New to Zoom - have their security issues been resolved?

If I worked for a company that used Zoom, I would expect administrators to have access to this information. I would expect other platforms to provide it as well.

I don’t consider attention tracking to be evil either. If you were leading an in-person meeting, you would be attention tracking - wondering if Chad’s furious typing was note taking or the more likely answering email or texting.

This is not intended to be dismissive of the other security and privacy concerns of Zoom and other platforms. I do think the wording of these reports and blog posts can be a bit alarmist, probably to drive clicks. “Attention tracking” sounds a lot more sinister than “can tell if Zoom doesn’t have focus for more than 30 seconds.”

3 Likes

Thankfully, staff at my university are allowed to use personal Zoom accounts that we own rather than company ones. This makes me much happier about using the service because only I have access to the statistics. They also offer to pay for it if we use their corporate account, but I prefer my own!

1 Like

Misunderstanding - this wasn’t Zoom.
Ironically this happened with Whereby; the tool we switched to. Whereby is by default open with self-selected room names, which is kind of stupid if you consider how many rooms with names like “WashingtonHigh10thGradeEnglish” and the like there must be right now.
At least the rooms aren’t listed anywhere, and the problem is easily avoided by making a less guessable room name; but teachers as a group have never been very tech savvy.

Or just set a password.

2 Likes

For those who need to host a Zoom meeting, here are some recommendations I received from my place of work. They can help prevent others disrupting things.

Edit your global preferences as follows:

In the “Meeting” Tab, set the following:
1. Require a password when scheduling new meetings: ON
2. Require password for participants joining by phone: ON
NOTE: When you set “require a password for participants joining by phone”, any meetings (recurring or otherwise) you have already set up will NOT be secured. You’ll have to cancel those and re-schedule new ones for them to be protected too.
3. In the “Screen sharing” section, set “Who can share?” and “Who can start sharing when someone else is sharing?” to “Host Only” unless you have a specific need to let multiple people share.

In the “Personal Meeting Room” tab, set:
1. Require meeting password: ON. Set a password of at least 8 digits since this doesn’t change very often and automated password guessing is fairly simple. A four-digit password can be guessed in under 5 minutes, and 6 digits in 7.2 hours.
2. Enable waiting room: ON. This lets you view attendees before accepting or rejecting each one individually.

1 Like

Also: Zoom’s oft-repeated assertion that it offers end-to-end encryption turns out to have been a lie they’ve just admitted:

Gruber’s advice from yesterday is sound: if you need to use Zoom it’s better to use it with an iOS device via the iOS-sandboxed App Store app. And if you need to use it on a desktop use it in an isolated web browser, and do not install the desktop app.

9to5Mac recommends using FaceTime when possible, as it always has end-to-end encryption, and it points out

In contrast, Apple’s FaceTime has always been end-to-end encrypted. When Group FaceTime was introduced in 2018, it too was end-to-end encrypted. FaceTime remains the only video chat app that supports end-to-end encryption on group calls with up to 32 participants.

The kind of encryption Zoom actually uses is no different from browsing the web over HTTPS. Your connection to the server is secured, but the content of the call can be decrypted and snooped on with the server if the owner wanted to. Obviously, Zoom says it does not do this and simply uses the server to re-encode the connection to the call’s recipients.

…FaceTime requires that everyone on the call is using a fairly modern iPhone, iPad, iPod touch or Mac. FaceTime currently lacks key enterprise videoconferencing features, like the ability to share your computer’s screen so everyone can work through a document or project together.

However, if you want the utmost security and privacy, Group FaceTime is what you should use.

1 Like

I don’t have any skin in this game, but I think it’s worth pointing out that their actual privacy policy isn’t terrible and their encryption model is pretty much identical to every consumer VPN service out there.

1 Like

I don’t know of any reputable consumer VPNs that had a privacy policy that allowed them to share info with Facebook (even if you aren’t a Facebook user).

Aside from that, which they’re now scrambling to remove after Motherboard’s scoop, have you ever used a VPN which stated that they “use certain standard advertising tools which require Personal Data (think, for example, Google Ads and Google Analytics). We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services)… Sharing Personal Data with the third-party provider while using these tools may fall within the extremely broad definition of the ‘sale’ of Personal Data under certain state laws because those companies might use Personal Data for their own business purposes, as well as Zoom’s purposes.”

Of course not.

Zoom shares data with enough advertisers and data crunchers, in enough states, that it would broadly qualify as selling your data. VPNs don’t do that.

2 Likes

The section you’re referring to seems to relate to their website and not their actual video conference service. Express VPN’s privacy policy has similar language.

(Edited to add: My point about similarity to VPN services was directed at the non-end-to-end encryption model. Edited (Edited to add) to add: (That’s not intended as a criticism of any consumer VPN services, only as a basis for context about the encryption model))

Zoom was only sending Facebook data because they had the standard Facebook SDK in the app for logins. The data was default behavior for the SDK; Zoom didn’t write any code to send it. While unfortunate, they had no special relationship or intent here.

1 Like

Considering that the new TOS call their website a ‘marketing website’ and that they continue to market user data, don’t assume that just because they don’t send the data right away that it’s not getting sent at some point later on.

1 Like

I appreciate the warning not to make assumptions. In Zoom’s case, they were only sending Facebook’s standard telemetry from the SDK, and they removed the SDK, so there isn’t any code left to send that data. Their app and service are being analyzed by so many security researchers, and they are going to have to make disclosures in the process of the new lawsuits against them, that we can reasonably assume they removed the SDK when they said they did. I value privacy and am glad a public company has learned to be more careful about what they claim, but I also don’t want people to misunderstand the situation.

2 Likes

Just because they removed the SDK doesn’t mean that they won’t continue their professed business model to have third parties serve you personalized ads across the internet, or sell analytics.

More, friends of mine who are doing telemeetings with psychiatric patients are alarmed that despite being HIPAA-compliant, the professed e2e encryption does not exist, that client info is being collected, that videos can be seen by the company. (HIPAA does not require end-to-end encryption as long as you have a BAA with the provider. Zoom has an option for a BAA starting at $200/month - which is what they’re now scrambling to look into). That apparently is the only way you get real privacy with Zoom. :grimacing:

So, Zoom “takes its users’ privacy extremely seriously” and their “customers’ privacy is incredibly important” yet they released software without a strong knowledge of what third party code they’re adding in, and what exfiltration might be happening as a result? They hold user privacy in such high regard and yet released a program without even hooking it up to a network monitor for five minutes?

Doesn’t pass the smell test.

1 Like
2 Likes

I take back my earlier endorsement, Zoom certainly has some egg on its face…

I was forced into a Zoom conference today. Why does it download a .pkg? And on my Windows (work) machine, it wanted me to start an .exe. Absolute no go. Most video conferencing solutions work from a browser…

2 Likes

You can do a Zoom meeting in the browser. Also, most or all of the common conference software options (in the US, anyway) have desktop and mobile apps.

https://thehill.com/homenews/state-watch/490402-virtual-meeting-with-black-university-of-texas-students-cut-off-by-racist-zoom

Also:

1 Like
1 Like

A big thank you for all the informative posts, and supporting links on what has been a timely and dynamic topic. FWIW… I’ve taken John Gruber’s advice and have installed Zoom on iOS (I resurrected a retired iPad 2). Unfortunately, on iOS Zoom I haven’t found a way of viewing video and chat simultaneously in separate panes the way I can on Zoom meetings via browser. What am I missing?