Zoom is bad and you should feel bad

Apparently all of you are diving headlong into the nightmare that is video conferencing, and "Zoom" seems to be the poison of choice these days, so you should know that it's terrible:

Violet Blue:

If, like an overwhelming number of people right now, you're having to use Zoom while working remotely, you should know that the app is a privacy nightmare -- which makes the company pretty evil to be doing invasions and overreach (nonconsensual data grabs) during a horrible pandemic. For example, last year EPIC made an official complaint to the FTC about Zoom's egregious privacy invasions. The problems with this company are not new. ... just read what [Proton Mail wrote about Zoom's privacy and security dumpster fire].

Zoom's privacy page states: "Whether you have Zoom account or not, we may collect Personal Data from or about you when you use or otherwise interact with our Products." This includes, but is not limited to, your physical address, phone number, your job title, credit and debit card information, your Facebook account, your IP address, your OS and device details, and more."

Further, the app allows your boss to spy on you far beyond what's okay in an office setting. From EFF: [...] "Admins have the ability to join any call at any time on their organization's instance of Zoom, without in-the-moment consent or warning for the attendees of the call."

Zoom iOS App Sends Data to Facebook Even if You Don't Have a Facebook Account:

"That's shocking. There is nothing in the privacy policy that addresses that," Pat Walshe, an activist from Privacy Matters who has analyzed Zoom's privacy policy.

The Zoom app notifies Facebook when the user opens the app, details on the user's device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user's device which companies can use to target a user with advertisements.


Update: Oh, it's even worse:

Zoom Meetings Aren't End-To-End Encrypted, Despite Misleading Marketing:

The meeting is secured with end-to-end encryption, at least according to Zoom's website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption. [...]

Without end-to-end encryption, Zoom has the technical ability to spy on private video meetings and could be compelled to hand over recordings of meetings to governments or law enforcement in response to legal requests. While other companies like Google, Facebook, and Microsoft publish transparency reports that describe exactly how many government requests for user data they receive from which countries and how many of those they comply with, Zoom does not publish a transparency report.


Update 2: Schneier has a roundup, where he says, among other things, "using ECB (electronic codebook) mode indicates that there is no one at the company who knows anything about cryptography."

Previously, previously, previously, previously, previously, previously, previously.

Tags: , , , ,

17 Responses:

  1. Patrick LeClair says:

    Thanks for this. Shared with my instructors. We are about to move instruction online, and I've been urging people to abandon the idea of live video classes in favor of pre-recorded lectures. Live chat later for discussion. Even without the horrible privacy issues you point out, live video raises too many questions about equity. How do I know if my students can afford a good enough connection, or which ones have nothing but a phone for access, and for that matter how many time zones away they are? It was a terrible idea to begin with.

    • Tha_14 says:

      It's just another stupid way to count attendance, from what I understand at least. I completely agree with you though.

  2. Anay says:

    Jami, Jitsi et al. Alternatives do exist.

    • Nick Lamb says:

      Our "virtual pub" was Jitsi yesterday after having been Zoom previously. It's a bit rough in places, and it really seems to prefer Chrome over Firefox but it does have the very obvious benefit that it isn't trying to get your PII and/or empty your wallet. Magic-wormhole style out-of-band key sharing drives everything, so you can tell people who understand what's going on "Gerbil Eventual Cheese Explosion" or you can just paste the URL into an existing Signal conversation or whatever and everybody with the same key ends up in the same meeting.

  3. Biff says:

    There are quite a few K-12 schools in my region that are using Zoom. I believe that not only have Zoom made a big push into education, but they've lifted the 40 minute meeting limit from free accounts for schools. The districts around here intend to use it for teacher/student check ins.

    • jwz says:

      No, it's not good news. A press release saying "we deeply regret getting caught, and we are very sorry that you were upset by what you learned" should never be tallied in the "good news" column.

      • Kyzer says:

        It's somewhat good news that they're addressing privacy concerns. Their press release could've been "whatchu gonna do about it?"

        I don't think they "got caught", that implies they were intentionally exfiltrating your data to Facebook until some meddling kids with mitmproxy and Wireshark foiled their wicked scheme.

        Rather, I think they're cowboys who don't care about privacy unless their customers do too. They give their developers zero incentive to think through security and privacy implications. They imported Facebook's hostile-by-default SDK until there was an outcry that might affect sales, and now they've isolated Facebook, which they could always have done in the first place but it would've been more effort and they didn't know they needed to give a shit until the public told them.

