With the COVID-19 pandemic, a lot of people have been doing video conferences on a daily basis, and Zoom seems to be the market leader.
I will highlight here some of the main privacy problems that have recently been the focus of journalistic scrutiny.
NOT end-to-end encrypted
End-to-end encryption means that only the people who are talking can hear and see each other. This would be expected, but in fact this is not what happens.
Zoom has misleadingly advertised this feature, but it’s not there! This means that the IT people who work at Zoom can see every video call you make - freaking creepy, right?
Read more about this scandal here:
note: This does not mean you’re completely exposed. It still uses the kind of encryption that your browser uses when you access your banking website (encryption between you and Zoom’s servers, rather than between you and the other participants). Read more about the differences in a post by the EFF.
Attention tracking
Zoom creates some pretty strong interpersonal privacy violations: namely, Zoom knows whether you are paying attention to the call and will inform the host of the call (your boss, perhaps) whether you are paying attention to it or not.
Read more about this and other privacy problems in ProtonMail’s post:
privacy disclaimer: they know whether you are paying attention based on whether or not your call window is focused. So if you are reading some document that was mentioned in the call, it can wrongly report you as not paying attention - but the point is that this should not be acceptable at all.
Their iOS app was sharing data with Facebook
They were caught sharing data about your device with Facebook, even if you don’t have a Facebook account. Shocking as it is, it might be Facebook’s fault: a similar report found that on Android many applications were sharing data with Facebook without their developers knowing, simply because they had added some Facebook integration (an SDK) into their app.
The code can’t be publicly audited
You might have heard about open source software before. It’s software whose source code is openly available. Code that is publicly available is easier to audit for security issues, because anyone can read it instead of having to take the vendor’s word for it.
Zoom does not share their code (perhaps for intellectual property reasons), so we have to rely on security experts going through the reverse engineering process - which is very hard and expensive to do.
Other alternatives like the following are open source and, better yet, your organization can host them itself.
Below is one example of what happens when the code can’t be publicly audited and someone digs in deep enough to understand what is going on.
On macOS, Zoom installs itself without your consent
When you’re installing a program on Windows or Mac there is often an installer - the kind where you typically click “Next; Next; Next”. Well, it turns out that Zoom on macOS found a shady way of installing the program before you have clicked the final “Install” button. Read more below.
https://www.vmray.com/cyber-security-blog/zoom-macos-installer-analysis-good-apps-behaving-badly/
If the code were open, and the history of code changes along with it, there would have been a justification for every single addition to the software, and privacy-conscious programmers could go to the code and see what message was used to justify such malicious practices.