Zoom monitors activity on your computer (twitter.com)
No wonder it's such a great little product.
A few other meeting apps have dark patterns like this. One of my favorite things about Hangouts Meet is that it's web-first.
Maybe it's like IRC vs all the other IM "solutions", except with an even larger difference in userbase.
Edit: looks like Zoom does use SIP too, but it's not that obvious how to use your own client: https://support.zoom.us/hc/en-us/articles/201207626-Video-La...
Recruiters sometimes ask me to turn my video on during interviews… I politely decline and move on to other opportunities.
Their app is so privacy invasive, I cannot understand why people keep using it, especially considering the 2018 vulnerability [2].
Feross Aboukhadijeh talks about Zoom security problems in Stanford’s CS253 Web Security course [3][4].
[1] https://zoom.us/zoomconference
[2] https://www.tenable.com/blog/tenable-research-advisory-zoom-...
Since you mentioned Google Meet, I recently tried that with a group of 6-7 people, and it only lasted about 10 minutes before multiple participants (myself included) started having issues. It seems like it needs more time to bake, but since we're talking about Google, it's probably unlikely to ever receive that time before they kill it and reinvent it a year later.
Interesting. Thank you!!
Encryption is also off by default? Why is this?
The Zoom App also collects screenshots and transcriptions of shared data. This is fine if you are Facebook or Google.
Also reading the EFF article on Zoom I feel like these are great usability features. The issue is if Zoom collects and stores the information.
"Hi, attention tracking feature is off by default - once enabled, hosts can tell if participants have the App open and active when the screen-sharing feature is in use. It does not track any aspects of your audio/video or other applications on your window."
Points to this article: https://support.zoom.us/hc/en-us/articles/115000538083-Atten...
Not exactly the gravity touted in the linked twitter thread, saying "If you manage the calls, you can monitor what programs users on the call are running as well". No proof of that...
Kinda scared by how much a single tweet can make something blow up, without a shred of evidence backing the claims up.
> If attendees of a meeting do not have the Zoom video window in focus during a call where the host is screen-sharing, after 30 seconds the host can see indicators next to each participant’s name indicating that the Zoom window is not active.
It doesn't seem too invasive, although of course it'd still be annoying if you have two monitors etc.
As far as I've been able to determine, there is no collection of "apps" or other data, just "not paying attention" time.
It seems like it trades a lot of privacy for something students will evade with no effort at all.
For example:
1. Zoom knows it’s not focused on Bob’s machine, and notifies Bob that someone has begun sharing their screen.
2. Zoom knows it’s not focused on Bob’s machine and notifies Sally of this.
Scenario 1 seems acceptable and helpful. Scenario 2 is invasive and unnecessary.
To have an open source alternative. Want videoconferencing on your own site? You can! See here for instance.
We have a harder challenge of making all the SDP offers work cross browser, but Chrome should def work.
Code: https://github.com/Qbix (If you like it, star it lol ⭐️)
Contact me if you want to learn how to use the Qbix platform. I will be teaching classes and put it online. We are following the WordPress model. My email is in https://qbix.com/about
Quick question for the networking experts here... with everyone connecting from home, what percentage are behind a LAN firewall that you need to use TURN servers? What if you avoided those servers and made peer to peer infra entirely, how many people would we lose?
(Is a complete graph of everyone sending to everyone worse than an SFU once you get too many users? Isn’t it exactly the same number of streams, just in a star topology? Can’t we just nominate a few of the browsers to do what the SFU does, namely forwarding video to the others? Is the issue only with resolution?)
About the same time this story broke I interviewed for a Paris-based AppSec company and their CTO asked me to install Zoom. It was really awkward because I had to ask: "Is this a trick question??"
Seriously, I wouldn't touch Zoom with a 20-foot stick!
[1] https://medium.com/bugbountywriteup/zoom-zero-day-4-million-...
