The Verge)
Doctors are turning to Twitter and TikTok to share coronavirus news. They’re trying to combat the bad medical advice that’s circulating around the big platforms. (Kaya Yurieff / CNN)
A Chinese diplomat has been helping to spread a conspiracy theory that the United States and its military could be behind the coronavirus outbreak. Here’s how that hoax started. (Vanessa Molter and Graham Webster / Stanford Internet Observatory)
The coronavirus pandemic shows why Comcast could get rid of its data caps permanently without killing its business. (Jon Brodkin / Ars Technica)
Hackers are taking advantage of the coronavirus pandemic to launch cyberattacks against healthcare providers. In one instance, the criminals used encryption to lock down thousands of the company’s patient records and promised to publish them online if a ransom wasn’t paid. (Ryan Gallagher / Bloomberg)
Startups are desperately fighting to survive the coronavirus pandemic. Some are laying off workers and slashing costs — but even that might not be enough. (Erin Griffith / The New York Times)
Americans streamed 85 percent more minutes of video in March 2020 compared to March 2019. Binge watching on Hulu has grown more than 25 percent in the past two weeks alone. (Sara Fischer / Axios)
Snap says video calling is up 50 percent month over month. This blog post about how usage has changed with the coronavirus pandemic is the kind of check-in I’ve been asking for from big tech companies.
Rebecca Jennings invites you to post with abandon. She says the digital world is now a far happier place than the real world, which is a perfect excuse for you to spend time on social media doing various Instagram and TikTok challenges. (Rebecca Jennings / Vox)
Total cases in the US: 205,172
Total deaths in the US: At least 4,500
Reported cases in California: 8,582
Reported cases in New York: 83,760
Reported cases in Washington: 5,292
⭐Democrats are worried that Google’s ban against most ads related to COVID-19, from nongovernmental organizations, could help Trump get re-elected. They say it allows the President to run ads promoting his response to the crisis while denying Democrats the chance to run ads criticizing this response. Emily Birnbaum at Protocol reports:
Prominent Democratic PACs in recent days have funneled millions of dollars into television ads accusing Trump of mishandling the coronavirus crisis. But staffers of several Democratic nonprofits and digital ad firms realized this week that they would not be able to use Google’s dominant ad tools to spread true information about President Trump’s handling of the outbreak on YouTube and other Google platforms. The company only allows PSA-style ads from government agencies like the Centers for Disease Control and trusted health bodies like the World Health Organization. Multiple Democratic and progressive strategists were rebuked when they tried to place Google ads criticizing the Trump administration’s response to coronavirus, officials within the firms told Protocol.
Google’s data centers use billions of gallons of water to keep processing units cool. Some of the centers are located in dry areas that are struggling to conserve their supplies. (Nikitha Sattiraju / Bloomberg)
As presidential candidates pivot to campaigning almost entirely online, political tech startups are scrambling to keep up with demand. Business is booming for companies that allow candidates to easily text or call voters and donors. (Issie Lapowsky / Protocol)
Wisconsin faces a shortage of poll workers and a potential dip in voter turnout due to the coronavirus pandemic, but the state is moving forward with its April 7th primary anyway. (Zach Montellaro / Politico)
Oracle founder Larry Ellison is helping President Trump build a database of COVID-19 cases. He’s also turning his Hawaiian island resort into a health and wellness laboratory powered by data, whatever that means! It all promises to be a very good Netflix series someday. (Angel Au-Yeung / Forbes)
Facebook is stepping up its efforts to help with the US census. Facebook and Instagram now have notifications reminding people to complete the census, and the company is also working to combat misinformation about the process. (Facebook)
⭐YouTube is planning to launch a rival to TikTok called Shorts by the end of the year. The app will take advantage of YouTube’s catalog of licensed music by allowing users to choose songs as soundtracks for their videos. Alex Heath and Jessica Toonkel at The Information have the story:
TikTok’s business is small relative to that of YouTube, which had more than $15 billion in advertising revenue last year. ByteDance makes the vast majority of its revenue in China—including from its local TikTok equivalent, known as Douyin—and has used its financial resources to aggressively advertise TikTok in the U.S. and elsewhere. In a note to employees late last year, ByteDance CEO Zhang Yiming urged them to “diversify TikTok’s growth” and “increase investment in weaker markets,” according to Reuters.
The part of the economy dedicated to creating novel Instagram backdrops is tanking due to the coronavirus pandemic. Color Factory and Museum of Ice Cream both shut down for now, laying off most employees. (Ashley Carman / The Verge)
YTMND is back, nearly a year after being brought down by a server failure. The site has modernized a bit, and no longer needs Flash to view its archive of looping GIFs and synchronized music. (Jacob Kastrenakes / The Verge)
Jack Black joined TikTok. His first video shows him doing a dance he calls the “Quarantine Dance.” He’s, um, shirtless. And wearing cowboy boots. (Taylor Lyles / The Verge)
Animal Crossing’s social media explosion has left some fans feeling frustrated and jealous of other people’s elaborate designs. The game has become a phenomenon on social media in part because of a new button that lets players easily share screenshots. (Patricia Hernandez / Polygon)
Things to do
Stuff to occupy you online during the quarantine.
Participate in the 2020 census! It takes about 10 minutes and helps direct billions of dollars in federal funding to local communities. (And if you won’t listen to me, perhaps you’ll listen to Sheryl Sandberg.)
Go to one of these virtual events with authors and illustrators creating content specifically for kids.
Watch Protocol’s Issie Lapowsky interview Rep. Ro Khanna, who represents Silicon Valley, in a Zoom meetup on Thursday at noon PT.
Talk to us
Send us tips, comments, questions, and Zoom vulnerabilities: email@example.com and firstname.lastname@example.org.