Zoom at your own risk
March 31, 2020 3:39 PM   Subscribe

As the videoconferencing platform’s popularity has surged, Zoom has scrambled to address a series of data privacy and security problems: New York Attorney General Looks Into Zoom’s Privacy Practices (New York Times). FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic (FBI). Zoom is Leaking Peoples' Email Addresses and Photos to Strangers (Vice). Zoom Meetings Aren’t End-To-End Encrypted, Despite Misleading Marketing (The Intercept)

Zoom Removes Code That Sends Data to Facebook (Vice): The change comes after Motherboard found the Zoom iOS app was sending analytics information to Facebook when users opened the app.

Zoom Can Track Who's Not Paying Attention In Your Video Call. Here's How. (Huffington Post): The remote conferencing service, which has lots of new users while people isolate during the coronavirus pandemic, has an "attendee attention tracking" feature.

Apple has pushed a silent Mac update to remove hidden Zoom web server (TechCrunch) (2019): Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.

Regarding Zoom (Daring Fireball):
This Facebook data issue is nowhere near as bad as the web server issue. But it betrays Zoom’s institutionally cavalier attitude to privacy. Their privacy policy more or less grants them carte blanche to do whatever the hell they want.

Mistakes happen. Bugs happen. I not only forgive mistakes, I enjoy forgiving mistakes. But Zoom’s callous disregard for privacy does not seem to be a mistake. As Zoom itself said about the hidden web server they secretly installed on Macs, it’s a feature not a bug.

Alas, Zoom’s video conferencing technology is best of breed, and because Zoom is easy to use and the quality is so high, it is exploding in popularity now that the whole world is working and socializing remotely. All of the following can be — and I believe are — true: Zoom is popular, useful, and by their own admission not trustworthy.

If you must use Zoom or simply want to use it, I highly recommend using it on your iPad and iPhone only. The iOS version is sandboxed and reviewed by the App Store. The Mac version of Zoom is not available through the App Store, which makes me trust it not a bit. [...] Zoom also has a web version, with fewer features than the desktop app. If you need to use Zoom from your Mac, try that — using a private browser window — before you download and install their app.
Maybe we shouldn’t use Zoom after all (TechCrunch)
posted by not_the_water (85 comments total) 51 users marked this as a favorite
 
I had somehow blanked out the ol' "Zoom put a hidden webserver on your computer that is always listening for special commands" trick. I have no idea how—that was incredibly bad.

That being said, Zoom has things that larger offerings lacked. The ability so see everyone on the team and not just a subset of them is vital in meetings larger than 4-5 people. On the other hand, the whole anybody can take over presenting at any time and just broadcast anything "feature" is broken by default and should never have been coded.
posted by fifteen schnitzengruben is my limit at 3:48 PM on March 31 [6 favorites]




It is not helpful to have a bunch of real complaints and then make one more up to add to the pile, because it calls into question the rest.

The scaremongering around how Zoom is not "end to end encrypted" is very dumb, and intentionally phrased in a way that makes users think much worse than what is actually going on. It could just as accurately be stated, "Zoom is only as secured as your connection to your bank account."

Does the technical difference matter to some people? Yes. Is this an honest way to headline it? Not remotely.
posted by tocts at 3:50 PM on March 31 [14 favorites]


"Zoom is only as secured as your connection to your bank account."

I suspect this matters for stuff like HIPAA compliance where it actually matters a lot. Good news for Zoom, the rules for telemedicine have temporarily been suspended.
posted by GuyZero at 3:56 PM on March 31 [19 favorites]


Does the technical difference matter to some people? Yes. Is this an honest way to headline it? Not remotely.

It's an honest way to headline if you're actually adhering to the term "end-to-end" encryption. Sorry that consumers are so ill informed that they don't know the difference. Maybe that's why we need laws against, I don't know, misleading advertising that conflates two different types of encryption, neither of which the general public understands, in an attempt to gain market share, while that advertisement is fraud and false advertising.

But sure, outright lying and using false terms, fuck it, its fine, because consumers are too stupid to know the difference. Who the fuck needs the consumer protection?

I matters to SOME PEOPLE because it's literally fucking false advertising used during a crisis to gain market share.
posted by deadaluspark at 3:57 PM on March 31 [36 favorites]


> The scaremongering around how Zoom is not "end to end encrypted" is very dumb, and intentionally phrased in a way that makes users think much worse than what is actually going on.

I don't think it would be brought up except, per the FPP, Zoom claims to use end-to-end encryption even though they don't. That's straight-up fraud.
posted by ardgedee at 3:58 PM on March 31 [36 favorites]


Yeah I'm really annoyed at the Intercept's editorial decisions lately. Grains of salt with Vox and the NYT too, I suppose, but I know where their agendas are.

Thanks for posting this tho. As much as I dislike Cisco, they've been around long enough to actually try to address some of this, and WebEx is in some ways a better product than Zoom - I have to assume partially because their legal team actually has some serious legacy experience.

