 Everyone, so I think we should get started. For the two of you who are already here, Ashwin and Nikhil, hello. And for everyone else who's not here yet, I hope you'll be here soon. If you missed part of this, you can catch up on YouTube. There is a copy of the livestream. And we, as usual, have our guest appearance. Say bye. So today, we have my colleague from the Intercept. And we have a great direct from the people we see in conversation on Zoom's security versus business interests. Vivek can say an agenda better than I can. So I'll let him do that. But I'll just introduce our two panelists for tonight. Michael Lee, for the Intercept, the security. He's also the founder of the Freedom of the Press Foundation, I believe, trustee or founder. I don't know what the term you use out there. And Michael has been pointing out several serious issues with Zoom that have been reported in various places. And thanks to that, I think we now have a larger understanding of what risks that we have taken up when we use Zoom for our conversations. Vivek comes to it from a business perspective. Vivek is a lawyer by training, a programmer by hobby, and an entrepreneur by profession at this point. Vivek's paper we see provides information on what's going on with signal intelligence on businesses in India. Vivek, again, can do a better job of introducing this as an icon. And between the two of them, I've heard some fairly fascinating takes on how to interpret Zoom's security. Do you say Zoom is insecure? Therefore, don't use it. Or do you say it's all fine? Just use it. And I think between these two extremes, there's a fair bit of territory to be covered, which I will let our panelists take on for today. So Vivek, do you want to take off for a minute? Sure. Thanks, Kiran. Micah, it was good chatting today morning. In fact, Micah and I connected earlier today to go over some of the things, the standpoint and perspectives that we have and some that we share. I think the easiest way to get started with this is to understand how the intercept developed this story. And then we can discuss a range of topics, including the repropession of the impact and the worldwide response to Zoom's vulnerability. Micah, do you want to tell us how this started? How did you get start with the story about Zoom at a time when this was a fairly popular tool already? Yeah. So I've written a couple of stories about Zoom. But the first one that I wrote was about how, like if you went to Zoom's website and you looked at the security information and you read their security white paper, they claimed that Zoom was end-to-end encrypted. But we figured out that it actually wasn't end-to-end encrypted. I worked on it with Yawel Gower, who is another journalist. And she was the one who was actually talking to Zoom. But basically, she was talking to Zoom. She was talking to Slack and a bunch of other companies that have kind of been exploded in use ever since the pandemic started, trying to understand more information about how their privacy stuff worked. So she was asking Zoom a bunch of questions and including questions about how it was encrypted. And specifically with Zoom, the fact that they were saying that it was end-to-end encrypted was kind of a really big deal. Because with most stuff on the internet is not end-to-end encrypted. It's kind of very rare for things to be encrypted in this way. And what this means is that if you send someone a message and using a service that's not encrypted, like Facebook, like if you're just sending someone a Facebook message, Facebook has access to the content of the entire conversation. And then also Facebook, so employees maybe have access to it. But Facebook could also be compelled by governments to hand this over. So if you are an activist, if you're a journalist talking to sources, or any number of other reasons why you might have some very real privacy needs, Facebook could be compelled to help spy on you. And so if Zoom says that they're end-to-end encrypted, then that means that Zoom could not be compelled to help spy on you. So if you're having a Zoom meeting and it says that it's end-to-end encrypted and you trust this, then if it's like maybe you have a sensitive business meeting, you're talking about trade secrets or whatever, you might feel very confident to use Zoom for this meeting. But it turned out that that wasn't true. And we basically figured this out because Yael was asking them specific detailed questions about how their encryption works. And here, let me see, they finally told her. And this was a Zoom spokesperson, like one of their public relations people. They said, currently, it's not possible to enable end-to-end encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS, and UDP connections are encrypted with AES using a key negotiated over TLS. So there's a lot of technical stuff in there. How fast was this back and forth? So was there a long email fail, conversations? So this was the time you started? So I wasn't actually part of this communication. The other Yael was. But it was email. And basically the way that it worked with their PR people was she would write them an email with a bunch of questions and then wait for them to come up with the response that they were happy with being quoted. And then they'd send her a response. And then she'd email them with a bunch of follow-up questions and then wait for a response. So it was slow getting information out of them. But I think that our reporting and also a lot of the other reporting about the privacy and security issues that Zoom has kind of made them do a complete flip on how they've been dealing with this stuff. And instead of being very. Sure. Yeah. I think I wanted to get to that a little bit later. A little more curious about how you get started with the story like this. And so I have a couple of theories and you can help me out on which of those are more accurate. Is it because you specialize in an area that requires you to look at the security of the tools that you use, that you evaluate at Zoom, you and the colleagues that you mentioned? Was that the reason you started looking at Zoom and asking them specific questions over there? Already indications that there might be vulnerability. Anything to give it away? Apart from the claim that it's end