> Whether you have Zoom account or not, we may collect Personal Data from or about you when you use or otherwise interact with our Products. We may gather the following categories of Personal Data about you:
> - Information commonly used to identify you, such as your name, user name, physical address, email address, phone numbers, and other similar identifiers
> - Information about your job, such as your title and employer
> - Credit/debit card or other payment information
> - Facebook profile information (when you use Facebook to log-in to our Products or to create an account for our Products)
> - General information about your product and service preferences
> - Information about your device, network, and internet connection, such as your IP address(es), MAC address, other device ID (UDID), device type, operating system type and version, and client version
> - Information about your usage of or other interaction with our Products (“Usage Information”)
> - Other information you upload, provide, or create while using the service ("Customer Content"), as further detailed in the “Customer Content” section below
[1] see news from ca July 2019
I certainly avoid mixing activities (I don't have access to a company computer at home, but I don't use the work computer or network for personal stuff).
After reading this, I've deleted it too. Super weird.
ETA: Checking the dpkg file listing shows that everything goes into /opt/zoom except a /usr/bin/zoom symlink to /opt/zoom/ZoomLauncher.
https://www.zdnet.com/article/zoom-defends-use-of-local-web-...
Still seeing loads of red flags in mainstream media. This is not a secure business tool.
Because right now, people have much more pressing matters and need to communicate.
1. When the call quality is less than 100%, it is difficult to attribute this blame to the other person, my equipment, my connection, or the service provider. A heartbeat signal could fix this.
2. When somebody else is presenting, I can't point on THEIR screen. I have to fumble through "higher, higher, too high, it's on the bar, do you see the bar?, yes, click on that one, you're right it doesn't really look like a pencil does it?"
The documentation is a bit lacking, but it's actually a very capable system for unifying voice, video and chat communications – and a whole lot more.
From home? Essentially 100%.
> that you need to use TURN servers?
That's less clear. I'm not sure how many home firewalls are impenetrable by STUN as well. I worked on Twilio's WebRTC-based audio product back in 2012-2014. In the beginning we only supported STUN. We did get some customer support requests about initial connection failures (which I mostly attributed to STUN failures), but never kept track of stats on what the success/fail ratio was. We eventually added TURN support (after I left that product team), but based on how long it took us to do that, my guess would be STUN was effective for most setups. Also consider that many (most?) of our users were probably behind restrictive corporate firewalls, and I'd expect home firewalls to be more lenient.
IIRC this is basically what Skype did back when it was P2P; those clients were called supernodes and would route calls for clients that could not be directly P2P. To be a supernode you needed to be internet-routable and have good bandwidth.
Supernodes could be used for hole punching or to relay calls (as you talk about).
See more here: https://en.wikipedia.org/wiki/Skype_protocol
[0] https://twitter.com/zoom_us/status/1241768006327336963
[1] https://www.schneier.com/blog/archives/2019/07/zoom_vulnerab...
> - General information about your product and service preferences
> - Information about your device, network, and internet connection ...
> - Information about your usage of or other interaction with our Products
> - Other information you upload, provide, or create while using the service
> Does Zoom sell Personal Data?
No part of that paragraph makes me feel better, and it ends with this...
"If you opt out of “sale” of your info, your Personal Data that may have been used for these activities will no longer be shared with third parties."
My problem with this isn't the info they collect, it's how they would collect it, which this privacy policy doesn't seem to clarify.
As it stands, this policy technically gives them the right to crawl through all my personal files or even listen using the microphone to search for and collect this information.
I'm not saying they are doing this, but the policy is not reassuring. I wish there was enforced legislation (so GDPR is excluded, as regulators don't give a fuck) to curb this. There should be a legal requirement describing exactly the information collected, how it is collected, transmitted, sorted and which third parties it is given to, if any.
Zoom isn't actively scraping your info, and there's 0 evidence of anything in the Tweet.
Translation: "Yeah, that's one of the parts where we really screw you, but you don't have a choice, lol."
There is an incentive to do so and they have taken measures to legally protect themselves if they do. That's grounds enough for alarm, even without evidence of them actually doing it.
That being said, I don't see anything surprising on the list.
> such as your name, user name, physical address, email address, phone numbers, and other similar identifiers
That sounds like billing information
https://support.zoom.us/hc/en-us/articles/115000538083-Atten...
Seriously, you've given this information to any service you've ever signed up for and / or ran.
This has been my only experience with Meet, but first impressions do tend to carry a certain weight. It's entirely possible this was an unfortunate coincidence, and that the service is typically as reliable as other solutions. My limited personal experience with Meet, and previously with Hangouts, does not support this however.
Worrying about Zoom here (and I'm not sure the tweet is accurate) seems to ignore all context of the product and business.
