Protocol Source Code
What matters in tech, in your inbox every morning.

Zoom’s big privacy reckoning

Good morning! This Wednesday, why Zoom's privacy policy is under scrutiny, how phone calls are making a comeback, and an AI that'll crush you in Ms Pac-Man.

People Are Talking

From Protocol: Google's ban on coronavirus ads is a campaign win for President Trump, ad exec Josh Koster said:

  • "They're trying to avoid people price-gouging face masks and selling fake cures, and generally exploiting the crisis for profit. But that's an entirely separate use-case from nonprofit organizations trying to spread accurate information about the situation and holding elected officials accountable for the life-and-death decisions they are currently making."

Andreessen Horowitz general partner David Ulevitch offered a template for managing layoffs:

  • "Properly executing a layoff is important in a few dimensions: legally, culturally, and ethically. How you handle a layoff, how you communicate it to the people impacted, and how you manage and lead throughout the process really matters."

Microsoft's Brad Smith applauded Washington's facial-recognition privacy law:

  • "This balanced approach ensures that facial recognition can be used as a tool to protect the public, but only in ways that respect fundamental rights and serve the public interest. While regulation in this field will clearly evolve, Washington's new law provides an early and important model."

From Protocol: Nancy Pelosi and Ro Khanna urged the Trump administration to rethink the way it categorizes startups:

  • "Startups are the engine of the innovation economy, and our districts in California's Bay Area and Silicon Valley are home to thousands of these companies. Other high-tech hubs around the country with a strong startup ecosystem will also be in need of … financing to preserve jobs and survive."

The Big Story

Zoom: great video chat, less great privacy

It's like Uncle Ben said: With great popularity comes great scrutiny. (Or something like that.)

As Zoom's usage has gone through the roof — according to one study, 4.84 million people used the app on Monday alone — users and researchers have found some problems with the service.

  • The company promotes its product as "end-to-end encrypted," but The Intercept found that's not really true. Zoom can actually access audio and video from meetings, though it says it doesn't.
  • Zoombombing is a real and growing problem. The Boston office of the FBI had to issue a warning after online classrooms were infiltrated by trolls.
  • Many users have been surprised by a surveillance feature called Attention Tracking, which can alert a meeting host when a viewer clicks away from Zoom for more than 30 seconds.
  • And that's not to mention the semi-sketchy things Zoom does in the name of making it easy to install the app and join a meeting, like its trick to skirt administrator rights on your Mac.

Not so long ago, Zoom was a business tool. Now it's used socially for happy hours, yoga classes, family get-togethers, and so much more. Even if the technical infrastructure can keep up, Zoom's been slow to understand that the rules of the road have to change.

  • Casual users don't expect Zoom calls to feed into Google's advertising dossier on them, but that's exactly what Zoom's privacy policy currently allows for.

Things have gotten bad enough that New York Attorney General Letitia James sent Zoom a letter saying her office was "concerned that Zoom's existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network."

  • Harvard's Doc Searls echoed the sentiment: "What Zoom's current privacy policy says is worse than 'You don't have any privacy here.' It says, 'We expose your virtual necks to data vampires who can do what they will with it.'"

More Zoom

What Zoom's doing to fix its privacy problems

On Sunday, Zoom issued an update to its privacy policy, which the company told me is designed mostly to make its existing stance clearer. "Zoom does not sell our users' data," the policy now says — a line similar to one that Mark Zuckerberg has used over and over. Zoom also said it doesn't monitor meetings or their contents.

Behind the scenes, though, Zoom is still trying to figure out its place in this new world, and its responsibility to millions of new users.

  • "The product wasn't designed for consumers," Zoom CMO Janine Pelosi told me, "but a whole lot of consumers are using it." That's forced Zoom to evaluate a lot about the platform, but especially its default privacy settings.
  • Zoom's already made one change, so that school accounts by default will only allow the host to share their screen. "Of course you can do passwords," Pelosi said. "You can be smart with your meetings and where you put those links, etc. But we thought that that was a prudent decision to make."
  • Eric Yuan, Zoom's CEO, also said that Zoom plans to enforce settings like waiting rooms and meeting locks in school accounts, to keep unwanted people out.
  • When I asked about encryption, Zoom's Lynn Haaland told me only that the company is looking into it.

More than anything, Zoom's job is to educate users on the platform, Pelosi said, and tell them about "its best practices when it comes to security, whether it's for the use case in the classroom or people that are hosting virtual happy hours."

  • Password-protected meetings are the default, for instance, but many people turn them off for convenience. They should stop.
  • And the company's trying to normalize Attention Tracking so it doesn't surprise users, and so that they know that the company doesn't track what they're doing, only that they've clicked away.

