Just in time for
one backlash against the technology industry to end — or at least pause — a fresh set of concerns has arrived to occupy our attention. Zoom, the once-obscure enterprise video chat app company, rocketed to prominence as COVID-19 forced tens of millions of Americans — and most of Silicon Valley — to begin working, schooling, and socializing at home. Like lots of people, I’m now on Zoom for multiple hours a day. But
with all that new usage comes heightened scrutiny — and in the first weeks of the Great Social Distancing, Zoom has repeatedly come up short.
The first problem was the
Zoombombings. I don’t know if I was the first victim of this, but I was certainly one them. My friend Hunter and I started a virtual happy hour a few weeks ago, and after we tweeted the links, some trolls kept stopping by to take over our screens and share porn. We quickly learned how to
fix the problem, but Zoombombings
continue every day.
The FBI is looking into it, and so is
the New York attorney general’s office. The problem is that Zoom allows people who have joined your call to share their own screens by default, and the controls for changing this setting are difficult to find.
The second problem was that Zoom began to generate directories of every email address that signed into a call and then let strangers start placing video calls to one another. As with screen sharing disabled by default, this was arguably a feature that made sense for intra-company chats but not for broadcast.
Joseph Cox had the story at Vice:
The issue lies in Zoom’s “Company Directory” setting, which automatically adds other people to a user’s lists of contacts if they signed up with an email address that shares the same domain. This can make it easier to find a specific colleague to call when the domain belongs to an individual company. But multiple Zoom users say they signed up with personal email addresses, and Zoom pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another.
”I was shocked by this! I subscribed (with an alias, fortunately) and I saw 995 people unknown to me with their names, images and mail addresses.” Barend Gehrels, a Zoom user impacted by the issue and who flagged it to Motherboard, wrote in an email.
The third problem was that Zoom ran around telling everyone that its platform is “end-to-end encrypted,” when in fact it had redefined “end-to-end encryption” without telling anyone. Micah Lee and Yael Grauer
had the story in The Intercept:
As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s
website, its
security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption, explained further below. […]
The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and this article (on https://theintercept.com) is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company. (In a statement, Zoom said it does not directly access, mine, or sell user data.)
At this point, you may be wondering what Zoom has to say about all this. Over at
Protocol, David Pierce talks to Zoom’s chief marketing officer, Janine Pelosi, about the past few weeks.
He writes:
“The product wasn’t designed for consumers,” Zoom CMO Janine Pelosi told me, “but a whole lot of consumers are using it.” That’s forced Zoom to evaluate a lot about the platform, but especially its default privacy settings.
On the surface, this sounds reasonable. Zoom is a business tool, but it’s now being used outside of businesses, and so new vulnerabilities have emerged. And yet that argument is challenged by all of the problems above, which basically resolve to this: in order to make a popular video chat app, you have to make it extremely easy to use.
In other words, you have to make it a consumer app.
In the old days — the 1990s, basically — the tools you used for work were decided by your workplace. They bought you your computer, and your license for Microsoft Office, and whatever other arcane and generally awful-to-use programs you needed to get your job done.
That all changed once people got mobile phones and could begin using whichever programs they wanted to. A new class of productivity tools arose emphasizing design and ease of use: Google Docs, Box, Dropbox, and Evernote led the way, with Trello, Asana, and Slack following a few years afterward. These were tools built for work, but they were designed for consumers. It’s why they succeeded.
Zoom learned that lesson, and has applied it consistently since its founding in 2011. Designing for consumers is why, for example, Zoom goes to such great lengths to install itself on your Mac without you having to get permission from an admin. Designing for consumers is why Zoom tries to generate a company director on your behalf. Designing for consumers is why Zoom allows you to log in with Facebook. (Something else
it got in trouble for —
perhaps wrongly — this week.)
Freeze feature development and spend the next 30 days on a top-to-bottom review of Zoom’s approach to security and privacy, followed by an update of how the company is re-allocating resources based on that review.
That won’t stop the occasional zero-day exploit from popping up. But it would go a long way toward demonstrating that the company understands the stakes of our new world and is prepared to act accordingly. Zoom’s problem has never been that, as its chief marketing officer says, “it wasn’t designed for consumers.” The problem is that it was.