I'd be curious to see how privacy concerns break down across the legacy programs like WebEx and AdobeConnect vs. upstart Zoom.
posted by aspersioncast at 3:59 PM on March 31 [1 favorite]


Zoom internally claims to have the ability to be HIPAA compliant, FWIW - that's one thing I assume they did actually pass by legal.
posted by aspersioncast at 4:00 PM on March 31 [1 favorite]


I just assumed Zoom was recording everything I said and did onto a foreign server since its a massively expensive service being provided free to the whole world. I don't use it for anything serious and people sure as fuck shouldn't be using it in a HIPAA setting.
posted by fshgrl at 4:10 PM on March 31 [11 favorites]


My company switched from WebEx to Zoom a few months ago, and from the beginning I've wished we could switch back. I wasn't impressed with Zoom before, and now I'm even less impressed.
posted by Greg_Ace at 4:21 PM on March 31 [1 favorite]


So: what are the other options? Everyone is using Zoom right now. Is this a case of "know what you're getting into", or are there other reasonable choices in the free-to-low-cost quarantine consumer space?
posted by curious nu at 4:27 PM on March 31 [3 favorites]


"Zoom [is] a massively expensive service being provided free to the whole world."

Not exactly. People pay for licenses, which are not cheap.
posted by doctornemo at 4:29 PM on March 31 [2 favorites]


"what are the other options? Everyone is using Zoom right now."

I work in education. Zoom's popular, but others are in play:
-Blackboard Collaborate
-Adobe Connect
-Shindig
-Google Hangout
-Big Blue Button
-Bluejeans
posted by doctornemo at 4:30 PM on March 31 [5 favorites]


Skype for Business has been creaking hard for the last few weeks. Teams is supposed to be Skype’s successor anyway. The last time I checked the Teams/Outlook meeting integration was janky, but maybe the meeting client is better.

All I wanna do is zoom a zoom zoom zoom and a boom boom...
posted by Huffy Puffy at 4:36 PM on March 31 [3 favorites]


other options: Jitsi Meet which is open-source, free, and you can even self-host.
posted by namewithoutwords at 4:37 PM on March 31 [15 favorites]


I suspect this matters for stuff like HIPAA compliance where it actually matters a lot.

Or FERPA, for those among us who are using it to teach. (Admittedly, I'm only using it for optional office hours, but still.)

I have only seen Zoom in use, but my university bought a campus-wide license and is heavily encouraging us to pick it up, so Zoom it apparently is.
posted by sciatrix at 4:38 PM on March 31 [1 favorite]


We've been using zoom at our fully distributed company for about three years now and it really does work for us. We use it for interviews, for standups, for weekly all-hands with ~100 folks, and everything in-between. It has basically never failed us, you click the link, the meeting happens. It is essential infrastructure that I am not sure how to replace.

Here's how I feel about all of this:

* The end-to-end thing that dropped today makes me really mad. Every single call has a little padlock that says "end-to-end encrypted" and that is not what that means. They could easily have just said "encrypted" or whatever else your browser says when you are connected to your bank, but instead they told us that it was encrypted so that they couldn't read it. Reading about it today I believe the only videoconference option that is e2e encrypted is FaceTime, and apparently Webex can be configured to be e2e but isn't by default.

* A lot of the other stuff makes sense to me as the kind of slightly-skeevy 'growth hacking' stuff that I am totally unsurprised is not surviving public scrutiny now that they have broken out into the mainstream. And they are doing a good job of ripping it out as they become stories, which is about what I expect from our journalism-capitalism system when it comes to big companies. The whole "you can just suddenly have your video camera on by clicking a link" and the secret browser intercepting links thing (which other companies were doing too) all fit into that model for me.

People seem to like Jitsi Meet, maybe we could try that out, but man it's hard to consider when Zoom has been so reliable for us for so long. Jitsi offers the ability to self host, but actually, so does zoom if you have enough seats. So maybe I'll look into that option, then zoom won't be able to see our calls anymore.
posted by macrael at 4:44 PM on March 31 [4 favorites]


My company is using Skype but about to move to Teams. Don't know if that's better. So far have only used Zoom for non-business stuff (kid's school, church).
posted by emjaybee at 4:45 PM on March 31


We mostly use Zoom on campus. Ease of use in the current scenario trumps any other concerns but it also scales extremely well to hundreds of users. I operate under the assumption that any zoom session is as private as any other class, that is not at all. For personal stuff, we use FaceTime or Skype mostly, but Zoom is pretty good for Saturday night pub nights.
posted by sfred at 4:50 PM on March 31


I suspect this matters for stuff like HIPAA compliance where it actually matters a lot.

I've worked in healthcare software development of HIPAA compliant systems for 15+ years. What the average layperson assumes it requires is about as accurate as what the average layperson assumes a "fair use" defense means, which is to say generally not remotely accurate. Unsecured and unecrypted faxing over standard phone lines is HIPPA compliant. End-to-end encryption is not a requirement of HIPPA (though, and I'm not your lawyer here), you probably need a BAA with anyone involved that's handling the PHI/PII in a form that could be accessed).

But sure, outright lying and using false terms, fuck it, its fine

Jesus christ, this shit. Look, it can be both true that Zoom's advertising is fraudulent and also that The Intercept is a fucking clickbait factory trying to make things sound much worse than they actually are.
posted by tocts at 4:53 PM on March 31 [16 favorites]


We have a separate instance of Zoom we have to log into for HIPAA compliance. The university's page about the differences is here if you want to see what they say about it.
posted by hades at 4:56 PM on March 31 [1 favorite]


Zoom and TikTok should totally merge.
posted by Burhanistan at 4:59 PM on March 31 [1 favorite]


When I worked for a design agency, we used a lot of client conferencing software. Skype was by far the worst, GoToMeeting was... meh, and Zoom "won" because it was the one we didn't actively hate.

My current company uses Google Hangouts and it's mostly fine except for the "you can only see a handful of people on the call at a time" feature. But it also has hardware in the conference rooms that makes presenting pretty easy.

