diff options
Diffstat (limited to 'content/entry/exposing-zoom.md')
-rw-r--r-- | content/entry/exposing-zoom.md | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/content/entry/exposing-zoom.md b/content/entry/exposing-zoom.md index 574a048..643a6ea 100644 --- a/content/entry/exposing-zoom.md +++ b/content/entry/exposing-zoom.md @@ -29,7 +29,7 @@ The section on attention tracking in the Privacy Policy explains that if the hos It's peculiar how Zoom website obviously tries to give the overwhelming impression that you can trust the software, yet it's against their terms of service to reverse engineer it and their own privacy policy shows they collect enormous amounts of data that isn't strictly necessary or relevant to video conferencing. Do they really need your MAC address or know which OS you're using? But not only does Zoom obtain data when you are using Zoom. They obtain data from you even when you are not using their service. -Their own privacy policy says they collect data about you from Google Analytics and Google Ads. Google analytics can run in your browser as Javascript that watches what you do and collects data on you as you browse the web. If you don't know how to block Javascript, Google Analytics could be watching you in the background on any website without you even knowing it's there. Zoom also collects data from "Data Enrichment Services", and public sources. This could be just about anything from your social media accounts to arrest records. One way this is done is through tracking cookies. +Their own privacy policy says they collect data about you from Google Analytics and Google Ads. Google analytics can run in your browser as JavaScript that watches what you do and collects data on you as you browse the web. If you don't know how to block JavaScript, Google Analytics could be watching you in the background on any website without you even knowing it's there. Zoom also collects data from "Data Enrichment Services", and public sources. This could be just about anything from your social media accounts to arrest records. One way this is done is through tracking cookies. # Cookies Policy On the Cookie Policy page[12], it starts off explaining how cookies work. Essentially, cookies are any data a site can store in the browser. They can persist across browsing sessions and unfortunately they are used to track you across the web. I want to pay special attention on the Cookie Policy page to the analytics subtype under functional cookies. "Zoom uses cookies and other identifiers to gather usage and performance data...This includes cookies from Zoom and from third-party analytics providers". Cookie Policy. (2020, January 1). Retrieved May 23, 2020 from Zoom, Zoom cookie policy website, https://zoom.us/cookie-policy[13][14]. Notice the important line about how they use third-party analytics providers. How is it possible for Zoom to ensure your data is protected if they use third party analytics providers of which they don't control the data? It's not. We know Zoom uses Google Analytics, and we know that Google's business model is centered around collecting data on its users and selling it for profit. @@ -41,7 +41,7 @@ There is a lot there. They collect interest-based data on you automatically. Tha "Some of our websites and Products include code snippets provided by social media companies that can sense if you are already logged into a given social media account so you can easily share Zoom content with other social media users via that account". Retrieved May 23, 2020 from Zoom, Zoom cookie policy website, https://zoom.us/cookie-policy[17][18]. This means sites like Facebook and Google know you are using Zoom services and what page you are on. Social media sites use tracking cookies to track what websites you visit. Social media sites shouldn't be allowed to know that. Nevertheless, they are found on Zoom's website and services, the videoconferencing platform that "cares about your privacy". # Third Parties -Zoom gives your data to third parties. On their subprocessors page[19], they list the following third parties which they give your data to: People.ai, Zendesk, Wootric, Totango, Answerforce, Rocket Science Group LLC, Five9, EPS Ventures, WKJ Consultancy, Salesforce, CyberSource, Adyen, Zuora, Amazon Web Services, Oracle America Inc, and Bandwidth. We will ignore the 3 third parties related to billing (CyberSource, Adyen, and Zuora) since if you're not paying Zoom it probably doesn't apply to you. That still leaves 13 subprocessors each with their own privacy policies and their own third parties. You can see very quickly how the amount of third parties your data is being shared with grows exponentially. 