to end and therefore suspect in your eyes? Yeah. I mean, really it was just that we were evaluating Zoom. Like since January and February, I personally have been using Zoom a lot more often for a lot more meetings. And there's definitely. So I am the director of information security for the Intercept. So I have to have meetings with a lot of people related to sensitive topics. So we have a need for having secure communication. And especially where everyone is working from home right now, this all has to be remote. It all has to be over the internet. And so basically Zoom, even with all of these privacy issues, Zoom is fine for a lot of use cases. I think that Zoom is fine for, regardless of its encryption, for having a yoga class. Or whatever, for a lot of things like that. But if your threat model says that you need to have a private conversation, then Zoom, according to their marketing, seemed like you needed to have it, but in reality it wasn't. But yeah, really, I think that me and Yael were looking into services specifically like the technical claims of services, and specifically security and privacy, because that's largely what that's the work that I do, and that's what I focus on. And if it's true that Zoom is really very secure for all sorts of use cases, that would be great news. And so we started looking into it, and the fact that they published a white paper, a security white paper, and their white paper said a bunch of stuff but didn't really explain it very much, it just was very hand-wavy. And we're like, but how does this work? Is this true? Is this real? So we were just asking you about it. The white paper came out a while after you started engaging with them, or there was an existing white paper that they threw at you, or you just don't know. There was an existing white paper. Sure. So when did this all start? This is Fed early March. When did it happen? That's a good question. I think early March, I believe, we published the story in late March, and so I think that Yael was starting to talk to them and other companies too in early March. And but yeah, their white paper was actually published like a year or two ago, and so it's been around for a while. And I actually noticed that they have updated their white paper since our story was published, and the only thing they changed was they removed end-to-end encryption. Everything else is within. Is everything else accurate in your estimate? Yeah, I think so. I think that it's accurate. I think that it still has the issue where it just doesn't go into as much detail as I would hope it would go into with a security white paper. Apple also publishes security white papers on how iOS works and how it locks down iPhones and things, and they go into a lot of detail about how the encryption works and how everything works. And I still think that Zoom's white paper is still kind of hand wavy about the details. It's just sort of like, we're secure. Trust us. So yeah, and actually one of the other big things was in the user interface. Right now, if you like, well, I guess you're using mobile. You're using a phone. But on a computer, if you mouse over the little green lock in the corner, it says your client connection is encrypted. But in certain circumstances, if you use Zoom in such a way that you were expecting it to be end-to-end encrypted, so if you didn't have anyone calling in on the phone, if you end things like that, then when you mouse over it, it used to say your connection is end-to-end encrypted, which was just not true, because they basically were redefining the term end-to-end encrypted to mean something that it didn't normally mean. It normally means that participants are the only ones with the keys, but some of the endpoints were like in Zoom's cloud services, and that's not really how it works. So let's call this, you did two stories on Zoom, right? Or did you do more? I've only, I've done two stories, yeah. Let's call them story one and story two. Story one took them how long to respond? So they actually responded right away. I think the next day, I think they published a blog post, basically apologizing for being misleading about end-to-end encryption, and then really, for both stories, their response was immediate, which was, and this is, I think, where Zoom turned around and started to be way more transparent about things and way more upfront in commit and starting to make commitments to focus on privacy and security. But yeah, their response was really fast, and it was actually a pretty good response. That's interesting. So story one was all about, this was all about end-to-end encryption. And the story two was something that snowballed into something else with the whole Chinese angle. I mean, it was an interesting catch. It was an awesome catch. But they came back with something, with a response that seemed credible. Did you believe them? The fact that they added those Chinese data centers because they had to deal with increased demand in China. Yeah, I think so. I mean, okay, so the second story was about citizen labs research, which is these computer security researchers that do kind of public interest research out of Toronto, Canada. And they basically found a bunch of issues with Zoom. And one of the big issues was that in their test call, where one of the researchers was in Canada, the other one was in the United States, they noticed that some of the infrastructure for the Zoom servers they were using were coming from China. And they were like, why would this be the case? And in fact, it was actually the way that Zoom calls work. There's a, the participants join the meeting. There's a server that Zoom controls that generates an encryption key for the meeting and then sends it to the participants and so this server that was generating encryption keys was in China and it sent a key to at least one of the participants and then they use that key to encrypt the meeting. And so yeah, what Zoom's explanation for this was is that when COVID-19 was starting to spread rapidly, it started in China and so they had a lot of demand for working from home and working remotely in China and so they really had to scale up in China fast so they added a whole lot of new servers in China and they were, and normally they say you're outside of China then you