[dupe] Using Zoom? Here are the privacy issues you need to be aware of (protonmail.com)
393 points by teekert 6 days ago | 143 comments

If these links are why this is marked as a dupe then that is wrong.

This is a very underwhelming article. It talks about an old bug and then some basic features you should be aware of... Shouldn't be on HN front-page.

I think this article from EFF is clearer and more comprehensive in general:

https://www.eff.org/deeplinks/2020/03/what-you-should-know-a...


This doesn’t seem like an evidence point to shrug off:

> It talks about an old bug

Previous behavior is highly predictive of future behavior. The point about the web server was not just that it was improperly secured, but that it was done to bypass a user-facing pop-up in Safari. This kind of decision tells the reader something about company culture.


Dropbox also patched system files on Mac OS to improve their integration.

HN is a highly skewed audience. 99% of business users don't care, they want software that just works, and the trust is well placed in companies that sell software licenses (not your data) and fix security issues quickly.


All companies sell data at some point. Just need the cash flow to get dire.

No they do not. Most data is utterly useless outside of the original company. It's also protected by increasing privacy and security regulations. And there's no magical broker you just call up to sell it to.

How does the price of the software affect how useful the data is outside of the company?

That was whiplash-inducing goalpost-moving speed.


Where did I say it did? Can you state what data Zoom would be able to sell? to whom? and for how much?

I have 12 years of experience in adtech. I know the major data markets (ads, credit bureaus, banking, retail). People vastly overestimate the quality, usefulness, and price for "data", and don't understand any of the regulations around it.

It's only worth what you can legally do with it. That's why most companies don't sell it. They don't have anything special and it can't really be used anyway. Zoom doesn't have anything worth buying.


That’s true but I know people who sell and buy data, and it comes at different price tiers and quality.

That doesn't support the statement that "all companies sell data at some point."

I’m talking about the magical data market.

Sure, there's some shady folks trading some spreadsheets for $20. No multibillion-dollar company trades data that way.

They admitted they made a mistake and fixed it. The software itself works better than anything else on the market.

What else do you need from them? :)

I understand being wary, that never hurts, but the company is doing good things and apologized and fixed it.


I vaguely remember Zoom back when the story about their clandestine web server came to light, but quickly forgot about it when they patched the bug.

Now that it's back in the news as one of the only companies who might financially benefit from COVID-19 (their stock is up significantly, last I checked), they seem to be everywhere.

I've seen some large news orgs using WebEx, but that's probably not new for them as they need something that's really enterprise-grade and won't go down on a whim.

To that end, why has Zoom caught on so much this time around? iOS has FaceTime and Android - at least Google variants - have Hangouts. They're system apps, and everybody already has credentials sorted out.

Does anyone know Zoom's relative marketshare before this hit?


I wouldn't use Hangouts even if I'd have to pay for it. A lot of users went for this because they were already familiar with their meeting software (over the last 5 years, I only had maybe one meeting that used Hangouts, the rest were always Zoom). I must admit it's more user friendly than MS Teams as well. In the end, it does work and does the job well enough without having to train people for 5 hours on it. It's incredible how few companies manage to get it right on such a software.

My point about the built-in apps was there is no training required. These things do the basics, generally work without any fiddling, and are supported well beyond what an outside company can do, even if it's your core business.

Meh, maybe I'm just getting old in my 30's and trying to use less software if I can help it.


Can you help me install FaceTime on my PC?

How do I find the dial-in phone number for a FaceTime call?


If your "PC" is a Mac, sure, go nuts.

Nit: "PC" as in Windows PC is weird, Linux exists too, before you even consider macOS.

Dial-in numbers!? Where we're going we don't need a conference "bridge" because there isn't really a server sitting in the middle between you and all the other people on the call.


Zoom is cross platform and doesn't require an account. FaceTime and Hangouts are walled garden systems that aren't competing in the same market.

The estimate I see is they had 19% market share prior to this, they were already doing really well before this.

Calling what happened a "bug" is being quite charitable. Zoom set up a local web server that they failed to inform their users about. As mentioned in the article, their outrageous disregard for their users led to an actual FTC complaint.

EPIC filed a complaint. I don't see any info regarding FTC responding to it.

It was only filed in July. So we probably have to wait for some sort of response.

Companies like Zoom track and store as much data as they can by default. Once the risk of bad PR outweighs the benefits of this practice it won't stop because there is no incentive for it to stop otherwise. So it doesn't really matter if this is a bad article or not. It's bad PR and so it serves its purpose. Thanks for that link though, it is a much better article on the subject area.

Zoom's dark pattern is to obscure that every online meeting can be joined from the browser. They really hide this in order to install software on the client machine, which has been susceptible to bugs in the past.

https://support.zoom.us/hc/en-us/articles/214629443

I've had no problems from the browser, although I think on some platforms they suggest (or require?) Chrome over Firefox.


https://support.zoom.us/hc/en-us/articles/214629443

Has more information and browser support/feature tables.

Thanks a ton for posting this. I don't use Zoom as much as I used to but I know the browser client didn't use to exist. I can't vouch for how well it works to anyone reading this, but I prefer browser clients in general if possible and will try it out to anyone from Zoom. Your email QA was helpful years ago and sent a Linux build with more debugging[0] so you could fix some issue when that was still new!

[0] I don't remember the details now, I don't think they were anything particularly exciting then. I appreciated the "Yep, we've heard about it, can you run this version and email us the logs when it happens again?" That's all I remember so I think we can assume they fixed it.



To give you an indication of how far their reach has been, the staff at our public library has an "all-hands" meeting on Thursday morning using Zoom.

I looked into the browser based version, but couldn't get it to load for some reason. Tried using Chrome and turned off Pi-Hole just in case they were blocking it.

Might have to do with my connection upstairs not being good enough - router is on the first floor on the opposite side of the house. Does anyone know what kind of bandwidth requirements there are for Zoom's clients? I don't see anything at that URL.

If all else fails, I'll probably do it from iOS, just so I can uninstall their client when we're done. No freaking way this comes anywhere near my laptop in any permanent fashion.

Update: Bandwidth reqs are here - https://support.zoom.us/hc/en-us/articles/201362023-System-R...


I've found that you have to cancel the download and then the "join meeting in browser" link shows up. Daaaaaark pattern.

The Join by Browser feature was also discussed a bit in the other thread: https://news.ycombinator.com/item?id=22657949

I've found that the call quality drops after about 20 minutes when using the Zoom web app on Chrome with participants from London/US. Also, the memory usage of the Chrome tab goes sky high. Doesn't happen with hangouts though - that actually feels quite smooth in comparison.

Anecdotally, that happened to me several times between London/US... Curious of an actual investigation into this.

I have never had a Hangouts meeting that could be described as "smooth" other than 1:1

Conversely, most every multi-party hangout I have had has gone perfectly. And I have them multiple times every day.

I concur. I use them to have meetings from London with clients in the US (3-4 participant calls), and they're actually very smooth.

I used to get mad about this too and always declined the desktop app to get the browser link. But now that I've been using Zoom constantly I realize that the native app is just a WAY better experience.

I don't like dark patterns either, I think they should have posted something really visible saying GUYS LOOK SERIOUSLY it works better in the app instead.

But I do have some sympathy. I wonder if anyone would have ever tried the app if they weren't pushed so hard to do it.


This is a good thing, this sort of functionality belongs on your desktop, not as a webpage. We need less "apps" in the browser, not more. This is part of the reason why we sit with a broken and fragmented web where browsers include everything under the sun because all these "apps" want to do stuff while being in the browser.

At least there's something resembling a review process when the browser sandbox might gain more attack surface.

At least there is a browser sandbox...


The client software never seems to work for me, and I've had to phone in before not knowing you could join from the browser

It can only be joined from Desktop, though. Not on mobile, unfortunately. :(

Most people prefer the desktop software for better UX.

I DESPISE having to install or even run desktop applications for anything that can be done in a browser.

For simple tasks yes, but just because it can be done in a browser doesn't mean it should. Native applications can provide performance optimizations that you wouldn't get in a web app. Would you rather play a realistic flight sim natively or in your browser?

I'd rather play it in a browser, even if it's much worse.

With the browser version, I can just open my browser and point to the URL and run it. Easy.

With a native app, this usually means I'd have to go buy a new computer running Windows or MacOS just to run this one stupid application, because I don't have either of those OSes at home. Of course, I'm not going to do that, which means I just don't use the app at all.


support.zoom.us/hc/en-us/articles/204206269-Installing-Zoom-on-Linux

Then you're not most people. The desktop apps are faster, more reliable and more convenient for the vast majority of business users who just want it to work.

Not when they’re just electron apps like what sadly most of these productivity apps end up being.

Sure, but that's not what Zoom is.

Agreed. Alibaba asks anyone who has meetings with them to install their proprietary meeting software which is only available on Mac/Win. No thanks.

Most non-tech people just blindly drink the poison and install it.


I had installed the Zoom client on my PC as a local non-admin user, and then had to go to IT to get an admin to uninstall it.

Zoom is not alone in doing this. (Or maybe it's a Windows "feature"?)


Your IT might have set up a group policy object that disables uninstalling software (https://www.windowscentral.com/how-prevent-accidental-uninst...)

That's about removing a shortcut, not banning uninstalling user-installed apps, which would be ridiculous.

If that's what stopped parent poster from uninstalling, that's PEBCAK.


Yeah could be. I had requested a Mac.

Do you have data? Or is this anecdotal?

I completely disagree, and I mean for all desktop software vs. web software.

Web applications are generally better, because, as a Linux user, an in-browser application means I get to actually use the thing, instead of not using it at all.


"as a Linux user"

Then you're not most people. This isn't that controversial.


I may not be most people, but for various reasons, it does seem that web apps are taking over and native apps are dying, so this is only good for me. Maybe there's more of us than you think.

Sure, but this was only in context for Zoom, not all software.

And Zoom does have a Linux version in case you're not aware: https://support.zoom.us/hc/en-us/articles/204206269-Installi...


Regarding the "attention tracking" feature...

If your boss/manager/etc is excited about this feature as a way to monitor you, odds are they already have you under surveillance in a bunch of other ways. It's unfortunate that you are in this situation, and I hope you're able to find a way out of it soon (e.g. by switching teams or finding another company that values and trusts you more).

This feature is of limited use, though. With my laptop in my lap, it's trivial to hold my phone right in front of the lower half of my screen. It will be outside the field of view of the camera, but there will be no discernible difference between me looking at my laptop screen vs my phone screen.

I'm all for fighting against companies chipping away at our privacy, but this one seems pretty far down a rather large list.

EDIT: clarification


> If your boss/manager/etc is excited about this feature as a way to monitor you, odds are they already have you under surveillance in a bunch of other ways. It's unfortunate that you are in this situation, and I hope you're able to find a way out of it soon (e.g. by switching teams or finding another company that values and trusts you more).

I can't stand people who get excited at the thought of tracking their employees. What's the benefit? Control? Ego?


I'd lean that they are probably control freaks. But there's probably more to it than that and ultimately it seems it boils down to "I'm paying you to work thus it's my right to track your every movement"

Years ago I had a boss who set up security cameras. Normally, this is completely okay because you gotta secure the building, you just never know who's gonna come in and rob the place or maybe track an incident (rape, violence, etc).

This boss of mine however went home or worked from home from time to time or sometimes he would go on a vacation and he would just connect to the video stream of the security cameras.

One day I was the only one in the building as I still had to finish my shift. He gave me a call, he didn't say he was monitoring me of course but he seemed to know what I was doing and proceeded to ask the following question: is everything okay? how's the workload etc etc. Common questions, nothing out of the ordinary.

So it seemed he just called because I wasn't receiving a lot of support calls and sometimes I would just go get coffee he probably saw me standing a lot, maybe thought I was neglecting my job.

I can be incredibly outspoken at times. A lot of the things in the call just screamed "I'm monitoring you". When the call ended I was furious. There's nothing more damaging than not trusting your employees. It breaks trust and relationships. I've never in my professional life felt so insulted that I need someone to monitor me.

If you are this type of manager/supervisor: Kindly put, shame on you. I say kindly put because the words I want to say can't be conveyed here without getting moderated. Cease and rethink your strategy, we are professionals not kids or teenagers and doing this to teenagers remember you are growing professionals, nothing like giving them the ground to grow but if they find stuff like this you are destroying everything.

To workers that are aware I can only hope you find other jobs. It's stressful enough, no need to tolerate this behavior.


You're upset that your boss looked at you while you were working, and didn't have any complaints about the behavior that you thought looked suspicious?

I didn't know getting coffee was a suspicious behavior :)

If Zoom is actually reporting that people are inactive after 30 seconds of not having the window focused, then all the people watching on a second screen while they have relevant docs pulled up on the other are getting stuck in the same category as the people playing games, and might even be getting penalized more than someone who's got Zoom open on one PC and is playing LoL on a different PC entirely.

Deeply flawed, IMO.


Your individuality is someone else’s business and career uncertainty.

I'm sure "attention tracking" is used by some companies as a (terrible) metric to tell if employees are engaged in meetings. That said, I think the primary or envisioned use case is for webinars and other externally-facing meetings, where you actually have an audience and you want to (badly) track how engaged they are with your live content.

GoToWebinar has the exact same functionality, fwiw. Not saying that makes it OK, and not saying that this feature _should_ exist in general. I'm just not really buying the whole "Zoom is evil for having this" argument that is being pushed so heavily here.


Isn't it also useless if you got multiple monitors? I connect my Macbook to my external monitors, and move the Zoom screen to my monitor instead of my laptop. Thus, I am never directly looking at my laptop screen. Any employer tracking me will always think I am never ever looking at my Zoom screen.

Correct, if you have Zoom on a secondary monitor and are working on your primary monitor, it will say that you are not paying attention. Thankfully our meeting organizer was quick to understand that most of us work with multiple monitors and decided not to pay the feature much attention.

I did a couple of online interviews in the past 3 weeks over Zoom. It was the first time I ever heard about Zoom (my current company uses hangouts).

I had no idea they were able to track all of this and all companies were adamant about using the native client for the interviews and/or sharing my screen even if I wrote code in collaborative documents. I passed the interviews but honestly finding out about this now kind of turns me off..


Anecdote: much of the software competing with Zoom has really bad accessibility for disabled users, incl. those using a screen reader, screen magnifier, keyboard-only/switch control, speech recognition, etc. This is despite the fact that some of it has been around for 10+ years, or is backed by large companies like Google.

I bring this up because that can also cause privacy issues. There are the direct concerns, like not being able to access the text of their policies or accessibly manage your preferences. But the less obvious factor is inaccessible controls to:

- verify whether or not you're streaming video;

- determine whether your microphone is muted or not;

- ... etc.

If I don't know what I'm streaming and exposing to meeting participants, I'm losing on the privacy front. So Zoom it will have to be for now, I'm afraid. If you think it has too many issues for you to be a viable product, and have the option of making an alternative more inclusive, I'm open to chat.


> much of the software competing with Zoom has really bad accessibility for disabled users,

Does that mean Zoom does in fact perform the necessary legwork on the accessibility front?


> Does that mean Zoom does in fact perform the necessary legwork on the accessibility front?

Pretty much. They're not perfect, but they have put a ton of effort into it. It may be because they do business with governments, so require things like Voluntary Product Accessibility Templates (VPATs)[1]. But it is the only platform I can actively consider using for work, as someone who relies on a screen reader.

[1] https://zoom.us/accessibility


There's no reason why video conferencing should require an installed app in 2020. Standard browser tech in WebRTC is completely sufficient, and well supported at this point.

There's even the Picture-in-Picture spec coming into place, which should allow more seamless desktop integration: https://w3c.github.io/picture-in-picture/

Fully browser-based alternatives to zoom:

https://hangouts.google.com

https://whereby.com

https://team.video


Don't forget privacy oriented https://meet.jitsi.net/

It wouldn't be an issue if the app was sandboxed. And I see no reason for a video conferencing to not be sandboxed or to implement similar privilege restrictions.

Whereby has come a long way, and I recently started using team.video as well. I like both because I can just send a link and have a meeting instantly.

> There's no reason why video conferencing should require an installed app in 2020.

Much better efficiency and ergonomics?

Freedom to choose independent client implementations interoperable by standardized protocols (e.g. SIP)?

Independence of client provider and service provider?

Interoperability between different providers (i.e. different users can use different service providers)?


If the first two points are supremely important to you, and if you have enough resources, then yes, it's possible you may find more flexibility in an app.

On independence and interoperability though, doesn't an open WebRTC stack spec'd by an independent standards body give us our best hope there?

matsemann 6 days ago [flagged]

So not even close to what was touted yesterday. And do we really need yet another thread on this? Is there some kind of astroturfing going on or why is this Zoom-hate everywhere lately?

https://news.ycombinator.com/item?id=22657384


This comment breaks the HN guidelines by insinuating astroturfing without hard evidence. Please don't do that.

It's easy to understand why a topic like this might show up twice: it's topical, and most people don't see most threads.

https://news.ycombinator.com/newsguidelines.html


> why is this Zoom-stuff everywhere lately

Um, really? It's probably the #1 conferencing app being introduced to a world of people not used to remote work. A lot of people are encountering it for the first time.


How is it #1 though? It seems to have come out of nowhere.

I've seen it individually recommended in a number of places.

Why? Well unlike (say) GoToMeeting or Webex, you can use it for free (albeit with a time limit). Until recently it had a much more modern, easy-to-use interface than GoToMeeting as well. Also, apparently it's one of the few videoconferencing solutions that works reasonably well in China.

Also, it apparently scales pretty well; one of the groups in my church apparently had nearly 100 people in a zoom.us conference last week. I didn't participate in that one, but there was a distinct lack of "and that was a disaster" comments.

I resisted using zoom for about two weeks, specifically due to the "start a local web browser to work around Safari's security features" disaster; but ultimately, you need to say "no" to every other person who wants to have a meeting with zoom, and eventually I just had to give up and install the client.

(I've been recommending meet.jit.si since it's 1) open-source 2) unlimited time for the free version 3) doesn't need to have a client installed.)


> Why? Well unlike (say) GoToMeeting or Webex, you can use it for free (albeit with a time limit).

Not too much it's easy to use. Everyone, from boomers to tech-challenged zoomers, can easily sign in and use it.


For at least the last two years, almost every "younger" company I've done video calls with have been using Zoom. A few on Hangouts/Meet. The older companies might still be using WebEx or GoToMeeting. But in my corner of the world, Zoom has been absolutely ubiquitous for some time.

It's like it's gone... viral.

Probably it spreads from company to company as people organized video conferences with external companies, introducing the tool to those people, who decide to try it out, etc.


It's grown significantly over the past year or two. It got a big foothold at universities and has been gaining steam. It came at a time when Skype was pretty terrible to use, and the only other major player was Cisco WebEx, which was also pretty bad. Now all these universities are doing classes online, and they're using Zoom because that's what they have.

My biggest complaint is that, for new users, it seems to choose either the wrong speakers or the wrong microphone about 80% of the time. Once that's fixed, it mostly works well. The interface is a bit clunky, but I can usually get it to do what I want without too much trouble.

Source: I've been a mostly happy user of Zoom at a university for two years.


Zoom IPO'd on April 18, 2019, and was winning market share in the Enterprise video conference space at least a year or two before that. They had a much more reliable product with common-sense features like calling-in via phone line to connect to your meeting, as well as a turn-key solution to rigging a room for video-conferencing.

As far as I know other competitors would be Skype (Microsoft) and WebEx, neither of which seemed nearly as polished.


I have experience with both Zoom and WebEx. Zoom (on Mac) has a lot of what I consider to be "bad behaviors" UI-wise, especially around window management. And it's ugly in the way mobile apps that get ported to the desktop are. But it gets the job done, and WebEx is definitely worse in these and other ways. So... /me shrugs

It is probably nr 1 because it still has very clear audio and video while the performance of Skype for Business and Microsoft Teams is dramatic at this moment. And the last two are supposed to be the standard tools in the very large organization that I work for.

Lou: You know, I went to the McDonald's in Shelbyville on Friday night.

Wiggum: The McWhat?

Lou: Uh, the McDonald's restaurant. I've never heard of it either, but they have over 2,000 locations in this state alone.

Eddie: Must've sprung up overnight


Exactly how I feel right now.

It was big before too

I like Jitsi, it works well in my personal setting (kids talk for hours with the grand parents)... Other tips?

Another thing that's great about Jitsi is how easy it is to self-host it.

If you are using a system with the apt package manager (such as Debian or Ubuntu), you basically only have to run two commands: https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-in...


Well, it is indeed easy to self-host it if you happen to already have a https-reachable server running Debian on a common CPU instruction set.

Which I had, yet for maintenance reasons a container-based solution had my preference: https://github.com/jitsi/docker-jitsi-meet


I also like jitsi however haven't had any chance to seriously use it. I wonder if there is any major drawback for jitsi

Jitsi's P2P nature is great for 1:1 or small group conversations if everyone has solid connections. From experience it starts to break down with larger groups, and becomes pretty useless overall if one or two participants have spotty connections.

Jitsi is not P2P for group conversations - all streams are multiplexed by the server (the videobridge).

100% agreed about spotty connections, it does not handle them very well. As long as everyone has a decent connection and enough CPU, it handles groups of 10+ participants just fine. My company ended up switching to Google Meet for reliability reasons, but that was a year ago so it might be better now.


firefox support isn't all the way there yet.

https://github.com/jitsi/jitsi-meet/issues/4758


Yeah, it's a shame, had to install the Chromium snap only for this (Ubuntu 19.10). But then it did work very well (don't forget to enable the "record and play sound" permission for the snap.)

Does Jitsi have the option for admins to mute or expel guests?

Yes, admins can mute and kick. And if you allow anonymous channel creation, the first to enter a channel automatically has admin rights. I don't know if kicked participants (especially unauthenticated) can re-join at once, after a delay or any other rule.

That's encouraging, but on Jitsi Meet all guests seem to be able to kick out others. Is the option to appoint admins specific to self-hosted instances?

It collects "information you upload, provide, or create while using the service" … I mean it kind of has to does it not? That's how it can give it to other people.

The local web browser bug was so bad (the vuln remains after zoom is uninstalled) that Apple took the unusual step of releasing a silent update for macOS that uninstalled third party software.

Have you heard of encryption?

What exactly does "encryption" solve about this? It could be encrypted from client to server and the main concerns over privacy would still stand.

What exactly are you suggesting by randomly throwing out the word "encryption"?


Encrypt data prior to entering Zoom's services. That shouldn't affect Zoom's ability to deliver your (now-encrypted) data to your peers. It would affect Zoom's ability to usefully "collect" that data for other purposes though.

The entire selling point of zoom over a peer-to-peer solution is that it's not peer to peer, but rather every client connects to the server that mediates the connection. It needs to decrypt the stream.

Peer to peer connections would quickly become impossible when you have meetings with more than a handful of people connected. Meetings/Webinars with hundreds of participants would be impossible with P2P technology.

Adding proper videoconferencing hardware would be tough using P2P since all that supports is usually some sort of SIP standard.

Zoom does collect some data by virtue of providing the service - it knows the IP addresses of all clients connecting, it does know all the data you enter when you create an account. It knows the OS that the client runs on. And their privacy policy reflects that.


How are the keys exchanged? At the end of the day zoom holds the keys. What matters, legally, is their privacy policy. If you don’t trust that then you have no business using a program that brokers encryption keys.

No, key agreement protocols were invented in the 20th century. Two parties can agree a shared secret (such as a key) without an intermediary discovering this secret even though the intermediary knows everything both parties said. We have no mathematical proof that such protocols can exist (they need a trapdoor function and there is no mathematical proof that trapdoor functions are possible), but nevertheless they seem to work fine.

Now, working KEx does leave you still not certain who the other party is, you're now communicating securely with someone but you aren't sure who. That's why the Web PKI exists. But choosing to have Zoom hold all the keys is a choice and not as you've portrayed it a necessity, the system could be designed to work just fine without doing that.


How do you tie a phone dial-in client into a web pki? Because that’s one of the features that zoom offer: regional dial-in numbers that you can use with any ordinary phone. And it’s really really useful.

You can tie anything into the Web PKI if that's really what you want to do, but that's beside the point.

The point is that Zoom doesn't need to know these keys. Yes, if there's no assurance that you're really talking to Alice and she's really talking to you Zoom could sit in the middle of some or all conversations - but right now they are in the middle of those conversations.

It doesn't change what is theoretically possible, but it changes the posture - what is easy to do, and why.

If you really don't like the uncertainty of a MITM being possible even if unlikely - you'd need Signal, or something like Signal's protocol which lets you compare your shared secrets to determine if there's really nobody in the middle.
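
The key-agreement argument in the comments above, as an added example that is not part of the thread: two clients agree a key through a relay that logs every message, and comparing a short fingerprint over another channel exposes a relay that swaps in its own key. The `Party` and relay classes and the fingerprint format are hypothetical, and this is neither Zoom's nor Signal's actual protocol.

```python
import hashlib
import hmac
import secrets

# Pure-Python X25519 (RFC 7748) so the example needs only the standard library.
# Teaching code: not constant-time; real software should use a vetted library.
P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64           # clamp the private scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):       # Montgomery ladder
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e, da, cb = (aa - bb) % P, d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


class Party:
    """One meeting participant (hypothetical name)."""

    def __init__(self):
        self.private = secrets.token_bytes(32)
        self.public = x25519(self.private, BASE_POINT)

    def derive(self, peer_public: bytes) -> bytes:
        shared = x25519(self.private, peer_public)
        # A low-order point forces an all-zero secret that the sender also
        # knows, and both ends would then agree on it; refuse it.
        if hmac.compare_digest(shared, bytes(32)):
            raise ValueError("peer sent a low-order public key")
        return hashlib.sha256(b"demo session key" + shared).digest()


def fingerprint(session_key: bytes) -> str:
    """Short string the two users read to each other over another channel."""
    return hashlib.sha256(b"demo fingerprint" + session_key).hexdigest()[:16]


class LoggingRelay:
    """Server that forwards every message unchanged and keeps a copy."""

    def __init__(self):
        self.seen = []

    def forward(self, public: bytes) -> bytes:
        self.seen.append(public)
        return public


class SubstitutingRelay(LoggingRelay):
    """Server that hands each side its own public key instead of the peer's."""

    def __init__(self):
        super().__init__()
        self.own = Party()

    def forward(self, public: bytes) -> bytes:
        self.seen.append(public)
        return self.own.public


def exchange(relay):
    """Run one key agreement through `relay`; return both parties and keys."""
    alice, bob = Party(), Party()
    to_alice = relay.forward(bob.public)
    to_bob = relay.forward(alice.public)
    return alice, bob, alice.derive(to_alice), bob.derive(to_bob)


def relay_in_the_middle(key_a: bytes, key_b: bytes) -> bool:
    """The out-of-band check: mismatched fingerprints mean the keys differ."""
    return fingerprint(key_a) != fingerprint(key_b)


if __name__ == "__main__":
    for relay in (LoggingRelay(), SubstitutingRelay()):
        alice, bob, key_a, key_b = exchange(relay)
        print(type(relay).__name__, fingerprint(key_a), fingerprint(key_b),
              "MISMATCH" if relay_in_the_middle(key_a, key_b) else "match")
```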



>"Do not use Facebook to sign in"

Aside from being good advice generally, I doubt anyone who's concerned about the violation of privacy Zoom engages in, would have a Facebook account.


Your doubts might need to be re-examined.

I have a Facebook account that I originally registered when I was in high school a little over a decade ago. The reason I've kept it is because I use Facebook Messenger to talk to some people, and because a lot of events use Facebook.

The main Facebook app I have not installed, because I don't need it.

The Facebook Messenger app I have installed because I use it. I trust iOS to limit this app from being able to do anything too nasty.

I never use "log in with Facebook". I clear my cookies regularly, and I often use a different browser for logging into Facebook from the browser I use for most stuff.

I try my hardest to be vigilant of my privacy, even though it is a losing battle.

The fact that someone has a Facebook account should not be taken as a sign that they think that any of the privacy violation stuff that businesses engage in is ok.

As for Zoom, I made a conscious decision to not install the Zoom software on my MacBook Air because of the previous shenanigans that Zoom had been engaging in. When a client expressed desire that we use Zoom for our meetings, I therefore chose to install the Zoom app on iOS rather than on my MacBook Air, because iOS limits apps from being able to do anything too bad, and after we were done with the job I uninstalled the Zoom app from iOS as well.


> The reason I've kept it is because I use Facebook Messenger to talk to some people, and because a lot of events use Facebook.

The events part is unfortunate, but just in case you didn't know you can deactivate your Facebook account and still retain access to Messenger.

If you go through the process to deactivate your Facebook account, the last question in the process is "do you want to keep messenger".


>The reason I've kept it is because I use Facebook Messenger to talk to some people, and because a lot of events use Facebook.

The events thing I can see because Facebook has become the de facto way to organize events and has become the de facto websites for a lot of small businesses and organizations. But the thing about not being able to give up Messenger always confuses me when it comes up. (Please note that I'm not specifically picking on you, I just see this same sentiment a lot and this was a convenient comment to reply to).

Presumably anyone that has a Facebook account has an email address or a phone number, since it's not possible to create an account without one, so anyone on Facebook should be available via email or text message (since 'phone number' nowadays almost always means 'cell phone number').

But maybe the people that you're talking to don't want to give you their email address or phone number for whatever reason. That seems weird that someone who is ostensibly my friend would withhold that information, but I'm sure that there are valid reasons for that to happen.

Then you can give them your preferred alternate contact method: Jitsi, IRC, email, semaphore, smoke signals, USPS mail, whatever. Then the rebuttal is usually something along the lines of, "Well, I can't force them to use the communication method I want to use", which is also weird because that's exactly what they're doing to you by refusing to use anything but Messenger.

And, yes, I understand that a problem can arise where one friend is only available via ICQ, one via IRC, one via Skype, one via Signal, etc., and you don't want dozens of apps clogging up your phone/computer/whatever, which is why I recommend my friends email or text or even call me whenever they want to chat.

There is also the case that is brought up that the person that has to use Messenger to talk to people because they're literally not reachable any other way, which I understand is possible in certain countries where Internet access is severely restricted or nonexistent and the only reliable access to the outside world is via Facebook/Messenger on a cell phone. I get that, too, and that actually does make some sense. But for everyone else, I don't get it.


I think the point is that the extent of their privacy violation is using google analytics... Which is fairly benign compared to the bombastic headlines over the last few days.

> The reason I've kept it is because I use Facebook Messenger to talk to some people, and because a lot of events use Facebook.

Nowadays, "some" people isn't worth Facebook harvesting your data. If you really want to keep in touch with those people, you can find a way.


I'm concerned about all violations of privacy relevant to me, and yet I have a Facebook account.

Wanting to be informed about privacy concerns is a world apart from being so single-mindedly concerned that you'll refuse to engage with a company who's bad in that regard, whatever the cost.


There's a difference between not having a FB account, and having one but not using it to sign in to 3rd party sites. Using FB/Google accounts to sign into anything other than FB/Google has been "Danger Will Robinson" since the first day I saw it. Too bad those warnings are not normal to 99% of internet users.

If you have to track people to make sure they pay attention during the meeting, the meeting is pointless and too long. Meetings that are short and packed with useful info nobody wants to miss, are well-attended.

Managers, try being a real leader. Or is that too hard?


Don't forget that Zoom used to have a web server installed in the background that Apple had to send out a patch to disable. I wouldn't ever trust running Zoom for that reason alone. I'm forced to run it at work, but never at home.

> has already had a major security vulnerability.

Oh no!! Unlike any other technology on earth that is actually used by non-trivial amounts of people?

> “Does Zoom sell Personal Data?” the policy says, “Depends what you mean by ‘sell.’”

That makes it sound like something malefic is happening. What the privacy policy says is that they use Google tools (e.g. Google analytics, also used for delivering ads), and they put your data in Google analytics. This is however _their data_, while indeed "shared with Google" it doesn't mean Google is using it in any way, other than aggregate ("Across all our customers, <blah blah blah>") and even that, most likely only for internal statistics.

I for one definitely don't see that as "selling data", I'd agree with Zoom here.


The article gave me the impression that the privacy policy literally said "depends what you mean by 'sell'." I didn't find that. I did find:

> We do not allow marketing companies, advertisers, or anyone else to access Personal Data in exchange for payment. Except as described above, we do not allow any third parties access to any Personal Data we collect in the course of providing services to users. We do not allow third parties to use any Personal Data obtained from us for their own purposes, unless it is with your consent (e.g. when you download an app from the Marketplace). So in our humble opinion, we don’t think most of our users would see us as selling their information, as that practice is commonly understood.

It seems a bit more nuanced than the article would suggest.


This is the first time I've seen an article on the front page of Hacker News that has the phrase “here are” in the title.

I’ve noticed over the last few years this trend to add a superfluous “here is” or “here are” to a headline. Doing so adds absolutely zero information, e.g., from the top three current Duck Duck Go search results for “here are”:

1. “Here Are All the Major Concerts Canceled Due to Coronavirus” – could just be “All the Major Concerts Canceled Due to Coronavirus”

2. “Coronavirus: Here Are 10 Misconceptions Being Spread” – this listicle could simply be titled “Coronavirus: 10 Misconceptions Being Spread” or “10 Coronavirus Misconceptions Being Spread”

3. “Have Children? Here Are 3 Tax Credits You Need to Know” – this listicle could be “Have Children? 3 Tax Credits You Need to Know”

In two of the above cases, it’s also not just the headline but the text body also. I get the psychology behind listicles (and other clickbait phrases such as ”you need to know”) but I don’t understand the rationale for inserting these two wholly superfluous words that neither inform the reader nor embellish the prose.

It’s had the opposite effect on me and I now have an internal heuristic of associating this practice with low quality information and I rarely – if ever – click on such links. Going by the comments on this article, it seems I was right in this case but surely, that’s the opposite of what the publishers intend.


The woman in this video has issues with privacy in her Zoom conference call:

https://www.youtube.com/watch?v=0xqLjc2y6O4

Okay not the same issue this article is talking about, but do pay attention to if your camera is on and where it is pointing :)


The macOS version installs itself before you give it permission to install: https://twitter.com/xnyhps/status/1149630190877696001?s=21. It is basically malware.

Very interesting. I don't have any experience making .pkg installers nor with verifying code signing on macOS, but I agree in general, the `preinstall` script does a lot of work one would expect the installer itself to do. This is all supporting evidence for my personal preference to never run the Zoom installer, but rather to extract the application bundle by hand.[1]

Please consider writing up your findings in more detail.

[1]: https://news.ycombinator.com/item?id=20391828



I made a simple sandboxed WebView wrapper for Windows, that should address the privacy issue and remove the annoying need to deal with constant "download the app" nagging: https://losttech.software/Downloads/FuZoom/

Let's all pledge to keep a little notepad window open that we click into during Zoom meetings. Pollute attention tracking with false positives. Bonus points if you stare directly into the camera while you do this.

Or just use whereby.com

No plugin needed.


"... it will collect and keep data on what type of device you are using, and your IP address ..."

Oh dear ...


Anyone know if Teams has any dark patterns such as this? I haven't heard of anything.

The U.K. MOD has BANNED Zoom. What do they know?

curious amount of negativity in here. what exactly is the concern? zoom is a corporate product. your electronic business activities are probably governed by lawyer-approved documents you signed like an AUP/NDA/consent to be monitored, so why are you concerned about privacy?

dont want attention tracking? thats a feature, not a "privacy" bug (you expect personal privacy and freedom during business meetings?). bosses love this kind of metric, and not without reason. maybe if your meeting "attention" rate is low, theres an issue a boss could solve to make the business and employee's lives better. also you can just turn your camera off in zoom.

> According to the company’s privacy policy, Zoom collects reams of data on you, including your name, physical address, email address, phone number, job title, employer.

this is nonsense. how would installing zoom, as a meeting participant or host, collect your phone number and physical address? im sure their privacy policy says this, but that is very different than the zoom client actively scavenging computers for personal information. THAT would be a story

>it will collect and keep data on what type of device you are using, and your IP address

so... like almost every single piece of the internet? most personal IP addresses rotate, and who cares about your corporate ip? this has to be the lowest value and most common data point there is. not great, but not alarming.

>Do not use Facebook to sign in

hard to see a legitimate use-case for this. the corporate account features of zoom means everyone gets an account with their corporate email address, so why did they ever integrate with facebook? seems likely about scavenging data, but maybe theyre just trying to be trendy.

all in all, seems like a hit-piece. hit-pieces arent necessarily wrong, but they are always agenda-based. maybe the agenda is something i agree with, but i dont know richie koch or what protonmail's stake in the game is in order to take this at face value without any actual details and sources.


> your electronic business activities are probably governed by lawyer-approved documents you signed like an AUP/NDA/consent to be monitored, so why are you concerned about privacy?

I did online interviews through Zoom. I did not sign any NDA and was not presented with a privacy policy from the companies using Zoom about the data they collected during the interview.


Honestly the points are valid but the solutions stated suck.

Use a new version of zoom?????? Seriously, I mean well duh.

Use a different device to check email??

Very disappointed with the conclusion, I was expecting some way to go into settings and disable all of the tracking garbage.


Yes It works..


