I often feel like my posts can come off as preachy. So this post is going to be different than usual. This time, I want to include more facts. This post is for the people that don’t necessarily share my opinion that all software should be free (as in freedom). My hope is that this will speak to a wider audience.
Scale and Growth
To start off, I want to give you an idea of the scale of Zoom. Zoom is a video and audio conferencing platform for desktop and mobile devices. According to Zoom’s blog from 22 April 2020, Zoom CEO Eric S. Yuan said in a webinar that Zoom has surpassed 300 million daily Zoom meeting participants. This does not mean that Zoom has 300 million active daily users, but 300 million participants in Zoom calls daily. For example, one user may participate in several Zoom meetings and be double-counted. So the 300 million does not correspond to the number of users. Nonetheless, 300 million is no small number. For comparison, the U.S. population is estimated to be about 329 million at the time of this writing.
But Zoom didn’t always have such a huge user base. The Coronavirus pandemic causing people to work from home is what skyrocketed their numbers. According to Zoom’s Blog post, “Usage of Zoom has ballooned overnight - far surpassing what we expected when we first announced our desire to help in late February. This includes over 90,000 schools across 20 countries that have taken us up on our offer to help children continue their education remotely. To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid. We have been working around the clock to ensure that all of our users new and old, large and small can stay in touch and operational…our platform was built primarily for enterprise customers large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices”. Eric S. Yuan. (2020, April 1). Retrieved May 24, 2020 from Zoom, Zoom blog, https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/.
Terms of Service
“ACCESSING THE ZOOM WEBSITE OR BY UTILIZING THE ZOOM SERVICES YOU AGREE TO BE BOUND BY THESE TERMS OF SERVICE AND ALL EXHIBITS, ORDER FORMS, AND INCORPORATED POLICIES” Terms of Service. (2020, April 13). Retrieved May 23, 2020 from Zoom, Zoom terms of service website, https://zoom.us/terms. This means that even using the Zoom website or web app instantly binds you to the terms of service of Zoom whether you know about it or not. Section 2d.i states that you are prohibited from reverse engineering Zoom services. Since Zoom is proprietary, you can’t investigate the source code to figure out what it’s doing. Worse than that, the terms of service forbid you from even trying to figure out how Zoom works or what it does behind the scenes, or from helping anyone else do so. This means that independent security audits of Zoom software are not possible unless Zoom gives up their source code. Therefore, any of the claims Zoom makes about security, encryption, data protection or privacy are impossible to verify without breaking the law. You just have to take their word on it.
According to section 2d.iv, you may not transmit materials that infringe intellectual property. This means if you have music playing in the background of a Zoom call or a movie playing on your television in the background, you could be breaking Zoom’s terms of service without even trying. Section 2d.vi says you cannot “use the Services to communicate any message or material that is harassing, libelous, threatening, obscene, indecent, would violate the intellectual property rights of any party or is otherwise unlawful, that would give rise to civil liability, or that constitutes or encourages conduct that could constitute a criminal offense, under any applicable law or regulation” Terms of Service. (2020, April 13). Retrieved May 23, 2020 from Zoom, Zoom terms of service website, https://zoom.us/terms. I’m not a lawyer so I can’t interpret this, but the language seems to place broad restrictions on what you are allowed to say over Zoom. Section 15 also says you cannot use Zoom while in a “high-risk” environment.
In section 7d, the terms say that Zoom “content” can be turned over to law enforcement. Section 2b seems to define content as anything that is transmitted from you to Zoom. For example, audio, video, text messages, etc., including metadata, are all accessible to law enforcement at any time.
There is a lot there. They collect interest-based data on you automatically. That is, unless you opt-out. Notice it’s not opt-in. The default is collecting your data. You have to know it’s happening and then choose to opt out, which a lot of the more non-technical users of Zoom aren’t going to figure out how to do. I personally find it condescending how they put “sale” in quotes like that’s not exactly what they’re doing. Further, when you opt out, the fact that you opted out is stored in a cookie. So if you try to clear tracking cookies from your browser, you might accidentally clear the cookie which says you don’t want to be tracked. This also means if you switch browsers or devices, or ever clear your browser cookies, the preference is forgotten and you have to remember to reactivate it every single time. And until you do, you are being tracked by Zoom cookies. Even if you opt-out, there’s no guarantee that Zoom doesn’t enable a feature to get the same information out of you a different way without using cookies. Again, it’s impossible to know because it’s against terms of service to reverse engineer Zoom.
Zoom gives your data to third parties. On their subprocessors page, they list the following third parties which they give your data to: People.ai, Zendesk, Wootric, Totango, Answerforce, Rocket Science Group LLC, Five9, EPS Ventures, WKJ Consultancy, Salesforce, CyberSource, Adyen, Zuora, Amazon Web Services, Oracle America Inc, and Bandwidth. We will ignore the 3 third parties related to billing (CyberSource, Adyen, and Zuora) since if you’re not paying Zoom it probably doesn’t apply to you. That still leaves 13 subprocessors, each with their own privacy policies and their own third parties. You can see very quickly how the number of third parties your data is being shared with grows exponentially. 11 of the 13 relevant third parties are under US jurisdiction. Since the 2013 Snowden leaks, we know that the U.S. government performs massive dragnet surveillance on US-based companies without any oversight, so it’s probably safe to say that the U.S. government is collecting Zoom data from either Zoom itself or Zoom subprocessors.
This is tantamount to saying “Zoom isn’t really selling customer data because customers don’t understand Zoom’s business model”. That way Zoom can confidently say they aren’t selling customer data, misleading customers to think that their data is safe. It’s absurd. The essence of what Zoom is doing is a sale. It’s a value transaction of customer data for service. If that isn’t a sale I don’t know what is. They also use the word “standard” to make you feel safer. Standard doesn’t mean secure. Google Analytics and social media tracking cookies may be standard, but that doesn’t mean they are good, or even acceptable. It’s an example of the bandwagon fallacy.
Citizen Lab Findings
I already mentioned how Zoom must provide data to the U.S. government, a member of the Five Eyes. But Zoom provides data to China as well. Citizen Lab, an interdisciplinary laboratory at the University of Toronto, reported several troubling findings on 3 April 2020. I’ll just go over the key findings and expand on them.
Zoom claimed to use AES-256 in their security whitepaper; however, Citizen Lab found that they actually use AES-128 in ECB mode. Anyone that knows about block cipher modes knows that ECB mode is not suitable for video conferencing. Citizen Lab included the classic example of the ECB penguin, which is why you don’t use ECB mode for large files. Any audio or video conferencing over ECB would be as secure as the ECB penguin image, which is to say not very secure. Worse yet, the encryption keys were found to be generated by Zoom servers in China even when all meeting participants were outside of China. So the Chinese authorities could get the keys and decrypt Zoom communications of children in K-12 classrooms, U.S. courts using Zoom, meetings between government officials, college students, and everyday Americans as well as non-Americans and other countries that used Zoom.
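To make the ECB penguin concrete, here is an added example (not from Citizen Lab’s report and not Zoom’s code) that encrypts a constructed 12-block “frame” in ECB and in counter mode and compares which ciphertext blocks repeat. It assumes a toy Feistel cipher built from HMAC-SHA256 as a stand-in for AES so it runs with the standard library only; the key, nonce, frame and all function names are hypothetical.

```python
import hashlib
import hmac

BLOCK = 16  # bytes, the same block size as AES
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
NONCE = bytes(8)                                         # constructed sample nonce

def _round(key, i, half):
    # Round function: keyed hash of the round number and one half-block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt_block(key, block):
    """4-round Feistel permutation on 16 bytes. Stand-in for AES, NOT AES."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right

def ecb_encrypt(key, data):
    # ECB: every block is encrypted independently with the same key.
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of the block size")
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def ctr_encrypt(key, nonce, data):
    # CTR: encrypt nonce||counter and XOR the result into each plaintext block.
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        stream = toy_encrypt_block(key, nonce + n.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], stream))
    return bytes(out)

def block_pattern(ct):
    # Label each distinct ciphertext block A, B, C... in order of first appearance.
    seen = {}
    return "".join(seen.setdefault(ct[i:i + BLOCK], chr(ord("A") + len(seen)))
                   for i in range(0, len(ct), BLOCK))

def sample_frame():
    # Constructed input: flat background with one block of detail, like a
    # static video scene or the penguin's solid-colour regions.
    background = b"\x00" * BLOCK
    detail = bytes(range(16))
    return background * 6 + detail + background * 5

if __name__ == "__main__":
    frame = sample_frame()
    print("ECB:", block_pattern(ecb_encrypt(KEY, frame)))         # structure visible
    print("CTR:", block_pattern(ctr_encrypt(KEY, NONCE, frame)))  # no repeats
```

Under ECB an eavesdropper without the key can still see where the frame changes, which is the property that makes it unsuitable for audio and video.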
Citizen Lab also shows Zoom advertising their use of end-to-end encryption. End-to-end encryption means only the communicating parties are able to decrypt the communication. Clearly, with the encryption keys generated on the Zoom server itself, that’s not possible. Zoom can decrypt your communications. Citizen Lab also claims that they found a “serious security issue” with Zoom’s waiting room feature, advising users not to use waiting rooms if they care about meeting confidentiality.
On 30 March 2020, Boston FBI issued a warning about using Zoom. According to the warning by Setera (30 March 2020) “The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language”. This is followed by advice on what to do to prevent Zoom-bombing. But Zoom is not innocent in this because it was possible to scan for random meetings to join. It doesn’t strike me as a very useful or necessary feature. Zoom is for teleconferencing. Most meetings will have a specific purpose and the participants don’t want random people joining in to disrupt the meeting. So it doesn’t make sense to me why this was a feature in the first place. To make matters worse, the FBI report explains Zoom didn’t have passwords enabled by default for meetings until January 2020.
It wouldn’t be fair for me to criticise Zoom without also pointing out steps they have taken to address the platform’s many problems. First, I want to focus on their April 1st blog post. Eric S. Yuan claims (April 1, 2020) “Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment”. I would like a full list of these enterprises so I know not to trust their “security reviews”. Frankly, 128-bit AES in ECB mode is an embarrassing rookie mistake. It basically only happens when you don’t know what you’re doing. Just looking at Zoom’s track record of horrible security and privacy that I’ve outlined above, I don’t see how thousands of “exhaustive security reviews” could miss so much.
In that blog post, Yuan mentions the increased outreach and video tutorials. But security mistakes caused by user error are not really in the scope of this post. One of the first things the post mentions is that on March 27th, the Facebook SDK was removed from the Zoom app on iOS. It’s astounding to me that Yuan can claim in the same blog post detailing the removal of the Facebook SDK that (March 27, 2020) “Our customers’ privacy is incredibly important to us”. This is insane. If customer privacy was important then the Facebook SDK would never ever have been in the Zoom app. Facebook is an absolute surveillance monster. The SDK spies on people that don’t even use Facebook. Apps that really care about privacy don’t touch anything Facebook or Google with a ten foot pole. Some information sent by the Facebook SDK was: Application bundle identifier, application instance ID, application version, device carrier, iOS advertiser ID (gross), iOS device CPU cores, iOS disk space available (why???), iOS device disk space remaining, iOS device display dimensions, iOS device model, iOS language, iOS timezone, and iOS version. This doesn’t happen by accident. At some point, a developer for Zoom wrote some code for the iOS app to make it send that device information to Facebook on purpose. For a teleconferencing app, the Facebook SDK is absolutely unnecessary. Zoom only removed the SDK after being called out for it. This is an example of being reactive to security and privacy issues, not proactive.
Reactive, Not Proactive
The Facebook SDK isn’t an isolated case either. Zoom didn’t start caring about user privacy until they had to start caring about it due to increased media pressure. Here’s a Zoom blog post on April 1st about Zoom encryption practices. In the following quote, we can see Zoom trying to weasel their way around not having end-to-end encryption by redefining words again. Oded Gal posted (April 1, 2020) “…we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it…”. When in doubt, just change the meanings of words so you don’t look bad. In Zoom’s defense, they don’t use end-to-end encryption so that legacy protocols can be supported. Protocols such as H.323, SIP, and PSTN don’t work with end-to-end encryption. In my personal opinion, these are good reasons to abandon the PSTN (public switched telephone network) and other legacy protocols that don’t support end-to-end encryption. In the year 2020, end-to-end encryption should be ubiquitous and we should reject any applications not using it.
Another absolutely disgusting thing is that Zoom lied to customers again about not selling their data: “…we do not sell our users’ data, we have never sold user data in the past, and have no intention of selling users’ data going forward” Eric S. Yuan. (2020, April 1). Retrieved May 24, 2020 from Zoom, Zoom blog, https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/. They did permanently remove the attention tracking feature, which never should have existed to begin with. There is no mention of removing Google Analytics though.
To play devil’s advocate, I can go through Zoom’s 90-day plan focusing all their resources on security and privacy to fix their platform. A few things they have done so far: only the host can screen share by default, participants need consent to be unmuted, audio indication for the waiting rooms, removing Giphy, and giving the host more control over the meeting. They also published a draft crypto design to redo their cryptography. It is apparently available for peer review on GitHub. It’s still early to see where all this goes. But given that Zoom hasn’t ever owned up to selling user data in exchange for service, I don’t have my hopes high.
Use Jitsi Instead
Zoom is a proprietary platform. This means it is essentially a black box. As I mentioned earlier, this means it will always be less trustworthy than free software video conferencing solutions such as Jitsi. The Tor Project recommended using Jitsi instead of Zoom. I haven’t done much research on Jitsi yet, but if the Tor Project is saying to try Jitsi, I would use it over Zoom any day. It’s also cross-platform and features actual end-to-end encryption. Even if Zoom implements end-to-end encryption, how can you trust it if it can’t be independently reviewed by anyone and no one outside of Zoom can see the source code? How can you trust the implementation on desktop or mobile platforms? In short, you can’t. No platform is perfect; however, there are more secure and less secure solutions out there. And in general, you want to avoid proprietary programs because they cause the incentives to be aligned in such a way that Zoom will always have reasons to insert privacy-corroding features into their platform.
When no one except you or your organization can see the source code, there are incentives to insert malicious pieces of code that benefit you at the user’s expense. Jitsi does not have the same incentive structure because it’s free software. Anyone with the know-how can look over the code and see if something fishy is going on. This will never be true of Zoom. Zoom has no reason to ever give away their source code and make their program trusted free software. Part of the reason I dropped out of my classes at my university was because Zoom was being forced on us students and I refused to use it.
Call to Action
I’m not saying you, the reader, should go as far as I did. I’m just saying if we, as a society, want to live in a world where we are given more privacy and security in our digital lives, then we have to say no to platforms like Zoom. If we don’t, we will move ever closer to some kind of dystopian surveillance hell, assuming we aren’t already there. Ask yourself this question: If you don’t reject these untrusted proprietary platforms with a horrible track record, then who will? How many people do you know that would reject Zoom if their boss or professor told them to use it? The demand for our digital rights back has to start somewhere, before it’s too late.