Zoom privacy concerns

UPDATE: still don’t use ZOOM until they sort out their mess.

Zoom, the videoconferencing app whose traffic has surged during the coronavirus pandemic, is under scrutiny by the office of New York’s attorney general, Letitia James, for its data privacy and security practices.

On Monday, the office sent Zoom a letter asking what, if any, new security measures the company has put in place to handle increased traffic on its network and to detect hackers, according to a copy reviewed by The New York Times.

While the letter referred to Zoom as “an essential and valuable communications platform,” it outlined several concerns, noting that the company had been slow to address security flaws such as vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams.”

…

As Zoom’s popularity has grown, the app has scrambled to address a series of data privacy and security problems, a reactive approach that has led to complaints from some consumer, privacy and children’s groups.

The company updated its privacy policy on Sunday after users reported concerns, and on Monday, Eric S. Yuan, chief executive and founder of Zoom, posted a link on Twitter to a company blog item about the policy.

In a statement for this article, the company said it took “its users’ privacy, security and trust extremely seriously,” and had been “working around the clock to ensure that hospitals, universities, schools and other businesses across the world can stay connected and operational.”

“We appreciate the New York attorney general’s engagement on these issues and are happy to provide her with the requested information,” the statement added.

Last week, after an article on the news site Motherboard reported that software inside the Zoom iPhone app was sending user data to Facebook, the company said it was removing the tracking software.

As many school districts adopted Zoom to allow teachers to host live lessons with students, some children’s privacy experts and parents said they were particularly concerned about how children’s personal details might be used. Some districts have prohibited educators from using Zoom as a distance-learning platform.

“There is so much we simply don’t know about Zoom’s privacy practices,” said John Golin, executive director of the Campaign for a Commercial-Free Childhood, a nonprofit group in Boston.

In the letter, Ms. James’s office cited reports that Zoom had shared data with Facebook, and asked for further information on “the categories of data that Zoom collects, as well as the purposes and entities to whom Zoom provides consumer data.”

The office expressed concern that the app may be circumventing state requirements protecting student data. To help educators, the company recently expanded meeting limits on free accounts. The attorney general’s office called such efforts “laudable,” but also said the company appeared to be trying to offload consent requirements to schools.

The office requested a description of Zoom’s policy for obtaining and verifying consent in primary and secondary schools as well as a description of third parties who received data related to children.

Zoom has said its service for schools complies with federal laws on educational privacy and student privacy.

The letter also asked for details about any changes the company put in place after a security researcher, Jonathan Leitschuh, exposed a flaw allowing hackers to take over Zoom webcams. The letter noted that the company did not address problem until after the Electronic Privacy Information Center, a public interest research center, filed a complaint about Zoom with the Federal Trade Commission last year.

ZOOM is a bag of worms that’s being sued in a class action for its deceitful practices, which have probably been violating GDPR too. An unethical adtech company disguised as a video conferencing solution. When the pressure to grow revenue is high from its public investors to justify its ridiculous valuation - even pre-Covid19 - their management decisions have been so shady at the expense of its users.

Don’t use ZOOM.

These are strong words engineer. For the non technical people like me, what is wrong with them. As they say on Reddit explain like I’m 5.

Harvard.

If you absolutely have to use Zoom - especially when there’re a lot of web conferences going on while people are WFH - use the web app. There’s an option to choose it after you’re prompted to download the app after clicking on an invite link. Uninstall the native app from your devices.

They use bad adtech-like design patterns.

See their privacy policy post earlier in this thread.

It’s a little storm in a teacup, esp. when you look at what’s going on with the likes of Houseparty right now.

Screenshot from 2020-03-31 19-49-081194×576 61.1 KB

Off the top of my head, there are four potential red flags present with ZOOM:

1) COPPA and a letter from New York attorney-general:

This episode from Silicon Valley best describes what COPPA is:

(Source - Harvard: Zoom needs to clean up its privacy act – Doc Searls Weblog)

“The office expressed concern that the app may be circumventing state requirements protecting student data. To help educators, the company recently expanded meeting limits on free accounts. The attorney general’s office called such efforts “laudable,” but also said the company appeared to be trying to offload consent requirements to schools.”