11 of the 13 relevant third parties are under US jurisdiction. Since the 2013 Snowden leaks[20], We know that the U.S. government performs massive dragnet surveillance on US-based companies without any oversight, so it's probably safe to say that the U.S. government is collecting Zoom data from either Zoom itself or Zoom subprocessors. +Zoom gives your data to third parties. On their sub-processors page[19], they list the following third parties which they give your data to: People.ai, Zendesk, Wootric, Totango, Answerforce, Rocket Science Group LLC, Five9, EPS Ventures, WKJ Consultancy, Salesforce, CyberSource, Adyen, Zuora, Amazon Web Services, Oracle America Inc, and Bandwidth. We will ignore the 3 third parties related to billing (CyberSource, Adyen, and Zuora) since if you're not paying Zoom it probably doesn't apply to you. That still leaves 13 sub-processors each with their own privacy policies and their own third parties. You can see very quickly how the amount of third parties your data is being shared with grows exponentially. 11 of the 13 relevant third parties are under US jurisdiction. Since the 2013 Snowden leaks[20], We know that the U.S. government performs massive dragnet surveillance on US-based companies without any oversight, so it's probably safe to say that the U.S. government is collecting Zoom data from either Zoom itself or Zoom sub-processors. # Weasel Words Here, Zoom is trying to weasel out of the fact that they are selling your data: "As described in the Zoom marketing sites section, Zoom does use certain standard advertising tools on our marketing sites which, provided you have allowed it in your cookie preferences, sends personal data to the tool providers, such as Google. This is not a “sale” of your data in the sense that most of us use the word sale...It is only with the recent developments in data privacy laws that such activities may fall within the definition of a “sale”". Retrieved May 23, 2020 from Zoom, Zoom Privacy Policy website, https://zoom.us/privacy[21][22]. @@ -53,7 +53,7 @@ This is tantamount to saying "Zoom isn't really selling customer data because cu # Citizen Lab Findings I already mentioned how Zoom must provide data to the U.S. government, a member of the Five Eyes[23]. But Zoom provides data to China as well. Citizen Lab[24], an interdisciplinary laboratory at the University of Toronto, reported several troubling findings on 3 April 2020. I'll just go over the key findings and expand on them. -Zoom claimed to use AES-256 in their security whitepaper[25], however Citizenlab found that they actually use AES-128 in ECB mode. Anyone that knows about block cipher modes knows that ECB mode is not suitable for video conferencing. Citizen Lab included the classic example of the ECB penguin[26], which is why you don't use ECB mode for large files. Any audio or video conferencing over ECB would be as secure as the penguin image on the right, not very secure. Worse yet, the encryption keys were found to be generated by Zoom servers in China even when all meeting participants were outside of China. So the Chinese authorities could get the keys and decrypt Zoom communications of children in K-12 classrooms, U.S. courts using Zoom, meetings between government officials, college students, and everyday Americans as well as non-Americans and other countries that used Zoom. +Zoom claimed to use AES-256 in their security white paper[25], however Citizenlab found that they actually use AES-128 in ECB mode. Anyone that knows about block cipher modes knows that ECB mode is not suitable for video conferencing. Citizen Lab included the classic example of the ECB penguin[26], which is why you don't use ECB mode for large files. Any audio or video conferencing over ECB would be as secure as the penguin image on the right, not very secure. Worse yet, the encryption keys were found to be generated by Zoom servers in China even when all meeting participants were outside of China. So the Chinese authorities could get the keys and decrypt Zoom communications of children in K-12 classrooms, U.S. courts using Zoom, meetings between government officials, college students, and everyday Americans as well as non-Americans and other countries that used Zoom. Citizen Lab also shows Zoom advertising their use of end-to-end encryption[27]. End-to-end encryption means only the communicating parties are able to decrypt the communication. Clearly, with the encryption keys generated on the Zoom server itself, that's not possible. Zoom can decrypt your communications. Citizen Lab also claims that they found a "serious security issue" with Zoom's waiting room feature, advising users not to use waiting rooms if they care about meeting confidentiality. @@ -61,7 +61,7 @@ Citizen Lab also shows Zoom advertising their use of end-to-end encryption[27]. On 30 March 2020, Boston FBI[28] issued a warning about using Zoom. According to the warning by Setera (30 March 2020) "The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language". This is followed by advice of what to do to prevent Zoom-bombing. But Zoom is not innocent in this because it was possible to scan for random meetings to join. It doesn't strike me as a very useful or necessary feature. Zoom is for teleconferencing. Most meetings will have a specific purpose and the participants don't want random people joining in to disrupt the meeting. So it doesn't make sense to me why this was a feature in the first place. To make matters worse, the FBI report explains Zoom didn't have passwords enabled by