New to Zoom - have their security issues been resolved?

Their issues went beyond accessing the mic and camera. I haven’t followed the issue in a while.

The people behind ProtonMail have an interesting write up about Zoom’s privacy concerns:

1 Like

Just FYI that WebEx also has similar attention tracking.

Big Zoom can track you now

There’s the cutesy side to Zoom — when chatting, you can change your background to the set of The Office, among many other options. Some remote work companies are even rolling out custom Zoom backgrounds — “Hotline Bling,” anyone? — to drive customers.

There’s the embarrassing, such as the professor who tried to screen-share with her students and accidentally revealed a desktop folder labelled “DIVORCE.” Or the executive at Impossible Foods who spent a full work meeting vaguely resembling an alien because of a video glitch.

And there’s the creepy: Zoom has an attention-tracking feature that alerts hosts if an “attendee does not have Zoom Desktop Client or Mobile App in focus for more than 30 seconds.”

Just wait for the ZoomBomb to drop

No:

Unbelievable. :face_with_raised_eyebrow:
Thanks for letting us know.

From Michael Tsai’s blog:

Zoom allows administrators to see detailed views on how, when, and where users are using Zoom, with detailed dashboards in real-time of user activity. Zoom also provides a ranking system of users based on total number of meeting minutes. If a user records any calls via Zoom, administrators can access the contents of that recorded call, including video, audio, transcript, and chat files, as well as access to sharing, analytics, and cloud management privileges.

The complete post is here.

It feels kind of uncomfortable.

1 Like

If I worked for a company that used Zoom, I would expect administrators to have access to this information. I would expect other platforms to provide it as well.

I don’t consider attention tracking to be evil either. If you were leading an in-person meeting, you would be attention tracking - wondering if Chad’s furious typing was note taking or the more likely answering email or texting.

This is not intended to be dismissive of the other security and privacy concerns of Zoom and other platforms. I do think the wording of these reports and blog posts can be a bit alarmist, probably to drive clicks. “Attention tracking” sounds a lot more sinister than “can tell if Zoom doesn’t have focus for more than 30 seconds.”

3 Likes

Thankfully, staff at my university are allowed to use personal Zoom accounts that we own rather than company ones. This makes me much happier about using the service because only I have access to the statistics. They also offer to pay for it if we use their corporate account, but I prefer my own!

1 Like

Misunderstanding - this wasn’t Zoom.
Ironically this happened with Whereby, the tool we switched to. Whereby is by default open with self-selected room names, which is kind of stupid if you consider how many rooms with names like “WashingtonHigh10thGradeEnglish” and the like there must be right now.
At least the rooms aren’t listed anywhere, and the problem is easily avoided by making a less guessable room name; but teachers as a group have never been very tech savvy.

Or just set a password.

2 Likes

Concerns exist regarding Zoom’s approach to user privacy.

See John Gruber on Daring Fireball, 30 March 2020.

See also Zoom is under privacy scrutiny from the NY Attorney General - Business Insider

Thanks all for highlighting these issues! I’ve been using Zoom for a few things, but promptly deleted my account and will log in via web browser from now on.

For those who need to host Zoom meetings, here are some recommendations I received from my place of work. They can help prevent others disrupting things.

Edit your global preferences as follows:

In the “Meeting” Tab, set the following:
1. Require a password when scheduling new meetings: ON
2. Require password for participants joining by phone: ON
NOTE: When you set “require a password for participants joining by phone”, any meetings (recurring or otherwise) you have already set up will NOT be secured. You’ll have to cancel those and re-schedule new ones for them to be protected too.
3. In the “Screen sharing” section, set “Who can share?” and “Who can start sharing when someone else is sharing?” to “Host Only” unless you have a specific need to let multiple people share.

In the “Personal Meeting Room” tab, set:
1. Require meeting password: ON. Set a password of at least 8 digits since this doesn’t change very often and automated password guessing is fairly simple. A four-digit password can be guessed in under 5 minutes, and 6 digits in 7.2 hours.
2. Enable waiting room: ON. This lets you view attendees before accepting or rejecting each one individually.

1 Like
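Added example, not part of the original post: the arithmetic behind the password-length advice above. It assumes the post's 6-digit figure (7.2 hours) reflects a constant guessing rate with no lockout, then applies that rate to other lengths; the function names are illustrative and the rate is derived from the post, not measured.

```python
from fractions import Fraction

# Figure quoted in the post: all 6-digit passwords exhausted in 7.2 hours.
REFERENCE_DIGITS = 6
REFERENCE_SECONDS = Fraction(72, 10) * 3600  # 7.2 h = 25,920 s

def implied_rate():
    """Guesses per second implied by the 6-digit figure (assumed constant)."""
    return Fraction(10 ** REFERENCE_DIGITS) / REFERENCE_SECONDS

def exhaust_seconds(digits):
    """Worst case: time to try every numeric password of this length."""
    return Fraction(10 ** digits) / implied_rate()

def expected_seconds(digits):
    """Average case for a uniformly random password: half the keyspace."""
    return exhaust_seconds(digits) / 2

def min_digits(target_seconds):
    """Smallest length whose worst-case search time meets the target."""
    digits = 1
    while exhaust_seconds(digits) < target_seconds:
        digits += 1
    return digits

def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{float(seconds / size):.1f} {unit}"
    return f"{float(seconds):.1f} seconds"

if __name__ == "__main__":
    print(f"implied rate: {float(implied_rate()):.1f} guesses/s")
    for n in (4, 6, 8, 10):
        print(f"{n} digits: worst {human(exhaust_seconds(n))}, "
              f"average {human(expected_seconds(n))}")
```

At the implied rate of roughly 39 guesses per second, the recommended 8 digits take 30 days to exhaust in the worst case, and each extra digit multiplies that by ten.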

Also: Zoom’s oft-repeated assertion that it offers end-to-end encryption turns out to have been a lie they’ve just admitted:

Gruber’s advice from yesterday is sound: if you need to use Zoom it’s better to use it with an iOS device via the iOS-sandboxed App Store app. And if you need to use it on a desktop use it in an isolated web browser, and do not install the desktop app.

9to5Mac recommends using FaceTime when possible, as it always has end-to-end encryption, and it points out

In contrast, Apple’s FaceTime has always been end-to-end encrypted. When Group FaceTime was introduced in 2018, it too was end-to-end encrypted. FaceTime remains the only video chat app that supports end-to-end encryption on group calls with up to 32 participants.

The kind of encryption Zoom actually uses is no different from browsing the web over HTTPS. Your connection to the server is secured, but the content of the call can be decrypted and snooped on with the server if the owner wanted to. Obviously, Zoom says it does not do this and simply uses the server to re-encode the connection to the call’s recipients.

…FaceTime requires that everyone on the call is using a fairly modern iPhone, iPad, iPod touch or Mac. FaceTime currently lacks key enterprise videoconferencing features, like the ability to share your computer’s screen so everyone can work through a document or project together.

However, if you want the utmost security and privacy, Group FaceTime is what you should use.

1 Like

I don’t have any skin in this game, but I think it’s worth pointing out that their actual privacy policy isn’t terrible and their encryption model is pretty much identical to every consumer VPN service out there.

1 Like

I don’t know of any reputable consumer VPNs that had a privacy policy that allowed them to share info with Facebook (even if you aren’t a Facebook user).

Aside from that, which they’re now scrambling to remove after Motherboard’s scoop, have you ever used a VPN which stated that they “use certain standard advertising tools which require Personal Data (think, for example, Google Ads and Google Analytics). We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services)… Sharing Personal Data with the third-party provider while using these tools may fall within the extremely broad definition of the ‘sale’ of Personal Data under certain state laws because those companies might use Personal Data for their own business purposes, as well as Zoom’s purposes.”

Of course not.

Zoom shares data with enough advertisers and data crunchers, in enough states, that it would broadly qualify as selling your data. VPNs don’t do that.

2 Likes

The section you’re referring to seems to relate to their website and not their actual video conference service. Express VPN’s privacy policy has similar language.

(Edited to add: My point about similarity to VPN services was directed at the non-end-to-end encryption model. Edited (Edited to add) to add: (That’s not intended as a criticism of any consumer VPN services, only as a basis for context about the encryption model))

Zoom was only sending Facebook data because they had the standard Facebook SDK in the app for logins. The data was default behavior for the SDK; Zoom didn’t write any code to send it. While unfortunate, they had no special relationship or intent here.

1 Like