don't use Chinese servers but they didn't actually have that setting on a bunch of the new servers that they added. And so by mistake, this was happening and sometimes you would be using Chinese servers but then they said that they fixed this and now you should never be using Chinese servers unless you were actually in China and the reason why using Chinese servers is an issue at all. It would be much less of an issue actually if Zoom were actually intending to encrypt it because even if your traffic were going through China, even if the Chinese authorities were able to compel Zoom to handover copies of your meetings, all they would be able to do is handover encrypted copies of your meetings so they couldn't spy on you without basically hacking your devices or somehow stealing the encryption key for the meeting. But the fact that they actually generated the keys in China was a big deal. But yeah, I think that they were, I mean their explanation made sense to me and they promised that this is not happening anymore. So how long did it take you to, or rather should I say, from the time you published that story, at any point did you stop using Zoom? I have not stopped using Zoom. So actually my company, we first look at media, we have this tech blog and the security team, we published this blog post that's all about developing a threat model for video conferencing. And really what it means is when you're thinking about what communication tool you want to use, it's always, it's not like don't use Zoom, it's not secure, use something else that's secure. It's always depends on the threats that a specific meeting faces. So if you, so like maybe certain types of meetings that you have are not very sensitive all, other types are very sensitive, you basically make a decision on a meeting per meeting basis. And so a lot of the meetings that I have, Zoom is fine. And it's actually, I think one of the things about Zoom that is great is that it works really well. It's very smooth and frictionless. People don't need, it's like really easy for people to use. Like if you start a Zoom meeting, you can send people a link and a bunch of people can join it. And it's like so much less work than so many other things. You don't need to have, you don't even need to have software installed. It works on all sorts of devices and all sorts of stuff. So for a lot of situations, Zoom is like great for that. It's just that, but yeah, like basically, like as soon as we figured out that Zoom's claim for end-end encryption actually wasn't real and that there was other like significant security issues, we basically decided to stop using Zoom for anything sensitive. And we're still not using Zoom for sensitive meetings until it seems like they actually start implementing end-end encryption. How far away do you think that is? Well, they, okay, so Zoom, their response has been very positive and they have been very quickly fixing a lot of security issues. The problem with just enabling end-end encryption is it's not so simple. It requires kind of like completely changing the architecture of how things work. And so, but I mean, but like they're actually in a pretty decent place to do it. The way that Zoom meetings currently work, they're already encrypted using a key that all of the participants in the meetings share and that's kind of like a prerequisite to getting end-end encryption working. Now they just need to make sure that they never have access to the key, that only the participants generate the key for the meeting. I don't know how long it's going to be, but they have definitely been like they announced they're going to freeze all of the features that aren't security and privacy. They've already fixed a bunch of issues. They've improved the encryption. There was a kind of big encryption problem that the citizen lab researchers found. They've just released like Zoom 5 that like yesterday I think or the day before that fixes this. Every time I reached out to Zoom, there were a whole bunch of new updates. All of them right now are all security and privacy issues. That's it because they're saying like they're not adding any new features. They're just making improving the security and the privacy. So it's going to go on better. I have no idea how long it's going to be before there's end-end encryption. And once they actually do support it, I'm probably going to have some healthy skepticism. I'm going to look into it in detail and try and figure out if it works. And also it would be great if they really wanted to do a good job of it would be great if they made it verifiable, which means making it so that I don't know, like so Signal is an encrypted messaging app. Signal lets you do something called verifying safety numbers. I don't know. Have you ever verified safety numbers on Signal? So most people don't do it, but basically what it means is that you're able to compare QR codes on your phones. And if the QR codes are the same, then you could be completely sure that there's not a man in the middle attack. If you don't do this, then you have no way of knowing that like if you're sending me a signal message, maybe you're actually sending some attacker signal message and they're just forwarding it to me. But if we compare the keys that we actually have on our devices, then we can be sure that it's actually encrypted and no one's buying on us. And it would be great if Zooms and Den Encrypton supported something like this too. And so we'll see how that goes. But I don't know. I would hope that within months, oh yeah, WhatsApp has that too. WhatsApp also supports comparing fingerprints and verifying that your encryption works. So I would hope that Zoom supports that. And I would hope that maybe their Enten Encrypted feature will be available within months. And also I would hope that it's available for free, that it's not just like business customers. That it becomes a separate price and fee of kind of thing. Yeah. And like the thing about Enten Encryption is if you're having an Enten Encrypted meeting, it's not going to have as many features as the other ones. Like you can't call in on a phone, for example. Like right now you can call into a Zoom meeting on a phone. But if you're in an Enten Encrypted meeting, the phone calls will be completely disabled because