Zoom under pressure

It’s the kind of problem many companies would love to have: suddenly people are using your product by the millions, to the point that it has become mission-critical for many, including journalists. Unfortunately for Zoom, what caused the demand (the company says twenty times more people are using the software now than used it in December of 2019) was a global pandemic, one that has exposed some of Zoom’s troubling weaknesses. A few are funny: Boris Johnson, prime minister of the United Kingdom, inadvertently shared the ID number for a cabinet meeting he held via Zoom, opening the door to anyone seeking to log on; a manager at a progressive advocacy group accidentally ran a meeting as a potato.

Somewhat more serious (although still on the nuisance end of the spectrum), attendees on some Zoom calls have been interrupted by pornography, thanks to a phenomenon that some are calling “Zoom-bombing” (borrowed from “photo-bombing”). Trolls appear to be dialing in to random Zoom calls and displaying porn videos or blasting other annoying audio and video. In a statement, Zoom said that hosts can prevent this by requiring a password, or by making use of various features such as the Waiting Room, which keeps new visitors at bay until the host allows them to enter. “We are deeply upset to hear about the incidents involving this kind of attack,” the company said.

Some flaws, however, can be extreme, such as a Windows vulnerability through which hackers were able to steal someone’s credentials. All a user had to do, according to a report from a software security blog, was click on a link in the Zoom chat window; if a hacker had configured the link properly, it would connect to the user registry within Windows and provide the user’s login and password. That scenario poses a significant problem for journalists who need to keep their conversations anonymous (in a blog post published Thursday, the company said it has fixed this problem). It’s not the first backdoor-style vulnerability Zoom has seen: until late last year, Zoom secretly installed a hidden Web server on Mac computers that could be used by hackers to take control of the video camera. (Zoom has since removed this feature.)

Related: America’s local newspapers confront an apocalypse

There are other security risks, too. For some time, Zoom has claimed on its website and in white papers that its video calls are end-to-end encrypted. But a report from The Intercept says that’s not the case—calls are encrypted for data traveling between a user and Zoom’s servers, but the company has access to information once it arrives. (Text chats are end-to-end encrypted, however.) With true end-to-end encrypted apps like WhatsApp or Signal, all information sent in either direction and from any location is locked up, and the companies in question don’t have keys. Zoom offers less privacy, since the company could mine data for its own purposes or be compelled to do so by law enforcement. In a statement to The Intercept, Zoom said that it “only collects data as needed to provide the service,” and that it does not “mine user data or sell user data of any kind to anyone”; it does comply with legal requests from governments and law enforcement officials. And in a blog post published Thursday, the company apologized for using the term “end-to-end encryption” improperly, but promised that it does not decrypt any of the data that is transmitted between users of the service.

New security risks seem to be popping up every day: a researcher said he found a way for hackers to easily take control of a user’s microphone and video camera (Zoom said in its Thursday blog post that it has fixed this problem as well). Nilay Patel, the editor of The Verge, said on Twitter: “The biggest question facing Zoom is whether these gaffes are move-fast-break-things mistakes, or reflective of a deeper culture of disrespect for user privacy. Or both.” Will Zoom take advantage of the historic opportunity with which it’s been presented, or sink under the weight of problems? Until we have more answers, journalists would be wise to use Zoom with caution.

Sign up for CJR's daily email

Here’s more on Zoom and its flaws:

  • Data leakage: Zoom is being sued by a user who claims it’s illegally disclosing personal information. Zoom collects data when users install or open the application; then, according to the lawsuit, the company shares it, without proper notice, to third parties, including Facebook. The suit, filed Monday in federal court in San Jose, California, contends that Zoom’s privacy policy doesn’t explain to users how it’s feeding Facebook. Zoom told Motherboard, which first reported on the data sharing, that it has removed the relevant code.
  • Privacy flaws: After receiving a damning review in Consumer Reports, Zoom rewrote parts of its privacy policy. Zoom’s original policy allowed the company to collect information from users’ meetings—from videos to transcripts to the notes that users might share through Zoom’s chat feature—and use that information for ad targeting.
  • AG letter: Zoom is now under the scrutiny of the office of New York’s attorney general for its data privacy and security practices. On Monday, the office sent Zoom a letter asking what new security measures the company has put in place to handle increased traffic on its network and to detect hackers, according to a copy reviewed by the New York Times. The letter referred to Zoom as “an essential and valuable communications platform,” but it noted that the company had been slow to address security flaws, including those “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.”
  • Use a VPN: Security experts say if you’re concerned about data leakage from Zoom, or about hackers making use of information in your calls, the best protection is to use VPN, or virtual private networking, software. VPN providers reroute all of your internet traffic through their own secure servers. They keep you anonymous, allow you to disguise your IP address, and provide end-to-end encryption of your data.