Slack also has the ability to do video conferencing, but I haven't used it in a larger group.
posted by fifteen schnitzengruben is my limit at 4:59 PM on March 31 [1 favorite]


Oh wait there's more!

@c1truz_ : Ever wondered how the Zoom macOS installer does it’s job without you ever clicking install?

Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed)...This is not strictly malicious but very shady and definitely leaves a bitter aftertaste. The application is installed without the user giving his final consent and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware.
posted by JoeZydeco at 5:04 PM on March 31 [17 favorites]


Jesus christ, this shit. Look, it can be both true that Zoom's advertising is fraudulent and also that The Intercept is a fucking clickbait factory trying to make things sound much worse than they actually are.

I seriously don't understand your perspective. The Intercept article was very measured and explained clearly the distinction between end-to-end encryption and what Zoom actually provides.
posted by value of information at 5:08 PM on March 31 [14 favorites]


I don't think anyone is dismissing the Intercept qua the periodical, although I definitely question their editorial decisions lately, as stated. We're (I am, at least) questioning this particular article as irresponsible journalism. The article is overall unconvincing, because big chunks of it are speculative hot takes. It is full of weasel words and rhetoric and whataboutism and half-assed hints.

There are absolutely real, valid critiques of Zoom, tons of them, and there is no reason whatsoever to trust this company. We shouldn't. But that Intercept article frankly offers a pretty poor explanation of why. I would very much appreciate a better explanation, because I'd really like something to send to people I think should be concerned about this.
posted by aspersioncast at 5:30 PM on March 31 [2 favorites]


We're (I am, at least) questioning this particular article as irresponsible journalism. The article is overall unconvincing, because big chunks of it are speculative hot takes. It is full of weasel words and rhetoric and whataboutism and half-assed hints.

But that Intercept article frankly offers a pretty poor explanation of why. I would very much appreciate a better explanation, because I'd really like something to send to people I think should be concerned about this.


What important parts of the explanation do you think are missing or speculative? I thought it did a good job communicating the following points:

- Zoom markets their video call encryption as end-to-end encryption. However, they admit that it is not end-to-end encryption when asked.
- The meaning of this is that the operators of the Zoom servers have access to your video and audio, although nobody else in between should have access.
- It would be technically possible to build a videoconferencing system without this property, but harder, which is probably why they didn't do it.
- Zoom text chat, on the other hand, credibly might be end-to-end encrypted.
- The primary consequence of this is that even if you trust Zoom, your video and audio is subject to interception by governments forcing Zoom to hand it over, and Zoom is not very forthcoming about their process related to this. Historically, governments do this a lot on other services.
- Zoom, for their part, says it isn't interested in selling your data and has some unspecified ways to try to prevent their employees from accessing it without cause.

Those seem like more or less what I would want to communicate to someone who wondered how secure their Zoom calls were.
posted by value of information at 5:42 PM on March 31 [18 favorites]


Oh, surely Zoom must be supremely secure! After all, the UK government is having cabinet meetings on it. holy fuck not a joke
posted by phooky at 6:01 PM on March 31 [11 favorites]


Man, Houseparty is being pitched hard in the media including the Guardian but check out this:
Information Submitted Via Services. You agree that Life on Air is free to use the content of any communications submitted by you via the Services, including any ideas, inventions, concepts, techniques, or know-how disclosed therein, for any purpose including developing, manufacturing, and/or marketing goods or Services. We will not release your name or otherwise publicize the fact that you submitted materials or other information to us unless: (a) you grant us permission to do so; (b) we first send notice to you that the materials or other information you submit to a particular part of a Service will be published or otherwise used with your name on it; or (c) we are required to do so by law.
Your privacy is the new gold. I do wonder if corporations are wondering about their conference calls being intercepted or mined by the vendor for their own insider trading.
posted by jadepearl at 6:10 PM on March 31 [8 favorites]


I do wonder if corporations are wondering about their conference calls being intercepted or mined by the vendor for their own insider trading.

At my place of business, using Zoom for anything work related would be what we call a "career limiting event". Might as well be screaming about the secret shit we're working on while getting coffee at the local Starbucks. Well, back when we could go into the local Starbucks, sniff

But no seriously, I would expect to get fired.
posted by sideshow at 7:13 PM on March 31 [9 favorites]


I am trying to set up a webinar style group meeting (presenters do all the talking but participants can chat questions) for a few dozen to a few hundred participants. Do I have any option besides zoom?
posted by latkes at 7:15 PM on March 31


My current company uses Google Hangouts and it's mostly fine except for the "you can only see a handful of people on the call at a time" feature. But it also has hardware in the conference rooms that makes presenting pretty easy.

Today my company's security team announced they'd approved the Google Meet Grid View browser plugin which is incredibly handy for getting that zoom-like view of the whole group.

I do wonder if corporations are wondering about their conference calls being intercepted or mined by the vendor for their own insider trading.

Oh absolutely yes, at least the smart ones. It makes me glad I'm not part of the aforementioned security team for my employer.
posted by traveler_ at 7:17 PM on March 31 [3 favorites]



I am trying to set up a webinar style group meeting (presenters do all the talking but participants can chat questions) for a few dozen to a few hundred participants. Do I have any option besides zoom?


Is the video part important? If not, Discord might work well -- IIRC it handles hundreds of people in voice chat without any particular difficulty, and its text chat is fine. If you dislike running random crap provided by companies with mysterious business models, Mumble is the best free software voice chat that you can host yourself. It's quite possible that running it yourself on an AWS instance for a few hundred people would be feasible without breaking the bank.