you need to actually use a special Zoom client to connect that supports Enten Encryption and just like calling in from a phone, it's impossible to do that. And so there's, and also like streaming on YouTube or cloud recording, like all these things won't work in an Enten Encrypted meeting. So Zoom will have to make it so that when you start, when you host a meeting in Enten Encrypted mode, it works a bit differently. It disables a bunch of features. But I think that there's a real need for secure communications, especially when all of these communication that used to happen in person now just happens over the internet. And so there used to be, things used to be a lot more secure. And now that everybody has to work from home, everybody has to go over the internet. And it's, and it's not like, I mean, we know from the NSA and the GCHQ and the Snowden documents and stuff, everything on the internet is being spied on all the time. And so it's, so, you know, we need to use encryption to solve this problem. And I hope that it's available to everybody and not just paying customers. Yeah. The only challenge that I see is that video is much harder. I mean, there are a whole bunch of trade-offs when you develop it, which is where I came from. The reason that I'm probably on this call is because of something I wrote on my newsletter with respect to Zoom, which is, as a founder and a product developer, you empathize with the challenge that someone something that scales, something that does really well from a product market fit perspective, which is that it solves the users problem, get on a video called fast, make it really easy to join a call, make it really easy to invite someone, etc., etc. And these were unsolved problems from, from WebEx days, right? And Zoom made it spend 36, 36 to months or more solving these problems and maybe, maybe simply do that. The problem that they didn't solve, which, which they focus on right now is security. But, but, but that's the trade-off that every founder or every product developer or manager faces, right? In terms of being able to decide what to prioritize and product development. Now it's fairly clear that these guys just have to solve security, but, and it's very clearly now a security issue. But, but before it became a security issue, if I could split it up, it was a marketing and communications problem on one, on the one hand, right? And, and the technical challenge on the other hand, and on the other, and on the third side, it was an optimization issue. How do you optimize the speed? How do you optimize for concurrency for thousands of video participants? That was the problem that none of the other products were solving for. So you actually had three different things going on at the same time. How much of that you see changing at organizations that are doing spectacularly well, which is Zoom, which is more coherence in terms of customer-facing products? Yeah. I mean, I think that one thing that Zoom did differently than some of its competitors. So like Google Hangouts is, you know, a competitor of Zoom. And I think that something that's very different is Google Hangouts. They also don't publish a lot of details about exactly how everything is secured. But they never made the claim that it's end-end encrypted. We can't spy on you. And I feel like that's the big, that's the big thing. It's like, if you read Google's privacy policy, they're like, you know, we only will share your information if we're compelled to by law and things like that. But they never, they never were like, this is totally secure. It's end-end encrypted. And Zoom was like that. And so I think that that's the biggest issue is that I think that the marketing of it sort of just jumped the gun and was just like, oh, this sounds really good. Let's just put it all over our material. And it was very like buzzword-heavy without actually, you know, being accurate. And so I think that that's- The possible that they could have just gone ahead without making it more secure if they just said upfront, you know, when some people started using it, that it is what it is. Yeah. Which I mean, which is what, like, this is how Slack works, right? Everybody uses Slack all over the place. Slack is an end-end encrypted, but they don't claim to be end-end encrypted and everyone like understands the trade-off. So if you're like, okay, I have a business. I have to, you know, have different teams communicating. I need to have some sort of like chat with different channels and stuff. Slack has all these features that I want. Yes, Slack can spy on the messages. They can hand the messages over to the government. But maybe it's worth the trade-off. And so I think that that's kind of, that like people that use Slack were, despite the fact that it's not very secure. And there's all other alternatives that are more secure. There's like Keybase is an example of something that's kind of like Slack. You could have teams, you can chat. And you could have signal groups and WhatsApp groups. These are much more secure than Slack, but they don't have the same features that Slack has and people might decide that they want to use Slack anyway. So yeah, I think that that was like the big issue was really just being accurate and honest in the marketing. And like if Slack was just like, we're so encrypted, no one can spy on anything you say in Slack. Then maybe a lot of people would use Slack because of that, even if it's a lie, you know. How much in the word broadband are you using? What are you using? What am I using? Oh, I'm using cable internet in California. Xfinity, Comcast. It's the town that I live in doesn't have that many good options. But I mean, I have pretty decent internet. Yeah, in the United States, the ISPs are monopolies. I have all full internet. I have ACV that doesn't take the work, which is why I'm on a GO4G line right now. Someone else asked if you are encouraged by the security changes the Zoom has made, especially post 30th March regarding encryption, I think we pretty much banged that question to death. Do you think there's a Chinese angle to this at all? Do you think what does this do for Zoom in terms of positioning? What does this do for China as the big bad guy in the corner? Yeah, I mean, I do think that there's a Chinese angle to