But Attention Tracking is a perfect example of Zoom's challenge. The feature was originally designed for staff training, where it might be useful to make sure people are watching. And it's off by default. But it can be turned on by an admin without warning or notice, and that makes users feel spied upon.

Pelosi told me Zoom is listening to all feedback, and making adjustments as it goes. "If we need to change something from optional to default," she said, "we're going to do it swiftly and then we're going to communicate it."

  • But if the AG's office wants to see a cohesive privacy plan for Zoom The Consumer App, I'm not sure it will find one yet.

If you're concerned about the privacy situation, Consumer Reports has some good best practices. The big one: Make sure your meetings are password-protected, and don't share your links or passwords widely.

Phone calls are back, baby

We've talked a lot here about the rise in video chat, messaging and the like. But there's another big winner in these isolated times: good ol'-fashioned phone calls.

  • Verizon reported 800 million calls are happening every weekday on its network — that's twice what it typically sees on Mother's Day, the phone-call-iest day of the year. Calls are 33% longer, too.
  • AT&T reported that emailing and web browsing traffic is down (though most of that has just transitioned to Wi-Fi, since everyone's at home). But voice calls are up 33% and Wi-Fi calling has nearly doubled.
  • Voice calling has more than doubled on WhatsApp and Messenger "in places hit hardest by the virus," Facebook said. I'm counting these as phone calls, because they've replaced regular calls for so many people.

Ironically, the rise in voice calling may be a bigger network strain than all that extra Netflixing we're doing, especially in places where voice isn't yet carried over data connections. When the U.K. government first issued its lockdown orders, multiple carriers had issues with the added strain.

We've been asking for years if phone calls were dead. Now we have an answer: nope.

Number of the Day


That's how many Marriott guests had their information — name, contact info, loyalty information, even some other linked accounts — stored insecurely for more than a month, where it was accessed "using the login credentials of two employees at a franchise property." It's not as bad as Marriott's last breach, of course, which affected a whopping 500 million customers. So ... progress? Marriott said it reached out to all affected guests, and is offering them a free year of IdentityWorks monitoring service.

In Other News

  • Today in coronavirus: Instacart warned some shoppers they may have been exposed to the virus — and strike organizers said, see, we told you so. New York is investigating the firing of a strike-organizing Amazon worker. Apple told some contractors it wouldn't pay them for now, but then U-turned and said it would pay everyone. Tesla wants to supply ventilators for free, but only to those who promise to use them rather than store them. GrubHub is offering a $10 delivery deal, and making restaurants pay for it. And companies are trying to get out of long-term deals with Salesforce and Oracle.
  • Facebook has a new partner for AR glasses tech. It's working with Plessey, a U.K. manufacturer that builds microLED displays, to help it make the displays it'll need for "a glasses form factor that lets devices melt away so we can be more present with our friends, families, and surroundings."
  • Russia postponed a law that will require all computers, TVs and phones sold in the country to come with Russian-developed software pre-installed. It now won't go into effect until 2021.
  • Facebook and Twitter both took down videos of Brazilian president Jair Bolsonaro, citing misinformation in his speech endorsing malaria medication to treat coronavirus. It's one of the first times the platforms have acted against politicians and world leaders.
  • Color, a health-tech startup, said it's developing a lab in the Bay Area that can process 10,000 coronavirus tests a day and deliver results in less than 24 hours. It's also open-sourcing the lab's design and processes for others to use.
  • Apple bought the Dark Sky weather app, and plans to shut down its API and discontinue the Android version. Which isn't exactly off-brand, but is still kind of mean.
  • Xerox is finally giving up its pursuit of HP, after months of trying to force a merger. The company cited "the current global health crisis and resulting … market turmoil" as the reasons for its retreat.

One More Thing

An AI that's unbeatable at Asteroids

One of my favorite AI benchmarks is the Atari 57 test: Can your algorithm do better than humans at 57 games from the Atari 2600? The idea is that the games are fun and hard for humans, varied enough to cover lots of tasks, and a perfectly controlled setting. Alphabet's DeepMind team announced yesterday that its Agent57 project is the first ever to beat average human performance in all 57 games. (If you'd like, you can watch each one on YouTube, from Asteroids to Ms Pac-Man to Pitfall.) In trying to beat the games, it's fascinating how many deeply human problems the DeepMind team had to have its AI solve. Do you favor trying new things or doing what works? How do you find the clue hidden in a game's wordplay? DeepMind says there's more work to do, but it may be a small step closer to general AI. I'll be honest, though: I could definitely still beat it in Montezuma's Revenge.


Thoughts, questions, tips? Send them to me or our tips line. Enjoy your day, see you tomorrow.
