Zoom has too many privacy problems!

With the COVID-19 pandemic a lot of people have been doing video-conferences on a daily basis and Zoom seems to be the market leader.

I will highlight here some of the main privacy problems that have recently been the focus of some journalistic scrutiny.

NOT end-to-end encrypted

End-to-end encryption means that only the people who are talking can hear and see each other. This would be expected, but in fact this is not what happens.

Zoom has misleadingly advertised this feature, but it’s not there! This means that the IT people who work at Zoom can see every video call you make - freaking creepy, right?

Read more about this scandal here:

note: This does not mean you’re completely exposed. It still uses the kind of encryption that your browser does when you access your banking website. Read more about the differences in a post by the EFF.

Attention tracking

Zoom creates some pretty strong inter-personal privacy violations, namely Zoom knows if you are paying attention to the call and will inform the host of the call (your boss, perhaps) if you are paying attention to it or not.

Read more about this and other privacy problems on protonmail’s post:

privacy disclaimer: they know if you are paying attention or not based on whether or not you have your call window focused. So if you are reading some document that was mentioned in the call, it can wrongly report you as not paying attention - but the point is that this should not be acceptable.

Their iOS app was sharing data with Facebook

They were caught sharing data about your device with Facebook even without a Facebook account. Despite being shocking, it might be Facebook’s fault, as a similar report found that on Android many applications were, unknowingly to the developers, sharing data with Facebook simply because they added some Facebook integration into their app.

The code can’t be publicly audited

You might have heard about open source software before. It’s when the source code of the software is openly available. Code that is publicly available is easier to audit for security issues.

Zoom does not share its code (perhaps for intellectual property reasons), so we have to rely on security experts to go through the reverse engineering process - which is very hard and expensive to do.

Other alternatives like the following are open source and better yet - your organization can host them.

Below is one example of what happens when the code can’t be publicly audited and someone digs in enough to understand what happened.

On macOS, Zoom installs itself without your consent

When you’re installing a program on Windows or Mac sometimes there is an installer - those in which you typically click “Next; Next; Next”. Well, it turns out that Zoom on macOS found a shady way of installing the program without you having clicked on the last “Install” button. Read more below.

https://www.vmray.com/cyber-security-blog/zoom-macos-installer-analysis-good-apps-behaving-badly/

If the code were open, and the code changes as well, there would have been a justification for every single addition to the software, and then privacy-conscious programmers could go to the code to see what message justified such malicious practices.

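The distinction drawn above between browser-style transport encryption and end-to-end encryption, as an added toy model in Python (not Zoom’s actual protocol, and not code from anyone in this thread): a relay server that holds a key for each hop can read the media it forwards, while one that only relays ciphertext keyed at the endpoints cannot. The cipher is a constructed HMAC-based stand-in, and the endpoint key is assumed to have been agreed between the participants out of band.

```python
import hmac
import hashlib
import secrets

NONCE_LEN, TAG_LEN = 12, 32

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in for a real cipher: keystream = HMAC-SHA256(key, nonce || counter).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; anyone without the key can neither read nor alter the message."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))

def transport_encrypted_call(message: bytes) -> tuple:
    """Browser-to-bank style: each hop has its own key, and the relay server holds both."""
    alice_to_server_key = secrets.token_bytes(32)
    server_to_bob_key = secrets.token_bytes(32)
    hop1 = encrypt(alice_to_server_key, message)
    seen_by_server = decrypt(alice_to_server_key, hop1)  # the operator can read this
    hop2 = encrypt(server_to_bob_key, seen_by_server)    # ...then re-encrypts for the next hop
    return seen_by_server, decrypt(server_to_bob_key, hop2)

def end_to_end_call(message: bytes) -> tuple:
    """E2EE: the key exists only at the endpoints (assumed agreed out of band); the server relays bytes."""
    endpoint_key = secrets.token_bytes(32)
    wire = encrypt(endpoint_key, message)
    seen_by_server = wire  # opaque to the server: without the key, decrypt() raises ValueError
    return seen_by_server, decrypt(endpoint_key, wire)
```

Both functions return what the server could observe and what the far end decodes; only in the transport model are the two equal.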

It’s nice to know these shady practices have a negative impact on the valuation of these companies: Zoom Shares Drop As New York Attorney General Looks Into Company’s Privacy, Security Practices

There are a number of other alternatives for audio/video meetings.

I started to curate a list in: Audio/Video conferencing and virtual events tools for remote attendance


Adding the following research article to the list.


https://www.msn.com/en-in/finance/news/ny-schools-ban-zoom-adopt-microsoft-teams/ar-BB12dGjM

My reaction:

NY schools ban Zoom

Wow! Nice!

Adopt Microsoft Teams

:confused:


Adding a list of CVEs from 2020 regarding Zoom security vulnerabilities.

This is interesting:

So basically they came to the conclusion that bad security is bad PR. So they bought Keybase and claim the following.

We are committed to remaining transparent and open as we build our end-to-end encryption offering. We plan to publish a detailed draft cryptographic design on Friday, May 22

https://thenextweb.com/security/2020/06/03/zoom-wont-encrypt-free-calls-because-it-wants-to-comply-with-law-enforcement/


Some (not so long) time ago a lot of companies were not using HTTPS for the exact same reasons.

It’s unfortunate and very sad that there are still companies considering that by lowering security they are assisting law enforcement.


Two new security flaws:

  • Zoom client application chat Giphy arbitrary file write (TALOS-2020-1055/CVE-2020-6109)
  • Zoom client application chat code snippet remote code execution vulnerability (TALOS-2020-1056/CVE-2020-6110)

Update: Zoom will provide end-to-end encryption for free users. However, “Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message.”

Exactly. Something feels weird about deploying encryption only for some.

https://www.threatspike.com/blog/zoom_cookies.html

https://arstechnica.com/tech-policy/2020/11/zoom-lied-to-users-about-end-to-end-encryption-for-years-ftc-says/