this because Zoom has a lot of, I don't remember the details, but Zoom has, there's like some contractor companies that do a lot of the development for Zoom that are based in China. So a lot of the engineers are Chinese engineers and then their infrastructure, some of it is in China. And the reason why I think that this is important is just because China is a very authoritarian government and they have no qualms on spying for political reasons. But also to be fair, the US doesn't really have qualms for spying for political reasons either. And that's where the rest of the servers are. To be fair, most countries today don't have qualms. Yeah. But I could definitely see being concerned for a number of reasons, including the fact that the Chinese government helps steal intellectual property. There's Chinese people all over the world who are students studying abroad or people who have a lot of family in China, who might be doing some sort of pro-democracy activism and they really don't want the Chinese government to be monitoring them. So there's a lot of legitimate reasons to be concerned about the Chinese angle. But I do think that if most of, if it's actually true, if Zoom has fixed this problem, if you're outside of China, you're having Zoom calls, and none of the traffic is going through Chinese servers anymore. And I think that it's always possible that Zoom has some sort of deal with the Chinese government where they help them spy on meetings. But I haven't actually seen evidence of that. So yeah, I think that it's a problem. But I think that the best answer to this problem is a technical answer. It's securing meetings in such a way that Zoom, the company itself, can't spy on them. And if they can do that, if they could actually implement antenna encryption, then if Zoom can't spy on them, then Zoom can't help any government spy on them, including China. What do you think of the future of a lot of technology products? I mean, right now, the spotlight is on Zoom, because everyone has to use Zoom, pretty much, except for the holdouts who use Meet in Microsoft Teams or who use Microsoft Teams. But I'm guessing there are at least 100 odd products out there that are extremely critical in the lockdown mode, probably going to be important going forward, everything from health test software to the entire gamut of SaaS collaboration, you name it. That's secure. Video is obviously far more challenging to secure. But I'm guessing there are privacy issues, a lot of things where the spotlight is going to turn on a ton of these companies that, in terms of context, founders talk about good problems to have and bad problems to have, bad problems to have, or you don't have customers, good problems to have, you have a lot of things, and you can't set the same or you screw up in so many different ways that you get the spotlight turned on for awful things that you've done or that the Facebook friends do problem, so to speak. How do you think this is going to pan out when the spotlight suddenly turns away from Zoom, to many of these companies? Is it going to be a great time for you to be writing? Yeah, I think so. I mean, I think that nothing is perfect. All of these things have various problems, and I think that the privacy and security issues, we're just scratching the surface right now. I feel like we're moving into this world where people are really just moving their entire lives onto the internet so much more than has happened since the internet has existed. And when the pandemic is over, I think a lot of it's going to stay there. I think that it's really hard to predict exactly what this really means in terms of privacy and security, but if suddenly a couple of big services start getting hundreds of millions or billions of people on Market Share, that's a lot of power and also a lot of power for the governments that have the jurisdiction of those services. The US government is able to basically spy on anything that happens on Facebook, and Facebook has a lot of customers all over the world. And so I think that this problem is going to it's not going away, and I think it's just a really challenging problem. How do we protect privacy and security when it's so easy to spy on everything online? Are you tilted away from the idea that that entrepreneurs can provide solutions to many of these problems? I mean, do incidents like that reinforce the perception that the best solutions should be open source or collaborative from the ground up, grassroot kind of stuff without either government or agglomerations of capital called companies? Yeah, I mean, I think it's difficult. I think that most of the open source decentralized stuff is like there's a lot of really good advantages, but also a lot of times it doesn't like just work like a lot of other technology. So a good example is Jetsy Meet. Jetsy Meet is an open source video conferencing system. It's not end-to-end encrypted, although they're working on an end-to-end encrypted version, but it's open source so you could host your own server. So basically you have to trust the server. So if you wanted to, you could run your own Jetsy Meet server and then use it for your internal communication and that's actually very good. That's more secure than Zoom in a lot of ways, but also Jetsy Meet as a product, if you have a meeting and there's more than 15 or 20 people in it, it just starts to break down. It doesn't work very well. There's a feature to blur your background and if everybody starts blurring their background, then it just like crashes your web browser. And I think that this is one of the things that companies like Zoom and also other startups, they have like a team of engineers that they pay a lot of money to fix these problems, whereas the more grassroots open source stuff that might be good and in a lot of ways secure don't have and then it also takes a lot of resources to run your own server. It's so much easier. I guess it's also a function of momentum, right? So you have two examples with I mean when you have, when Facebook at its moment, when they had embarrassment after embarrassment in terms of privacy issues, I think it was 2014, 2015, I don't remember when, but and those responses were pretty delayed. At that time, you had a whole bunch of folks come out and say, you know, the