        • jwz says:

          Louder for those at the back:

          INTENT DOESN'T FUCKING MATTER, BEHAVIOR DOES.

          It's not "good news".

          • Carlos says:

            Especially because "intent" in these cases is just what the companies purport their motivations to be. i.e., it's just more fucking PR.

            jwz is right. Ignore intent; behaviour is all that matters.

  4. nooj says:

    Zoom also automatically transcribes all video, speaker by speaker. It's pretty good at it too.

    I'm sure that text is perfectly harmless and isn't being analyzed by anyone.

  5. Jonny says:

    So, uh, what do we use? Google's lifeless zombie Hangouts kinda-sorta works, but it is awful if you have more than three people, and I'm not sure using Google is a huge upgrade in terms of privacy.

    I feel like video chatting across the internet should have been solved problem a decade ago. I am kind of shocked to learn how garbage it all is by being forced to use it often.

    • Knut says:

      First thing to do is really consider not having a video chat and to use other (asynchronous) modes of communication.
      If you still end up wanting to do a video chat, after giving it a long thought, there are at least 2 options that seem usable at the moment:

      MS Teams and Jitsi.

      MS Teams is of course also collecting data, but for companies that already use the Microsoft stuff like Office 365, Skype, Outlook and so on, Teams will not change much for the worse. It's collecting the data to MS who already have it from the other apps.

      Jitsi on the other hand is a nice Free Open Source meeting platform, that is built for privacy. If there is a hackerspace you trust, you can probably use their instance. If you want to run your own, it is quite easy to set up compared with other current tools.

      • jwz says:

        This is a good thread on why video chat is really not what you want anyway, if you're trying to actually accomplish anything. You know how you can tell that a meeting should have been an email? If it was even possible to have it as a video chat.

      • Nick Lamb says:

        Doing this stuff securely is hard. Zoom is notable for responding by just not putting in any effort at all. Why work hard when you can just lie? And if at the time you're reading this Zoom isn't bankrupt and its executives aren't in jail then it worked.

        For example people are angry that Zoom does ECB because that's a schoolboy error, but to even get to that mistake they need to skip over the part where all the stream metadata is cleartext.

        Take audio. A Zoom meeting is SILK at 16kHz but usually SILK is VBR. So this means even if you had world-beating encryption just knowing the amount of SILK data over a period of time can fingerprint what was said. If you're looking for mentions of some key phrase like "Project Copenhagen" you can build a model that examines just metadata for audio streams and flags possible matches. This is exactly the sort of thing that makes the difference between "In theory a state actor could do this but why bother?" and "It's all data for the model, harvest everything".

        If you do a Signal voice call it's Opus CBR, so that means when you're silently listening to the other participant you are still chucking the same number of bytes per second over the link anyway - and so an eavesdropper can learn nothing except the duration of the call. But as well as inherently being more expensive for your users (useless data) this also makes the software more effort to implement, and Zoom didn't bother.

        A passive on-path observer (no co-operation with Zoom, no detectable manipulation of the network just maybe they have a router in Los Angeles or something) can definitely see how many participants are in the Zoom meeting, and when each of them is speaking. They can probably identify people whose video feed is largely non-changing, but they probably can't passively identify what's actually in the feed unless they're working from a short multiple choice list. All this before any "cryptography" comes into the picture at all.

        • tfb says:

          Why work hard when you can just lie?

          I want this on a t-shirt. Or even 'Zoom: why work hard when you can just lie?' I'd order one if it wasn't that I'd feel bad about the delivery people.

      • Jonny says:

        I'm using video chat to help keep my friends and family from going nuts in isolation. While I'm an introvert and find the situation almost pleasant if I ignore the mass death and economic ruination happening, not everyone was blessed with the psychology to sit around in isolation for weeks or months. Large group video chat is definitely what I want and need for the mental care of friends and family, and asynchronous communication is not going to cut it. If I can't get a bunch of randoms in with minimal technical setup, it just isn't going to work.

        I'll give Jitsi a poke, but it sounds like it is a technical level or two above what my friends and family are going to be able to tolerate. I'd like to be principled on the matter, but if its between cutting off folks who really can't be cut off, or using Zoom, warts and all, we are going to use Zoom.

        If all the options are bad, people are just going to take the least bad option that works... which I guess is Zoom?

  • Previously