I wrote a browser extension that will transparently redirect all zoom links to use their web client:
For me, the sound becomes unintelligible as soon as someone shares his screen.
I use WindowsFirewallControl (WFC) by BiniSoft (think ZoneAlarmPro) and "Allow" very specific executables to reach the internet. In that case, the Install/Uninstall.exe would cause an alarm, and I would (of course) "Block" it.
I know this is not a solution for (ahem) elderly, but it can work for the majority of 'us'.
As someone who doesn't use Zoom, this gobsmacked me.
I wasn't even aware that was possible until now.
But while it can share a desktop view I didn't think it allowed control?!? Man, this could be a family support game changer...
requires Electron app it seems.
Was on HN, some comments suggest the Electron app bundles Chromium. (Not sure if all Electron apps do this, I know nothing about Electron... yet.)
Edit sub basement 2: Yes, Electron apps include Chromium.
"it combines the Chromium rendering engine and the Node.js runtime."
"Should local desktop control be a feature that can be enabled through web browsers for users who choose to use it with certain sites?" Eh, this is not so clear. What if by some magical turn of events Zoom decided on a drunken whim that user privacy is very important, and strongly encouraged use of web over desktop, should they just axe that feature? Back in reality, Zoom couldn't even consider that course of action until the web supports it.
Maybe do it by requiring users to install an extension that's granted remote desktop permission for a particular site. Which would at least allow the extension to be reviewed and audited.
If it breaks a lot we must have been exceptionally lucky for none of us to have problems.
https://news.ycombinator.com/item?id=11826431 (TeamViewer denies hack after PCs hijacked, PayPal accounts drained)
For simple remote support, you shouldn't be doing that anyway.
Is this a browser limitation or something? I think microsoft teams has the same issue.
We use GoToMeeting at work, and many times have 20 people with video, plus screen sharing (there's also gotowebinar which supports thousands of viewers).
With GTM I love that you can seamlessly share without disabling your video. The web browser experience is hands down better overall than everything else I've used (Zoom, MS Teams, Slack, Jitsi, WebEx). Camera views are just auto-sizing, auto-layout boxes (think: floating tiles) that fit the space you give them, and you can pick top/bottom/left/right when someone is sharing a screen.
The things that hold GTM back: they still push their native client, and it takes two clicks every time to join with browser (it's not buried like zoom, but it's nowhere near the instant-on, zero-effort of Jitsi). The other thing driving me absolutely mad right now is they introduced a bug a few weeks ago that causes it not to remember my audio settings or name. When I host a meeting, despite telling it to "remember me" it never does - maybe this is part of the federated login my company uses, but the end result is when I click to start my meeting it tells me it's waiting for me to arrive, and takes like 4 more clicks and bouncing around login sites to get in.
Run in a browser, use extensions to get extra functionality if needed.
With lots of people, switch to multiplexing and/or automatically downscale video.
Support seamless pstn dial-in, and pop up a suggestion about this to users if their audio starts breaking up.
Don't stop my webcam when I start screen-sharing.
Support active speaker view, gallery (zoom-style), or GTM-style.
Remember all my preferences and make it so I rarely have to think about any settings. Or login.
Make it easy to give people permission to control/share/etc, and for recurring meetings, remember those changes for next time.
I prefer Jitsi’s gallery style — that lets you scroll through the participants with your actual scroll wheel — to Zoom’s — forcing you to drag your cursor back and forth across the screen’s longest axis every time you want to go back a screen of participants after advancing one, or vice-versa.
That means the client must have had that data locally rather than needing to wait for the server to send it.
Maybe they'll be forced to make a usable web version by then, but I doubt it.
Teams will not show you a browser link until you download the web client.
webex will actively download a .exe (on my mac?) before showing the browser link.
When I see stuff like this, I think "market opportunity" but the status quo must be pretty profitable.
After a Windows update webex kept crashing and bringing my laptop down with it, so I started using the web app. My Downloads folder ended up with quite a few webex downloads. Now I have a script to clean them out each night.
The unintelligible foray into cryptocurrency with Lumens made very little sense to me, but apparently the coins I was gifted for free by Keybase are worth over 100 USD now. I'll probably hold on to them.
All the chat, team, storage and crypto crap was just superfluous for me.
Unfortunately all that extra stuff they piled on top seems to have distracted from just making the basics great.
That's an awesome graph. Pretty hard to hide or fake activity on an open-source project.
Also it shows how quickly engineering was pulled off projects... Usually it would be a matter of "finish the PR/feature/bug you're on", which might be days or weeks. Yet here everyone is pulled off over ~3 days.
- It provides all features for free
- It is actually usable
- AFAICT, no reports of security breaches
- No privacy violations
- At one point, they actually GAVE free lumens to its users. No strings attached at all. I received ~40USD worth of XLM, which I transferred to an exchange and sold right away.
Please explain to me again: how did they make a sucker of you or their users?
Not specific to Keybase, but a lot of "cyber security firms" these days base their entire business on gross violations of privacy, unfortunately.
I don't really sympathize with this. You build something, get a ton of people to use it, advocate for it, get their friends to use it... I think after that, you have a responsibility to those users, and selling to a company like Zoom and then peacing out on further work does not fulfill that responsibility.
If you're building a security- and privacy-focused product, selling it to a company that has demonstrated several times that they don't care about their users' security or privacy is unethical, regardless of how you slice it. It makes the world poorer, and the internet less safe for the people who use it. This has nothing to do with payment.
... and it will get saddled with the reputation for trustworthiness it deserves. Sell me out once, shame on me...
They made it pretty clear that security is not, for them, a fundamental aspect of their service but an afterthought they have to follow because they would lose customers otherwise.
I.e. security is still one of the lowest priorities for them and only a priority at all because of public pressure.
Never assume malice for that which can be explained by a poor engineering culture.
The software and service is currently running at a scale that the vast majority of visitors to HN can barely dream of achieving.
But yeah, they prioritized ease of install for the client of their software over other considerations, so that must mean they have a "poor engineering culture", whatever that's supposed to mean.
I don't think you're being fair. It's readily apparent that Zoom understands not to make parts of their software stick around forever. The fact that they understand this is the entire reason for setting the cookie to last only 10 years. Which is clearly not as long as forever! /s
But they made the 5+ rooms $9 per month, which is way too expensive. There are not enough competitors for WebRTC conf tools, it should be quite simple and $4-5 a month (WebRTC doesn’t incur data costs on the servers since the data is peer-to-peer).
There are probably some operators that do pure p2p, but the vast majority use some kind of bridge past a certain number of users (& TURN might also be used for p2p). Usually this is to limit the amount of bandwidth a participant needs.
Other alternatives are https://meet.jit.si & https://8x8.vc/. I cannot remember what the current limit of participants in Jitsi is (it was 75 back in June), but on 8x8.vc it's 100. In cases where you simply need a lot of viewers and a limited number of participants there is also an option to livestream to Youtube.
(Disclaimer: I work at 8x8, but not directly on Meet or Jitsi)
8x8 offers more than just meetings.
You can see the feature list here: https://www.8x8.com/products/video-conferencing
Yes we bought Jitsi from Atlassian.
The Jitsi based meetings are integrated into our complete UC offering (yet we still deliver stand-alone meeting clients for customers who might want only meetings).
It’s just a feeling that this is wrong for what they contribute, but you’re right, if we share one account for a team, that would be a lower cost.
Maybe I was “anchored” by their previous pricing of $4, which I thought I’d subscribe to as soon as I’d have income, even though I didn’t need the paid features. But at $9, it’s a second psychological step. It feels like they stuff it with features, where all we ask is often the WebRTC part.
Whereby costs $90 per Organisation for Meetings up to 12 users. We have a url for each team without a password and it works for us. Yes, 1 person manages those meeting rooms.
Add $10/month to extend to 50 users.
Whereby was the best I could find to share screen of Fedora, still limited as sharing only works under Firefox, not their Chrome based app or any other variant of Chrome I could get my hands on. Zoom, Jitsi and others couldn’t properly share screens nor application windows.
If it was for professional use $60 would not have mattered much, but that is not the case here.
(Our university offers some kind of paid plan on Zoom for all students so it will be hard to beat regardless, but that is not true for everyone)
So yeah, you're right. App sandboxing please.
Any part of the space in which these copies exist being compromised will mean that your encryption is useless in the end.
I agree with the parent quote:
> I’ve found statements like these to not contribute very much towards solving any practical security problems.
It was really odd they didn't bother.
You could do similar at API entry points.
Or, if you're after writes, it would be simpler to attach an "on insert/update" trigger that just records the changes in another table. See https://www.sqlite.org/undoredo.html for an example of using triggers this way.
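The trigger-based audit described above, as an added example (not code from the thread or from any browser): insert/update triggers on a constructed cookie-store table mirror every write into an audit table, so writes made by a program outside the browser, such as a cookie set with a ten-year expiry, show up there and can be flagged. The schema, host, column names and `throttle_demo` are constructed; `everlogin` is the cookie name discussed in this thread.

```python
import sqlite3

ONE_YEAR = 365 * 24 * 3600
NOW = 1_600_000_000  # constructed "current time" so results are deterministic

# Constructed schema loosely modelled on a browser cookie store (hypothetical
# column names). The triggers mirror every insert/update into cookie_audit.
SCHEMA = """
CREATE TABLE cookies (
    host_key    TEXT    NOT NULL,
    name        TEXT    NOT NULL,
    value       TEXT    NOT NULL,
    expires_utc INTEGER NOT NULL,
    PRIMARY KEY (host_key, name)
);
CREATE TABLE cookie_audit (
    action      TEXT    NOT NULL,
    host_key    TEXT    NOT NULL,
    name        TEXT    NOT NULL,
    old_value   TEXT,
    new_value   TEXT,
    old_expires INTEGER,
    new_expires INTEGER,
    logged_at   INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))
);
CREATE TRIGGER cookies_ai AFTER INSERT ON cookies BEGIN
    INSERT INTO cookie_audit (action, host_key, name, new_value, new_expires)
    VALUES ('INSERT', NEW.host_key, NEW.name, NEW.value, NEW.expires_utc);
END;
CREATE TRIGGER cookies_au AFTER UPDATE ON cookies BEGIN
    INSERT INTO cookie_audit (action, host_key, name, old_value, new_value,
                              old_expires, new_expires)
    VALUES ('UPDATE', OLD.host_key, OLD.name, OLD.value, NEW.value,
            OLD.expires_utc, NEW.expires_utc);
END;
"""


def open_store():
    """Create an in-memory cookie store with the audit triggers attached."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def browser_session(conn):
    """Ordinary browser behaviour: a short-lived session cookie."""
    conn.execute("INSERT INTO cookies VALUES (?, ?, ?, ?)",
                 (".example.test", "session", "abc", NOW + 7 * 24 * 3600))


def external_writer(conn):
    """Stand-in for a program editing the store outside the browser
    (constructed names; 'everlogin' is the name discussed in the thread)."""
    ten_years = NOW + 10 * ONE_YEAR
    conn.execute("INSERT INTO cookies VALUES (?, ?, ?, ?)",
                 (".example.test", "everlogin", "1", ten_years))
    conn.execute("INSERT INTO cookies VALUES (?, ?, ?, ?)",
                 (".example.test", "throttle_demo", "0", ten_years))


def browser_renew(conn):
    """Browser renews its own session cookie; the UPDATE trigger records it."""
    conn.execute("UPDATE cookies SET expires_utc = ? WHERE name = 'session'",
                 (NOW + 14 * 24 * 3600,))


def audit_log(conn):
    """Return (action, name) for every recorded write, in order."""
    return conn.execute(
        "SELECT action, name FROM cookie_audit ORDER BY rowid").fetchall()


def flag_long_lived(conn, now=NOW, max_age=ONE_YEAR):
    """Names of cookies whose audited write set an expiry beyond max_age."""
    rows = conn.execute(
        "SELECT DISTINCT name FROM cookie_audit "
        "WHERE new_expires IS NOT NULL AND new_expires - ? > ? ORDER BY name",
        (now, max_age)).fetchall()
    return [r[0] for r in rows]
```

In practice the threshold and the set of expected writers would come from the browser's own policy; the example only shows that the trigger table captures the out-of-browser write.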
In the same way I'm reading your mail if I look at it to see whether it's my mail, and then put it back down when I see your name.
That is to say, not at all.
It's like Zoom goes through your temp password database to change your saved password for zoom.
Then again, planting a 10 year cookie that can only exist when edited outside the browser's sandbox is a helluva effective long term marker for a particular person. Maybe they just want to keep tabs on you. :)
Let’s accept the fact that US govt doesn’t give a shit about little privacy/security like this. EU will sometimes strike a big hammer but even that is sporadic.
Zoom has built momentum on “dark growth hacks” and they’re reaping the rewards. This is standard Silicon Valley.
The specific citation about the length of a cookie is a recommendation and not a law. The key word is 'should'.
I'm not a lawyer nor claim the ability to interpret GDPR legally, but I have seen companies that actively worked to edge case GDPR to their advantage (I was part of one). We would have lawyers and other 'GDPR experts' tell us what was possible and what wasn't then simply extend into the grey area.
Here, I reject Hanlon's Razor.
The ePrivacy Directive requires strict consent (as defined in GDPR) in order to read or write data from a user's computer, including cookies, except where strictly necessary to provision the service. There's potentially wiggle room for throttling, which is in the name of one of the cookies. I have doubts about a cookie tracking whether you've ever logged in.
Otherwise, Zoom only needs to obey the laws of USA and wherever else they have offices.
Also: I'm not arguing for Zoom's sketchy practices but just saying that GDPR might be the wrong card here. The EU isn't the world police.
If the target is big enough, EU regulators will ask for help from other countries.
Zoom operates offices in a few EU countries so they'll definitely have some sort of entity(ies) set up - regulation pressure can be applied.
GDPR is only strictly enforceable in EU countries. All the other countries, it's up to whether they want to cooperate.
Example - EU cannot force China to make Tiktok/Bytedance follow GDPR practices in China for EU citizens. Really, they can only wave a big finger and claim Bytedance is out of compliance.
Sure, EU can sue Bytedance cross border in China, but it carries no weight/teeth. At which point, EU has to escalate... trade relations? sanctions? war?!
So practically - they have to ask for help.
I suppose then they have the choice of doing Google's playbook in China and just close their EU offices if they wanted, instead of complying. I mean, China wanting censorship and EU wanting GDPR aren't any different. Without arguing for or against either, China's censorship and GDPR are both local laws and foreign-based companies with no local offices don't need to comply. Foreign companies may be blocked, that's all.
Not that I'm advocating for Zoom violating privacy, but I'm not in support of EU unilaterally setting rules for the world or their right to police EU laws outside their borders. They should set up a GFW if they don't like certain things being sent into their country borders over the web, but they can't tell me what to do if I haven't set foot in their jurisdiction. (Neither can Iran, Russia, or North Korea, so why does EU get a pass to police you? If Kim Jong Un sent you a fine for $1 million would you pay it?)
True, but if you have offices and do business in their jurisdiction, then you get to follow their laws.
By accepting customers from the EU you are setting a foot here, albeit economically and not physically. You are free to not serve European customers if you do not want to deal with the GDPR.
That’s not how the world works. Non US citizens have been arrested in the US for breaking US law when they aren’t in the US. Hell the US has tried to extradite people to the US who have never been to America.
The EU can do the same thing and set up their own firewall if they wish to enforce GDPR on foreign websites.
The fact that their citizens would revolt over the idea of internet censorship is irrelevant. The point I'm trying to make is that EU saying "you can't serve X to our citizens" and China saying "you can't serve Y to our citizens" is no different and it's up to them to enforce it within their borders if they wish. The EU doesn't get to play world police any more than China's government does.
FWIW baidu.com and tencent.com are both pretty damn GDPR non-compliant and the EU isn't doing anything about it. And yes there are Chinese-speaking EU nationals that use these companies' services.
When you install software in Windows, either it installs without Administrator permissions (in which case it still has access to every single user file) or it asks for elevation to Administrator, and users blindly click Yes (in which case it has access to the entire machine).
When you install software in Unix/Linux, you're almost certainly using sudo, giving up complete control. User permissions on single user systems are almost irrelevant. It's all about blind trust. People think nothing of installing software via "curl | sudo bash", or adding random PPA repositories to apt, downloading a binary and running it as root, or deploying a docker container linked from a blog. I know the risks and I do it all the time, because convenience always wins and popular things are reasonably safe due to the "mob trust" factor.
MacOS has made some incremental steps to wall applications off from each other, requiring explicit authorization for some actions via System Preferences toggles, but really, it's just adding inconvenience for your average user, and people will generally blindly agree, in part because some of the categories are too vague or broad (small UI widgets that alter e.g. keyboard bindings or window placement require carte blanche).
Phone operating systems are better at this than most, requiring explicit permission to access e.g. contacts, but there are still limits on how protected your data is. Most of the security on phone apps comes from the vetting required by the vendor lock-in stores. Yet we still had apps able to invisibly steal global clipboard contents until earlier this year.
So, yeah, it's stupid that Zoom's uninstaller has access to browser cookies, but do you think there's a single piece of software you use that doesn't? Everything on your system has access to everything else in most cases.
Whatever it is that you are referring to, it sounds political and can't possibly have anything to do with the topic at hand. Save it for a different thread.
Looking forward to a working alternative.
They obviously focus on pushing their client because they can offer more features and better user experience. It's easier to sell their product to you. Otherwise most web clients are limited in features which means it's harder to compete for them.
But the specific complaint here, about a cookie with an expiration longer-than-12-months, seems pretty silly.
It's not stored on some remote machine - it's stored locally, transparently. The user – and their own software – can control this easily & completely. If there's a good rationale for expiring cookies earlier, a browser can easily do it directly - it needn't involve regulators, or ineffectually hoping every one of thousands of different companies/websites do something the laws of one place ask.
When I tried MS Teams, my impression was that it required a fair amount of advance configuration. This is no problem if you're meeting the same people repeatedly and they work for the same employer as you. Indeed, as the name of the software suggests, it's good for "teams". But for me, anyway, this hasn't been my typical use case.
I've never used Teams, but my girlfriend was trying to walk her mum through getting it set up for work. It was a very long phone call. When I tried Zoom with my parents it took a grand total of about 2 minutes from the moment they got the link to being in the call, most of the time spent figuring out audio.
Also, fuck Microsoft. From the complete destruction of Skype, the crappy Skype-rebranded Lync, to the shitshow that is their "Microsoft Store" and the whole xbox gaming ecosystem, if I ever have a choice between a Microsoft and non-Microsoft application that does the same thing, I'm never going with the Microsoft one.
Jitsi you just follow the link, webrtc means no download.
That's why Zoom uses all these dark patterns to get native code running as soon as possible and as privileged as possible so it can do all the work for you. See also: Mac installer disaster.
If you click no, then I think you're going to struggle to intuit how to proceed; but it's no harder than navigating UAC dialogs to install software, much easier IMO.
None of the olds in my family had a problem. YMMV I guess.
On a fast and stable machine and Internet connection this is much less of an issue, but in my experience at least, that is not the norm.
The BBC for instance regularly talks about Zoom for video conferencing. They rarely, if ever, discuss the privacy implications of Zoom or that alternatives are available* in articles not directly about Zoom's privacy failings.
* mentioning "other <commercial thing> are available" has become a widely known running joke for the BBC as their charter says they shouldn't favour one firm over another.
For instance, in EastEnders, when in the pub they always ask for "vodka", "gin and tonic" or "lager" but never a brand name.
They seem to have dropped that in the case of Zoom.
With Zoom I can be in a call with many people and I don't notice my CPU fans, and the video quality is better.
They have repeatedly shown that they will do whatever they want, and then act contrite later if they're caught out. They are not trustworthy, and I won't run their software on any nonsandboxed environment AT ALL. There's utterly no reason to.
Does he mean the ePrivacy regulation?
The ePrivacy regulation (not directive) is no binding law yet.
"Korn was a Nu Metal band"
"Korn were made up of musicians of very different backgrounds"
Still incorrect to my understanding of how English works.
I wonder if a company with a well known single owner (amazon/bezos, spacex/musk) is also thought of as a group or a person subconsciously.
Two countries separated by a common language
Correct. But it has significant dev in China. Corporately, it’s American. But when describing its engineering decisions, it’s fair to call it principally Chinese.
How well does management verify that they do?
It's not absurd for a product manager to want your desktop zoom app to inherit your browser login,
though as a user if I saw this behavior I would have a few wtfs. But as a user I would never ever install zoom on a laptop.
My takeaway from this isn't GDPR implications, it's that desktop OSes need to get serious about permissions, especially filesystem walkabouts.
Of course not, and there are many ways to do this while respecting the application boundary. In no particular order: passing a token in the launch URI, a bundled WebExtension, a local WebSocket/HTTP server, on-demand executable customization.
That was the moment Zoom received your consent to store data transmitted by cookies. Adding a few more cookies to the pile, regardless of expiration date, doesn’t change the agreement.
Rummaging round the cookie bin on uninstall is a nice find and deserves a raised eyebrow but this doesn’t really have anything to do with GDPR.
(Quick search about cookies)
The ePrivacy Directive is a directive to member states to create legislation or regulation. It doesn't have the force of law and it certainly isn't the GDPR.
The OP is right - there is nothing here that indicates that Zoom misunderstands the GDPR. Indeed the author of the post seems to misunderstand it, or include it as an attempt to grab attention.
> persistent cookies have an expiration date written into their code, but their duration can vary. According to the ePrivacy Directive, they should not last longer than 12 months, but in practice, they could remain on your device much longer if you do not take action.
The quote you keep referencing is false. The ePD says nothing about this.
In this case, I doubt that consent is freely given (which requires a true choice on the user's part), I doubt that it is specific (that the choice is granular pertaining to different cookies fulfilling different purposes), and I doubt that it is informed (that the user understands the relevance of different cookies).
Most importantly, consent given in the context of a visit of the zoom.us site cannot be specific and, at the same time, cover cookies being unexpectedly set by a local uninstall program. We are not talking about the usual session ID cookie here ("remember log in details").
Recital 43: Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case,
Somewhat questionable in this case. Is there a way to opt out of the specific cookie? I guess not.
or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
Recital 42: For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended
Where does Zoom explain the purpose of the "everlogin" cookie?
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Again, is there a way to opt out of the specific cookie?
Article 7 GDPR: The data subject shall have the right to withdraw his or her consent at any time. ... It shall be as easy to withdraw as to give consent.
It's quite easy to consent to cookies at zoom.us. Where, however, can a user revoke their consent?
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
I don't think it's possible to use Zoom without this (unnecessary) cookie being saved. Therefore, consent is most likely not applicable.
Again, ICO guidance is a great resource: Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
Consent under GDPR simply doesn't work like "I consent to all of your cookies".