way to do social networks is not like this and everyone had they taken how to do a social network, open collaborative, you know, developed under the sunlight and none of them took off, flopped horribly. On the other hand, you have, I still use Mastodon. I still use Mastodon. I mean, I'm not going to ask what you do there. I mean, I don't do that much. I use Twitter a lot more, but still on principle, I'm guessing. But the point is you have, you have examples like that, which is developed a little too late and then can't gain momentum. You have examples like, you know, Linux, which was developed many years after people saw that, you know, the OS wars had been won. You have, you had Mozilla that was developed many years after folks started browser walls had been won, which then inspired, you know, Chrome. But you have cases where open collaborative work has worked as long as it won the platform battle, which is good engineering, obviously, but the ability to get into to widespread use. I think that that's the key challenge, which is that if you have software, if you have a felt need to have open, for instance, video services, that can create the momentum for widespread development. I haven't yet put together a hosted version of that video server. I've actually been meaning to do that. But the problem again, there is interoperability. You have to have something that's interrupted with either other services or in a way that can rapidly, that has inbuilt network effects, and that's graphically pulling people into that service. I mean, Zoom started somewhere. So the question really is, are you going to have a whole bunch of folks getting building? I mean, can you use paranoia for good is my question. Yeah, I mean, I think so. I think that I think that there is a big demand for privacy right now. And I think that that with with Zoom, I think that they just didn't really have a big demand for privacy until now. And so I think that that's why yeah. And so I think that that's why they've never focused on it. I mean, I don't know. It's always like, I'm a pretty big privacy nerd. And so I'm always like looking into doing stuff that is more private online on my computers and phones. But I'm not sure if there's really enough demand for privacy to really fuel a lot of technology that like like, for example, I've I've I've used special Android distributions that are way more private that don't have Google apps on them that and things. But it's like, I don't know, it's very cumbersome. It's very hard. I think it would be very hard for most people like you can't just like install like the Lyft app, for example, which is, you know, something that a lot of people kind of need. And so, but I do think that there is there's enough demand and I think that the demand is growing for privacy as everything is moving online that, you know, it I think that even with video with video conferencing, if there was some service that was like private that was competing with Zoom and that like worked well, that you could have meetings with like dozens of people. But it had like much better privacy. I can see that taking off as well. You know, like right now, if they if they did a faster job than Zoom did. So yeah, I do think that there's definitely an opening for companies to try and like do a really good job with privacy and security and sell that right now. What do you think about the point of view that quite often when new technologies emerge into widespread adoption? At some point, governments intervene to claim their, you know, their foot in the door, so to speak, to make sure that they can survey them, that they can spy and they do it in ways that the general population remain unaware of, obviously. Do you see that likely to happen in a situation where working from home, remote work becomes pervasive, governments will find a way one way or another to gain access to this infrastructure, you know, to protocols to figure out a way to access these platforms no matter how secure they are. I mean, yeah, I think that it's definitely there's a lot of value for governments to do this. And I do think that I mean, I think that that a lot of governments, definitely the United States and the Five Eyes and lots of other governments are are going to try. I mean, this is like, like, there's agencies whose job is to do this sort of thing. Yeah. So, but then this is actually one of the places where, you know, open source technologies that become widespread and successful really help because it's a lot harder to you know, secretly have like a secret deal between an open source project and like the NSA to insert some code that is going to have a backup. It's not that it's it's definitely possible. But I do think that like open collaborative projects are much harder to break in this way. And this is also like, like, why, you know, if Zoom does make end-to-end encryption, I would love it if it's verifiable if you can verify the fingerprints because it's because like if companies really, really care about this, if it's not just they don't just want to have marketing about, hey, look, we're secure, but they actually care about being secure. They need to design their products in such a way that they are potential attackers. So they need to be like, okay, let's say we have a malicious employee that has access to all of our servers. Can they still not spy on our customers? Like that's what they have to do. And that's a very hard problem to solve, but it's a possible problem. It's possible to solve. And I think that like, Signal has done an excellent job of solving this problem of making it so that like, as a company, they don't have access to they have access to as little as possible. And everything is encrypted and things like that. So I think that that's an important thing. How effective do you think it's going to be to protect against the surveilling of metadata with respect to video and other work that scales now in this kind of environment? Yeah, that's a much harder problem. Like the production of metadata, like there are potential, like, so I keep talking about Signal. Signal has done some pretty interesting stuff to protect metadata, where basically like, it's called field sender. So if we have already started having a signal conversation, if I want, if I send you a