• ZOOM may be offloading the responsibility under COPPA, etc to schools and teachers (who are working from home) if they decide to hold lessons over ZOOM - without explicitly warning neither parties about it:

Screenshot from 2020-03-31 19-46-491884×582 122 KB

(Source - https://zoom.us/docs/en-us/childrens-privacy.html)

Screenshot from 2020-03-31 19-51-351324×1434 188 KB

2) US litigation overhang:

• Failure to disclose explicitly its relationship with adtech companies through iOS/Android SDKs and various scripts and cookies that run in browsers.

• Like this professor said in the Harvard blog:

Screenshot from 2020-03-31 19-40-071134×532 83.4 KB

(Source: Zoom needs to clean up its privacy act – Doc Searls Weblog)

3) Potential future investigations in Europe and the UK (GDPR, ICO):

• See (2).

4) Valuation driven by hype

• These metrics were a bit silly after the IPO pre-Covid-19 and now:

Screenshot from 2020-03-31 20-00-231066×1038 102 KB

(Source - Zoom Video Communications, Inc. (ZM) Valuation Measures & Financial Statistics)

Zoom is used by the UK government, all tech used by cabinet needs to be approved by the security services.

With all due respect, I’ll trust the security service to check a system provider more than a media site!

We’ll see what happens to the price, I think it’s still very cheap which is why I have ZM and WORK in my portfolio!

Good luck everyone.

Their tech stack is unlikely to be the same under the hood. They and you can disable API calls and scripts on the background through hardware (routers etc) and software (firewall, script blocking) tweaks - most people won’t be doing that though.

On ZOOM for govt - Birmingham Mail says:

Screenshot from 2020-03-31 20-47-241644×144 17.6 KB

Screenshot from 2020-03-31 20-47-421636×514 69.4 KB

Also:

Screenshot from 2020-03-31 20-41-161074×1476 524 KB

On ZOOM’s (lack of) encryption:

Screenshot from 2020-03-31 20-43-151390×1410 196 KB

On ZOOM for employees/employers - Telegraph:

Screenshot from 2020-03-31 20-46-071526×468 57.8 KB

Screenshot from 2020-03-31 20-46-201384×692 86 KB

They are referring to what one can check for themselves.

zoom.us tells you you have to agree with its cookie policy, which opts you into a bunch of things, including “required” stuff like facebook.zoom.us:

Screenshot from 2020-03-31 21-00-072452×1352 173 KB

Its native apps are even worse - but they won’t warn what the Software Development Kits (SDKs) from third parties are doing on the background. If you’re an app dev, you’re more likely than not to use these: Top SDKs Installed in iOS & Android Apps and Games · SDK Intelligence by Appfigures - it saves a lot of time.

If ZOOM was a free social net or an adtech or a news media site that generates revenue through content distribution, it wouldn’t be as surprising.

ZOOM is a video conferencing company.

The amount of telemetry they collect is astounding and - despite claiming on its /privacy page that they don’t sell data - they actively share it, including with its adtech partners such as [you’ve never of any of them, probably]:

Screenshot from 2020-03-31 20-59-362488×1374 199 KB

(not the entire list from zoom.us)

These are the reasons why the security researchers, professors and the media are picking up on it, as ZOOM’s popularity rises.

Invite only event maybe for the Community users but not on Zoom. Pretty sure they’ve been breaking GDPR and will be investigated by the ICO soon.

Update: https://blogs.harvard.edu/doc/2020/03/27/zoom/

Yes zoom keep copies of all meetings. It’s a bit unnecessary to say the least.

I hear you, I still don’t think its anything abnormal, its standard new tech stuff really. I’d love to have them starting serving ads on the free version (as they give too much away from the free package) and having this kind of customer data helps with personalised ads.

Personally, as companies learn that working from home can so money and make employees happy, I can see the stock going from strength post Corona.

Interesting article on the founder here;

Personally, I’m hoping for $200 by end of the year, but I’ll guess we will see!

Good luck all!

I really object to this line of argument. Other people doing it doesn’t make it any less wrong. For example: Bread used to be adulterated with all manner of shit, it was standard bread maker stuff. They were still (eventually) made to stop it.

What disappoints me is so few people look for safe alternative. Why do they keep using WhatsApp when they could use Signal. (Which is also technically a DPA breach given you can’t opt out of your data being shared with Facebook, iirc)

I saw Sadiq Khan using Skype when he was talking to the people building the nightingale emergency hospital… Looked like it was fille Ed on a potato too.

I digress, because the government use it is not a good enough reason. As their access will be completely segregated to general zoom users… Its like all the people that use discord and don’t read their terms of service… They store everything including a lot of your device information and packet data.