Zoom still don't understand GDPR (threatspike.com)
451 points by andrewnicolalde 56 days ago | 251 comments



I love how when you go to enter a Zoom meeting, they bury the no-install, run-in-browser link in small type in a footer. And then, if you manage to see the link and use the browser, they withhold "Gallery View", forcing you to deal with the extremely annoying "Active Speaker View".


> they bury the no-install, run-in-browser link

I wrote a browser extension that will transparently redirect all zoom links to use their web client:

https://github.com/arkadiyt/zoom-redirector


love this extension. we recommend it for everyone at work as the zoom client is banned.


What do you then do about the horrible performance of zoom in chrome?

For me, the sound becomes unintelligible as soon as someone shares his screen.


Try a different browser. On Mac, Safari is much more resource efficient than Chrome for example. On Windows I'm not sure, but it can't hurt to give FF a try.


N=1, but it works great in Firefox on Linux and doesn't use noticeably more resources than what I usually see with video calls.


Last I checked FF was not even supported :)


It has been supported for at least a month, probably two. I didn't (have to) use Zoom before that, thankfully.


Looks supported now


Haven't had this problem. And in general, we try to get people to use whereby (also the web version), which we've been very happy with.


You recommend using the extension to circumvent your employer banning your use of Zoom, while at work?


He said they banned the zoom client, not the zoom service.


It's wild to me how many companies are happy for everyone to have that client installed, despite usually having otherwise completely onerous security policies in other areas.


That's brilliant, thank you for making me aware of this!


I thought they removed the in-browser link? Does your extension still work?


Likewise, I could swear that the first couple of times I had to use Zoom there was a clean/clear/large font option to "use web", and after some time they must have removed it (or changed the font to white and set it to 3).

I use WindowsFirewallControl (WFC) by BiniSoft (think ZoneAlarmPro) and "Allow" very specific executables to reach the internet. In that case, the Install/Uninstall.exe would cause an alarm, and I would (of course) "Block" it.

I know this is not a solution for (ahem) elderly, but it can work for the majority of 'us'.


The in-browser link is hidden till you click the button to launch the zoom client app. Then, the link appears.


> The in-browser link is hidden till you click the button to launch the zoom client app. Then, the link appears.

As someone who doesn't use Zoom, this gobsmacked me.


According to a different comment it is hidden by default.


Thank you.


Btw Zoom account manager can enable this "Join from your browser" link, to show it to all participants. It's hidden by default. This is what I did in our org:

https://support.zoom.us/hc/en-us/articles/115005666383-Show-...


> I love how when you go to enter a Zoom meeting, they bury the no-install, run-in-browser link in small type in a footer.

I wasn't even aware that was possible until now.


In my experience, that link only appears after you actively deny the opening of an external application (xdg-open alerts pop up), after 3 tries it will _finally_ appear. Quite infuriating.


Have you tried disabling Javascript? The "Join from your browser" URL follows a predictable format, only a slight variation from the meeting link. If you have a meeting link that someone sent you, you can create the web client URL yourself.


True. But there is an option to show it by default. Though it is not easy to find. And only the manager of the host account can do it.

https://support.zoom.us/hc/en-us/articles/115005666383-Show-...


I paste meeting ID (eg 99999) on this address:

https://zoom.us/wc/join/99999


The web version also won't allow the host to request control from what I can tell. I use it daily for remote support because new webex sucks and no one knows what jitsi is.


I love Jitsi and have a server VM at home for my personal use.

But while it can share a desktop view I didn't think it allowed control?!? Man, this could be a family support game changer...

Edit:

requires Electron app it seems. https://github.com/jitsi/jitsi-meet-electron/releases

Was on HN, some comments suggest the Electron app bundles Chromium. (Not sure if all Electron apps do this, I know nothing about Electron... yet.) https://news.ycombinator.com/item?id=22830846

Edit sub basement 2: Yes, Electron apps include Chromium. "it combines the Chromium rendering engine and the Node.js runtime."

https://en.wikipedia.org/wiki/Electron_(software_framework)


All Electron apps are Chromium-based.


Sorry, just figured that out for myself and edited my parent comment again. Thanks!


Do you really think controlling your local desktop is an API feature that web browsers should provide to web apps?


Stated "Should local desktop control API be widely available to web apps and be commonly used?", the answer is surely no.

"Should local desktop control be a feature that can be enabled through web browsers for users who choose to use it with certain sites?" Eh, this is not so clear. What if by some magical turn of events Zoom decided on a drunken whim that user privacy is very important, and strongly encouraged use of web over desktop, should they just axe that feature? Back in reality, Zoom couldn't even consider that course of action until the web supports it.

Maybe do it by requiring users to install an extension that's granted remote desktop permission for a particular site. Which would at least allow the extension to be reviewed and audited.


Chrome Remote Desktop does it (requires a browser extension though I think).


And the browser extension runs a native .exe file behind the scenes...


Chicken-and-egg etc. People will know what Jitsi is when you use it with them. It's so simple, why not have them use it? Why do they have to know it already?


When Teams breaks, it's Teams's fault. When Jitsi breaks, it's your fault.


Been using jit.si for months with extended family (up to ~7 connections), not broken yet.


Same, approximately. I got one literal grandma to use Jitsi, and all of my literal grandparents to use BigBlueButton, and the latter actually took effort. Jitsi is significantly easier to use than Zoom et al., requiring no account or anything but a browser even to host a meeting, and having an extremely intuitive UI compared to eg. Zoom, with eg. the "Raise Hand" button being a hand icon right on the bottom bar next to mute, etc. where there’s just empty space in Zoom, instead of buried under a "Participants" button. BigBlueButton is slightly less simple (eg. you need to log in to host, at least by clicking “Login with Google” or with Twitter or Microsoft) but both have worked flawlessly over dozens of meetings and been understandable to my grandparents.


Then you are lucky. It breaks frequently (but randomly) and when it does, it's almost impossible to debug unless you have access to the broken machine (and that is unlikely given that you're probably at home and so are they).


Breaks how? I've used it on about 6 devices personally, roughly a couple of times a week and all our extended family have used it on one or two devices - Win10, iPad (I gather), Android, and Linux.

If it breaks a lot we must have been exceptionally lucky for none of us to have problems.


"It works on my machine" was generally the feedback I got from the server maintainers as well. It's true that only a few people had problems, but those people were the kind of people that needed to be listened to when they said "Jitsi doesn't work so we need something else". The problems in Jitsi were impenetrable for me and anyone else that looked into them, so saying no wasn't an option.


For remote support, you may want to look into a more purpose-built system, such as TeamViewer or LogMeIn Rescue.


If you're ok trusting smaller companies, AeroAdmin is a working alternative. https://www.aeroadmin.com/


Last time I spoke with TeamViewer, they still wouldn't admit they were hacked.

https://news.ycombinator.com/item?id=11826431 (TeamViewer denies hack after PCs hijacked, PayPal accounts drained)


Yep, switched my parents off TeamViewer after that and have blacklisted it personally.


That hack would have required the persistent login features to be installed on the target computers.

For simple remote support, you shouldn't be doing that anyway.


MS Teams has the same behaviour in web client. Is it browser-level restriction?


Google Meet has tiled view on web.


(And Jitsi Meet and BigBlueButton, and according to another comment here Discord, and in my limited experience with Cisco WebEX web at least ≤7 people can be simultaneously visible there)


> And then, if you manage to see the link and use the browser, they withhold "Gallery View", forcing you to deal with the extremely annoying "Active Speaker View".

Is this a browser limitation or something? I think microsoft teams has the same issue.


Jitsi supports multiple videos, I've had at least 6 people before.

We use GoToMeeting at work, and many times have 20 people with video, plus screen sharing (there's also gotowebinar which supports thousands of viewers).

With GTM I love that you can seamlessly share without disabling your video. The web browser experience is hands down better overall than everything else I've used (Zoom, MS Teams, Slack, Jitsi, WebEx). Camera views are just auto-sizing, auto-layout boxes (think: floating tiles) that fit the space you give them, and you can pick top/bottom/left/right when someone is sharing a screen.

Then things that hold GTM back: they still push their native client, and it takes two clicks every time to join with browser (it's not buried like zoom, but it's nowhere near the instant-on, zero-effort of Jitsi). The other thing driving me absolutely mad right now is they introduced a bug a few weeks ago that causes it not to remember my audio settings or name. When I host a meeting, despite telling it to "remember me" it never does - maybe this is part of the federated login my company uses, but the end result is when I click to start my meeting it tells me it's waiting for me to arrive, and takes like 4 more clicks and bouncing around login sites to get in.

My ideal:

Run in a browser, use extensions to get extra functionality if needed.

With lots of people, switch to multiplexing and/or automatically downscale video.

Support seamless pstn dial-in, and pop up a suggestion about this to users if their audio starts breaking up.

Don't stop my webcam when I start screen-sharing.

Support active speaker view, gallery (zoom-style), or GTM-style.

Remember all my preferences and make it so I rarely have to think about any settings. Or login.

Make it easy to give people permission to control/share/etc, and for recurring meetings, remember those changes for next time.


> Support active speaker view, gallery (zoom-style), or GTM-style

I prefer Jitsi’s gallery style — that lets you scroll through the participants with your actual scroll wheel — to Zoom’s — forcing you to drag your cursor back and forth across the screen’s longest axis every time you want to go back a screen of participants after advancing one, or vice-versa.


I don't think so, Google Meet has gallery view and that's browser only.


I’d guess as much as they love us installing their software, it’s also just really hard to solve these types of problems when you’re restricted to the browser.


Discord also has a gallery view for web, so it’s definitely technically possible


Browsers do generally have a limit on simultaneous outgoing connections per domain[1] - it could be related to that. (This is also why e.g. TFS breaks down when you open too many tabs).

[1] https://docs.pushtechnology.com/cloud/latest/manual/html/des...


I doubt that has anything to do with it. Zoom almost certainly handles composing the image for gallery view server-side; you're not maintaining a separate connection for each participant.


I thought I read somewhere that they don’t, which is what makes them more performant.


It's possible that the server just forwards a selection of packets from each participant (hopefully dropping some from those who aren't speaking or moving) and the client stitches them into the view.


Sure, that would be the SFU doing its job, but my point is that you aren't maintaining a connection per participant, but one connection with Zoom itself where you get all the video data. It's true that could be in the form of a single video stream of the entire gallery, or separate streams of only the participants visible to you.


Google Meet does send each video participant's video stream separately. You can tell this by disconnecting internet and then clicking a (now frozen) participant - they become fullscreen but low-res.

That means the client must have had that data locally rather than needing to wait for the server to send it.


Do you happen to know why TFS causes this? Does it leave connections open in each tab? Otherwise it should not matter how many tabs we have open I think.


They do have a Chrome App that will run zoom in Chrome with gallery view, but they hide that even more thoroughly unless you're on ChromeOS: https://chrome.google.com/webstore/detail/zoom/hmbjbjdpkobdj...


To be fair, Chrome apps are ending next year. https://blog.chromium.org/2020/08/changes-to-chrome-app-supp...

Maybe they'll be forced to make a usable web version by then, but I doubt it.


Nah, just one less thing to worry about by letting it go by the wayside.


I wonder if that's a technical limitation - it's the same for Microsoft Teams. When used through a browser, you can only see one person at the time. To see everyone you have to install the app locally.


Web version wouldn't work at all for me. I had to install the app.


Meeting hosts can make a setting change that makes that link visible by default, so you don't have to cancel xdg-open twice (only once)


can't


Can't what?


Holy shit - you can run Zoom in the browser???


Yes, of course. People wouldn't be crazy enough to install the binary blob of this extremely sketchy company, would they!?


My zoom shows up recording audio in the audio mixer even after leaving meetings.


My elementary school students’ Chromebooks’ Zooms keep the webcam light on when they click the Zoom button to turn it off.

https://my.fsf.org/give-students-userfreedom


every teleconferencing app does this.

Teams will not show you a browser link until you download the web client.

webex will actively download a .exe (on my mac?) before showing the browser link.

When I see stuff like this, I think "market opportunity" but the status quo must be pretty profitable.


webex (1).exe

webex (2).exe

webex (3).exe

...

After a Windows update webex kept crashing and bringing my laptop down with it, so I started using the web app. My Downloads folder ended up with quite a few webex downloads. Now I have a script to clean them out each night.


Can’t you just block downloads for domain in browser?


I always thought it depends on the call host.


It makes sense for them as a business to convert visitors to users to customers - nothing wrong with that for me.


Sadly, we live in a world where our expectations are a bit screwed. We're used to so many things being free, ranging from music streaming to programming libraries to nearly every service. We've become accustomed to the world where so many things are free to use that people get annoyed when products make the free things not as enjoyable as the paid service. Or sometimes even when someone provides a paid service.


Whether or not your company pays for Zoom, you still get the same severely limited web version and a strong push to use apps.


It's unfortunate that they bought and destroyed Keybase [1] in a bid to improve their security and even still there seems to be no improvement. Guess even the best folks can't make an impact if company culture prevents it.

[1] https://github.com/keybase/client/graphs/commit-activity


Same, they were my preferred platform for secure messaging, which is bizarre when you think about the fact that this wasn't even their original purpose. I guess this was indicative of the general lack of a single defined direction the product was going in near the time of the Zoom acquisition. What a shame. Hopefully someone makes something similar.


What was the draw of Keybase? I wasn't interested when it was a "post all your website usernames here, but with crypto somehow" site, and by the time I looked in on it later, it was an unreadable startup homepage and had some kind of cryptocurrency scam attached to it. If it had a good messaging featureset that should be cloned, former Keybase users should speak up!


It had excellent chat functionality that worked well, and this was at a time in which the Signal client for Android was still quite buggy (hundreds of Bad encrypted message messages flooding group chats, messages delivered hours late and all at once, poor performance etc.) My group naturally gravitated towards Keybase as our secure messaging platform. The other killer feature was KBFS, which was a sort of shared encrypted filesystem with which you could sync files securely across all of your devices, share files publicly or with specific users or sets of users or groups in cryptographically protected ways.

The unintelligible foray into cryptocurrency with Lumens made very little sense to me, but apparently the coins I was gifted for free by Keybase are worth over 100 USD now. I'll probably hold on to them.


FYI, if you want to liquidate those, AnchorUSD makes it really easy to transfer them out to a US bank account.


Thanks for the heads up :)


For me Keybase was a place to collect my public internet profiles in one place, with cryptographic auth that it's actually me.

All the chat, team, storage and crypto crap was just superfluous for me.


As someone who occasionally needed to share secrets (auth keys etc) with colleagues, or encrypt the odd file, it was really useful, it made all those things a lot easier.

Unfortunately all that extra stuff they piled on top seems to have distracted from just making the basics great.


I use the keybase git repo to store my dotfiles. It's quite nice but I'm moving to my own git server instead.


What killed me was I was ready to pay for any features like storage. They just never bothered. I wish they hadn't bought it out and instead just hired their team as consultants... This is a darn shame.


> https://github.com/keybase/client/graphs/commit-activity

That's an awesome graph. Pretty hard to hide or fake activity on an opensource project.

Also it shows how quickly engineering was pulled off projects... Usually it would be a matter of "finish the PR/feature/bug you're on", which might be days or weeks. Yet here everyone is pulled off over ~3 days.


The activity declined over the course of almost 2 months.


Ahhhh, "Our incredible journey" aka "So long suckers! See you at the yacht club sometime!"


- The code is open source

- It provides all features for free

- It is actually usable

- AFAICT, no reports of security breaches

- No privacy violations

- At one point, they actually GAVE free lumens to its users. No strings attached at all. I received ~40USD worth of XLM which I transferred to an exchange and sold it right away.

Please explain to me again: how did they make a sucker of you or their users?


Is server side open source?


Right, I meant the client - where it would be easier to claim malice or ill-intent from the company.


> ...in a bid to improve their security

Not specific to Keybase, but a lot of "cyber security firms" these days base their entire business on gross violations of privacy, unfortunately.


What?


They're not wrong. A large amount of them basically exist off gross privacy violations. Fingerprinting, gross PII sharing and overstorage, port scanning users' computers and LAN from their browser behind the FW/NAT for "security purposes",


Maybe we're thinking of cyber security as different things, I'm mostly thinking about application security and enterprise security? What are you talking about?


anti-scraping, l7 ddos/bot/spider prevention, "anti fraud", fingerprinting devices on login, port scanning devices on login, this is pretty common in application and enterprise


Yeah this was so sad, but I'm happy the guys that made it got paid. Even they would have known this was the end for Keybase. Hopefully when their non-compete clauses end the developers will make another product the same.


> Yeah this was so sad, but I'm happy the guys that made it got paid.

I don't really sympathize with this. You build something, get a ton of people to use it, advocate for it, get their friends to use it... I think after that, you have a responsibility to those users, and selling to a company like Zoom and then peaceing out on further work does not fulfill that responsibility.


I couldn't disagree more. Most users didn't even pay, for goodness' sake.


If you decide to base your business model on unpaid users, that doesn't absolve you of responsibility for them. You're still getting something from them, whether it's user numbers that impress prospective investors, or usage data that you can sell to third parties, or whatever.

If you're building a security- and privacy-focused product, selling it to a company that has demonstrated several times that they don't care about their users' security or privacy is unethical, regardless of how you slice it. It makes the world poorer, and the internet less safe for the people who use it. This has nothing to do with payment.


Was there a choice to pay??


ok that's my bad - I thought they had a paid enterprise plan. So actually _nobody_ paid. That makes me believe even more strongly that the founders do not owe users anything.


It's a shame you feel that way; personally I feel that avoiding responsibility for your actions toward others is one of the big ills in our society. Suggesting that there's only responsibility if money changes hands merely makes me sadder.


The choice is entirely with the consumer to decide to use non free software. Don’t be shocked when you are hurt


> Hopefully when their non-compete clauses end the developers will make another product the same.

... and it will get saddled with the reputation for trustworthiness it deserves. Sell me out once, shame on me...


The problem is that they don't want to be secure in the sense you used.

They made it pretty clear that security is for them not a fundamental aspect of their service but an afterthought they have to follow because they would lose customers elsewise.

I.e. security is still one of the lowest priorities for them and only a priority at all because of public pressure


Speaking of Keybase, I'm looking for an alternative to their encrypted Git repositories.

Any suggestions?


C'mon, what does it take for Zoom to understand that when people uninstall software they don't want parts of it to stick around forever?


Usually this happens because the person who wrote the file or daemon didn't write the uninstaller and no one gives a hoot about it at review.

Never assume malice that which can be explained by a poor engineering culture


Always assume that the malicious outcome is the intended outcome. Somewhere at zoom a tech lead looked at the features planned, saw 'uninstaller' and deprioritized it to P4. That was the malice, even though they did not cackle and wear a top hat with a monocle while doing it.


I’ve never worked somewhere where the tech lead would make that call; product would make the call after the team or tech lead gave estimates on different trade offs.


Except we're talking about a company that continuously employs dark patterns in their product and is generally considered a security threat in many countries. It's quite plausible to assume malice here, given previous examples of it (dark patterns are malicious by design and intent).


Well, malice or not, the result is not conforming to the law. And from how I remember it, that's not the first time they are in that situation, so "oops, our bad" shouldn't really cut it.


Especially when you consider the software and design of Zoom, poor engineering culture sounds like the more realistic answer.


> "Poor engineering culture"

The software and service is currently running at a scale that the vast majority of visitors to HN can barely dream of achieving.

But yeah, they prioritized ease of install for the client of their software over other considerations, so that must mean they have a "poor engineering culture", whatever that's supposed to mean.


Profitable business culture, poor engineering culture. Happens all the time in companies of all sizes.


In other words: a) malice, and b) a business problem, not a tech problem.


Absolutely would call this a tech culture problem. Just like e.g. not writing tests because management doesn't want to spend time on that. Doesn't mean that individual developers are to blame for this kind of decision, but it speaks for the overall culture of the tech org. Yes, often driven by business objectives.


Sorry, I don't understand what you're saying. Someone put functionality into the uninstaller that modifies your Chrome cookie jar. I don't know who you're referring to by "the person who wrote the file".


"they don't want parts of it to stick around forever"*

I don't think you're being fair. It's readily apparent that Zoom understands not to make parts of their software stick around forever. The fact that they understand this is the entire reason for setting the cookie to last only 10 years. Which is clearly not as long as forever! /s


it takes for them to stop profiting off it


Zoom is not alone in this. Lots of crud gets left, and it differs between which OS it is.


This looks more like them actively placing a cookie into the cookie DB upon install. Doesn't appear to be simply left behind.


*uninstall


I’m curious if the same is happening on Mac or Linux when uninstalling.


A court ruling for violation of the GDPR might go some ways there. Of course, these things move slowly. But zoom are now grown up enough that they'll have to plan on these time scales I guess.


Why do you guys not use https://whereby.com (formerly appear.in), it’s free for 4 people, in-browser only, no-login, WebRTC, allows sharing the screen alongside faces.

But they made the 5+ rooms $9 per month, which is way too expensive. There are not enough competitors for WebRTC conf tools, it should be quite simple and $4-5 a month (WebRTC doesn’t incur data costs on the servers since the data is peer-to-peer).


> WebRTC doesn’t incur data costs on the servers since the data is peer-to-peer

There are probably some operators that do pure p2p, but the vast majority use some kind of bridge past a certain number of users (& TURN might also be used for p2p). Usually this is to limit the amount of bandwidth a participant needs.

Other alternatives are https://meet.jit.si & https://8x8.vc/. I cannot remember what was the current limit of participants in Jitsi (it was 75 back in June), but on 8x8.vc it's 100. In cases where you simply need a lot of viewers and limited number of participants there is also an option to livestream to Youtube.

(Disclaimer: I work at 8x8, but not directly on Meet or Jitsi)


8x8 has intrigued me, but I'm a bit confused as to what happened. Did 8x8 buy the Jitsi brand from Atlassian? And what's the benefit of 8x8 vs Jitsi pure? I might be a customer if 8x8 is a compelling alternative to Zoom without some of the downsides of Jitsi (generally less reliable).


Disclaimer: I work at 8x8 (not specifically on meetings, but related)

8x8 offers more than just meetings.

You can see the feature list here: https://www.8x8.com/products/video-conferencing

Yes we bought Jitsi from Atlassian.

The Jitsi based meetings are integrated into our complete UC offering (yet we still deliver stand-alone meeting clients for customers who might want only meetings).


I don't get your argument about the pricing. If you're 5+ people you can split that cost. If it's for professional use, a few dollars is a blip.


We’re 2 in our startup.

- Fastmail costs $50 per person per year,

- Gapps would be $60,

- Whereby asks for $90 per user.

It’s just a feeling that this is wrong for what they contribute, but you’re right, if we share one account for a team, that would be a lower cost.

Maybe I was “anchored” by their previous pricing $4, which I thought I’d subscribe as soon as I’d have income, even though I didn’t need the paid features. But at $9, it’s a second psychological step. It feels like they stuff with features, where all we ask is often the WebRTC part.


> Whereby asks for $90 per user.

Whereby costs $90 per Organisation for Meetings up to 12 users. We have a url for each team without a password and it works for us. Yes, 1 person manages those meeting rooms.

Add $10/month to extend to 50 users.

Whereby was the best I could find to share screen of Fedora, still limited as sharing only works under Firefox not their Chrome based app or any other variant of Chrome I could get my hands on. Zoom, Jitsi and others couldn’t properly share screens nor application windows.


I used appear.in a few years ago between friends, it was really nice. Now however, having to pay $60 when you are 12+ people is a bit much when I can do it for free with Zoom.

If it was for professional use $60 would not have mattered much, but that is not the case here.

(Our university offers some kind of paid plan on Zoom for all students so it will be hard to beat regardless, but that is not true for everyone)


We used them for a while but the quality just isn’t nearly as stable as zoom.


Maybe it's no-login, but in order to try it you need to register.


This is what we need app sandboxing for. No reason third-party apps should be able to read the browser's cookie database.


As an aside, the Chrome cookies database on Windows is protected using the Windows Data Protection API[1], which ties encryption keys to a specific user. In the case of the Chrome cookie database, each cookie's payload/value is encrypted using a cryptographic key generated by the DPAPI which is only accessible to that Windows user. Of course, (and as is the case with most situations like this), this does absolutely nothing to protect users against malicious or intrusive programs running with the permissions of that user.

So yeah, you're right. App sandboxing please.

[1] https://en.wikipedia.org/wiki/Data_Protection_API


I thought the rule was: If you can see it plaintext on the screen, it's not safe.


Could you elaborate on that? Of course no computer is completely secure against all forms of attack, but I’ve found statements like these to not contribute very much towards solving any practical security problems.


On windows any program can read the contents of any window on the current desktop (with some exceptions, like UAC prompts and other windows that dim your entire screen). This has legitimate use cases for screen readers or dictation, but of course it can also be abused. Same for X11. On more modern operating systems like Android the user needs to take very explicit action to allow an app to do that.


Wow, I had no idea this was also the case on Windows! I was aware of this on X11 and switched to a Wayland compositor as a result. Is this true for macOS? I know for sure that on more recent versions of macOS, applications which want to capture the entire screen require special user-approved permissions, but can they selectively read other windows?


The moment that a string of text appears on your screen, it is passed through between many different functions (and even pieces of hardware, with textures being stored on the GPU VRAM) and has unencrypted copies lying all around in memory as the application is running.

Any part of the space in which these copies exist being compromised will mean that your encryption is useless in the end.


You have to draw the line somewhere. Otherwise we'd be saying that HTTPS/TLS is not secure since the webpage is rendered to your monitor unencrypted.

I agree with the parent quote:

> I’ve found statements like these to not contribute very much towards solving any practical security problems.


But HTTP/TLS indeed is not secure from the point of your local machine. Its entire point is protection of data in transit.


One of the great things about Flatpak [1] is being able to restrict permissions for each application. Flatseal [2] is a useful GUI for controlling it. Zoom is available as a Flatpak [3]

1. https://www.flatpak.org/

2. https://flathub.org/apps/details/com.github.tchx84.Flatseal

3. https://flathub.org/apps/details/us.zoom.Zoom


It is difficult to get a man to understand something when his salary depends upon his not understanding it. -- Upton Sinclair


Brief: adds cookies to Chrome on the UNinstall process. Includes a funny "everlogin" one that lasts 10yr


Worth mentioning that the uninstaller sets the cookie by adapting your cookies file after reading contents of the file entirely unrelated to Zoom.


Worth mentioning that the author speculates that this happens not for a nefarious reason, but in a binary tree search to locate your zoom cookie.


Further, it's a SQLite database. It's not like it's hard to check this behavior, or instrument the database file to see exactly what it's doing.

It was really odd they didn't bother.

https://imgur.com/a/jBaW7RL


What tools would you use to instrument a sqlite file in order to monitor reads?


When Julia Evans wanted to learn what SQLite does, she just stuffed some printf calls into the code and rebuilt it :).

https://jvns.ca/blog/2014/09/27/how-does-sqlite-work-part-1-...

You could do similar at API entry points.

Or, if you're after writes, it would be simpler to attach an "on insert/update" trigger that just records the changes in another table. See https://www.sqlite.org/undoredo.html for an example of using triggers this way.
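The trigger approach suggested in the comment above, as an added example (not code from the thread or from the linked article). It assumes a simplified `cookies` table modelled on Chrome's column names, with timestamps in microseconds since 1601-01-01; `cookie_audit`, `install_audit` and `long_lived_writes` are hypothetical names, and the sample rows are constructed.

```python
import sqlite3

US_PER_DAY = 86_400 * 1_000_000  # microseconds per day (Chrome-style timestamps)

# Assumption: simplified stand-in for the browser's cookies table.
SAMPLE_SCHEMA = """
CREATE TABLE cookies (
    host_key     TEXT NOT NULL,
    name         TEXT NOT NULL,
    value        TEXT NOT NULL,
    creation_utc INTEGER NOT NULL,
    expires_utc  INTEGER NOT NULL
);
"""

# Audit table plus one trigger per write operation. Every INSERT, UPDATE and
# DELETE on `cookies` leaves a row behind, whichever program issued it.
AUDIT_SQL = """
CREATE TABLE IF NOT EXISTS cookie_audit (
    id              INTEGER PRIMARY KEY AUTOINCREMENT,
    at              TEXT DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    op              TEXT NOT NULL,
    host_key        TEXT,
    name            TEXT,
    creation_utc    INTEGER,
    old_expires_utc INTEGER,
    new_expires_utc INTEGER
);
CREATE TRIGGER IF NOT EXISTS cookie_audit_ins AFTER INSERT ON cookies BEGIN
    INSERT INTO cookie_audit(op, host_key, name, creation_utc, new_expires_utc)
    VALUES ('INSERT', NEW.host_key, NEW.name, NEW.creation_utc, NEW.expires_utc);
END;
CREATE TRIGGER IF NOT EXISTS cookie_audit_upd AFTER UPDATE ON cookies BEGIN
    INSERT INTO cookie_audit(op, host_key, name, creation_utc,
                             old_expires_utc, new_expires_utc)
    VALUES ('UPDATE', NEW.host_key, NEW.name, NEW.creation_utc,
            OLD.expires_utc, NEW.expires_utc);
END;
CREATE TRIGGER IF NOT EXISTS cookie_audit_del AFTER DELETE ON cookies BEGIN
    INSERT INTO cookie_audit(op, host_key, name, creation_utc, old_expires_utc)
    VALUES ('DELETE', OLD.host_key, OLD.name, OLD.creation_utc, OLD.expires_utc);
END;
"""


def install_audit(conn):
    """Attach the audit table and triggers to an open database."""
    conn.executescript(AUDIT_SQL)


def audit_ops(conn):
    """Return the recorded writes in order as (op, host_key, name)."""
    return conn.execute(
        "SELECT op, host_key, name FROM cookie_audit ORDER BY id").fetchall()


def long_lived_writes(conn, max_days=365):
    """Audited writes that left a cookie living longer than max_days."""
    return conn.execute(
        """SELECT op, host_key, name,
                  (new_expires_utc - creation_utc) / ? AS lifetime_days
           FROM cookie_audit
           WHERE op IN ('INSERT', 'UPDATE')
             AND new_expires_utc - creation_utc > ?
           ORDER BY id""",
        (US_PER_DAY, max_days * US_PER_DAY)).fetchall()


def demo():
    """Replay constructed writes against an in-memory copy of the schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    install_audit(conn)
    t0 = 13_240_000_000_000_000  # constructed creation timestamp
    ins = "INSERT INTO cookies VALUES (?, ?, ?, ?, ?)"
    # Ordinary 30-day cookie, as a browser would write it.
    conn.execute(ins, ("example.test", "sid", "abc", t0, t0 + 30 * US_PER_DAY))
    # Constructed row imitating the ten-year cookie discussed in the thread.
    conn.execute(ins, (".zoom.us", "everlogin", "1", t0, t0 + 3650 * US_PER_DAY))
    conn.execute("UPDATE cookies SET expires_utc = ? WHERE name = 'sid'",
                 (t0 + 60 * US_PER_DAY,))
    conn.execute("DELETE FROM cookies WHERE name = 'sid'")
    conn.commit()
    return conn


if __name__ == "__main__":
    db = demo()
    for row in audit_ops(db):
        print(row)
    print("long-lived:", long_lived_writes(db))
```

Triggers only see writes issued as SQL against this database file; they do not record reads, and a program that replaces the whole file bypasses them, so file-level monitoring is still needed for those cases.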


> after reading contents of the file

In the same way I'm reading your mail if I look at it to see whether it's my mail, and then put it back down when I see your name.

That is to say, not at all.


A better analogy would be that when uninstalling Zoom it looks through all of your emails to find its email. It has no business being there in the first place.


Cookies are just temporary passwords.

It's like Zoom goes through your temp password database to change your saved password for zoom.


Except you are UNinstalling the application? What cause is there to save anything that isn't already there at that point?


I mean, if you had zoom installed on desktop there's a high likelihood that you will use zoom again. By leaving that cookie, they are making the web experience better the next time you use it.

Then again, planting a 10 year cookie that can only exist when edited outside the browser's sandbox is a helluva effective long term marker for a particular person. Maybe they just want to keep tabs on you. :)


I don't even know what to say to all that. There's a point at which you're sick and tired of being sick and tired. I'm there.


At least zoom has privacy statement / policy page available on their web site unlike threatspike.com


Fair point. threatspike's homepage talks about how they store data in a - according to them - secure fashion in a secure data center in London. What this tells me is that they collect data and store data. Moreover, their article tells me that they do have access to a lot of information, or else they couldn't have known about the zoom behavior if their stuff didn't phone home such information.


Have you seen Zoom’s stock price? Wall Street don’t give a shit about security unless the company goes under due to a massive fine.

Let’s accept the fact that US govt doesn’t give a shit about little privacy/security like this. EU will sometimes strike a big hammer but even that is sporadic.

Zoom has built momentum on “dark growth hacks” and they’re reaping the rewards. This is standard Silicon Valley.


Zoom is a joke on Linux. You enter a meeting, it goes automatically into full screen mode and when you put in windowed mode, the window can get lost. Then you need to reconnect the session.


I argue Zoom does understand GDPR and the ePrivacy Directive from a legal perspective.

The specific citation about the length of a cookie is a recommendation and not a law[0]. The key word is 'should'.

I'm not a lawyer nor claim the ability to interpret GDPR legally, but I have seen companies that actively worked to edge case GDPR to their advantage (I was part of one). We would have lawyers and other 'GDPR experts' tell us what was possible and what wasn't then simply extend into the grey area.

Here, I reject Hanlon's Razor[1].

[0] https://gdpr.eu/cookies/#:~:text=All%20persistent%20cookies%....

[1] https://en.wikipedia.org/wiki/Hanlon%27s_razor


The website gdpr.eu is not official. It's just a website made by some people. The length of the cookie, as far as I can tell, is not even a recommendation in the law. It's just a thing someone said on the Internet.

The ePrivacy Directive requires strict consent (as defined in GDPR) in order to read or write data from a user's computer, including cookies, except where strictly necessary to provision the service. There's potentially wiggle room for throttling, which is in the name of one of the cookies. I have doubts about a cookie tracking whether you've ever logged in.


I imagine GDPR doesn't apply to Zoom, as a non-EU company. Much like China bans what it doesn't want, the onus is on the EU to set up a GFW of their own and ban Zoom (and other GDPR-non-compliant foreign websites) if they disagree with it.

Otherwise, Zoom only needs to obey the laws of USA and wherever else they have offices.

Disclaimer: IANAL

Also: I'm not arguing for Zoom's sketchy practices but just saying that GDPR might be the wrong card here. The EU isn't the world police.


Any company that has an operating entity in an EU country must comply or risk being fined by regulators.

If the target is big enough, EU regulators will ask for help from other countries.

Zoom operates offices in a few EU countries[0] so they'll definitely have some sort of entity(ies) setup - regulation pressure can be applied.

[0] https://zoom.us/contact


That is incorrect. GDPR applies to EU residents using the service, wherever that service is.


That is a jurisdictional grey area. It is technically true, but practically speaking, it's why I specifically said "EU regulators will ask for help from other countries".

GDPR is only strictly enforceable in EU countries. All the other countries, it's up to whether they want to cooperate.

Example - EU cannot force China to make Tiktok/Bytedance follow GDPR practices in China for EU citizens. They really can only wave a big finger and claim Bytedance is out of compliance.

Sure, EU can sue Bytedance cross border in China, but it carries no weight/teeth. At which point, EU has to escalate... trade relations? sanctions? war?!

So practically - they have to ask for help.


You're right, I checked and Zoom does have offices in Paris and Amsterdam.

I suppose then they have the choice of doing Google's playbook in China and just close their EU offices if they wanted, instead of complying. I mean, China wanting censorship and EU wanting GDPR aren't any different. Without arguing for or against either, China's censorship and GDPR are both local laws and foreign-based companies with no local offices don't need to comply. Foreign companies may be blocked, that's all.

Not that I'm advocating for Zoom violating privacy, but I'm not in support of EU unilaterally setting rules for the world or their right to police EU laws outside their borders. They should set up a GFW if they don't like certain things being sent into their country borders over the web, but they can't tell me what to do if I haven't set foot in their jurisdiction. (Neither can Iran, Russia, or North Korea, so why does EU get a pass to police you? If Kim Jong Un sent you a fine for $1 million would you pay it?)


> but they can't tell me what to do if I'm not in their jurisdiction.

True, but if you have offices and do business in their jurisdiction, then you get to follow their laws.


> they can't tell me what to do if I haven't set foot in their jurisdiction.

By accepting customers from the EU you are setting a foot here, albeit economically and not physically. You are free to not serve European customers if you do not want to deal with the GDPR.


I think you entirely misunderstand the purpose of the GDPR.


> The EU isn't the world police.

That’s not how the world works. Non US citizens have been arrested in the US for breaking US law when they aren’t in the US. Hell the US has tried to extradite people to the US who have never been to America.


There's no need to ban Zoom itself. Just stop all money from the EU going to Zoom's accounts.


I'm pretty sure GDPR applies to any companies with dealings in the EU, or at least to that company's dealings which occur within the EU.

Disclaimer: IAANAL


You could say that about China as well. China's laws say that you need to censor your search results of certain things. Google and Facebook don't censor. They get banned by the GFW. Plain and simple.

The EU can do the same thing and set up their own firewall if they wish to enforce GDPR on foreign websites.

The fact that their citizens would revolt over the idea of internet censorship is irrelevant. The point I'm trying to make is that EU saying "you can't serve X to our citizens" and China saying "you can't serve Y to our citizens" is no different and it's up to them to enforce it within their borders if they wish. The EU doesn't get to play world police any more than China's government does.

FWIW baidu.com and tencent.com are both pretty damn GDPR incompliant and the EU isn't doing anything about it. And yes there are Chinese-speaking EU nationals that use these companies' services.


You, uhh, you realise that we're stuck with restrictions on what we can do in significantly more important sectors than serving tracking cookies because of the US - like the financial industry - right? There's not a world power in existence which doesn't extend its power in order to attempt to either protect its citizens or protect its tax income.


Google Meet features seem so much better suited for government and education, especially if using G Suite on top of it. It is like the same price of Zoom but includes a lot of other great features, including unlimited storage using Google Drive.


Does anyone expect any consequences? It’s not like any EU member would ban Zoom in the middle of the pandemic.


The first step wouldn't be banning, it would be helping Zoom to be compliant, then if they were uncooperative, a fine.


Why is an uninstaller allowed to access a browser's files in the first place and then modify them? There's a name for that category of software.


While it's annoying that this is the case, pretty much all software on all commonly-used operating systems has complete access to everything.

When you install software in Windows, either it installs without Administrator permissions (in which case it still has access to every single user file) or it asks for elevation to Administrator, and users blindly click Yes (in which case it has access to the entire machine).

When you install software in Unix/Linux, you're almost certainly using sudo, giving up complete control. User permissions on single user systems are almost irrelevant. It's all about blind trust. People think nothing of installing software via "curl | sudo bash", or adding random PPA repositories to apt, downloading a binary and running it as root, or deploying a docker container linked from a blog. I know the risks and I do it all the time, because convenience always wins and popular things are reasonably safe due to the "mob trust" factor.

MacOS has made some incremental steps to wall applications off from each other, requiring explicit authorization for some actions via System Preferences toggles, but really, it's just adding inconvenience for your average user, and people will generally blindly agree, in part because some of the categories are too vague or broad (small UI widgets that alter e.g. keyboard bindings or window placement require carte blanche).

Phone operating systems are better at this than most, requiring explicit permission to access e.g. contacts, but there are still limits on how protected your data is. Most of the security on phone apps comes from the vetting required by the vendor lock-in stores. Yet we still had apps able to invisibly steal global clipboard contents until earlier this year.

So, yeah, it's stupid that Zoom's uninstaller has access to browser cookies, but do you think there's a single piece of software you use that doesn't? Everything on your system has access to everything else in most cases.


Disclaimer: I used to work at ThreatSpike Labs but left before this article was written and before any of the findings on this article were discovered.


HN is cool with self-posting, so in all cases you’re in the clear.


Yes, but they (we) still like disclosure.


It seems Zoom is so big that a small bone to pick on can yield clicks for them.


a desktop uninstaller messing with chrome cookies isn't a small bone imo


Read between the lines: a company established on the territory of a state where there is no concept of "private property" does not understand that it is impossible to collect personal data.


Who what now? Zoom? California? Because of that one squatting case?

Whatever it is that you are referring to, it sounds political and can't possibly have anything to do with the topic at hand. Save it for a different thread.


If you have to run the native programme (for me it keeps breaking up in the browser), run it from a dedicated unprivileged user, without installing it on the system. (Run ./opt/zoom/ZoomLauncher.) If you have to log in (I couldn't change the input device without logging in), when your browser tries to open the not installed programme, copy the link and give it as a command-line argument to ZoomLauncher.

Looking forward to a working alternative.


I really don't like how Zoom forces the download of an executable, how doesn't this trip the antimalware? What a bad practice.


It's annoying when you don't have the client and you want to jump into a meeting, or you don't want to install the client for different reasons.

They obviously focus on pushing their client because they can offer more features and better user experience. It's easier to sell their product to you. Otherwise most web clients are limited in features which means it's harder to compete for them.


I find the name of the NPS_0487a3ac_throttle cookie suspicious enough, but the article does not comment on it. Is this a common practice? Throttling the website for users who uninstalled your application?


I'm sure Zoom would be doing privacy-iffy things even if in full compliance with the GDPR. And the possibility they might be surveying other cookies, and uploading them elsewhere, would be a giant concern if verified.

But the specific complaint here, about a cookie with an expiration longer-than-12-months, seems pretty silly.

It's not stored on some remote machine - it's stored locally, transparently. The user – and their own software – can control this easily & completely. If there's a good rationale for expiring cookies earlier, a browser can easily do it directly - it needn't involve regulators, or ineffectually hoping every one of thousands of different companies/websites do something the laws of one place ask.


Why do people still use Zoom? Something like Google Meet or Microsoft Teams is better.


Because it's frictionless. It's very easy to set up a Zoom meeting with anyone in the world.

When I tried MS Teams, my impression was that it required a fair amount of advance configuration. This is no problem if you're meeting the same people repeatedly and they work for the same employer as you. Indeed, as the name of the software suggests, it's good for "teams". But for me, anyway, this hasn't been my typical use case.


It's the dropbox argument all over again. "I don't understand why people just won't use <much more complicated service>!"

I've never used Teams, but my girlfriend was trying to walk her mum through getting it setup for work. It was a very long phone call. When I tried Zoom with my parents it took a grand total of about 2 minutes from the moment they get the link to being in the call, most of the time spent figuring out audio.

Also, fuck Microsoft. From the complete destruction of Skype, the crappy Skype-rebranded Lync, to the shitshow that is their "Microsoft Store" and the whole xbox gaming ecosystem, if I ever have a choice between a Microsoft and non-Microsoft application that does the same thing, I'm never going with the Microsoft one.


Zoom seems pretty high-friction vs jit.si . It forces (kinda, tricks I suppose) install of a client exe for example and IIRC requires registration.

Jitsi you just follow the link, webrtc means no download.


The high friction with Jitsi is browser permissions. You need to interact with both the webpage and the browser's chrome to set up and switch media devices, which can get confusing even for someone with deep knowledge of the browser APIs, let alone for someone who couldn't tell a UAC prompt from a MsgBox().

That's why Zoom uses all these dark patterns to get native code running as soon as possible and as privileged as possible so it can do all the work for you. See also: Mac installer disaster.


Browser just says "give permission to use mic and camera" and you click yes.

If you click no, then I think you're going to struggle to intuit how to proceed; but it's no harder than navigating UAC dialogs to install software, much easier IMO.

None of the olds in my family had a problem. YMMV I guess.


Except that the permission popup is very difficult to spot and disappears if you touch anything other than it, after which it's pretty hard to find again. It also asks you to select an input device and if you pick wrong, you might have to track it down again to fix that.

On a fast and stable machine and Internet connection this is much less of an issue, but in my experience at least, that is not the norm.


Cool, thanks for expanding on that.


Zoom has a lot of brand recognition that gives them momentum.

The BBC for instance regularly talks about Zoom for video conferencing. They rarely, if ever, discuss the privacy implications of Zoom or that alternatives are available* in articles not directly about Zoom's privacy failings.

* mentioning "other <commercial thing> are available" has become a widely known running joke for the BBC as their charter says they shouldn't favour one firm over another. For instance, in EastEnders when in the pub they always ask for "vodka", "gin and tonic" or "lager" but never a brand name.

They seem to have dropped that in the case of Zoom.



Because in a Google meet with just one other person my computer fans spin up like crazy and the video quality is crap.

With Zoom I can be in a call with many people and I don't notice my CPU fans, and the video quality is better.


This is excellent work by threatspike and we should commend/support efforts like this that help keep us informed of the sneaky and intrusive actions of certain pieces of software


My bet is that Zoom understand the GDPR just fine, and don't care.

They have repeatedly shown that they will do whatever they want, and then act contrite later if they're caught out. They are not trustworthy, and I won't run their software on any nonsandboxed environment AT ALL. There's utterly no reason to.


The author is referring to the ePrivacy directive - it's not the same as the GDPR.

Does he mean the ePrivacy regulation?

The ePrivacy regulation (not directive) is no binding law yet.


Maybe it's obvious but how does this break GDPR?


You shouldn't set a cookie without expiry date especially after user opt-out. This particular example isn't really a big issue. But, perhaps you wouldn't read it if the title was too accurate.


It doesn’t. Or if it does, no one here has yet to explain why.


*doesn't


The article is written in grammatically correct British English.


It caught me off guard too. The company is UK-based so it's probably a British colloquialism.


When referring to collective nouns for a group of people (like Bands, political parties, etc.), both plural and singular are acceptable to refer to them, depending on what you want to emphasize.

"Korn was a Nu Metal band"

"Korn were made up of musicians of very different backgrounds"


As far as I can find online, it's American street language; I only know it from US shows and Eminem (and other rap) songs. Maybe here it's used to indicate that "zoom be stupid".


Perhaps. I'm American but live in the UK, and I have observed how people in the UK use "don't" as opposed to "doesn't" when the thing being referred to is an organisation, I suppose with the idea of it being an organisation comprised of many people (i.e. "they don't") as opposed to an inanimate non-human entity ("it doesn't").

Still incorrect to my understanding of how English works.


Perhaps it’s built into a different perception of what a company is. In America, I get the feeling people think more of companies (large companies) as human beings with rights (but no responsibilities), and that’s far less than the general view in the UK where the view is often they are parasites with valueless shareholders.

I wonder if a company with a well known single owner (amazon/bezos, spacex/musk) is also thought of as a group or a person subconsciously.

Two countries separated by a common language


No, it's just that American English in general is much less free with the use of plural agreement with collective singular nouns. So e.g. "My team are" is much less acceptable in American English than in British English.


Zoom is terrible, but when you deep dive into GDPR it's pretty clear that nobody understands it.


[flagged]


Zoom is an American company by the way. Its headquarters is in Silicon Valley. Its founder, chairman, and CEO is an American citizen. It has employees in California and China, like nearly all tech companies.


> Zoom is an American company

Correct. But it has significant dev in China. Corporately, it’s American. But when describing its engineering decisions, it’s fair to call it principally Chinese.


By your logic apparently Boeing is an Indian company.


On what basis are you making that claim about how they base their engineering decisions?


Would you call Cisco and Dell principally Indian companies?


Why not, if that’s where a majority of the teams making engineering decisions are?


That's not fair. You should look where their vision, policy, and standards are set. Engineering decisions respect those principles.


> Engineering decisions respect those principles.

Do they?

How well does management verify that they do?


How about GitLab then? The CEO is Dutch, working (AIUI) in SF, and the engineering team are all remote. The company is incorporated in the Netherlands, US, UK, and a load of other countries. Does that make them principally a Dutch, American, or ??? company?


As an American company, are they subject to GDPR regulations?


They have European users and offices.


The fact that they operate and have revenue in the EU is enough. They are still subject to GDPR even without offices.


wow as with everything that's come out about them it feels like they're trying to get the job done but with limited platform support and badly

it's not absurd for a product manager to want your desktop zoom app to inherit your browser login

though as a user if I saw this behavior I would have a few wtfs. But as a user I would never ever install zoom on a laptop

my takeaway from this isn't GDPR implications, it's that desktop OSes need to get serious about permissions, especially filesystem walkabouts


> it's not absurd for a product manager to want your desktop zoom app to inherit your browser login

Of course not, and there are many ways to do this while respecting the application boundary. In no particular order: passing a token in the launch URI, a bundled WebExtension, a local WebSocket/HTTP server, on-demand executable customization.


it does it on uninstall, not install.


“Zoom cookies are firstly written when the user connects to the website zoom.us and accepts the cookies options.”

That was the moment Zoom received your consent to store data transmitted by cookies. Adding a few more cookies to the pile, regardless of expiration date, doesn’t change the agreement.

Rummaging round the cookie bin on uninstall is a nice find and deserves a raised eyebrow but this doesn’t really have anything to do with GDPR.


> According to the ePrivacy Directive, they should not last longer than 12 months.

(Quick search about cookies)


You'll note they don't reference or explain that.

The ePrivacy Directive is a directive to member states to create legislation or regulation. It doesn't have the force of law and it certainly isn't the GDPR.

The OP is right - there is nothing here that indicates that Zoom misunderstands the GDPR. Indeed the author of the post seems to misunderstand it, or include it as an attempt to grab attention.


The ePD text says nothing about a 12 month cookie expiration and also ePD != GDPR


> While GDPR only applies to the processing of personal data, ePrivacy regulates electronic communication even if it concerns non-personal data. Also, in the case of cookies, the ePrivacy generally takes precedence.

https://gdpr.eu/cookies/#:~:text=All%20persistent%20cookies%....

> persistent cookies have an expiration date written into their code, but their duration can vary. According to the ePrivacy Directive, they should not last longer than 12 months, but in practice, they could remain on your device much longer if you do not take action.


> According to the ePrivacy Directive, they should not last longer than 12 months

The quote you keep referencing is false. The ePD says nothing about this.


This is very likely not valid consent under GDPR. Look at specific guidance on valid consent by DPAs: https://ico.org.uk/for-organisations/guide-to-data-protectio...


Can you explain what is invalid about it? The list of functional cookie permissions on the consent opt-in specifically mentions cookies to remember log in details.


Sure, let's have a look at Article 4 GDPR: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

In this case, I doubt that consent is freely given (which requires a true choice on the user's part), I doubt that it is specific (that the choice is granular pertaining to different cookies fulfilling different purposes), and I doubt that it is informed (that the user understands the relevance of different cookies).

Most importantly, consent given in the context of a visit of the zoom.us site cannot be specific and, at the same time, cover cookies being unexpectedly set by a local uninstall program. We are not talking about the usual session ID cookie here ("remember log in details").

Recital 43: Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case,

Somewhat questionable in this case. Is there a way to opt out of the specific cookie? I guess not.

or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Quite likely.

Recital 42: For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended

Where does Zoom explain the purpose of the "everlogin" cookie?

Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Again, is there a way to opt out of the specific cookie?

Article 7 GDPR: The data subject shall have the right to withdraw his or her consent at any time. ... It shall be as easy to withdraw as to give consent.

It's quite easy to consent to cookies at zoom.us. Where, however, can a user revoke their consent?

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

I don't think it's possible to use Zoom without this (unnecessary) cookie being saved. Therefore, consent is most likely not applicable.

Again, ICO guidance is a great resource: Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.

Consent under GDPR simply doesn't work like "I consent to all of your cookies".