message, what I'll do is I'll send an encrypted blob to Signal servers and Signal servers will be able to see who it's to but not who it's from. So they'll just say, Oh, this is the recipient. I have no idea about anything else. And then they send the whole encrypted blob to you and you decrypt it and you're like, Oh, this was the sender. And so that's that's an example of protecting metadata. But like nobody else does that. This is the only example of actually protecting metadata on a service that I'm aware of. But because it's a very hard problem. But it's but it's definitely a problem that people can solve, you know, like cryptography can do a lot of stuff. But I think that for a lot of for a lot of businesses and a lot of people, it's more important to just be able to have a meeting that works than than that. But I mean, that's, I don't know, it's an important thing. Governments are interested in the metadata too. I mean, obviously, it's a question of how many people care enough about about about their privacy. In India, we have huge debates about about unique ideas. But I think at the end of the day, it's also a function of a culture of building products. How I mean, as as as a writer and as you are at the intersection of tech and entrepreneurship, what do you take on on everyone from Elon Musk to Mark Andreev and Navarad Khan, and at least Silicon Valley, talking about building is an ethic. I mean, the reason I asked you, I think it ties in to many of these issues, including where everything can be solved by just building. So, let's see, I mean, I think that I am very skeptical of a lot of Silicon Valley solutions to a lot of problems because a lot of the time, I don't know, it kind of reminds me of people thinking that like blockchain can just solve everything. I think that like, you know, so for like the pandemic, it seems like there's a lot of companies that are interested in starting to do like surveillance or like, like I saw something, who was it? I forgot which company, but but they're like, I know we can do contact tracing by facial recognition, so that we just, you know, record everyone's faces to figure out who they are and use cameras to figure out who was in the room with who and have giant databases of everyone's faces. And so, so I feel like tech companies are really good at building specific products, but they're not necessarily good at doing the right thing. Like, I'm not quite sure if I think that Facebook as a company is like is like an overall positive thing for society. And so yeah, so it's like, so I feel like definitely like they're needed, like we definitely need companies that can build good products that work, that can make it so that we can all communicate and and it solves real problems. But I think that we need more than that, too. I think that we need we need to make sure that that, you know, it's not just tech companies getting to make all the decisions. By the way, we were discussing secure drop in the morning. Has the number of tips gone up since you wrote the story? Have you had more interesting leads? Um, I haven't, I haven't gotten many more Zoom tips, but I mean, well, we have gotten some tips about like, you know, specific instances of Zoom bombing and things like that. But yeah, I know, like there's, I don't know, there's a lot of really bad Zoom bombing stories out there. But, but yeah, in terms of like, I think that the number of tips just in general have has gone up since the pandemic started. There's a lot of interesting stuff going on right now. And a lot of people are talking about it. Are you ever going to write a third Zoom story? Oh, a what? Zoom story? A third one? Oh, quite possibly. I mean, it just depends on if there's a good story to tell. Like, I think, uh, yeah, I mean, I'm, I'm very interested in what they're doing right now on, on how they're improving things. And, you know, if they, if they do a really good job, or if they like do a really bad job, if they like mess up in a really bad way or something, like, yeah, I definitely think that that is in the public interest. And so, so yeah, I mean, it just depends. I don't have another Zoom story that I'm working on right now. So I don't really have like a lead to follow, but, but, but yeah. There's a question that I actually wanted to ask you earlier, which I remember now, which is, has it always been engagement with PR? Do you appreciate actually engaging with PR? Have folks beyond PR ever reached out to you, same Zoom or other products in other companies where you've done investigative pieces? Yeah. So with Zoom, we've only talked to their PR people, but I really like talking to engineers. There's definitely, the PR side of companies are always, you know, they don't always necessarily give you information that's like super useful, right? They give you something that, but the engineers are like, you know, the people who understand how the technology works, a lot of times will just be a lot more straightforward and just be like, oh yeah, it works like this. I guess that thing is possible. You know, we have these various issues. And so, yeah, there's definitely like, it's definitely nice to talk to people who aren't just on the like public marketing side of things. Do you reach out to investors or venture firms when you do a story about a tech company? I haven't done that. But I mean, I think that's not a bad idea. Most of the ways that I end up like writing about something like this is I get a lead somehow and I start following it. So really like we weren't actually planning on writing this story about Zoom and then encryption. And yeah, all the other journalists that I wrote this story with, she was working on basically like a different unrelated story about just about a bunch of these collaboration tools that people are starting to use now. And she was, and I was talking to her about Zoom and about like what questions to ask them. And she like told me this quote that they gave her where they're like, Zoom doesn't support end-end encryption for video calls. And we were like, what? And so then that's dig into this a lot more because that was kind of a big deal, especially like then we go to like zoom.us slash security and it's like end-to-end encryption. So by the way, I'm putting this piece on Twitter because