Bob Garfield: Since we all retreated to our homes about two weeks ago, we've been connected to one another mostly through our screens, work meetings, dinners, catch-ups with old friends, classes, religious ceremonies, weddings, funerals, they're all taking place in one place.

Female Speaker 2: We have been doing a lot of virtual happy hours with our friends over Zoom.

Female Speaker 3: Hi, good morning.

Child: Good morning Miss. Corn.

Male Speaker 5: Last weekend we did a bar mitzvah almost entirely online.

Female Speaker 6: [foreign language]

Reporter: They had a digital wedding. Friends and family logged on to the conference app Zoom, including Tony's mum.

Bob: A piece of software that until recently was mostly used for business to business conversations, Zoom has taken over our lives. Why not? It works seamlessly. For most users, it's free, which is one of the more attractive price points. As Joseph Cox recently reported on the new site Motherboard, there is no free lunch and there is no free lunch meeting. Joseph, welcome to On the Media.

Joseph Cox: Thanks for having me.

Bob: Zoom has become the default meeting place of the world. There are a lot of virtual conference apps, what's so special about this one?

Joseph: It has exploded in use, mostly because it's reliable. It can handle shoddy connections, it can also facilitate meetings of a quite large size., so if you want to catch up with friends, you're able to do that. Of course, it is free as well. It's plateaued from just a video conferencing piece of software, right up to a de facto social network now.

Bob: At last count, I believe there were 900 craptillion Zoom users, but it's free. What's the business model? It's not advertising, so what then?

Joseph: They do try to encourage people to upgrade to their more premium plans. You can pay for more features, maybe you can add more people and businesses especially, do do this as well. Of course, there is a lot of data transfer as well, is what we found.

Bob: Hold that thought. You first started reporting on Zoom in 2019. Even then, it showed itself to have one major glitch. Tell me about it.

Joseph: In 2019, a researcher found a pretty serious problem with Zoom in that a pretty skilled hacker would be able to take over a web camera of a Zoom user. Obviously, this is probably the last thing you want, when you're using a video conferencing piece of software. Fortunately, Zoom did fix that issue. Apple also had to push an update to deal with it itself as well. It put a blemish on Zoom's record.

Bob: You've been documenting the blemishes. Let's start with the Facebook data issue. Facebook and data are two words that when combined give you the heebie-jeebies. What are the particulars?

Joseph: I found that when you opened the Zoom app, it would send data to Facebook, regardless of whether you actually had an account on Facebook or not. This included the type of phone you were using, the timezone and city you were connecting from and a unique advertising ID that a company could use, potentially, to retarget advertisements in the future.

The key thing was that this was not mentioned explicitly in Zoom's privacy policy. A lot of apps do this, it's certainly not uncommon for apps to send data to Facebook, but you would hope for users to make an informed decision that companies would actually disclose that information. That's not what they did here. When I contacted Zoom for comments, they took some time, but a few days later, they actually decided to remove the code that sent the data to Facebook.

Bob: Didn't they claim that they weren't even aware that this code was in their software and that Facebook was getting this data? Is it like yeast sitting ambient in the air? How could they not realize that the code was there?

Joseph: Lots of companies including Facebook, they push out these so-called software development kits or SDKs, which are basically bundles of code, that lessen up to lots of features, but it means that the app developer doesn't have to build it from the ground up themselves. You could use the Facebook SDK to, perhaps, log in to Zoom via Facebook. Of course, the side effect of that is that it can result in some of this data transfer. Zoom apparently wasn't aware of that when they started using this code.

Bob: There is something else that's going on, I guess, in the realm of unintended consequences. If you sign up to Zoom using your account company email, you get a bonus, no?

Joseph: If you sign up with your company or your work email, Zoom will pull all of those users together. Let's say I sign up with my work email Josephcox@vice.com, Zoom will then puts all other vice.com users in my contact list. This is supposed to make it easier for colleagues to communicate with one another, because it already puts them in the contacts. That's an interesting feature and it might be helpful, but some users I spoke to, they found when they were signing up with their personal email addresses, not affiliated with work whatsoever, they were having thousands of people put into their contacts ,who were complete strangers. This gave them the ability to try to start a video call with them, see their name, see their photo and see if they were online.

It seems just to be a bit of an oversight from Zoom in that they allowed some email addresses like Gmail or Yahoo to not to work with this feature, but they haven't done it for every single email domain. It's had this really weird side effect of strangers exposing their data to one another.

Bob: Are there any actual horror stories intended to this glitch?

Joseph: Not particularly with that issue, but it does relate more to the more general Zoom bombing issue.

Reporter: Zoom meetings are getting hijacked in a new trend called Zoom bombing.

Reporter: At first, it seemed like people were checking in, and then very quickly it devolved into a lot of pornographic images being dumped as screenshots.

