
Zoom monitors activity on your computer - kangax
https://twitter.com/Ouren/status/1241398181205889024
======
discreditable
When someone sends you a zoom invite, cancel the download, then click the
having problems link to download again. Cancel it again. It will show you a
link to join by browser.

A few other meeting apps have dark patterns like this. One of my favorite
things about Hangouts Meet is it's web first.

~~~
userbinator
What I find irritating is this proliferation of meeting apps like these, all
using their own proprietary variations of protocols and consuming huge amounts
of system resources, when there has been a standard protocol for it that's
been around since the late 90s, with a variety of different clients available:
SIP. One could be sent a SIP URI for a meeting and it would work in any
client.

Maybe it's like IRC vs all the other IM "solutions", except with an even
larger difference in userbase.

Edit: looks like Zoom _does_ use SIP too, but it's not that obvious how to use
your own client: [https://support.zoom.us/hc/en-us/articles/201207626-Video-La...](https://support.zoom.us/hc/en-us/articles/201207626-Video-Layout-for-H-323-SIP)

~~~
barbs
Excuse my ignorance but is there a good implementation out there that uses
this protocol? Jitsi perhaps?

~~~
cassianoleal
I have used Jitsi. Last week I did a few pairing sessions where the both of us
were sharing our screens and still had our webcams on in the corner and it was
awesome.

We tried to do a standup with (I think) 8 people and it was terrible - people
would randomly not get any audio for stretches of time, video would get choppy
or lost completely, it was not pleasant.

I will keep using it for pairing since I haven't found another tool that gives
me that kind of flexibility and it was in fact very good. I believe the whole
experience is limited by the connection quality of the worst participant.

~~~
hjek
I've been using Jitsi Meet a lot as well.

It has terrible Firefox support but works decent if _all_ participants are
using Chromium / Chrome[0]. Asking other people to install Chromium makes me
feel dirty but I don't know any other login-free cross-platform open source
easy-to-use video conferencing apps than Jitsi Meet.

[0]: [https://github.com/jitsi/jitsi-meet/issues/4](https://github.com/jitsi/jitsi-meet/issues/4)

~~~
cassianoleal
That could have been the issue, I haven't asked to be honest.

It does tell you that Firefox is not supported when you log in though, so I'd
have expected people to say something but hey ho...

~~~
whoislewys
Hopefully WebRTC becomes more thoroughly implemented cross-browser. Chromium
has waaaay better support since WebRTC is primarily maintained by a team at
Google.

~~~
madwhitehatter
The question is, why doesn't Zoom use WebRTC in favor of the plug-in? WebRTC
uses the SRTP Cryptosuite which is pretty secure and can be made very secure
[https://wiki.freepbx.org/display/DIMG/SRTP+Cryptosuite](https://wiki.freepbx.org/display/DIMG/SRTP+Cryptosuite)

Zoom is unencrypted by default? So you have to physically turn encryption on.
Also, it is very unclear if your data is encrypted at rest. "End to end
encryption" does not necessarily mean "end-to-end encryption" as has been
shown many times before

------
digitalboss
via Zoom Support Reply:
[https://twitter.com/zoom_us/status/1241768006327336963](https://twitter.com/zoom_us/status/1241768006327336963)

"Hi, attention tracking feature is off by default - once enabled, hosts can
tell if participants have the App open and active when the screen-sharing
feature is in use. It does not track any aspects of your audio/video or other
applications on your window."

Points to this article: [https://support.zoom.us/hc/en-us/articles/115000538083-Atten...](https://support.zoom.us/hc/en-us/articles/115000538083-Attendee-attention-tracking)

~~~
matsemann
The twitter thread in the OP says " _collects data on the programs running_ "
without backing anything up. Seems like FUD from the face of it. Yes, the
privacy may not be perfect (according to EFF admins can see time spent by
others in the organization on meetings etc.), and zoom can notify the meeting
organizer about participants not having the window in focus. But that's it?

Not exactly the gravity touted in the linked twitter thread, saying " _If you
manage the calls, you can monitor what programs users on the call are running
as well_ ". No proof of that...

Kinda scared by how much a single tweet can make something blow up, without a
shred of evidence backing the claims up.

~~~
IggleSniggle
The more interesting aspect to me from the EFF article was that admins can
also see your geolocation, who you are meeting with and when, etc. Basically,
if Zoom is your platform for communicating, your Zoom admin knows a LOT of
metadata about your people that they might not be aware is knowable.

------
Mathnerd314
EFF seems to be the source: [https://www.eff.org/deeplinks/2020/03/what-you-should-know-a...](https://www.eff.org/deeplinks/2020/03/what-you-should-know-about-online-tools-during-covid-19-crisis)

> If attendees of a meeting do not have the Zoom video window in focus during
> a call where the host is screen-sharing, after 30 seconds the host can see
> indicators next to each participant’s name indicating that the Zoom window
> is not active.

It doesn't seem too invasive, although of course it'd still be annoying if you
have two monitors etc.

