Hi,
Zoom has become a household name over the last few weeks and now synonymous with video calls. People are using it for everything from office meetings, teaching, group workouts, personal training, game nights, dating, virtual parties, and family calls, as social-distancing and lockdowns remain in place worldwide. The Prime Minister of the UK, Boris Johnson, even uses it for Cabinet Meetings [Twitter].
It’s incredibly impressive that in a span of three months, Zoom has grown its user base from 10 million active users to 200 million users. And their systems have withstood that surge in traffic with barely any downtime. From a technology perspective, it’s a phenomenal achievement. Hats off to their entire team for pulling that off.
On the other hand, their handling of privacy is mind-boggling. They have made almost every privacy mistake there is to be made. Most have come to light over this past week.
😱 A Privacy Nightmare
Zoom’s iOS app was sending data to Facebook even if you didn’t have a Facebook account [Vice] - They have removed the code, but they are still facing a class-action lawsuit [Cyberscoop] and an investigation by New York’s attorney general [The New York Times].
Thousands of videos that included personally identifiable information and deeply intimate conversations were left exposed on the open web [The Washington Post].
Zoom allows hosts to see if an attendee does not have Zoom Desktop Client or Mobile App in focus for more than 30 seconds, effectively tracking who's not paying attention during a call [Huffpost].
Private chats that you may have with other participants may be exposed when the chat is downloaded for meeting minutes [Forbes].
“ZoomBombing” is now a thing. Zoom’s default settings allow anyone to share their screen. And many hosts are creating links without passwords and posting them on public websites. This is allowing strangers to join meetings and screen sharing filth to all participants on the call [TechCrunch].
A feature on Zoom secretly displayed data from people's LinkedIn profiles [The New York Times] without asking for their permission or informing them.
Zoom routed traffic for some non-Chinese through China by mistake [TechCrunch].
Zoom’s meetings are not really end-to-end encrypted and its definition of the term, lets Zoom itself access unencrypted video and audio from meetings [The Intercept].
Zoom uses unnecessary shady practices during installation on macOS [VMRAY] that mimics those used by malware. An ex-NSA Hacker has already provided details of how this can be exploited [TechCrunch].
These privacy oversights are not just side-effects of the surge in traffic due to the coronavirus. In July 2019, Apple had to issue a silent update to all Mac computers to remove a hidden web server installed by Zoom [TechCrunch].
The video conferencing giant took flack from users following a public vulnerability disclosure on Monday by Jonathan Leitschuh, in which he described how “any website [could] forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.” The undocumented web server remained installed even if a user uninstalled Zoom. Leitschuh said this allowed Zoom to reinstall the app without requiring any user interaction.
⚒️ Fixing the Situation
To their credit, Zoom is being very responsive to most of the issues and has already fixed some of them. In a blog post [Zoom Blog], Founder and CEO Eric Yuan, addressed many of the points and what they’ve done to fix them or what is in progress. He even promises to suspend all new-feature development and focus on fixing all the safety and privacy issues over the next three months:
Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust. This includes:
Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
Preparing a transparency report that details information related to requests for data, records, or content.
Enhancing our current bug bounty program.
Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
Engaging a series of simultaneous white box penetration tests to further identify and address issues.
Starting next week, I will host a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates to our community.
The response is commendable and Eric Yuan sounds sincere. But I’ll reserve judgment on whether they’ve done enough to address all these privacy violations after the 90 days.
It appears to me that Zoom’s culture is one in which privacy is an afterthought, and almost irrelevant. All types of software have bugs. It’s inevitable. Sometimes, those bugs will be privacy bugs. However, most of these privacy violations by Zoom are willful implementations, not software bugs. This suggests a culture of a lack of respect for privacy.
Many of these issues were fixed only once they were discovered and highlighted in the media. Their responses appear to be more of a PR response, while what is required is a change in their corporate culture where privacy is a priority. That is not possible in 90 days, but I hope it’s a start towards that.
Zoom is great software and loved by millions of people around the world. For many, it’s a lifeline during these times of self-quarantines, lockdowns, and social-distancing. Fixing these issues and prioritizing users’ privacy will make it a loved and respected company. This tweet says it perfectly:
Here are some steps that you can take now to better secure your Zoom meetings [MakeUseOf].
📱 Tech in the age of coronavirus
⚙️ As supply chains and manufacturing are disrupted by government lockdowns worldwide, D.I.Y. solutions are coming to the rescue [The New York Times]. Gui Cavalcanti started the Open Source COVID19 Medical Supplies Facebook group which now has almost 50,000 members. Together, they are building a catalogue of open-source solutions to make face masks, oxygen masks, hand sanitizer, ventilators, and other equipment.
In Wisconsin, three engineers headed by Lennon Rodgers, director of the Engineering Design Innovation Lab at the University of Wisconsin-Madison, made a prototype of a face shield [WIRED] which was approved by the UW Hospital. They made more than 1,000 face shields for the hospital to use. Ford picked up the design and is making more than 75,000 face shields through a subsidiary.
💨 Virgin Orbit, normally builds and operates satellite launchers. However, to address the shortage of ventilators, their team has developed a new mass-producible bridge ventilator to help with COVID-19 [Virgin Orbit]. Bridge ventilators help to treat moderate cases to free up high-end ventilators for more serious patients. Virgin Orbit is currently waiting for FDA approval before commencing manufacturing. (🎩Hat tip to Tushar for sharing this article.)
💻 A couple of weeks ago, 400 cybersecurity volunteers from more than 40 countries formed a group called the COVID-19 CTI League [Reuters]. They will work together to thwart hacks against medical facilities, health organizations, and other frontline responders. They have already dismantled one campaign trying to spread malicious software. Rogers, a member of the group, says:
“I have never seen this level of cooperation,” Rogers said. “I hope it continues afterwards, because it’s a beautiful thing to see.”
🔎 (Lack of) Privacy in the age of coronavirus
🤳 The Indian State of Karnataka is mandating that those quarantined at home send them a selfie every hour [BuzzFeed] from 7 am to 10 pm. The selfie has to be taken through an app created by the government which also sends their GPS coordinates. Those who violate the rules are transferred to government-run quarantine centres that are very unsanitary.
🕵️♂️ NSO Group, an Israeli cyber-security company has created software that uses mobile data to monitor and predict the spread of the coronavirus [BBC]. In an ongoing lawsuit, NSO Group has been accused of supplying software to the Saudi government, which the country is said to have used to spy on the journalist Jamal Khashoggi before his murder. WhatsApp has also sued them for allegedly sending malware to the phones of human rights activists and journalists. (🎩Hat tip to Darshit for sharing this article.)
🚶♀️ Google launched a COVID-19 Community Mobility Report that uses location data shared by its users to provide insights into mobility trends over time in different locations and places of interest. They say this is data that has been explicitly shared by their users via an opt-in and all the data is anonymized. (🎩Hat tip to Shruthi for sharing this article.)
☣️ Edward Snowden warns 'bio-surveillance' may outlast coronavirus [Big Think] - This is a must-read. Snowden provides a dire warning that governments may persist with surveillance installed to curb the spread of the coronavirus long after it’s gone. I had mentioned this was a fear of mine too in Issue #21 of this newsletter.
Quote of the week
"They already know what you're looking at on the internet," he said. "They already know where your phone is moving. Now they know what your heart rate is, what your pulse is. What happens when they start to mix these and apply artificial intelligence to it?
—Edward Snowden, from the article on Big Think, warning about bio-surveillance
I wish you privacy, good health, and a brilliant day ahead :)
Neeraj