If the video part is important, I'm not sure what to recommend. (Discord can do a kind of screen sharing, so that might work.)
posted by value of information at 7:22 PM on March 31 [1 favorite]


Department of ed here just emailed school Prins to say NOT to use zoom.
posted by freethefeet at 7:23 PM on March 31 [2 favorites]


(I know this is a minor derail but probably of interest to others who are pissed at zoom right now...) Would participants have to download an app to use discord? (googling now....)
posted by latkes at 7:23 PM on March 31


Would participants have to download an app to use discord?

No, they would have to create a Discord account but the website and app work identically.
posted by value of information at 7:24 PM on March 31


Latkes, WebEx is pretty much the standard for running webinars. It isn't as slick as Zoom but it is rock solid and has all of the power of Cisco behind it.

FWIW, in my professional life, if a vendor or other organization wanted to use Discord to setup a video conference or training session I would consider that a strike against them. It is a decent enough tool for what it is, but it is steeped in video game culture and lacking a lot of features that a professional trainer or presenter is going to want. It definitely isn't part of the image I would want to project. Maaayyyybbbe for something informal, but even then I wouldn't want to use it for presenting since it just doesn't really have anything in that feature set beyond the ability to stream video from the presenter and have voice/text chat. Just one example: there is no way to manage an invitee list nor handle rsvps and meeting reminders.
posted by forbiddencabinet at 7:51 PM on March 31 [3 favorites]


Riot.IM has similar features to Discord, allows for self-hosting, is open source, and offers E2E encryption in the application itself (video/audio support started as a widget coded by the people behind Jitsi Meet). Just note, I think it supports E2E for video/voice group chat, but it might be limited to one-on-one voice/video like Jitsi Meet is for E2E. (In other words, yes, E2E for video/audio is really hard and often results in terrible quality.)

Just throwing it out there since Discord isn't exactly any better when it comes to E2E. Basically any service that doesn't offer full end-to-end encryption could be reading your chats. Does that mean they will? No, but they have the option, if they decide to be scummy.

I don't see how this is such a new, surprising idea. I had a friend working in GIS and was at a company that was trying to map ocean floors 10 years ago, and they explicitly were disallowed to use Google products because Google was king in terms of maps, and the CEO didn't want Google to see what they were working on and then start working on something similar. This, once again, was 10 years ago.

"Might as well be screaming about the secret shit we're working on while getting coffee at the local Starbucks."

This, a million times. If you are not using end-to-end, you are putting your faith entirely in the trustworthiness of the third party which you are using. This is especially concerning if you are working in a competing industry and are using your "competitor" to even get started, because you have opened yourself up to corporate espionage.

Requirements (IMHO):

Open Source (client and server)
Audited E2E
Cross-platform (like really cross-platform, Windows, Linux, macOS, iOS, Android, web)
No Venture Capital Funding

The options used to be Riot.IM and Wire, but then Wire got bought by some suspect companies, and now whether or not the new owners will be looking to find ways to monetize people's data seems up in the air.

If it makes people feel any better, more recently the French government chose Riot.IM/Matrix.org as the code-base for their own secure messaging service.
posted by deadaluspark at 7:54 PM on March 31 [8 favorites]


The whole internet loves Zoom, a lovely app that facilitates videoconferencing! *5 seconds later* We regret to inform you Zoom is malware.
posted by tonycpsu at 8:39 PM on March 31 [27 favorites]


We use join.me, which has more focus on screen sharing than video conferencing.

Some partners insist on webex and I find it very clunky. I have a crappy pc microphone so I like to use my phone to call in and somehow muting my pc microphone also mutes my phone. Whereas others find that they can talk both thru their pc and their phone, which causes insane feedback. Spent 15 min of a one hour call today working through these things....

Anyway we don’t have these issues in join.me and I don’t want to videocon anyway....
posted by Tandem Affinity at 9:18 PM on March 31


> It could just as accurately be stated, "Zoom is only as secured as your connection to your bank account."

No, it isn't. When you connect to your bank via TLS, the connection is end-to-end encrypted. The two ends of the connection are you and the bank. Your data passes through various third parties (your ISP, your bank's ISP, various backbone providers), but it is impossible for those third parties to eavesdrop on the data, even if they are malicious or suborned by governments or infiltrated by organized crime. End-to-end encryption is what makes it impossible.

When you call me on Zoom, the two ends of the connection are your computer and my computer. The data passes through various third parties, including Zoom. If the connection were encrypted end-to-end, then it would be impossible for Zoom to eavesdrop on our conversation. But it is not, and Zoom can listen in on your conversation. They could promise not to, but there's no encryption stopping them. It could be done by a rogue employee, or in response to a government subpoena, or just to gather data to sell to ad-tech companies.

This is the fundamental point of end-to-end encryption. It's not some minor nit-picking.
posted by mbrubeck at 9:19 PM on March 31 [41 favorites]


My institution - and many similar ones around Australia - use Zoom. It is the only platform recommended and supported. It's integrated in our email (Exchange/Outlook), our LMS (Canvas), and the infrastructure is provided and supported by AARNET. Now, I could spend a shedload of time configuring Riot.im or Discord or whatever on my own hardware and try to coach my students to use it effectively in addition to pivoting all the content that was previously delivered in-person via practical workshops to online remote learning, and then I could get fired for bypassing university systems.

