The Privacy Plague Starts at Home

Self-isolation and lockdowns have fueled a surge in remote work, overcoming earlier corporate resistance to allowing, let alone encouraging, working from home. The remote work culture, commonplace for freelancers and other gig economy participants, has proven novel for displaced office workers. The presence of barking dogs, toddlers, spouses and other ambient noise generators adds character to otherwise banal meetings. So does the knowledge that on video calls, beneath the clean-cut appearance of co-workers or behind their avatars, they may actually be lacking pants or sporting bed hair and incipient beards.

The Coronavirus crisis is also sorely testing the limits of the technology that supports remote working. The distinction between a conferencing service and a webinar platform is now a blur. Video meeting applications that seldom saw more than a dozen concurrent participants now must regularly handle 10X that number. Platforms that hosted a few thousand simultaneous conference calls find themselves severely stress tested with 100X that volume.

And then there’s security.

As remote work and online meetings have become the new normal, the level of sensitive content has risen as well. Video conferences now regularly include sharing of proprietary corporate information, financial data, HIPAA-governed medical data and other heretofore closely held content. While mature platforms like Cisco WebEx and Microsoft Teams focus great energy and substantial experience on securing their conferencing services, newer arrivals to the remote gold rush have been markedly less assiduous in protecting their customers’ conversations and content.

While we are hesitant to point a finger at particular platforms and vendors, Zoom is certainly a case in point. While the company was founded in 2011, its market presence only really took off in the last 1–2 years, especially through corporate resale channels and with enterprise custom branding. Zoom’s relative ease of use and cross-pollination by displaced enterprise workers and sundry house-bound groups (schools, medical providers, politicians) have made Zoom into the darling of the locked-down social set. What makes Zoom remarkable is the company’s and platform’s wild missteps during the last year:

  • Zoombombing: Minimal authentication and other security have allowed trolls and other interlopers to show up in meetings uninvited to spy and disrupt.
  • The malware client: The Zoom desktop app installation silently bypassed security checks in macOS and Windows to ease and accelerate on-boarding. The installation hack left users vulnerable to takeover of webcams and other resources even after removal of the Zoom client software. The decision to bypass was defended by Zoom security chief Richard Farley as being “the right decision . . . at the request of some of our customers.”
  • Forced Update: The issue proved so serious that Apple force-deployed a silent update to remove the Zoom component, the first time Cupertino has ever publicly taken action against a popular app. (Ultimately, Zoom did apply their own patches to improve the app’s security posture.)
  • Data Mining: The Zoom privacy policy permits the company to mine call content and sell it to advertisers like Facebook. Princeton CS prof Arvind Narayanan calls Zoom a “privacy disaster,” with “creepy” tracking features that send info to Facebook and inform meeting hosts when you switch away from the app.
  • Encryption Deceit: The Zoom website touts end-to-end encryption but provably offers limited or no such functionality, although they apparently promised to try and do better. And when Zoom does encrypt, key generation and storage occur in China (for better or worse), and “it’s also unclear how Zoom generates keys and whether they’re adequately random or might be predictable.”

This list goes on, with consequences. Apple, Google, the FBI, NASA, SpaceX, the U.K. Ministry of Defense and many public schools have either banned the platform or issued advisories regarding its use.

While Zoom is currently the poster slouch for lax security and privacy practices, their issues are commonplace across social and conferencing platforms: slapdash apps developed (sometimes intentionally) by companies and contractors with limited or non-existent privacy and security policies and experience. And while Zoom’s woes have reached the mainstream media, mainstream users remain unaware or unconcerned about the risks presented by those platforms.

My own experience confirms this knowledge and attitude gap.

  • In a recent telemedicine session, my personal physician was unaware that his choice of platform was likely in violation of the HIPAA constraints that also prevent me from communicating with him by email. He shrugged off my concerns but offered to speak next time via phone. His office then charged me $110 for my twenty minutes.
  • Last week an Israeli IT security firm that I work with set up a Zoom call. When I protested, their team (all ex-IDF) suggested that my concerns were, well, paranoid.
  • Just today a friend asked for my assistance in filling out an online medical marijuana waiver/consent form. Upon completion, her doctor’s assistant provided a link to a telemedicine session on . . . you guessed it.

Like Groucho Marx’s lamented “good five-cent cigar”, the world is sorely lacking a good, cheap and secure social conferencing platform. In a future blog, we’ll examine whether or not there’s an iron triangle standing in our way.