
Using Zoom? Here are the privacy issues you need to be aware of - teekert
https://protonmail.com/blog/zoom-privacy-issues/
======
dang
[https://news.ycombinator.com/item?id=22657384](https://news.ycombinator.com/item?id=22657384)

[https://news.ycombinator.com/item?id=22659216](https://news.ycombinator.com/item?id=22659216)

~~~
upofadown
If these links are why this is marked as a dupe then that is wrong.

------
donohoe
This is a very underwhelming article. It talks about an old bug and then some
basic features you should be aware of... Shouldn't be on HN front-page.

I think this article from EFF is clearer and more comprehensive in general:

[https://www.eff.org/deeplinks/2020/03/what-you-should-know-a...](https://www.eff.org/deeplinks/2020/03/what-you-should-know-about-online-tools-during-covid-19-crisis)

~~~
thephyber
This doesn’t seem like an evidence point to shrug off:

> It talks about an old bug

Previous behavior is highly predictive of future behavior. The point about the
web server was not just that it was improperly secured, but that it was done
to bypass a user facing pop up in Safari. This kind of decision tells the
reader something about company culture.

~~~
manigandham
Dropbox also patched system files on Mac OS to improve their integration.

HN is a highly skewed audience. 99% of business users don't care, they want
software that just works, and the trust is well placed in companies that sell
software licenses (not your data) and fix security issues quickly.

~~~
lotsofpulp
All companies sell data at some point. Just need the cash flow to get dire.

~~~
manigandham
No they do not. Most data is utterly useless outside of the original company.
It's also protected by increasing privacy and security regulations. And
there's no magical broker you just call up to sell it to.

~~~
lonelappde
How does the price of the software affect how useful the data is outside of
the company?

That was whiplash-inducing goalpost-moving speed.

~~~
manigandham
Where did I say it did? Can you state what data Zoom would be able to sell? to
whom? and for how much?

I have 12 years of experience in adtech. I know the major data markets (ads,
credit bureaus, banking, retail). People vastly overestimate the quality,
usefulness, and price for "data", and don't understand any of the regulations
around it.

It's only worth what you can legally do with it. That's why most companies
don't sell it. They don't have anything special and it can't really be used
anyway. Zoom doesn't have anything worth buying.

------
philshem
Zoom's dark pattern is to obscure that every online meeting can be joined from
the browser. They really hide this in order to install software on the client
machine, which has been susceptible to bugs in the past.

[https://support.zoom.us/hc/en-us/articles/214629443](https://support.zoom.us/hc/en-us/articles/214629443)

I've had no problems from the browser, although I think on some platforms they
suggest (or require?) Chrome over Firefox.

~~~
manigandham
Most people prefer the desktop software for better UX.

~~~
ralusek
I DESPISE having to install or even run desktop applications for anything that
can be done in a browser.

~~~
Fwirt
For simple tasks yes, but just because it _can_ be done in a browser doesn't
mean it _should_. Native applications can provide performance optimizations
that you wouldn't get in a web app. Would you rather play a realistic flight
sim natively or in your browser?

~~~
magduf
I'd rather play it in a browser, even if it's much worse.

With the browser version, I can just open my browser and point to the URL and
run it. Easy.

With a native app, this usually means I'd have to go buy a new computer
running Windows or MacOS just to run this one stupid application, because I
don't have either of those OSes at home. Of course, I'm not going to do that,
which means I just don't use the app at all.

~~~
lonelappde
support.zoom.us/hc/en-us/articles/204206269-Installing-Zoom-on-Linux

------
ilikepi
Regarding the "attention tracking" feature...

If your boss/manager/etc is excited about this feature as a way to monitor
you, odds are they already have you under surveillance in a bunch of other
ways. It's unfortunate that you are in this situation, and I hope you're able
to find a way out of it soon (e.g. by switching teams or finding another
company that values and trusts you more).

This feature is of limited use, though. With my laptop in my lap, it's trivial
to hold my phone right in front of the lower half of my screen. It will be
outside the field of view of the camera, but there will be no discernible
difference between me looking at my laptop screen vs my phone screen.

I'm all for fighting against companies chipping away at our privacy, but this
one seems pretty far down a rather large list.

EDIT: clarification

~~~
catacombs
> If your boss/manager/etc is excited about this feature as a way to monitor
> you, odds are they already have you under surveillance in a bunch of other
> ways. It's unfortunate that you are in this situation, and I hope you're
> able to find a way out of it soon (e.g. by switching teams or finding
> another company that values and trusts you more).

I can't stand people who get excited at the thought of tracking their
employees. What's the benefit? Control? Ego?

~~~
allenskd
I'd lean that they are probably control freaks. But there's probably more to
it than that and ultimately it seems it boils down to "I'm paying you to work
thus it's my right to track your every movement"

Years ago I had a boss that set up security cameras. Normally, this is
completely okay because you gotta secure the building you just never know
who's gonna come in and rob the place or maybe track an incident (rape,
violence, etc).

This boss of mine however went home or worked from home from time to time or
sometimes he would go on a vacation and he would just connect to the video
stream of the security cameras.

One day I was the only one in the building as I still had to finish my shift.
He gave me a call, he didn't say he was monitoring me of course but he seemed
to know what I was doing and proceeded to ask the following question: is
everything okay? how's the workload etc etc. Common questions, nothing out of
the ordinary.

So it seemed he just called because I wasn't receiving a lot of support calls
and sometimes I would just go get coffee he probably saw me standing a lot,
maybe thought I was neglecting my job.

I can be incredibly outspoken at times. A lot of the things in the call just
screamed "I'm monitoring you". When the call ended I was furious. There's
nothing more damaging than not trusting your employees. It breaks trust and
relationships. I've never in my professional life felt so insulted that I need
someone to monitor me.

If you are this type of manager/supervisor: Kindly put, shame on you. I say
kindly put because the words I want to say can't be conveyed here without
getting moderated. Cease and rethink your strategy, we are professionals not
kids or teenagers and doing this to teenagers remember you are growing
professionals, nothing like giving them the ground to grow but if they find
stuff like this you are destroying everything.

To workers that are aware I can only hope you find other jobs. It's stressful
enough, no need to tolerate this behavior.

~~~
lonelappde
You're upset that your boss looked at you while you were working, and didn't
have any complaints about the behavior that you thought looked suspicious?

~~~
allenskd
I didn't know getting coffee was a suspicious behavior :)

------
jscholes
Anecdote: much of the software competing with Zoom has really bad
accessibility for disabled users, incl. those using a screen reader, screen
magnifier, keyboard-only/switch control, speech recognition, etc. This is
despite the fact that some of it has been around for 10+ years, or is backed
by large companies like Google.

I bring this up because that can also cause privacy issues. There are the
direct concerns, like not being able to access the text of their policies or
accessibly manage your preferences. But the less obvious factor is
inaccessible controls to:

- verify whether or not you're streaming video;

- determine whether your microphone is muted or not;

- ... etc.

If I don't know what I'm streaming and exposing to meeting participants, I'm
losing on the privacy front. So Zoom it will have to be for now, I'm afraid.
If you think it has too many issues for you to be a viable product, and have
the option of making an alternative more inclusive, I'm open to chat.

~~~
judge2020
> much of the software competing with Zoom has really bad accessibility for
> disabled users,

Does that mean Zoom _does_ in fact perform the necessary legwork on the
accessibility front?

~~~
jscholes
> Does that mean Zoom does in fact perform the necessary legwork on the
> accessibility front?

Pretty much. They're not perfect, but they have put a ton of effort into it.
It may be because they do business with governments, so require things like
Voluntary Product Accessibility Templates (VPATs)[1]. But it is the only
platform I can actively consider using for work, as someone who relies on a
screen reader.

[1] [https://zoom.us/accessibility](https://zoom.us/accessibility)

------
montroser
There's no reason why video conferencing should require an installed app in
2020. Standard browser tech in WebRTC is completely sufficient, and well
supported at this point.

There's even the Picture-in-Picture spec coming into place, which should allow
more seamless desktop integration:
[https://w3c.github.io/picture-in-picture/](https://w3c.github.io/picture-in-picture/)

Fully browser-based alternatives to zoom:

[https://hangouts.google.com](https://hangouts.google.com)

[https://whereby.com](https://whereby.com)

[https://team.video](https://team.video)

~~~
zajio1am
> There's no reason why video conferencing should require an installed app in
> 2020.

Much better efficiency and ergonomics?

Freedom to choose independent client implementations interoperable by
standardized protocols (e.g. SIP)?

Independence of client provider and service provider?

Interoperability between different providers (i.e. different users can use
different service providers)?

~~~
montroser
If the first two points are supremely important to you, and if you have enough
resources, then yes, it's possible you may find more flexibility in an app.

On independence and interoperability though, doesn't an open WebRTC stack
spec'd by an independent standards body give us our best hope there?

------
matsemann
So not even close to what was touted yesterday. And do we really need yet
another thread on this? Is there some kind of astroturfing going on or why is
this Zoom-hate everywhere lately?

[https://news.ycombinator.com/item?id=22657384](https://news.ycombinator.com/item?id=22657384)

~~~
nkozyra
> why is this Zoom-stuff everywhere lately

Um, really? It's probably the #1 conferencing app being introduced to a world
of people not used to remote work. A lot of people are encountering it for the
first time.

~~~
hoseja
How is it #1 though? It seems to have come out of nowhere.

~~~
gwd
I've seen it individually recommended in a number of places.

Why? Well unlike (say) GoToMeeting or Webex, you can use it for free (albeit
with a time limit). Until recently it had a much more modern, easy-to-use
interface than GoToMeeting as well. Also, apparently it's one of the few
videoconferencing solutions that works reasonably well in China.

Also, it apparently scales pretty well; one of the groups in my church
apparently had nearly 100 people in a zoom.us conference last week. I didn't
participate in that one, but there was a distinct lack of "and that was a
disaster" comments.

I resisted using zoom for about two weeks, specifically due to the "start a
local web browser to work around Safari's security features" disaster; but
ultimately, you need to say "no" to every _other_ person who wants to have a
meeting with zoom, and eventually I just had to give up and install the
client.

(I've been recommending meet.jit.si since it's 1) open-source 2) unlimited
time for the free version 3) doesn't need to have a client installed.)

~~~
catacombs
> Why? Well unlike (say) GoToMeeting or Webex, you can use it for free (albeit
> with a time limit).

Not too much it's easy to use. Everyone, from boomers to tech-challenged
zoomers, can easily sign in and use it.

------
teekert
I like Jitsi, it works well in my personal setting (kids talk for hours with
the grand parents)... Other tips?

~~~
fendy3002
I also like jitsi however haven't had any chance to seriously use it. I wonder
if there is any major drawback for jitsi

~~~
STRML
Jitsi's P2P nature is great for 1:1 or small group conversations if everyone
has solid connections. From experience it starts to break down with larger
groups, and becomes pretty useless overall if one or two participants have
spotty connections.

~~~
lima
Jitsi is not P2P for group conversations - all streams are multiplexed by the
server (the videobridge).

100% agreed about spotty connections, it does not handle them very well. As
long as everyone has a decent connection and enough CPU, it handles groups of
10+ participants just fine. My company ended up switching to Google Meet for
reliability reasons, but that was a year ago so it might be better now.

------
donatj
It collects "information you upload, provide, or create while using the
service" … I mean it kind of has to does it not? That's how it can give it to
other people.

~~~
inetknght
Have you heard of encryption?

~~~
h4waii
What exactly does "encryption" solve about this? It could be encrypted from
client to server and the main concerns over privacy would still stand.

What exactly are you suggesting by randomly throwing out the word
"encryption"?

~~~
inetknght
Encrypt data prior to entering Zoom's services. That shouldn't affect Zoom's
ability to deliver your (now-encrypted) data to your peers. It would affect
Zoom's ability to usefully "collect" that data for other purposes though.

~~~
willis936
How are the keys exchanged? At the end of the day zoom holds the keys. What
matters, legally, is their privacy policy. If you don’t trust that then you
have no business using a program that brokers encryption keys.

~~~
tialaramex
No, key agreement protocols were invented in the 20th century. Two parties can
agree a shared secret (such as a key) without an intermediary discovering this
secret even though the intermediary knows everything both parties said. We
have no mathematical proof that such protocols can exist (they need a trapdoor
function and there is no mathematical proof that trapdoor functions are
possible), but nevertheless they seem to work fine.

Now, working KEx does leave you still not certain who the other party is,
you're now communicating securely with someone but you aren't sure who. That's
why the Web PKI exists. But choosing to have Zoom hold all the keys is a
_choice_ and not as you've portrayed it a necessity, the system could be
designed to work just fine without doing that.

~~~
Xylakant
How do you tie a phone dial-in client into a web pki? Because that’s one of
the features that zoom offer: regional dial-in numbers that you can use with
any ordinary phone. And it’s really really useful.

~~~
tialaramex
You can tie anything into the Web PKI if that's really what you want to do,
but that's beside the point.

The point is that Zoom doesn't need to know these keys. Yes, if there's no
assurance that you're really talking to Alice and she's really talking to you
Zoom _could_ sit in the middle of some or all conversations - but right now
they _are_ in the middle of those conversations.

It doesn't change what is theoretically possible, but it changes the posture -
what is easy to do, and why.

If you really don't like the uncertainty of a MITM being possible even if
unlikely - you'd need Signal, or something like Signal's protocol which lets
you compare your shared secrets to determine if there's really nobody in the
middle.
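
Added example, not part of the thread and not Zoom's or Signal's code: a Python sketch of the two points made in the comments above, that a server relaying every message of a key agreement does not learn the key, and that comparing a fingerprint of the agreed secret exposes a server that substitutes its own keys. The X25519 routine follows RFC 7748 but is not constant-time; `Party`, the two relays, the hash labels and the fingerprint format are assumptions made for this illustration.

```python
import hashlib
import secrets

P = 2**255 - 19                      # Curve25519 field prime (RFC 7748)
A24 = 121665
BASE = (9).to_bytes(32, "little")    # standard base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; illustrative, not constant-time."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64     # clamp the scalar
    k_int = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

class Party:
    """One endpoint (hypothetical class for this example)."""
    def __init__(self):
        self._priv = secrets.token_bytes(32)
        self.pub = x25519(self._priv, BASE)   # the only value sent on the wire
        self.key = None

    def agree(self, peer_pub: bytes) -> None:
        shared = x25519(self._priv, peer_pub)
        if shared == bytes(32):               # low-order point: refuse the key
            raise ValueError("degenerate shared secret")
        self.key = hashlib.sha256(b"demo-kdf" + shared).digest()

    def fingerprint(self) -> str:
        # Short string the two users compare out of band (simplified format).
        h = hashlib.sha256(b"demo-fp" + self.key).hexdigest()
        return " ".join(h[i:i + 4] for i in range(0, 16, 4))

def honest_relay(a_pub: bytes, b_pub: bytes):
    """Forwards both public keys unchanged: returns (to Alice, to Bob)."""
    return b_pub, a_pub

class SubstitutingRelay:
    """Relay that hands each side its own key instead of the peer's."""
    def __init__(self):
        self.leg_alice, self.leg_bob = Party(), Party()

    def __call__(self, a_pub: bytes, b_pub: bytes):
        self.leg_alice.agree(a_pub)
        self.leg_bob.agree(b_pub)
        return self.leg_alice.pub, self.leg_bob.pub

def run_call(relay):
    """Run one key agreement through the given relay; return both endpoints."""
    alice, bob = Party(), Party()
    to_alice, to_bob = relay(alice.pub, bob.pub)
    alice.agree(to_alice)
    bob.agree(to_bob)
    return alice, bob

if __name__ == "__main__":
    for label, relay in (("honest", honest_relay),
                         ("substituting", SubstitutingRelay())):
        a, b = run_call(relay)
        print(label, "relay: fingerprints match =",
              a.fingerprint() == b.fingerprint())
```

With the honest relay both sides derive the same key from values the server saw in full; with the substituting relay each side shares a key with the server instead, and the mismatch only becomes visible when the fingerprints are compared over a channel the server does not control.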

------
JensRex
>"Do not use Facebook to sign in"

Aside from being good advice generally, I doubt anyone who's concerned about
the violation of privacy Zoom engages in, would have a Facebook account.

~~~
codetrotter
Your doubts might need to be re-examined.

I have a Facebook account that I originally registered when I was in high
school a little over a decade ago. The reason I've kept it is because I use
Facebook Messenger to talk to some people, and because a lot of events use
Facebook.

The main Facebook app I have not installed, because I don't need it.

The Facebook Messenger app I have installed because I use it. I trust iOS to
limit this app from being able to do anything too nasty.

I never use "log in with Facebook". I clear my cookies regularly, and I often
use a different browser for logging into Facebook from the browser I use for
most stuff.

I try my hardest to be vigilant of my privacy, even though it is a losing
battle.

The fact that someone has a Facebook account should not be taken as a sign
that they think that any of the privacy violation stuff that businesses engage
in is ok.

As for Zoom, I made a conscious decision to not install the Zoom software on
my MacBook Air because of the previous shenanigans that Zoom had been engaging
in. When a client expressed desire that we use Zoom for our meetings, I
therefore chose to install the Zoom app on iOS rather than on my MacBook Air,
because iOS limits apps from being able to do anything too bad, and after we
were done with the job I uninstalled the Zoom app from iOS as well.

~~~
roganartu
> The reason I've kept it is because I use Facebook Messenger to talk to some
> people, and because a lot of events use Facebook.

The events part is unfortunate, but just in case you didn't know you can
deactivate your Facebook account and still retain access to Messenger.

If you go through the process to deactivate your Facebook account, the last
question in the process is "do you want to keep messenger".

------
rdiddly
If you have to track people to make sure they pay attention during the
meeting, the meeting is pointless and too long. Meetings that are short and
packed with useful info nobody wants to miss, are well-attended.

Managers, try being a real leader. Or is that too hard?

------
ravenstine
Don't forget that Zoom used to have a web server installed in the background
that Apple had to send out a patch to disable. I wouldn't ever trust running
Zoom for that reason alone. I'm forced to run it at work, but never at home.

------
virgilp
> has already had a major security vulnerability.

Oh no!! Unlike any other technology on earth that is actually used by non-
trivial amounts of people?

> “Does Zoom sell Personal Data?” the policy says, “Depends what you mean by
> ‘sell.’”

That makes it sound like something malefic is happening. What privacy policy
says is that they use Google tools (e.g. Google analytics, also used for
delivering ads), and they put your data in Google analytics. This is however
_their data_, while indeed "shared with Google" it doesn't mean Google is
using it in any way, other than aggregate ("Across all our customers, <blah
blah blah>") and even that, most likely only for internal statistics.

I for one definitely don't see that as "selling data", I'd agree with Zoom
here.

~~~
dpwm
The article gave me the impression that the privacy policy literally said
"depends what you mean by 'sell'." I didn't find that. I did find:

> We do not allow marketing companies, advertisers, or anyone else to access
> Personal Data in exchange for payment. Except as described above, we do not
> allow any third parties access to any Personal Data we collect in the course
> of providing services to users. We do not allow third parties to use any
> Personal Data obtained from us for their own purposes, unless it is with
> your consent (e.g. when you download an app from the Marketplace). So in our
> humble opinion, we don’t think most of our users would see us as selling
> their information, as that practice is commonly understood.

It seems a bit more nuanced than the article would suggest.

------
Anthony-G
This is the first time I've seen an article on the front page of Hacker News
that has the phrase “here are” in the title.

I’ve noticed over the last few years this trend to add a superfluous “here is”
or “here are” to a headline. Doing so adds absolutely zero information, e.g.,
from the top three current Duck Duck Go search results for “here are”:

1. _“Here Are All the Major Concerts Canceled Due to Coronavirus”_ – could
just be “All the Major Concerts Canceled Due to Coronavirus”

2. _“Coronavirus: Here Are 10 Misconceptions Being Spread”_ – this listicle
could simply be titled “Coronavirus: 10 Misconceptions Being Spread” or “10
Coronavirus Misconceptions Being Spread”

3. _“Have Children? Here Are 3 Tax Credits You Need to Know”_ – this listicle
could be “Have Children? 3 Tax Credits You Need to Know”

In two of the above cases, it’s also not just the headline but the text body
also. I get the psychology behind listicles (and other clickbait phrases such
as _“you need to know”_) but I don’t understand the rationale for inserting
these two wholly superfluous words that neither inform the reader nor
embellish the prose.

It’s had the opposite effect on me and I now have an internal heuristic of
associating this practice with low quality information and I rarely – if ever
– click on such links. Going by the comments on this article, it seems I was
right in this case but surely, that’s the opposite of what the publishers
intend.

------
graton
The woman in this video has issues with privacy in her Zoom conference call:

[https://www.youtube.com/watch?v=0xqLjc2y6O4](https://www.youtube.com/watch?v=0xqLjc2y6O4)

Okay not the same issue this article is talking about, but do pay attention to
if your camera is on and where it is pointing :)

------
xnyhps
The macOS version installs itself before you give it permission to install:
[https://twitter.com/xnyhps/status/1149630190877696001?s=21](https://twitter.com/xnyhps/status/1149630190877696001?s=21).
It is basically malware.

~~~
ilikepi
Very interesting. I don't have any experience making .pkg installers nor with
verifying code signing on macOS, but I agree in general, the `preinstall`
script does a lot of work one would expect the installer itself to do. This is
all supporting evidence for my personal preference to never run the Zoom
installer, but rather to extract the application bundle by hand.[1]

Please consider writing up your findings in more detail.

[1]: [https://news.ycombinator.com/item?id=20391828](https://news.ycombinator.com/item?id=20391828)

------
madwhitehatter
[https://metro.co.uk/2020/03/25/concern-zoom-video-conferenci...](https://metro.co.uk/2020/03/25/concern-zoom-video-conferencing-mod-bans-security-fears-12455327/amp/?ito=article.desktop.share.top.twitter&__twitter_impression=true)

------
lostmsu
I made a simple sandboxed WebView wrapper for Windows, that should address the
privacy issue and remove the annoying need to deal with constant "download the
app" nagging:
[https://losttech.software/Downloads/FuZoom/](https://losttech.software/Downloads/FuZoom/)

------
Igelau
Let's all pledge to keep a little notepad window open that we click into
during Zoom meetings. Pollute attention tracking with false positives. Bonus
points if you stare directly into the camera while you do this.

------
internalfx
Or just use whereby.com

No plugin needed.

------
chvid
"... it will collect and keep data on what type of device you are using, and
your IP address ..."

Oh dear ...

------
hnrodey
Anyone know if Teams has any dark patterns such as this? I haven't heard of
anything.

------
kryogen1c
curious amount of negativity in here. what exactly is the concern? zoom is a
corporate product. your electronic business activities are probably governed
by lawyer-approved documents you signed like an AUP/NDA/consent to be
monitored, so why are you concerned about privacy?

dont want attention tracking? thats a feature, not a "privacy" bug (you expect
personal privacy and freedom during business meetings?). bosses love this kind
of metric, and not without reason. maybe if your meeting "attention" rate is
low, theres an issue a boss could solve to make the business and employee's
lives better. also you can just turn your camera off in zoom.

> According to the company’s privacy policy, Zoom collects reams of data on
> you, including your name, physical address, email address, phone number, job
> title, employer.

this is nonsense. how would installing zoom, as a meeting participant or host,
collect your phone number and physical address? im sure their privacy policy
says this, but that is very different than the zoom client actively scavenging
computers for personal information. THAT would be a story

> it will collect and keep data on what type of device you are using, and your
> IP address

so... like almost every single piece of the internet? most personal IP
addresses rotate, and who cares about your corporate ip? this has to be the
lowest value and most common data point there is. not great, but not alarming.

> Do not use Facebook to sign in

hard to see a legitimate use-case for this. the corporate account features of
zoom means everyone gets an account with their corporate email address, so why
did they ever integrate with facebook? seems likely about scavenging data, but
maybe theyre just trying to be trendy.

all in all, seems like a hit-piece. hit-pieces arent necessarily wrong, but
they are always agenda-based. maybe the agenda is something i agree with, but
i dont know richie koch or what protonmail's stake in the game is in order to
take this at face value without any actual details and sources.

~~~
decebalus1
> your electronic business activities are probably governed by lawyer-approved
> documents you signed like an AUP/NDA/consent to be monitored, so why are you
> concerned about privacy?

I did online interviews through Zoom. I did not sign any NDA and was not
presented with a privacy policy from the companies using Zoom about the data
they collected during the interview.

------
greatjack613
Honestly the points are valid but the solutions stated suck.

Use a new version of zoom?????? Seriously, I mean well duh.

Use a different device to check email??

Very disappointed with the conclusion, I was expecting some way to go into
settings and disable all of the tracking garbage.

------
madwhitehatter
The U.K. MOD has BANNED zoom what do they know

------
TeluguFilms
Yes It works..

