
Zoom still don't understand GDPR - andrewnicolalde
https://www.threatspike.com/blog/zoom_cookies.html
======
1vuio0pswjnm7
I love how when you go to enter a Zoom meeting, they bury the no-install, run-
in-browser link in small type in a footer. And then, if you manage to see the
link and use the browser, they withhold "Gallery View", forcing you to deal
with the extremely annoying "Active Speaker View".

~~~
gruez
> And then, if you manage to see the link and use the browser, they withhold
> "Gallery View", forcing you to deal with the extremely annoying "Active
> Speaker View".

Is this a browser limitation or something? I think Microsoft Teams has the
same issue.

~~~
p1necone
Browsers do generally have a limit on simultaneous outgoing connections per
domain[1] - it could be related to that. (This is also why e.g. TFS breaks
down when you open too many tabs).

[1]
[https://docs.pushtechnology.com/cloud/latest/manual/html/des...](https://docs.pushtechnology.com/cloud/latest/manual/html/designguide/solution/support/connection_limitations.html)

~~~
kelnos
I doubt that has anything to do with it. Zoom almost certainly handles
composing the image for gallery view server-side; you're not maintaining a
separate connection for each participant.

~~~
jessaustin
It's possible that the server just forwards a selection of packets from each
participant (hopefully dropping some from those who aren't speaking or moving)
and the client stitches them into the view.

~~~
kelnos
Sure, that would be the SFU doing its job, but my point is that you aren't
maintaining a connection per participant, but one connection with Zoom itself
where you get all the video data. It's true that could be in the form of a
single video stream of the entire gallery, or separate streams of only the
participants visible to you.

------
DenseComet
It's unfortunate that they bought and destroyed Keybase [1] in a bid to
improve their security and even still there seems to be no improvement. Guess
even the best folks can't make an impact if company culture prevents it.

[1] [https://github.com/keybase/client/graphs/commit-activity](https://github.com/keybase/client/graphs/commit-activity)

~~~
andrewnicolalde
Same, they were my preferred platform for secure messaging, which is bizarre
when you think about the fact that this wasn't even their original purpose. I
guess this was indicative of the general lack of a single defined direction
the product was going in near the time of the Zoom acquisition. What a shame.
Hopefully someone makes something similar.

~~~
juped
What was the draw of Keybase? I wasn't interested when it was a "post all your
website usernames here, but with crypto somehow" site, and by the time I
looked in on it later, it was an unreadable startup homepage and had some kind
of cryptocurrency scam attached to it. If it had a good messaging featureset
that should be cloned, former Keybase users should speak up!

~~~
andrewnicolalde
It had excellent chat functionality that worked well, and this was at a time
in which the Signal client for Android was still quite buggy (hundreds of _Bad
encrypted message_ messages flooding group chats, messages delivered hours
late and all at once, poor performance etc.) My group naturally gravitated
towards Keybase as our secure messaging platform. The other killer feature was
KBFS, which was a sort of shared encrypted filesystem with which you could
sync files securely across all of your devices, share files publicly or with
specific users or sets of users or groups in cryptographically protected ways.

The unintelligible foray into cryptocurrency with Lumens made very little
sense to me, but apparently the coins I was gifted for free by Keybase are
worth over 100 USD now. I'll probably hold on to them.

~~~
timerol
FYI, if you want to liquidate those, AnchorUSD makes it really easy to
transfer them out to a US bank account.

~~~
andrewnicolalde
Thanks for the heads up :)

------
saagarjha
C'mon, what does it take for Zoom to understand that when people uninstall
software they don't want parts of it to stick around forever?

~~~
qppo
Usually this happens because the person who wrote the file or daemon didn't
write the uninstaller and no one gives a hoot about it at review.

Never assume malice in that which can be explained by a poor engineering culture.

~~~
wanderer2323
Always assume that the malicious outcome is the intended outcome. Somewhere at
zoom a tech lead looked at the features planned, saw 'uninstaller' and
deprioritized it to P4. That was the malice, even though they did not cackle
and wore a top hat with a monocle while doing it.

~~~
sethammons
I’ve never worked somewhere where the tech lead would make that call; product
would make the call after the team or tech lead gave estimates on different
trade offs.

------
laurent92
Why do you guys not use [https://whereby.com](https://whereby.com) (formerly
appear.in), it’s free for 4 people, in-browser only, no-login, WebRTC, allows
sharing the screen alongside faces.

But they made the 5+ rooms $9 per month, which is way too expensive. There are
not enough competitors for WebRTC conf tools, it should be quite simple and
$4-5 a month (WebRTC doesn’t incur data costs on the servers since the data is
peer-to-peer).

~~~
buzer
> WebRTC doesn’t incur data costs on the servers since the data is peer-to-
> peer

There are probably some operators that do pure p2p, but vast majority use some
kind of bridge past certain number of users (& TURN might also be used for
p2p). Usually this is to limit the amount of bandwidth participant needs.

Other alternatives are [https://meet.jit.si](https://meet.jit.si) &
[https://8x8.vc/](https://8x8.vc/). I cannot remember what was the current
limit of participants in Jitsi (it was 75 back in June), but on 8x8.vc it's
100. In cases where you simply need a lot of viewers and limited number of
participants there is also an option to livestream to Youtube.

(Disclaimer: I work at 8x8, but not directly on Meet or Jitsi)

~~~
sebmellen
8x8 has intrigued me, but I'm a bit confused as to what happened. Did 8x8 buy
the Jitsi brand from Atlassian? And what's the benefit of 8x8 vs Jitsi pure? I
might be a customer if 8x8 is a compelling alternative to Zoom without some of
the downsides of Jitsi (generally less reliable).

~~~
k3liutZu
Disclaimer: I work at 8x8 (not specifically on meetings, but related)

8x8 offers more than just meetings.

You can see the feature list here: [https://www.8x8.com/products/video-conferencing](https://www.8x8.com/products/video-conferencing)

Yes we bought Jitsi from Atlassian.

The Jitsi based meetings are integrated into our complete UC offering (yet we
still deliver stand-alone meeting clients for customers who might want only
meetings).

------
morpheuskafka
This is what we need app sandboxing for. No reason third-party apps should be
able to read the browser's cookie database.

~~~
andrewnicolalde
As an aside, the Chrome cookies database on Windows is protected using the
Windows Data Protection API[1], which ties encryption keys to a specific user.
In the case of the Chrome cookie database, each cookie's payload/value is
encrypted using a cryptographic key generated by the DPAPI which is only
accessible to that Windows user. Of course, (and as is the case with most
situations like this), this does absolutely nothing to protect users against
malicious or intrusive programs running with the permissions of that user.

So yeah, you're right. App sandboxing please.

[1]
[https://en.wikipedia.org/wiki/Data_Protection_API](https://en.wikipedia.org/wiki/Data_Protection_API)

~~~
grenoire
I thought the rule was: If you can see it plaintext on the screen, it's not
safe.

~~~
andrewnicolalde
Could you elaborate on that? Of course no computer is completely secure
against all forms of attack, but I’ve found statements like these to not
contribute very much towards solving any practical security problems.

~~~
wongarsu
On windows any program can read the contents of any window on the current
desktop (with some exceptions, like UAC prompts and other windows that dim
your entire screen). This has legitimate use cases for screen readers or
dictation, but of course it can also be abused. Same for X11. On more modern
operating systems like Android the user needs to take very explicit action to
allow an app to do that.

~~~
andrewnicolalde
Wow, I had no idea this was also the case on Windows! I was aware of this on
X11 and switched to a Wayland compositor as a result. Is this true for macOS?
I know for sure that on more recent versions of macOS, applications which want
to capture the entire screen require special user-approved permissions, but
can they selectively read other windows?

------
s_dev
It is difficult to get a man to understand something when his salary depends
upon his not understanding it. -- Upton Sinclair

------
edoceo
Brief: adds cookies to Chrome on the UNinstall process. Includes a funny
"everlogin" one that lasts 10yr

~~~
ricardo81
Worth mentioning that the uninstaller sets the cookie by adapting your cookies
file after reading contents of the file entirely unrelated to Zoom.

~~~
ppezaris
Worth mentioning that the author speculates that this happens not for a
nefarious reason, but in a binary tree search to locate your zoom cookie.

~~~
banana_giraffe
Further, it's a SQLite database. It's not like it's hard to check this
behavior, or instrument the database file to see exactly what it's doing.

It was really odd they didn't bother.

[https://imgur.com/a/jBaW7RL](https://imgur.com/a/jBaW7RL)

~~~
nostoc
What tools would you use to instrument a sqlite file in order to monitor
reads?

~~~
TeMPOraL
When Julia Evans wanted to learn what SQLite does, she just stuffed some
printf calls into the code and rebuilt it :).

[https://jvns.ca/blog/2014/09/27/how-does-sqlite-work-part-1-...](https://jvns.ca/blog/2014/09/27/how-does-sqlite-work-part-1-pages/)

You could do similar at API entry points.

Or, if you're after writes, it would be simpler to attach an "on
insert/update" trigger that just records the changes in another table. See
[https://www.sqlite.org/undoredo.html](https://www.sqlite.org/undoredo.html)
for an example of using triggers this way.
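
The SQLite instrumentation banana_giraffe and TeMPOraL describe, as an added example that is not part of the thread or of the article: triggers write an audit row for every insert, update and delete on a Chrome-style `cookies` table (so any same-user process that writes to the file, an uninstaller included, leaves a record), a trace callback logs the statements this connection runs (the only way to see reads, which triggers never fire on), and a query flags persistent cookies with more than 12 months left, the figure discussed elsewhere in the thread. The table is a simplified subset of Chrome's schema (an assumption; the real table has more columns, and on Windows the value column is DPAPI-protected as noted earlier in the thread), and every host, name and value is constructed for the demo.

```python
"""Instrument a Chrome-style cookie store: SQLite triggers log every write
(any process touching the file, e.g. an uninstaller) and a query flags
persistent cookies that outlive 12 months.

Added example for this thread, not code from the article or from Zoom. The
table is a simplified subset of Chrome's `cookies` schema (assumption), and
all hosts, names and values below are constructed for the demo.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=365)   # the 12-month figure the thread cites


def to_webkit_us(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def from_webkit_us(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def open_cookie_db(path=":memory:"):
    """Open (or create) the store and attach an audit table plus triggers."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE IF NOT EXISTS cookies (
            creation_utc INTEGER NOT NULL,
            host_key     TEXT    NOT NULL,
            name         TEXT    NOT NULL,
            value        TEXT    NOT NULL,
            expires_utc  INTEGER NOT NULL,
            has_expires  INTEGER NOT NULL,
            PRIMARY KEY (host_key, name)
        );
        -- Triggers run inside SQLite, so they fire for any writer that uses
        -- the library, not just this script. Reads (SELECT) never fire them.
        CREATE TABLE IF NOT EXISTS cookie_audit (
            ts INTEGER DEFAULT (strftime('%s', 'now')),
            op TEXT, host_key TEXT, name TEXT,
            old_expires INTEGER, new_expires INTEGER
        );
        CREATE TRIGGER IF NOT EXISTS cookies_ai AFTER INSERT ON cookies BEGIN
            INSERT INTO cookie_audit(op, host_key, name, new_expires)
            VALUES ('INSERT', NEW.host_key, NEW.name, NEW.expires_utc);
        END;
        CREATE TRIGGER IF NOT EXISTS cookies_au AFTER UPDATE ON cookies BEGIN
            INSERT INTO cookie_audit(op, host_key, name, old_expires, new_expires)
            VALUES ('UPDATE', OLD.host_key, OLD.name, OLD.expires_utc, NEW.expires_utc);
        END;
        CREATE TRIGGER IF NOT EXISTS cookies_ad AFTER DELETE ON cookies BEGIN
            INSERT INTO cookie_audit(op, host_key, name, old_expires)
            VALUES ('DELETE', OLD.host_key, OLD.name, OLD.expires_utc);
        END;
    """)
    return con


def set_cookie(con, host, name, value, lifetime, now):
    expires = to_webkit_us(now + lifetime)
    con.execute("INSERT INTO cookies VALUES (?, ?, ?, ?, ?, 1)",
                (to_webkit_us(now), host, name, value, expires))
    con.commit()


def long_lived_cookies(con, now, max_lifetime=MAX_LIFETIME):
    """Persistent cookies expiring more than max_lifetime after `now`,
    as (host_key, name, remaining_days)."""
    limit = to_webkit_us(now + max_lifetime)
    rows = con.execute(
        "SELECT host_key, name, expires_utc FROM cookies "
        "WHERE has_expires = 1 AND expires_utc > ? ORDER BY expires_utc",
        (limit,)).fetchall()
    return [(h, n, (from_webkit_us(e) - now).days) for h, n, e in rows]


def audit_log(con):
    return con.execute(
        "SELECT op, host_key, name FROM cookie_audit ORDER BY rowid").fetchall()


def demo():
    now = datetime(2020, 10, 1, tzinfo=timezone.utc)   # fixed clock for repeatability
    con = open_cookie_db()
    # Cookies the browser itself might hold (constructed).
    set_cookie(con, "example.org", "session", "abc123", timedelta(days=30), now)
    set_cookie(con, ".zoom.us", "pref", "en", timedelta(days=365), now)
    # What a same-user process (an uninstaller, say) can do to the file:
    # write a ten-year cookie straight in. Name from the thread, value constructed.
    set_cookie(con, ".zoom.us", "everlogin", "1", timedelta(days=3650), now)
    # Triggers can't see reads; trace statements on this connection instead.
    statements = []
    con.set_trace_callback(statements.append)
    flagged = long_lived_cookies(con, now)
    con.set_trace_callback(None)
    return flagged, audit_log(con), statements


if __name__ == "__main__":
    flagged, log, statements = demo()
    print("audit:", log)
    print("over 12 months:", flagged)
    print("traced:", statements)
```

Pointed at a copy of a real profile's `Cookies` file (close the browser first; it holds a lock), the same triggers persist in the file, so a later run by another process shows up in `cookie_audit`. `set_trace_callback` only sees this connection's statements, so it answers "what does my code read", not "what did the uninstaller read"; for that you are back to hooking the SQLite library in the other process, as TeMPOraL's Julia Evans link does.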

------
jjluoma
At least zoom has privacy statement / policy page available on their web site
unlike threatspike.com

~~~
rndgermandude
Fair point. threatspike's homepage talks about how they store data in a -
according to them - secure fashion in a secure data center in London. What
this tells me is that they collect data and store data. Moreover, their
article tells me that they do have access to a lot of information, or else
they couldn't have known about the zoom behavior if their stuff didn't phone
home such information.

------
nojvek
Have you seen Zoom’s stock price? Wall Street don’t give a shit about security
unless the company goes under due to a massive fine.

Let’s accept the fact that US govt doesn’t give a shit about little
privacy/security like this. EU will sometimes strike a big hammer but even
that is sporadic.

Zoom has built momentum on “dark growth hacks” and they’re reaping the
rewards. This is standard Silicon Valley.

------
nedsma
Zoom is a joke on Linux. You enter a meeting, it goes automatically into full
screen mode and when you put in windowed mode, the window can get lost. Then
you need to reconnect the session.

------
irjustin
I argue Zoom does understand GDPR and the ePrivacy Directive from a legal
perspective.

The specific citation about the length of a cookie is a recommendation and not
a law[0]. The key word is 'should'.

I'm not a lawyer nor claim the ability to interpret GDPR legally, but I have
seen companies that actively worked to edge case GDPR to their advantage (I
was part of one). We would have lawyers and other 'GDPR experts' tell us what
was possible and what wasn't then simply extend into the grey area.

Here, I reject Hanlon's Razor[1].

[0]
[https://gdpr.eu/cookies/#:~:text=All%20persistent%20cookies%...](https://gdpr.eu/cookies/#:~:text=All%20persistent%20cookies%20have%20an,you%20do%20not%20take%20action).

[1]
[https://en.wikipedia.org/wiki/Hanlon%27s_razor](https://en.wikipedia.org/wiki/Hanlon%27s_razor)

~~~
dheera
I imagine GDPR doesn't apply to Zoom, as a non-EU company. Much like China
bans what it doesn't want, the onus is on the EU to set up a GFW of their own
and ban Zoom (and other GDPR-non-compliant foreign websites) if they disagree
with it.

Otherwise, Zoom only needs to obey the laws of USA and wherever else they have
offices.

Disclaimer: IANAL

Also: I'm not arguing for Zoom's sketchy practices but just saying that GDPR
might be the wrong card here. The EU isn't the world police.

~~~
irjustin
Any company that has an operating entity in an EU country must comply or risk
being fined by regulators.

If the target is big enough, EU regulators will ask for help from other
countries.

Zoom operates offices in a few EU countries[0] so they'll definitely have some
sort of entity(ies) setup - regulation pressure can be applied.

[0] [https://zoom.us/contact](https://zoom.us/contact)

~~~
dheera
You're right, I checked and Zoom does have offices in Paris and Amsterdam.

I suppose then they have the choice of doing Google's playbook in China and
just close their EU offices if they wanted, instead of complying. I mean,
China wanting censorship and EU wanting GDPR aren't any different. Without
arguing for or against either, China's censorship and GDPR are both local laws
and foreign-based companies with no local offices don't need to comply.
Foreign companies may be blocked, that's all.

Not that I'm advocating for Zoom violating privacy, but I'm not in support of
EU unilaterally setting rules for the world or their right to police EU laws
outside their borders. They should set up a GFW if they don't like certain
things being sent into their country borders over the web, but they can't tell
me what to do if I haven't set foot in their jurisdiction. (Neither can Iran,
Russia, or North Korea, so why does EU get a pass to police you? If Kim Jong
Un sent you a fine for $1 million would you pay it?)

~~~
yjftsjthsd-h
> but they can't tell me what to do if I'm not in their jurisdiction.

True, but if you have offices and do business in their jurisdiction, then you
get to follow their laws.

------
chromedev
Google Meet features seem so much better suited for government and education,
especially if using G Suite on top of it. It is like the same price of Zoom
but includes a lot of other great features, including unlimited storage using
Google Drive.

------
JumpCrisscross
Does anyone expect any consequences? It’s not like any EU member would ban
Zoom in the middle of the pandemic.

~~~
wlll
The first step wouldn't be banning, it would be helping Zoom to be compliant,
then if they were uncooperative, a fine.

------
johnchristopher
Why is an uninstaller allowed to access a browser's files in the first place
and then modify them? There's a name for that category of software.

~~~
caymanjim
While it's annoying that this is the case, pretty much all software on all
commonly-used operating systems has complete access to everything.

When you install software in Windows, either it installs without Administrator
permissions (in which case it still has access to every single user file) or
it asks for elevation to Administrator, and users blindly click Yes (in which
case it has access to the entire machine).

When you install software in Unix/Linux, you're almost certainly using sudo,
giving up complete control. User permissions on single user systems are almost
irrelevant. It's all about blind trust. People think nothing of installing
software via "curl | sudo bash", or adding random PPA repositories to apt,
downloading a binary and running it as root, or deploying a docker container
linked from a blog. I know the risks and I do it all the time, because
convenience always wins and popular things are reasonably safe due to the "mob
trust" factor.

MacOS has made some incremental steps to wall applications off from each
other, requiring explicit authorization for some actions via System
Preferences toggles, but really, it's just adding inconvenience for your
average user, and people will generally blindly agree, in part because some of
the categories are too vague or broad (small UI widgets that alter e.g.
keyboard bindings or window placement require carte blanche).

Phone operating systems are better at this than most, requiring explicit
permission to access e.g. contacts, but there are still limits on how
protected your data is. Most of the security on phone apps comes from the
vetting required by the vendor lock-in stores. Yet we still had apps able to
invisibly steal global clipboard contents until earlier this year.

So, yeah, it's stupid that Zoom's uninstaller has access to browser cookies,
but do you think there's a single piece of software you use that doesn't?
Everything on your system has access to everything else in most cases.

------
andrewnicolalde
Disclaimer: I used to work at ThreatSpike Labs but left before this article
was written and before any of the findings on this article were discovered.

~~~
ComputerGuru
HN is cool with self-posting, so in all cases you’re in the clear.

~~~
wnoise
Yes, but they (we) still like disclosure.

------
m3kw9
It seems Zoom is so big that a small bone to pick on can yield clicks for them.

~~~
robomc
a desktop uninstaller messing with chrome cookies isn't a small bone imo

------
IvanSologub
Read between the lines: a company established on the territory of a state
where there is no concept of "private property" does not understand that it is
impossible to collect personal data.

~~~
franga2000
Who what now? Zoom? California? Because of that one squatting case?

Whatever it is that you are referring to, it sounds political and can't
possibly have anything to do with the topic at hand. Save it for a different
thread.

------
daffy
If you have to run the native programme (for me it keeps breaking up in the
browser), run it from a dedicated unprivileged user, without installing it on
the system. (Run ./opt/zoom/ZoomLauncher.) If you have to log in (I couldn't
change the input device without logging in), when your browser tries to open
the not installed programme, copy the link and give it as a command-line
argument to ZoomLauncher.

Looking forward to a working alternative.

------
azepoi
I really don't like how Zoom forces the download of an executable, how doesn't
this trip the antimalware? What a bad practice.

~~~
stunt
It's annoying when you don't have the client and you want to jump into a
meeting, or you don't want to install the client for different reasons.

They obviously focus on pushing their client because they can offer more
features and better user experience. It's easier to sell their product to you.
Otherwise most web clients are limited in features which means it's harder to
compete for them.

------
setzer22
I find the name of the _NPS_0487a3ac_throttle_ cookie suspicious enough, but
the article does not comment on it. Is this a common practice? Throttling the
website for users who uninstalled your application?

------
gojomo
I'm sure Zoom would be doing privacy-iffy things even if in full compliance
with the GDPR. And the possibility they might be surveying other cookies, and
uploading them elsewhere, would be a giant concern if verified.

But the specific complaint here, about a cookie with an expiration longer-
than-12-months, seems pretty silly.

It's not stored on some remote machine - it's stored locally, transparently.
The user – and their own software – can control this easily & completely. If
there's a good rationale for expiring cookies earlier, a browser can easily do
it directly - it needn't involve regulators, or ineffectually hoping every one
of thousands of different companies/websites do something the laws of one
place ask.

------
whereistimbo
Why do people still use Zoom? Something like Google Meet or Microsoft Teams is
better.

~~~
impendia
Because it's frictionless. It's very easy to set up a Zoom meeting with anyone
in the world.

When I tried MS Teams, my impression was that it required a fair amount of
advance configuration. This is no problem if you're meeting the same people
repeatedly and they work for the same employer as you. Indeed, as the name of
the software suggests, it's good for "teams". But for me, anyway, this hasn't
been my typical use case.

~~~
pbhjpbhj
Zoom seems pretty high-friction vs jit.si. It forces (kinda, tricks I
suppose) install of a client exe for example and IIRC requires registration.

Jitsi you just follow the link, webrtc means no download.

~~~
franga2000
The high friction with Jitsi is browser permissions. You need to interact with
both the webpage and the browser's chrome to set up and switch media devices,
which can get confusing even for someone with deep knowledge of the browser
APIs, let alone for someone who couldn't tell a UAC prompt from a MsgBox().

That's why Zoom uses all these dark patterns to get native code running as
soon as possible and as privileged as possible so it can do all the work for
you. See also: Mac installer disaster.

~~~
pbhjpbhj
Browser just says "give permission to use mic and camera" and you click yes.

If you click no, then I think you're going to struggle to intuit how to
proceed; but it's no harder than navigating UAC dialogs to install software,
much easier IMO.

None of the olds in my family had a problem. YMMV I guess.

~~~
franga2000
Except that the permission popup is very difficult to spot and disappears if
you touch anything other than it, after which it's pretty hard to find again.
It also asks you to select an input device and if you pick wrong, you might
have to track it down again to fix that.

On a fast and stable machine and Internet connection this is much less of an
issue, but in my experience at least, that is not the norm.

~~~
pbhjpbhj
Cool, thanks for expanding on that.

------
chrisjudice09
This is excellent work by threatspike and we should commend/support efforts
like this that help keep us informed of the sneaky and intrusive actions of
certain pieces of software

------
ubermonkey
My bet is that Zoom _understand_ the GDPR just fine, and don't care.

They have repeatedly shown that they will do whatever they want, and then act
contrite later if they're caught out. They are not trustworthy, and I won't
run their software on any nonsandboxed environment AT ALL. There's utterly no
reason to.

------
tomschwiha
The author is referring to the ePrivacy directive - it's not the same as the
GDPR.

Does he mean the ePrivacy regulation?

The ePrivacy regulation (not directive) is not binding law yet.

------
Kiro
Maybe it's obvious but how does this break GDPR?

~~~
stunt
You shouldn't set a cookie without an expiry date, especially after user opt-out.
This particular example isn't really a big issue. But, perhaps you wouldn't
read it if the title was too accurate.

------
aminozuur
*doesn't

~~~
andrewnicolalde
It caught me off guard too. The company is UK-based so it's probably a British
colloquialism.

~~~
tluyben2
As far as I can find online, it's American street language; I only know it
from US shows and Eminem (and other rap) songs. Maybe here it's used to
indicate that "zoom be stupid".

~~~
andrewnicolalde
Perhaps. I'm American but live in the UK, and I have observed how people in
the UK use "don't" as opposed to "doesn't" when the thing being referred to is
an organisation, I suppose with the idea of it being an organisation comprised
of many people (i.e. "they don't") as opposed to an inanimate non-human entity
("it doesn't").

Still incorrect to my understanding of how English works.

~~~
iso947
Perhaps it’s built into a different perception of what a company is. In
America, I get the feeling people think more of companies (large companies) as
human beings with rights (but no responsibilities), and that’s far less than
the general view in the UK where the view is often they are parasites with
valueless shareholders.

I wonder if a company with a well known single owner (amazon/bezos,
spacex/musk) is also thought of as a group Or a person subconsciously.

Two countries separated by a common language

~~~
foldr
No, it's just that American English in general is much less free with the use
of plural agreement with collective singular nouns. So e.g. "My team are" is
much less acceptable in American English than in British English.

------
xtat
Zoom is terrible, but when you deep dive into GDPR it's pretty clear that
nobody understands it.

------
TedDoesntTalk
As an American company, are they subject to GDPR regulations?

~~~
yjftsjthsd-h
They have European users and offices.

~~~
stunt
The fact that they operate and have revenue in the EU is enough. They are
still subject to GDPR even without offices.

------
awinter-py
wow as with everything that's come out about them it feels like they're trying
to get the job done but with limited platform support and badly

it's not absurd for a product manager to want your desktop zoom app to inherit
your browser login

though as a user if I saw this behavior I would have a few wtfs. But as a user
I would _never ever_ install zoom on a laptop

my takeaway from this isn't GDPR implications, it's that desktop OSes need to
get serious about permissions, especially filesystem walkabouts

~~~
franga2000
> it's not absurd for a product manager to want your desktop zoom app to
> inherit your browser login

Of course not, and there are many ways to do this while respecting the
application boundary. In no particular order: passing a token in the launch
URI, a bundled WebExtension, a local WebSocket/HTTP server, on-demand
executable customization.
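
The first of franga2000's alternatives, a token in the launch URI, as an added example (not Zoom's code, and not the article's): the web side, which already knows the logged-in user from its own session cookie, mints a short-lived HMAC-signed token bound to the user and meeting and puts it in a custom-scheme URI; the desktop client only parses that URI and presents the token back to the server over TLS, where it is verified in constant time, checked for expiry and accepted once. The client holds no key and never opens the browser's profile. The `exampleconf://` scheme, the `tk` parameter, the claim names and the server key are assumptions for the demo.

```python
"""Hand a browser login to a desktop client via a short-lived, single-use
token in the launch URI, so the client never has to read the browser's
cookie store.

Added example, not Zoom's code. The `exampleconf://` scheme, the `tk`
parameter, the claim names and the server key are assumptions for the demo.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

SCHEME = "exampleconf"
TOKEN_TTL = 60   # seconds: long enough to click the link, useless to a thief later


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class LaunchTokenServer:
    """Web side. It already knows the user from its own session cookie; it
    mints a signed token and later redeems it when the desktop client
    presents it over TLS. The key never leaves the server."""

    def __init__(self, key: bytes):
        self._key = key
        self._redeemed = set()   # single use: a replayed token is refused

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def mint_launch_uri(self, user: str, meeting: str, now: int) -> str:
        claims = {"sub": user, "mtg": meeting, "exp": now + TOKEN_TTL}
        payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        token = _b64(payload) + "." + _b64(self._sign(payload))
        return f"{SCHEME}://join?" + urlencode({"tk": token})

    def redeem(self, token: str, now: int):
        """Return the claims for a valid, unexpired, unused token, else None."""
        if token.count(".") != 1:
            return None
        try:
            payload, sig = (_unb64(part) for part in token.split("."))
            claims = json.loads(payload)
        except (ValueError, UnicodeDecodeError):
            return None
        if not isinstance(claims, dict):
            return None
        # constant-time compare: a plain == leaks how many bytes matched
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        if not isinstance(claims.get("exp"), int) or claims["exp"] < now:
            return None
        if token in self._redeemed:
            return None
        self._redeemed.add(token)
        return claims


def client_extract_token(uri: str):
    """Desktop side: parse the URI the browser handed over. No secrets, no
    browser files; the token goes back to the server to be redeemed."""
    parts = urlparse(uri)
    if parts.scheme != SCHEME or parts.netloc != "join":
        return None
    return parse_qs(parts.query).get("tk", [None])[0]


if __name__ == "__main__":
    server = LaunchTokenServer(b"demo-server-key")   # constructed key
    uri = server.mint_launch_uri("alice", "meeting-42", now=1_600_000_000)
    print(uri)
    print(server.redeem(client_extract_token(uri), now=1_600_000_030))
    print(server.redeem(client_extract_token(uri), now=1_600_000_031))   # replay -> None
```

Keeping verification on the server is what makes the design hold up: an HMAC key shipped inside the desktop binary would be extractable, and with it anyone could mint a token for any user. The short TTL and the single-use set mean a URI that lands in a log, a shell history or a chat paste is dead within a minute and dead immediately once redeemed.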

------
robflaherty
“Zoom cookies are firstly written when the user connects to the website
zoom.us and accepts the cookies options.”

That was the moment Zoom received your consent to store data transmitted by
cookies. Adding a few more cookies to the pile, regardless of expiration date,
doesn’t change the agreement.

Rummaging round the cookie bin on uninstall is a nice find and deserves a
raised eyebrow but this doesn’t really have anything to do with GDPR.

~~~
NicoJuicy
> According to the ePrivacy Directive, they should not last longer than 12
> months.

( Quick search about cookies)

~~~
robflaherty
The ePD text says nothing about a 12 month cookie expiration and also ePD !=
GDPR

~~~
NicoJuicy
> While GDPR only applies to the processing of personal data, ePrivacy
> regulates electronic communication even if it concerns non-personal data.
> Also, in the case of cookies, the ePrivacy generally takes precedence.

[https://gdpr.eu/cookies/#:~:text=All%20persistent%20cookies%...](https://gdpr.eu/cookies/#:~:text=All%20persistent%20cookies%20have%20an,you%20do%20not%20take%20action).

> persistent cookies have an expiration date written into their code, but
> their duration can vary. According to the ePrivacy Directive, they should
> not last longer than 12 months, but in practice, they could remain on your
> device much longer if you do not take action.

~~~
robflaherty
> According to the ePrivacy Directive, they should not last longer than 12
> months

The quote you keep referencing is false. The ePD says nothing about this.