 

Other notable stories:

  • The White House Correspondents’ Association, which organizes presidential briefings, published a statement Wednesday saying it had removed the One America News Network, a right-wing organization, from the regular rotation of seats in the briefing room (although it didn’t mention OANN by name). The WHCA imposed rules last month on how many reporters could attend briefings in order to ensure that they maintain a safe distance due to covid-19. Only fourteen reporters are allowed to attend at a time, spaced out across the room’s forty-nine seats. White House reporters say an OANN reporter, Chanel Rion, broke the rules twice by standing at the back of the room, claiming she was personally invited by Stephanie Grisham, the White House press secretary. “We do not take this action lightly,” the WHCA board wrote in its statement. “This is a matter of public safety.”
  • JPI Media, owner of the Yorkshire Post and Scotsman, newspapers in the United Kingdom, is putting 350 employees on furlough and cutting the salaries of those who continue working by up to 15 percent. David King, the chief executive of JPI, said 250 sales staff and some 100 other employees will be put on leave “in light of the significant reduction in advertising volumes.” The London Evening Standard, too, has furloughed a number of full-time employees, and all other employees have had their pay reduced by 20 percent for two months, down to a floor of $65,700. And City AM staff will be put on furlough; the digital edition is suspended. Staff who continue to work will be paid 80 percent of their salary.
  • Edward Felsenthal, the CEO of Time, on the other hand, not only pledged to his staff, of 275, that the company wouldn’t have any layoffs for ninety days, but also that Time would continue growing through new hires, investment in consumer products, and its documentary division. “We’re fortunate,” Felsenthal said of the company’s owners—Marc Benioff, CEO of Salesforce, and his wife, Lynne Benioff, a philanthropist—who also promised there would be no significant layoffs at Salesforce for ninety days.
  • The Reporters Committee for Freedom of the Press has released its US Press Freedom Tracker report for 2019, which notes that journalists in the United States continue to find themselves the targets of physical attacks and threats. According to the tracker, there were thirty-four physical attacks on journalists last year, and data suggested that female reporters were at particular risk of sexual abuse. President Trump’s statements criticizing the press also increased in 2019, setting new records for the number of times he called the media “fake news.”
  • As part of our ongoing Year of Fear series, CJR and The Delacorte Review have been bringing you coverage of how the upcoming election is affecting American towns. In the latest chapter, Sandra Sanchez writes about how Nayda Alvarez and her family, in Texas, are watching the border with Mexico. They are afraid Trump might close the border, or blame Mexicans and other migrants for delivering the coronavirus.
  • More than seventy journalists and professors signed an open letter on Wednesday addressed to Rupert and Lachlan Murdoch, criticizing the way Fox News has handled its reporting on the coronavirus. Viewers, including Trump, “have been regularly subjected to misinformation relayed by the network,” the letter states, “false statements downplaying the prevalence of covid-19 and its harms; misleading recommendations of activities that people should undertake to protect themselves and others, including casual recommendations of untested drugs; false assessments of the value of measures urged upon the public by their elected political leadership and public health authorities.”
  • Facebook and Fox News will be hosting a virtual town hall Thursday at 7pm about the coronavirus pandemic, using Facebook’s Portal video-calling devices. Facebook is shipping a Portal Plus device to every audience member, some thirty people, so they can participate.
  • A number of news organizations are boycotting presidential briefings—not just because they seem increasingly hard to justify as news, but also because editors are concerned about the health risks. Two White House correspondents are already suspected of having contracted covid-19. That the New York Times, the Washington Post, and CNBC, among other outlets, would stay away from the briefing room may fundamentally change the character of the briefings.
  • Both MSNBC and CNN cut away from Trump’s most recent press briefing on the coronavirus before it was finished. MSNBC carried most of the proceedings live, though Chuck Todd warned his audience in advance that “we know these briefings have a tendency to veer in a lot of directions. Not all of them are informative or relevant in the midst of this crisis.” CNN skipped Trump’s opening remarks and started airing the briefing only when the lectern was ceded to Deborah Birx and Anthony S. Fauci, the medical experts on the president’s covid-19 task force.
  • The website of the Boston Globe has launched a feature called Boston Helps that readers can use to connect with people who might need assistance during the covid-19 quarantine. Matt Karolian, the general manager of Boston.com, tells the Nieman Lab that Boston Helps gives people five ways to support a neighbor: paying for someone’s groceries; paying for someone’s essential toiletries; paying for meal delivery; paying for a ride-share service; or making a general donation. CJR spoke with Karolian recently in a Galley discussion.
  • The Philadelphia Inquirer writes about Alice Stockton-Rossini, a radio reporter for 710 WOR, a station in New York. Stockton-Rossini spent days reporting from a coronavirus containment zone in New Rochelle, then went to a ninetieth-birthday party she had planned for her mother. Not long afterward, both she and her mother got sick; her mother was hospitalized and tested positive for covid-19. Two of the people who attended the party have since died, including her mother’s next-door neighbor. “I can hardly bear it,” Stockton-Rossini said. “I had to tell my mother her best friend died.”

ICYMI: Why did Matt Drudge turn on Donald Trump?

Has America ever needed a media watchdog more than now? Help us by joining CJR today.

Mathew Ingram is CJR’s chief digital writer. Previously, he was a senior writer with Fortune magazine. He has written about the intersection between media and technology since the earliest days of the commercial internet. His writing has been published in the Washington Post and the Financial Times as well as by Reuters and Bloomberg.