Your one-size fits all solution is not mine, and many of us are not the decision makers in our organizations. We are trying to work around the limitations as best we can.
posted by prismatic7 at 9:52 PM on March 31 [3 favorites]


Welp, there's another thing at work that has massive problems and yet I have to use it anyway.
*shrug*
Same old, same old, I guess.
posted by jenfullmoon at 10:10 PM on March 31 [9 favorites]


Your one-size fits all solution is not mine, and many of us are not the decision makers in our organizations. We are trying to work around the limitations as best we can.

I don't think anyone here is trying to sell something as a one-size-fits-all solution. Some of us have been researching this sort of thing literally for years because its of interest to us, not because of a pandemic that suddenly made Work From Home the Default. I think most of us realize that if you are part of a large organization, you probably have very little control over what you get to use. Lots of talk about Webex in here, and for good reason, it's backed by Cisco, no shit it's the default choice for a lot of folks. I'm not talking about Webex because that's not where my knowledge lies, but I'm happy others are.

There have been great suggestions by all throughout the thread, and I hope that they can help the people who find them useful. Obviously not everybody is looking at the same use-case scenario, so I don't see why it's bad for everyone to toss in their two cents about what works for them and why.

Everyone should use what works for their scenario, and for most people, that's going to be sucking it up and using something you don't want to and have no control over so you can keep and do your job effectively. Sorry I didn't make that explicitly clear in my suggestions before.
posted by deadaluspark at 10:10 PM on March 31 [3 favorites]


Zoom, for their part, says it isn't interested in selling your data

While even if that is true today the evil bit can be toggled at any time and if those are their actual words it's pretty telling that they say they aren't interested in SELLING your data. I'd be worried they are storing some or all of the data for internal purposes. At a minimum connection data (who connected to who, when the conference started and when it stopped) is likely to be stored, possibly aggregated, just so they can manage servers.
posted by Mitheral at 10:27 PM on March 31 [4 favorites]


Meanwhile, Boris Johnson tweets a screenshot of the UK cabinet Zoom meeting, including its meeting ID (but not password unfortunately).
posted by qxntpqbbbqxl at 10:47 PM on March 31 [6 favorites]


This is the fundamental point of end-to-end encryption. It's not some minor nit-picking.

Well what I think this misses is that it gives the impression that E2E is the norm, and that Zoom is negligent for not using it, when in fact E2E is the exception, and that almost all of the other communications tools people use are not E2E. The false advertising is bad, of course.
posted by Pyry at 11:29 PM on March 31 [2 favorites]


I've run a few sessions through Jitsi Meet on the public servers, so here's my advice:
  1. Keep to the best-supported clients only. This means no Safari users, and sadly also no Firefox users for the time being. Keep it to the iOS or Android apps, plus Chrome/Chromium for desktop users.
  2. Make good use of the "mute everyone else" feature to chair a meeting. Have the chair select who has the floor, and accept comments and questions through chat or hand-raising.
  3. For large numbers (such as a class of 40 people) it's good for people to switch off cameras as well as mics while someone is speaking. Jitsi don't have fat stacks of Facebook cash to spend on server infrastructure, so it's nice to be kind to their servers. Or you could run your own!
  4. If you're opening a session to the public, it's best to do it 1990s rave-style: publish a separate "getting set up" meet URL, and keep someone on there to help people test out their mics and make sure they're running supported clients. Only once you're satisfied do you private message them the link to the real meeting.
posted by rum-soaked space hobo at 1:36 AM on April 1 [8 favorites]


I just take it as given that Zoom are running speech-to-text on everything, correlating names with social networks with business networks, and doing lots and lots of analysis, and then profit. The trove of data they're collecting is monstrously valuable, and no doubt they'll put it to monstrous use. I suspect they're probably deep funded by a state actor in a brilliant move of surveillance.
posted by seanmpuckett at 4:47 AM on April 1 [5 favorites]


Prior to people adopting it due to the pandemic, Zoom positioned itself as a business solution (at least according to its commercials support acknowledgement promotions on NPR). I've conducted job interviews via Zoom myself. They didn't discuss anything particularly confidential, but I wonder how much confidential company information has already been compromised?
posted by Gelatin at 4:56 AM on April 1


For tele-medicine videoconferencing options I know of at least two options that are designed for HIPPA compliance:
  • VSEE was founded by 2 doctors and seems to take its HIPPA compliance very seriously. In my tests, it worked largely as expected, although the UI was a bit clunky. No free tier, however.($49/month).
  • The unfortunately named Doxy.me does have a free tier. I haven't used it personally. When my (therapist) wife tried it, she was not impressed. They also seem to take security seriously, i.e. they say all the right things on their website, although they are light on the technical details.
posted by jeremias at 5:15 AM on April 1 [1 favorite]


Zoom internally claims to have the ability to be HIPAA compliant, FWIW

What does "have the ability to be HIPAA compliant" mean? I work in a HIPAA-adjacent regulated industry, and one is either compliant or is not. If one is not, telling the auditor you "have the ability to be" compliant won't get you anywhere -- indeed, it shows you could have chosen to be but didn't. What gives?
posted by Gelatin at 6:38 AM on April 1 [2 favorites]


-Adobe Connect
If ms scruss's experience teaching on Connect for a local college is a typical experience, Adobe Disconnect might be a better name. The server seems really good at claiming that working (at one end) meeting room URLs don't exist at the other. Also it really really wants you to still use Flash if you access via the web.
posted by scruss at 7:46 AM on April 1


What does "have the ability to be HIPAA compliant" mean?