Joseph: People are hosting their public Zoom meetings, maybe, they put out a link and they say, "Hey, we're having a guest today who's going to lecture about something or educate us about something, and you're welcome to join if you want." Some people are joining and then using a feature in Zoom that allows them to share what's on their computer, they press the button, and then they are bombarding the Zoom call with hardcore pornography, right up to hate speech against racial minorities.

There is a real spectrum here of or it may be a funny little prank, right up to when it can actually be targeted harassment as well. You could put a password on your meeting, but if you want it to be public, you don't want to do that. You'd then have to go into the settings and disable something else, like not letting people share their screens. The burden is delegated to the user to work that out.

Bob: There's one final issue and that concerns the company's claim that it offers end-to-end encryption of its meetings. That just isn't true?

Joseph: Yes. In their marketing material and on their website, Zoom promptly says that it has end-to-end encryption. This means in short, that if I'm having a Zoom conference call, the only two entities who are going to be able to read that communication or view it, is going to be me and the person I was speaking to. That is the attraction of end-to-end encryption and why messaging platforms such as WhatsApp have rolled this out. However, Zoom simply does not use end-to-end encryption, even though it says it does.

The intercept found that when they went through the technical details and approach the company, Zoom admitted, it doesn't actually do this. Of course, that is an incredibly misleading marketing. That needs to be remedied and users need to be aware of that. There is also a trade-off because Zoom has become so large, so rapidly, and technical limitations of you being able to dial into a meeting with a telephone call rather than with the computer, it's actually quite complicated to get end-to-end encryption going, but that doesn't mean they should be misleading users about that all.

Bob: It turned out that the only thing that was end-to-end encrypted was the messaging that Zoom users could do back and forth individually, while in the larger meeting.

Joseph: Right, and of course, if a user reads the website and sees end-to-end encryption, it's going to be fair to the user to assume that, "Oh, that means my Zoom meetings, my big conference calls with my friends or my company, are also encrypted in this way." Unfortunately, that's not the case. This sort of encryption they use, does potentially give Zoom the possibility to look at more user data, than it would be if it was properly encrypted.

Bob: None of what we've been discussing seems that Zoom is a menace to our privacy in a large way, but the company has gotten into the sights of various regulators. What's going on?

Joseph: New York sent a letter to Zoom, asking them to clarify what security measures and privacy protections they have actually put in place, especially as Zoom has skyrocketed in popularity. After our reporting about the Facebook data transfer, a user did file a class-action lawsuit in California, citing the state's new Data Protection Act, arguing that user data was transferred without permission. We have to see if that actually stands up in court or not.

Bob: A key principle of internet law is the notion that platforms are not responsible for the content that they pass along to users. Where does Zoom fit in, in this notion of being held harmless for the mischief of those who use the platform?

Joseph: Maybe five, 10 years ago, there was a much more widespread belief that Facebook and Twitter and social networks could be hands-off, the users do their thing and we'll stop you if you do anything illegal, but that's it. There's been a great cultural shift in that, especially around the social networks and they are being particularly more hands-on when it comes to all sorts of contents and especially harassment as well.

I think logically that could extend to zoom because it's not just a video conferencing piece of software today. It has become a social network. Children are using the zoom, teenagers, young adults, everybody basically is on this platform. When harassment is taking place, when targeted racial harassment is taking place, logically, Zoom also has the same responsibility to protect its users.

Bob: Is there a larger lesson to be drawn here? Just about the general risks we all take and the trade-offs that we make when taking advantage of technology, particularly social media, the utility is obvious there, but not without its dangerous.

Joseph: Yes. When a social media app or any communication type platform, skyrockets in popularity, people need to bear in mind the particular risks of that. Maybe if the app hasn't received all that much scrutiny before, maybe users aren't aware about that. Of course, it would be nice if companies prioritized the engineering of privacy and security before they became massive communication platforms, but at least, maybe they can deal with that afterwards.

Bob: In the meantime, what can we do to protect ourselves from oversight, from glitches, bugs, unintended consequences? What does good meeting app hygiene look like? I'm going to assume nitrile gloves are not going to do the trick.

Joseph: I would recommend that users read the app description on the Apple app store or the Google play store and decide whether they're okay giving this application access to the camera, the microphone, maybe their contact lists, if it asks for that. If you are concerned about installing a piece of software, perhaps just use Zoom in your web browser. Hopefully, there's less data exposure there. Of course, keep your software up to date.

In this case, when Zoom did remove the code that sends data to Facebook, users had to update the app to get our latest version on their device. That's something that users should be doing probably for privacy and security perspective, in general, but especially applies here as well.

Bob: Joseph, thank you. Appreciate it.

Joseph: Thank you.

Bob: Joseph Cox covers hackers' crimes and privacy for Motherboard. That's it for this week's podcast extra. Sign up for more On the Media at, on themedia.org/newsletter, and please, please, please wash your hands.

Copyright © 2020 New York Public Radio. All rights reserved. Visit our website terms of use at www.wnyc.org for further information.

New York Public Radio transcripts are created on a rush deadline, often by contractors. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of New York Public Radio’s programming is the audio record.