~~~
eddyg
This feature is primarily used in educational-type settings so instructors can
tell that students aren't paying attention to something else.

As far as I've been able to determine, there is no collection of "apps" or
other data, just "not paying attention" time.

~~~
asdff
So what if the student has their notes app pulled up? That's a legitimate
reason to trigger the alert. The student could also just be playing xbox or
something unbeknownst to the professor and still appear alert on the webcam.

It seems like it trades a lot of privacy for something students will evade
with no effort at all.

~~~
IggleSniggle
Exactly. At least the student whose window is not in focus is _at their
computer_

------
EGreg
That’s why we have been building
[https://qbix.com/platform](https://qbix.com/platform)

To have an open source alternative. Want videoconferencing on your own site?
You can! See here for instance.

[https://yang2020.app/meeting](https://yang2020.app/meeting)

We have a harder challenge of making all the SDP offers work cross browser,
but Chrome should def work.

Code: [https://github.com/Qbix](https://github.com/Qbix) (If you like it, star
it lol ⭐️)

Contact me if you want to learn how to use the Qbix platform. I will be
teaching classes and put it online. We are following the wordpress model. My
email is in [https://qbix.com/about](https://qbix.com/about)

 _Quick question for the networking experts here... with everyone connecting
from home, what percentage are behind a LAN firewall that you need to use TURN
servers? What if you avoided those servers and made peer to peer infra
entirely, how many people would we lose?_

 _(Is a complete graph of everyone sending to everyone worse than an SFU once
you get too many users? Isn’t it exactly the same number of streams, just in a
star topology? Can’t we just nominate a few of the browsers to do what the SFU
does, namely forwarding video to the others? Is the issue only with
resolution?)_

~~~
kelnos
_with everyone connecting from home, what percentage are behind a LAN
firewall_

From home? Essentially 100%.

 _that you need to use TURN servers?_

That's less clear. I'm not sure how many home firewalls are impenetrable by
STUN as well. I worked on Twilio's WebRTC-based audio product back in
2012-2014. In the beginning we only supported STUN. We did get _some_ customer
support requests about initial connection failures (which I mostly attributed
to STUN failures), but never kept track of stats on what the success/fail
ratio was. We eventually added TURN support (after I left that product team),
but based on how long it took us to do that, my guess would be STUN was
effective for most setups. Also consider that many (most?) of our users were
probably behind restrictive corporate firewalls, and I'd expect home firewalls
to be more lenient.

------
DyslexicAtheist
This isn't the first time Zoom got caught red-handed[1]. Last year they were
called out for installing a local web server in order to disable security
controls to get around the deprecated NPAPI[2] ... this is literally what
malware does.

About the same time this story broke I interviewed for a Paris based AppSec
company and their CTO asked me to install Zoom. It was really awkward because
I had to ask: "Is this a trick question??"

Seriously I wouldn't touch Zoom with a 20 foot stick!

[1] [https://medium.com/bugbountywriteup/zoom-zero-day-4-million-...](https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5)

[2] [https://en.wikipedia.org/wiki/NPAPI](https://en.wikipedia.org/wiki/NPAPI)

------
threatofrain
From [https://zoom.us/privacy](https://zoom.us/privacy):

> Whether you have Zoom account or not, we may collect Personal Data from or
> about you when you use or otherwise interact with our Products. We may
> gather the following categories of Personal Data about you:

> - Information commonly used to identify you, such as your name, user name,
> physical address, email address, phone numbers, and other similar
> identifiers

> - Information about your job, such as your title and employer

> - Credit/debit card or other payment information

> - Facebook profile information (when you use Facebook to log-in to our
> Products or to create an account for our Products)

> - General information about your product and service preferences

> - Information about your device, network, and internet connection, such as
> your IP address(es), MAC address, other device ID (UDID), device type,
> operating system type and version, and client version

> - Information about your usage of or other interaction with our Products
> (“Usage Information”)

> - Other information you upload, provide, or create while using the service
> ("Customer Content"), as further detailed in the “Customer Content” section
> below

~~~
manigandham
This is standard language to cover everything in normal use. Billing details
are obvious. Profile info is provided when you sign up and use the service. The
system info is used to run and optimize the calls.

Zoom isn't actively scraping your info, and there's 0 evidence of anything in
the Tweet.

~~~
jjoonathan
Lawyerspeak: "It's just boilerplate."

Translation: "Yeah, that's one of the parts where we really screw you, but you
don't have a choice, lol."

