CEO DailyCFO DailyBroadsheetData SheetTerm Sheet

Which video chat app is best for security?

April 29, 2020, 3:01 PM UTC

This is the web version of Data Sheet, Fortune’s daily newsletter on the top tech news. To get it delivered daily to your in-box, sign up here.

Virtual conferencing software—most notably Zoom, despite many recently uncovered vulnerabilities—is surging, as this newsletter has noted often.

The U.S. government considers the remote-working trend to be a matter of national security. The National Security Agency recently released an assessment of 13 of the most popular commercial video chatting tools. In a statement accompanying the report, it said, “By following the practical guidelines, users can draw down their risk exposure and become harder targets for malicious threat actors.”

The NSA’s highest marks went to Facebook’s WhatsApp, Signal (whose code WhatsApp uses), and rival chat app Wickr. Some of the grading criteria: Does the service use end-to-end encryption, which blocks eavesdroppers and snoops? Does it have multi-factor authentication, an option that securely locks down user accounts? Is the technology based on publicly inspectable, open-source code, which is considered more secure than inscrutable proprietary software?

Every other service has at least one deficiency, in the eyes of the NSA. Google G Suite and Microsoft Teams lack end-to-end encryption and do not use open source code. Cisco Webex, Zoom, Slack, and Skype for Business have suboptimal data deletion policies. GoToMeeting has no multi-factor authentication option. SMS texting fails on pretty much all fronts.

The report isn’t comprehensive. The NSA makes no attempt to rate code bugginess, nor the prevalence of exploitable vulnerabilities; any discussion of Zoom “zero-days” or Microsoft Teams GIF attacks are out of scope. Facebook’s innumerable privacy breaches garner no mention.

John Scott-Railton, a security researcher, griped in a tweet that the report took Zoom’s claims of implementing end-to-end encryption at face value, despite his research indicating otherwise. And perhaps most strangely, the report entirely omits a review of Apple’s FaceTime, a service frequently praised by security experts.

In their breakneck quests to attract large followings, tech companies often disregard safety measures and proper audits, a decision that juices growth but ultimately hurts users in incalculable ways. As Jeffrey Vagle, an assistant professor of law at the Georgia State University College of Law, notes in a perspicacious piece for the security blog Just Security, businesses all too often fall prey to bad incentives, optimizing for growth rather than security.

A moral hazard, as economists call it.

***

Tune in

If you enjoyed last week’s live Data Sheet conversation, I’ve got good news to share. Today, Adam Lashinsky, Fortune’s executive editor and usual Data Sheeter, will be chatting over Zoom with longtime tech analyst Gene Munster about how he sees the investing environment playing out.

The call is live on Wednesday, April 29, at 10:00 Pacific/1:00 Eastern. They’ll take your questions via chat. (This call will be audio only: You have permission to multi-task.) 

Register here for free. Or, watch the live stream without registration here.

Robert Hackett

Twitter: @rhhackett

Email: robert.hackett@fortune.com

THREATS

Contact lenses. Apple's and Google's "contact tracing" app project—now called "exposure notification"—started as a small endeavor, codenamed "Bubble," spearheaded by a handful of employees at Apple, CNBC's Christina Farr reports. After less than a month of development, the tech is due out on Friday. Meanwhile, the United Kingdom has broken with growing international consensus and plans to run its own version of a contact tracing app on centralized British servers, versus the decentralized phone-to-phone approach preferred by tech companies in America.

Robots wanted. Facebook has reorganized some of its security teams, the New York Times reports. The company is doubling down on investments in automated threat detection, displacing more than two dozen employees in the process. Meanwhile, higher up in the organization, CEO and founder Mark Zuckerberg is consolidating power. Five members of Facebook's nine-person board—many of whom butted heads with Zuckerberg over regulatory issues—either have been or are in the process of being replaced, notes the Wall Street Journal.

Singing the blues. An employee of the controversial surveillance tech firm NSO Group, now being sued by Facebook's WhatsApp over hacking allegations, once abused the company's phone-hacking tools to target a love interest, Vice Motherboard reports. The company allegedly fired the employee shortly over the breach. Speaking of reprehensible things, Damien Patton, the CEO of Banjo, a Softbank-backed data-mining startup, admitted to being a neo-Nazi skinhead in his youth, OneZero reports. (Patton says he is making amends "for this shameful period in my life.")

Hammers see only nails. Phone-hacker Cellebrite, whose tech allegedly helped the FBI get into that San Bernardino terrorist's iPhone in 2016, is pitching itself as a way for governments and law enforcement to fight the spread of COVID-19. The company said in a sales email that it can siphon data off locked phones to obtain contacts and location data that police can use to "quarantine the right people," Reuters reports.

This guy should have worn Groucho glasses.

ACCESS GRANTED

Software is eating the world—including the justice system. Parolees around the country are being asked to download a smartphone app, Guardian, that's designed to track their whereabouts. Gizmodo interviewed recently incarcerated people under Guardian's surveillance, plus security experts, and found the app to be buggy, insecure, and thwarting people's reintegration into society. Here's one troubling testimonial:

“I’d wake up crying,” she says. Sometimes, when she tried to authenticate her location or check in the app would tell her it didn’t recognize her voice. “I’d feel so tired, and I thought if I didn’t answer, I was going to go back to prison.” Soon, she says, she was “begging my parole officer to put an ankle monitor on me.”

FORTUNE RECON

Tesla earnings: 4 things to watch for on Wednesday by David Z. Morris

To reopen the economy, there are 5 guidelines we need to follow by W. Bowman Cutter, Joseph E. Kasputys, Joseph J. Minarik, and Lori Esposito Murray

How A.I. may make sense of 50,000 coronavirus research papers by Jonathan Vanian

The venture capitalist at the center of the coronavirus fight by Lucinda Shen

Alphabet’s and Facebook’s upcoming earnings are expected to be bad. The question is how bad? by Danielle Abril

ONE MORE THING

Perspective is everything. Photographers for a Danish TV station, TV2, snapped deceptive pictures of Copenhageners from different angles using two types of camera lenses. Depending on the shot, the subjects either appear as though they're practicing social distancing, or smooshed together, as though flagrantly defying orders to stay apart.

You don't need a deepfake A.I. techniques to fool people with images. Says Ólafur Steinar Gestsson, one of the lensmen, "When we read a text, we have learned to be critical of the sender and the content. We should feel the same way with pictures."