I'd assume it depends on how the service is deployed. Maybe using dedicated servers for the healthcare organization within their own IT infrastructure. However, they seem to use terms like end-to-end encryption rather loosely.
posted by zeikka at 7:47 AM on April 1


I work in a HIPAA-adjacent regulated industry, and one is either compliant or is not.

That's not actually true.

HIPAA is complicated, and quite a lot of it revolves around not just that a given technology meets the technical requirements, but that appropriate agreements / auditing / etc are in place. It is entirely a reasonable statement to say, for example, that just using a random consumer grade Zoom account to do telemedicine is not HIPAA compliant, but using a Zoom account for telemedicine that was established after having gone through the due diligence of establishing a BAA, working with your legal + Zoom legal on that, and ensuring Zoom is providing the appropriate access controls / security / auditing / etc could be HIPAA compliant.

(I mean, it probably is HIPAA compliant, but again I'm not a lawyer nor your lawyer, so I won't say it absolutely is, though they certainly claim it's doable and the government would be fining the shit out of them if not).
posted by tocts at 8:08 AM on April 1 [2 favorites]


Meanwhile:

I just take it as given that Zoom are running speech-to-text on everything, correlating names with social networks with business networks, and doing lots and lots of analysis, and then profit.

and:

They didn't discuss anything particularly confidential, but I wonder how much confidential company information has already been compromised?

Are you spending the same amount of time worrying about Microsoft, Google, Slack, etc? Because, big surprise here, most of the chat / communication / video conference software used for business and medicine is not end-to-end encrypted.
posted by tocts at 8:18 AM on April 1 [4 favorites]


But wait, there's more!

Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.

The two bugs, Wardle said, can be launched by a local attacker — that’s where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware.
posted by JoeZydeco at 8:22 AM on April 1 [1 favorite]


> Are you spending the same amount of time worrying about Microsoft, Google, Slack, etc?

If I could wave a magic wand and make a single rhetorical device disappear, it would be this "how are you talking about X when Y is worse" sophistry.
posted by tonycpsu at 8:27 AM on April 1 [12 favorites]


Except I'm not saying Y is worse. I'm saying, Zoom's encryption is more or less the same as every other video conference application that the average person is using today, barring a couple exceptions. Zoom is doing shitty things. Their encryption is not one of them (though their futzing of "chat is end-to-end encryption" into "we support end-to-end encryption" is shady and deserves calling out).

You want to press on Zoom for all the legitimately bad things they did, have at it, but continuing to harp on Zoom for doing things nobody has a problem with their competitors doing is disingenuous at best.
posted by tocts at 8:31 AM on April 1 [4 favorites]


tocts: Are you spending the same amount of time worrying about Microsoft, Google, Slack, etc?

Yes. Now what?
posted by Too-Ticky at 8:33 AM on April 1 [11 favorites]


> I'm saying, Zoom's encryption is more or less the same as every other video conference application that the average person is using today, barring a couple exceptions.

Were those competitors advertising their service as supporting end-to-end encryption? That's what the issue is here. Lying about it and hoping someone won't notice.
posted by tonycpsu at 8:33 AM on April 1 [10 favorites]


Are you spending the same amount of time worrying about Microsoft, Google, Slack, etc?

I mean, DrMsEld just transitioned over to testing Zoom for group telehealth (after purchasing their HIPAA flavored license and getting the BAA setup) for her practice that is struggling with the impacts of the pandemic on their ability to serve their patients and I can say that 100% I am spending less time worrying about Microsoft, Google, Slack, etc because they are not the provider advertised as HIPAA compliance-friendly that may end up being used in house here at her office.

I'm all about consistency with concerns regarding holding providers that say X to a high standard because if you aren't doing that then you are being hypocritical but that doesn't mean that zeroing in on a provider that is saying X but maybe not delivering because of Y and Z reasons or issues is unfair.

I'm following this thread with much interest as I may advise them to failback to their current telehealth provider despite it's much less friendly handling of group setting needs (as opposed to 1 on 1 sessions which are already well in hand for the most part).
posted by RolandOfEld at 8:41 AM on April 1 [3 favorites]


Those other competitors were not advertising themselves as end-to-end encrypted, no. Zoom is shitty for having done so. They should face consequences for that.

And yet: I would be shocked if even 1% of businesses even knew what "end-to-end encryption" means, or whether it had any part in their decision of Zoom over Teams over Slack over ... .

And meanwhile in this thread, we have people speculating that it can't just be that Zoom has fraudulent marketing, but actually because they're using the same kind of encryption as Microsoft, Google, Slack, etc, they must be an agent of a foreign government, stealing all your data and NLP'ing it for nefarious purposes, etc.

At this point, honestly, I'm stepping out. My point is very simply that it can be both true that Zoom is shitty and that people are actively blowing one part out of proportion, in a way that is intended to make people who don't know the technical details believe even worse than what they've actually done wrong.
posted by tocts at 8:44 AM on April 1 [3 favorites]


but actually because they're using the same kind of encryption as Microsoft, Google, Slack, etc, they must be an agent of a foreign government, stealing all your data and NLP'ing it for nefarious purposes, etc.

Literally no one is saying that. It's painfully obvious at this point that you've decided you don't like the interpretation and are going to just keep going on your little tirade so it's probably good that you're choosing to sit it out from here.

There's a huge difference between saying that because of the nature of how they use encryption, it's totally possible for that information to end up in places you don't actually want it ending up. Does it mean that is going to happen? No, but it means the possibility is there. For example, if Google never looks at my Hangouts chats, but is eventually compelled by my government to release all my chats to them, that isn't even something nefarious the company is doing, they are being legally compelled to give over my information simply because they have access to it. If they did not have access to it, they could not produce it, simple as that.