~~~
manigandham
You have a choice to not use Zoom.

~~~
jjoonathan
Sure! Except it was mandated by your boss. Or you have a choice between a
bunch of offerings with the exact same screwball terms. This might not
actually be true for videoconferencing now that it's getting somewhat
democratized and competitive.

Point is: "just boilerplate" is just rationalization. An honest person would
never present it as comforting and a knowledgeable person would never find it
comforting. Of course, the world is full of dishonest people, so it gets used
all the time. Hence "lawyerspeak."

~~~
blacksmith_tb
True, though you could dial in from a phone (even a landline), unless you were
being asked to not only attend but also share your screen.

------
lghh
Downside of what may be a societal long term shift to work from home is even
LESS privacy. I find that ironic, but not surprising.

~~~
DyslexicAtheist
If Zoom were a Chinese company they'd immediately be branded a threat actor!
A company that bypasses security controls on the host[1] has no place in a
corporate network, covid19 crisis or not.

[1] see news from ca July 2019

~~~
kube-system
Yes, governance is of material importance to privacy.

------
anonu
That's messed up. Our zoom usage at the company has skyrocketed these past few
weeks. I was marveling at how smooth and seamless the process was. Though I
was a bit peeved zoom always steers you to the installed app instead of
keeping it in the browser. Now I know why...

------
jfolkins
Super timely. Even on my Linux box I noticed yesterday that Zoom, even though
I had "closed" the application, was still running (`ps -ef | grep zoom`), so I
killed it.

After reading this, I've deleted it too. Super weird.

~~~
hackeerTwo
True, I used zoom about a month ago and it's still running a process in the
background.

~~~
tripzilch
Um, why haven't you killed it?

------
barbs
Does [https://jitsi.org/](https://jitsi.org/) solve these problems?

------
scarface74
Is anyone surprised?

[https://www.zdnet.com/article/zoom-defends-use-of-local-web-...](https://www.zdnet.com/article/zoom-defends-use-of-local-web-server-on-macs-after-security-report/)

~~~
valuearb
Didn't Apple shut that down?

~~~
scarface74
Yes. And people on HN complained that it is yet another example of Apple
“locking down” the Mac for killing an app that secretly installed a backdoor
and let an app reinstall itself.

------
madwhitehatter
[https://www.forbes.com/sites/kateoflahertyuk/2020/03/25/zoom...](https://www.forbes.com/sites/kateoflahertyuk/2020/03/25/zooms-a-lifeline-during-covid-19-this-is-why-its-also-a-privacy-risk/#195e68d328ba)

Still seeing loads of red flags in mainstream media. This is not a Secure
business tool

------
change_yourself
Truly, I was taking an online interview for a programming position, and almost
at the end of the process I remembered that I could be asked about design
patterns. I opened a browser, went to a site with pattern descriptions
and... the interviewer's last question was: "I think that's all... But I have
one more question on design patterns."

------
lostmsu
I made a simple sandboxed WebView wrapper for Windows, that should address the
privacy issue and remove the annoying need to deal with constant "download the
app" nagging:
[https://losttech.software/Downloads/FuZoom/](https://losttech.software/Downloads/FuZoom/)

------
skc
Now is probably the worst possible time to reveal this news.

Because right now, people have much more pressing matters and need to
communicate.

~~~
thinkingemote
Now is the time to be on our guard, much more than in times of peace and
quiet.

------
thorum
Thanks for the heads up, just uninstalled.

------
jvanveen
Working on a web-based FOSS SIP/WebRTC/P2P conferencing solution (WIP):
[https://github.com/garage11/ca11](https://github.com/garage11/ca11)

------
yadongwen
Is it related to screen sharing? They allow sharing a specific window. Without
knowing about other processes you may not share the window. You have to
specifically allow it in System Preference on Mac though.

------
fulldecent2
I don't use Zoom. But I'll assume it's the same as Google Meet and so now I'll
complain about Google Meet.

1. When the call quality is less than 100%, it is difficult to attribute this
blame to the other person, my equipment, my connection, or the service
provider. A heartbeat signal could fix this.

2. When somebody else is presenting, I can't point on THEIR screen. I have to
fumble through "higher, higher, too high, it's on the bar, do you see the
bar?, yes, click on that one, you're right it doesn't really look like a
pencil does it?"

------
EastSmith
Pretty low move by Zoom. Again. There is nothing in their interface letting
users know they've been monitored. Nothing.

------
griphook
Does anybody have a good alternative to zoom that does not do this?

~~~
_ink_
An open source alternative might be Jitsi Meet [https://jitsi.org/jitsi-meet/](https://jitsi.org/jitsi-meet/). I haven't tried it though.

------
magwa101
Yeah, hello, delete it.

------
yuva123
Hello all, I am taking a class via a Zoom meeting. Someone came and typed "fuck
you". How can I find who he is? Can you help me with this? How can I find the
ID and IP address?

------
smitty1e
Goes without saying that there is massive "pattern of life" info emitted by
what you attend and with whom.

No wonder it's such a great little product.