That privacy policy is a clear indication that Zoom is only concerned about protecting themselves at all costs. They may not be acting maliciously, but they clearly aren't dedicated to acting ethically either.
I'm not saying it's an emergency, but a privacy policy like that should at least set off some warning flags for a privacy-conscious user.
> They make their money from subscriptions. Your personal data is rather useless to them...
I don't care if the data is valuable to them as long as it's valuable to someone.
> ...and now a liability under data regulations.
The liability is worth it if the price is right.
"as long as it's valuable to someone"
This is so vague as to be meaningless. What about your browser, ISP, OS, phone, and the million other services that you use? Context matters.
"The liability is worth it if the price is right."
Are you claiming that a company selling enterprise video tech for 100s of millions and operating under all the latest data regulations is somehow trying to squeeze out a few pennies by selling some worthless data while risking massive lawsuits?
We tried to do a standup with (I think) 8 people and it was terrible - people would randomly not get any audio for stretches of time, video would get choppy or lost completely, it was not pleasant.
I will keep using it for pairing since I haven't found another tool that gives me that kind of flexibility and it was in fact very good. I believe the whole experience is limited by the connection quality of the worst participant.
It has terrible Firefox support but works decently if all participants are using Chromium / Chrome[0]. Asking other people to install Chromium makes me feel dirty but I don't know any other login-free cross-platform open source easy-to-use video conferencing apps than Jitsi Meet.
It does tell you that Firefox is not supported when you log in though, so I'd have expected people to say something but hey ho...
The churn between companies like Google and Microsoft (each offering, and deprecating multiple solutions) doesn't help.
Jitsi Meet (browser client) uses WebRTC, and is really nice!
Slack has chat history that makes it difficult to switch. What does Zoom have?
Many large companies have lots of extremely valuable non-technical users who can just barely figure out how to follow step-by-step instructions to setup calls with even the most point-and-click interface. The switching cost there is extremely high.
https://www.sec.gov/Archives/edgar/data/1585521/000119312519...
The top of page 21 in the first set of SEC documents:
Quote: "Many governments have enacted laws requiring companies to provide notice of data security incidents involving certain types of personal data. In addition, some of our customers require us to notify them of data security breaches. Security compromises experienced by our competitors, by our customers or by us may lead to public disclosures, which may lead to widespread negative publicity. In addition, we have a high concentration of research and development personnel in China, which could expose us to market scrutiny regarding the integrity of our solution or data security features. Any security compromise in our industry, whether actual or perceived, could harm our reputation, erode confidence in the effectiveness of our security measures, negatively affect our ability to attract new customers and hosts, cause existing customers to elect not to renew their subscriptions or subject us to third-party lawsuits, regulatory fines or other action or liability, which could harm our business."
Point is: "just boilerplate" is just rationalization. An honest person would never present it as comforting and a knowledgeable person would never find it comforting. Of course, the world is full of dishonest people, so it gets used all the time. Hence "lawyerspeak."
It's standard policy to cover any potential personal data that they might receive. What is your concern exactly? That they shouldn't spell it out? That would be illegal under current data regulations.
How is it supposed to work at all without your IP address?
Zoom is unencrypted by default? So you have to physically turn encryption on. Also, it is very unclear if your data is encrypted at rest. "End to end encryption" does not necessarily mean "end-to-end encryption", as has been shown many times before.
> It covers all Personal Data that you affirmatively provide during your interactions with us, information that we automatically collect when you interact with our Products, and information that we collect about you from third parties
> Whether you have Zoom account or not, we may collect Personal Data from or about you when you use or otherwise interact with our Products.
It's not unreasonable. I'm not sure what your claim is here, because you'll find this language in every single online business. You realize Zoom sells enterprise video conferencing right? They have no use for your data otherwise.
> information that we collect about you from third parties
Then they are missing a lot.
> They also don't store your files.
Nobody can prove that. Assume the worst, especially with a company like Zoom.
Remember it was about:
> They have to name every possible thing they can potentially receive
And files certainly fall into that.
Otherwise every server on the internet can be sent data by you at anytime which effectively makes listing things pointless.
That's the point.
Any random file is not considered PII. It doesn't automatically identify you and it's still your responsibility if you send your private files everywhere.