You're effectively arguing that fuck regulation, fuck educating people about encryption, what we're doing is scare-mongering instead of trying to inform people.

You keep complaining that most businesses don't even know what encryption is. Yeah, and this is probably the most important moment in their business life to learn what it is. So maybe you should stop acting like people talking about it and informing others is tantamount to scare tactics.

It's like saying my plumber shouldn't tell me that the pressure tank in my basement could fail and explode at any time, because funnily enough some things do, because I don't know enough about it and that would freak me out. That I shouldn't be informed because 1. I'm already not informed and 2. It's complex and sounds scary so why inform me?

That's how I've read your argument this whole way. Screw informing consumers because they're already uninformed. It's a shitty elitist attitude.
posted by deadaluspark at 9:16 AM on April 1 [6 favorites]


I mean fuck educating people about encryption, let's just leave them in the dark while our congress bans encryption through the EARN-IT Act. /s

Knowledge about this issue in the hands of the general populace is more important than ever so can we cut the shit about it being scare mongering.

"The EARN IT Act would create a "National Commission on Online Child Sexual Exploitation Prevention" tasked with developing "best practices" for owners of Internet platforms to "prevent, reduce, and respond" to child exploitation. But far from mere recommendations, those "best practices" would be approved by Congress as legal requirements: if a platform failed to adhere to them, it would lose essential legal protections for free speech.

"It's easy to predict how Attorney General William Barr would use that power: to break encryption. He's said over and over that he thinks the "best practice" is to force encrypted messaging systems to give law enforcement access to our private conversations. The Graham-Blumenthal bill would finally give Barr the power to demand that tech companies obey him or face serious repercussions, including both civil and criminal liability. Such a demand would put encryption providers like WhatsApp and Signal in an awful conundrum: either face the possibility of losing everything in a single lawsuit or knowingly undermine their users' security, making all of us more vulnerable to online criminals."

posted by deadaluspark at 9:27 AM on April 1 [7 favorites]


[Folks, reminder to please keep the focus, away from "here's me uncharitably putting words in your mouth" which makes the thread be about other commenters, and toward just talking about the external world situation (e.g. the facts about what Zoom is or isn't doing).]
posted by LobsterMitten (staff) at 10:32 AM on April 1 [4 favorites]


I also recently had it pointed out to me that, when Zoom did their IPO, one of their important sales points was just how much of their work is done in China (March 2019). A point I am not sure they would be communicating a lot right now when people are looking at them skeptically.
posted by Martijn at 10:32 AM on April 1 [2 favorites]


I figure that right now (at least since Nov 2016), the US is essentially an occupied territory of Russia and China when it comes to the internet, if not computers in general. If avoiding their hands in communications and sensitive information is going to be a priority, the resistance is going to have to be a lot more rigorous. This is microphones in the town square material, way beyond wearing orange and passing software tips at Starbucks and Reddit.
posted by rhizome at 11:14 AM on April 1 [2 favorites]


I was on a purely social Zoom call last week, and held up and talked about the Heineken Zero I was drinking. This is not something I believe I have written or mentioned anywhere else in earshot of my computer. Next day... Heineken Zero ads for me on YouTube. I know that so much of this stuff can still be coincidental, but ick.
posted by sockshaveholes at 12:29 PM on April 1 [6 favorites]


Heineken Zero ads for me on YouTube. I know that so much of this stuff can still be coincidental, but ick.

So something funny happened to me the other day. I was going through an old pile of D&D stuff and I pulled out a copy of Dragon #100, thumbed through it and one of the articles was "All about the druid/ranger." I put the magazine back and went about my day.

The next day I was browsing my Google Assistant news feed (the swipe-right-from-home thing on Android phones) and I shit you not, there was a link to an imgur image dump titled "Druid/ranger images".

Did I google it? No. Did I even say it out loud? No.

Do I search for different D&D stuff every day? Yes. Did I subsequently get a bunch of imgur collections of images for different D&D multiclass combos in the news feed? Yes.

You see hundreds of ads a day online. Sooner or later there's going to be a coincidence.
posted by GuyZero at 1:37 PM on April 1 [5 favorites]


Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf,

Considering there is no indication that Patrick Wardle notified Zoom before disclosing these; fuck him and Jamf.
posted by MikeKD at 6:25 PM on April 1 [2 favorites]




For me Zoom will always remind me of the children's show from my youth, and every damn time I read the word I hear the theme song.
posted by terrapin at 8:42 AM on April 2


From today's Guardian: ‘Zoom is malware’: why experts worry about the video conferencing platform
On Monday, New York’s attorney general, Letitia James, sent a letter to the company asking it to outline the measures it had taken to address security concerns and accommodate the rise in users.

In the letter, James said Zoom had been slow to address security vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams”.

No end-to-end encryption
Zoom has falsely advertised itself as using end-to-end encryption, a system that secures communication so that it can only be read by the users involved, a report from the Intercept found. Zoom confirmed in a blogpost on Wednesday that end-to-end encryption was not currently possible on the platform and apologized for the “confusion” it caused by “incorrectly” suggesting the opposite.
But clearly this is just "scaremongering" and a product of the publication's "agenda".
posted by Ahmad Khani at 12:18 PM on April 2 [6 favorites]


So a friend and I co-run a knitting group/mailing list and some folks requested a Zoom meeting. My friend was all, "I dunno about that because of the security issues," and I said "well, everyone working at this entire organization now has to use it, I think that's out the door now."
posted by jenfullmoon at 7:06 PM on April 2 [1 favorite]


Update: My school is officially using Zoom for their shift to all-online classes.