default for meetings until January 2020. # Zoom's Response -It wouldn't be fair for me to criticise Zoom without also pointing out steps they have taken to address the platform's many problems. First, I want to focus on their April 1st blog post[29]. Eric S. Yuan claims (April 1, 2020) "Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment". I would like a full list of these enterprises so I know not to trust their "security reviews". Frankly, 128-bit AES in ECB mode is an embarrassing rookie mistake. It basically only happens when you don't know what you're doing. Just looking at Zoom's track record of horrible security and privacy that I've outlined above, I don't see how thousands of "exhaustive security reviews" could miss so much. +It wouldn't be fair for me to criticize Zoom without also pointing out steps they have taken to address the platform's many problems. First, I want to focus on their April 1st blog post[29]. Eric S. Yuan claims (April 1, 2020) "Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment". I would like a full list of these enterprises so I know not to trust their "security reviews". Frankly, 128-bit AES in ECB mode is an embarrassing rookie mistake. It basically only happens when you don't know what you're doing. Just looking at Zoom's track record of horrible security and privacy that I've outlined above, I don't see how thousands of "exhaustive security reviews" could miss so much. In that blog post, Yuan mentions the increased outreach and video tutorials. But security mistakes caused by user error are not really in the scope of this post. One of the first things the post mentions is that on March 27th, the Facebook SDK[30] was removed from the Zoom app on iOS. It's astounding to me that Yuan can claim in the same blog post detailing the removal of the Facebook SDK that (March 27, 2020) "Our customers’ privacy is incredibly important to us". This is insane. If customer privacy was important then the Facebook SDK would never ever have been in the Zoom app. Facebook is an absolute surveillance monster. The SDK spies on people that don't even use Facebook. Apps that really care about privacy don't touch anything Facebook or Google with a ten foot pole. Some information sent by the Facebook SDK was: Application bundle identifier, application instance ID, application version, device carrier, iOS advertiser ID (gross), iOS device CPU cores, iOS disk space available (why???), iOS device disk space remaining, iOS device display dimensions, iOS device model, iOS language, iOS timezone, and iOS version. This doesn't happen by accident. At some point, a developer for Zoom wrote some code for the iOS app to make it send that device information to Facebook on purpose. For a teleconferencing app, the Facebook SDK is absolutely unnecessary. Zoom only remove the SDK after being called out[31]. for it. This is an example of being reactive to security and privacy issues, not proactive. @@ -79,7 +79,7 @@ Zoom is a proprietary[38] platform. This means it is essentially a black box. As When no one except you or your organization can see the source code, there are incentives to insert malicious pieces of code that benefit you at the user's expense. Jitsi does not have the same incentive structure because it's free software[41]. Anyone with the know-how can look over the code and see if something fishy is going on. This will never be true of Zoom. Zoom has no reason to ever give away their source code and make their program trusted free software. Part of the reason I dropped out of my classes at my university was because Zoom because being forced on us students and [I refused to use it]({{< relref "the-tipping-point-rejecting-windows-zoom-lockdown-browser-and-the-lockdown-monitor.md" >}}). ## Call to Action -I'm not saying you, the reader, should go as far as I did. I'm just saying if we, as a society, want to live in a world where we are given more privacy and security in our digital lives, then we have to say no to platforms like Zoom. If we don't, we will move ever closer to some kind of dystopian surveillance hell, assuming we aren't already there. Ask yourself this question: If you don't reject these untrusted proprietary platforms with a horrible track record, then who will? How many people do you know that would reject Zoom if their boss or professor told them to use it? The demand for our digital rights back has to start somewhere, before it's too late. +I'm not saying you, the reader, should go as far as I did. I'm just saying if we, as a society, want to live in a world where we are given more privacy and security in our digital lives, then we have to say no to platforms like Zoom. If we don't, we will move ever closer to some kind of dystopian surveillance hell, assuming we aren't already there. Ask yourself this question: If you don't reject these untrustworthy proprietary platforms with a horrible track record, then who will? How many people do you know that would reject Zoom if their boss or professor told them to use it? The demand for our digital rights back has to start somewhere, before it's too late. Link(s): |