this is definitely tweetable. Okay, I have some random questions. Someone probably wants to know your take on the new Google Hangout feature. On the what Google Hangout feature? On the new Google Hangout features. Oh, what are the new features? I actually don't know. Oh, I mean, Google Hangout, so just and I'm not sure what the new features are. I mean, I think that there's a Google Meet is like the G Suite. Yeah, it's like the company, the business version of Google Hangouts. And I think that they're because of the pandemic, they're giving like wider access to Google Meet. I mean, I think that it's it's a pretty good service. It works really well. There's definitely been times where I've tried to have calls on like Jitsi Meet, the open source, self-hosted thing that just like didn't work and we kept having to try refreshing our browsers and there was problems. So we switched over to Google Meet. But yeah, like it's also not private. It's similar. It's like who do you want to be able to spy on your meetings? Do you prefer Zoom spying on your meetings? Do you prefer Google spying on your meetings? You just make a choice. Do you have a view on government procurement for products like this? I mean, before this started, we had the whole $10 billion contract. Sorry. Do you think that there's a risk that governments will be forced to buy specific products, especially for video calls and whatever? Yeah, I mean, I do think that there is a risk. I think that one thing that Zoom has promised to do because of pressure from this human rights group called Access Now is to publish a transparency policy which a handful of big companies publish. And so Google publishes a transparency policy where they basically regularly, I think every quarter, they update it and they say how many requests for user data they've gotten and how many of those requests they've complied with and they break it down by country. So I think that Zoom, so we right now at the moment, we have no idea how much governments around the world are putting pressure on Zoom to like spy on their users. We just don't know. We do know about Google. We do know about Facebook because they publish these transparency reports. And so for example, with Google, like, you know, the US government requests data from, I don't know the numbers off the top of my head, but like tens of thousands or hundreds of thousands of Google accounts, you know, every quarter, and Google complies with those. But then, you know, the Venezuelan government doesn't get any data from Google. And so I think that this is a good thing to keep in mind. And this is one of the reasons why transparency reports are good, because if you are Venezuelan and you're trying to decide like, what's the most secure video conferencing system, maybe Google Meet or Google Hangouts is a great choice for you because you know that your government isn't isn't that Google isn't cooperating with your government, right? And so, so I'm definitely looking forward to Zoom publishing transparency reports, because I would be very interested to know like, how much does Zoom cooperate with requests from the Indian government? We just don't know. But we do know with Google. And actually I should look that up. I'm not really sure. Alec Aldrin Loughra is asking how difficult is it to use end-to-end encryption in Zoom to allow end-to-end encryption, which is something that we discussed earlier, but yeah. Yeah. So at the moment, it doesn't support it. So this is like a, you know, this is how difficult would it be, will it be for Zoom to develop this feature? I think that Zoom is actually in a really good starting place to make end-to-end encryption like the way that the way that Zoom meetings currently work. They're in a good place to add end-to-end encryption onto how their system already works. But basically the way that Zoom meetings currently work is there is a type of server that's hosted in the Zoom cloud that's like a key management server. Every time you start a meeting, the key management server creates an encryption key and then sends a copy of that key to all the participants in the meeting. And then the whole meeting is encrypted with that key. And so for end-to-end encryption to work, you need to get rid of the key management server. Instead you need to make it so that like the meeting host generates the key and sends a copy of it to the rest of the participants in the meeting. And in order to do this well, I think it might be like, there's a lot of things that can go wrong, but they're hiring, they've been doing these webinars, weekly webinars about security and privacy updates that they're adding. And they say that they have like a bunch of PHT cryptographers working on this and they seem to be talking to a bunch of very competent people that know how to do this. So I definitely think that it's possible and it looks like it's in the works. Often, I think we've been through an excruciatingly long one hour at current stage. I've pretty much killed everybody's request to us about Zoom. I think thank you so much, Micah, for being on this call. There are actually a dozen other random questions that I did not ask you. And you thank me for that when you hear about this question. Yeah, I don't think we have any other questions from folks watching. Thank you so much again. Kiran, are you there? Yep, still here. And that's my kid discovering that the meeting is coming to an end. So everyone who's been watching, thank you for being here. I think this has been a great one hour. And thank you again, Micah and Vivek. So if you want to follow more on this, I should just go into haskeek.com and signing up. We do not send notifications on the website right now, but we will do that soon. Yeah, and signing up is a great way to ask for updates when these things happen. This video has also been on YouTube and Facebook and Twitter, although I think it's a bit late. So I don't know how many views we have had. I don't think it's been a great but we have recordings. So that means we will make sure people watch this stuff because I think this has been an incredible amount of knowledge that has come out of this hour and it deserves to be in more years. So everyone who's been here, thank you. I think we shall end this here. Goodbye and good night. Bye.