Just because I have opinions doesn't mean I'm not going to be expected to use this kind of crap, too.
posted by deadaluspark at 10:53 PM on April 2 [1 favorite]


Thousands of Zoom video calls left exposed on open Web (WaPo)
Thousands of personal Zoom videos have been left viewable on the open Web, highlighting the privacy risks to millions of Americans as they shift many of their personal interactions to video calls in an age of social distancing.

Videos viewed by The Washington Post included one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people’s names and phone numbers; small-business meetings that included private company financial statements; and elementary school classes, in which children’s faces, voices and personal details were exposed.

[...] The discovery that the videos are available on the open Web adds to a string of Zoom privacy concerns that have come to public attention as the service has become the preferred alternative for American work, school and social life.
posted by katra at 11:11 PM on April 3 [3 favorites]


‘Zoombombing’ Becomes a Dangerous Organized Effort (NYT / reprint)
In recent weeks, as schools, businesses, support groups and millions of individuals have adopted Zoom as a meeting platform in an increasingly remote world, reports of “Zoombombing” or “Zoom raiding” by uninvited participants have become frequent.

[...] An analysis by The New York Times found 153 Instagram accounts, dozens of Twitter accounts and private chats, and several active message boards on Reddit and 4Chan where thousands of people had gathered to organize Zoom harassment campaigns, sharing meeting passwords and plans for sowing chaos in public and private meetings. (Since this article’s publication, Reddit has shut down the message boards where Zoom raids were discussed.)

[...] Zoom has offered guidance on making conferences more secure by changing call settings and offering tutorials, but many users have been unsatisfied with the company’s response to specific incidents of harassment.
posted by katra at 10:25 AM on April 4 [2 favorites]


It's not just classes that this is happening to, either--my friend's synagogue services were zoom-bombed last night for the second time. Which: fuck.
posted by sciatrix at 12:13 PM on April 4 [1 favorite]


Apparently there's a place to configure a password when creating a meeting in Zoom, are these attacks happening despite that? I can see if synagogue/church/etc. sessions prefer to be wide-open, but that may not be realistic at this point in the game.
posted by rhizome at 1:10 PM on April 4 [1 favorite]


Apparently there's a place to configure a password when creating a meeting in Zoom, are these attacks happening despite that?

The NYT article notes:
On dozens of Twitter accounts and online forums, people are drawn into private group chats on Discord, an app that has been popular in far-right circles. There, people share Zoom codes, raid video conferences simultaneously and designate point values for certain types of harassment in order to drive competition.

[...] Alcoholics Anonymous, which has largely transitioned to open online meetings using Zoom, has become a frequent target. “Have fun with these AA codes,” one Discord user wrote in a post that linked to nearly 600 A.A. meetings in California. Another uploaded a 28-page document with links to support groups for trans and nonbinary youth.
posted by katra at 2:05 PM on April 4 [3 favorites]




Zoom will enable waiting rooms by default to stop Zoombombing (Techcrunch, Apr. 3, 2020, via Slashdot)
Starting April 5th, it will require passwords to enter calls via Meeting ID, as these may be guessed or reused. Meanwhile, it will change virtual waiting rooms to be on by default so hosts have to manually admit attendees.
posted by katra at 8:53 PM on April 5


The University of Toronto's Citizen Lab just issued a report on Zoom. The Citizen Lab "is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security."
What are the security issues your research found?

In our report published on April 3, we found that Zoom uses non-industry-standard encryption for securing meetings, and that there are discrepancies between security claims in Zoom documentation and how the platform actually works.

Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, in our testing, a single AES-128 key was used in ECB mode by all meeting participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption. What this finding means is that the encryption in Zoom does not seem to have been well-designed or implemented.

The AES-128 keys, which we verified were sufficient to decrypt Zoom packets intercepted in Internet traffic, appeared to be generated by Zoom servers, and in some cases, were delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, were outside of China. This finding is significant because Zoom is a company that primarily serves customers in North America and sending encryption keys via servers in China may potentially open Zoom up to requests from authorities in China to disclose the encryption keys. While this scenario is plausible, we do not have evidence that authorities in China or any other state have actually obtained meeting encryption keys.
From Citizen Lab:
FAQ on Security Issues
April 3 report.
April 8 followup report on even more issues.

Certainly puts to rest the nonsense earlier in this thread, from some participants who refuse to acknowledge the many risks in Zoom, instead dismissing these concerns as part of some "agenda". Truly a textbook example of projection.
posted by Ahmad Khani at 7:00 AM on April 16 [2 favorites]


we found that Zoom uses non-industry-standard encryption for securing meetings

Of course they are. Why the hell use an industry standard library for a mission critical component that doesn't fail in an obvious way when you can roll your own implementation that is sure to contain zero day exploits.

The identified vulnerabilities pretty much follow from the that and the only debate is whether this is incompetence or malice.

Every time I hear about someone trying to implement their own encryption I'm reminded about how the NSA's input strengthened DES against an attack no one knew about for two decades. Those are the guys you are claiming to be smarter than.
posted by Mitheral at 8:27 AM on April 16


« Older British Optical Association Museum at the College...   |   It is like a grey squirrel balanced on a branch... Newer »


This thread has been archived and is closed to new comments