Issue 71

Zoom! There goes your data

Delivered on 30 March 2020 by Justin Pyvis. About a 4 min read.

Most of us have used Skype and email for work-related communication for a very long time, but they both lack comprehensive team coordination and collaboration features. That wasn't a big deal when you were sat within a few metres of the people with whom you wanted to collaborate. However, COVID-19 and the requisite social distancing have made that model all but impossible.

A huge percentage of the world's office workers are now locked up at home, and that has created demand for services that purport to offer said features. Enter the likes of Microsoft Teams (pre-installed with Windows), Slack, and Zoom, which have all surged in terms of user growth over the past few weeks.

Zoom is suddenly very popular. Source: Forbes

But the large-scale move to video conferencing and collaboration software has caused some to question just how private these services actually are. While Microsoft Teams and Slack are the more mature products and have at least put some thought into their privacy policies, Zoom has been rather reckless with its approach:

[UPDATE: Since we wrote this issue Zoom patched its iOS app, and no longer sends data to Facebook upon opening. However, its blasé attitude to privacy and data security is still something to be very concerned about.]

Upon downloading and opening the app, Zoom connects to Facebook's Graph API, according to Motherboard's analysis of the app's network activity. The Graph API is the main way developers get data in or out of Facebook.

The Zoom app notifies Facebook when the user opens the app, details on the user's device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user's device which companies can use to target a user with advertisements.

Zoom is not forthcoming with the data collection or the transfer of it to Facebook. Zoom's policy says the company may collect user's "Facebook profile information (when you use Facebook to log-in to our Products or to create an account for our Products)," but doesn't explicitly mention anything about sending data to Facebook on Zoom users who don't have a Facebook account at all.

Zoom is basically malware, as it's "intentionally designed to cause damage to a computer, server, client, or computer network". And it has been like that for some time:

Last year, security consultant Jonathan Leitschuh discovered that Zoom set up a local web server on a user’s Mac device that allowed Zoom to bypass security features in Safari 12.

This led Electronic Privacy Information Center to file an FTC complaint against Zoom, alleging that Zoom “intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user.”

While Zoom has since removed these remote web servers, its cavalier approach to getting user permission and its disregard for security and privacy concerns in the pursuit of convenience raise serious questions about trust.

As the article notes, Zoom has decided that control, convenience and operability should always come before privacy and security. Fair enough, too - that probably matches the choice set of most of its users.

The good news is that there are alternatives, including the fully encrypted and open source Jitsi Meet. The bad news is that you've got a snowball's chance in hell of convincing your IT team it's a good idea to sacrifice a bit of centralised control to better protect their employees' privacy.

Enjoy the rest of this week's issue. Cheers,

— Justin

Other bits of interest

China wants to reinvent the internet

Not all progress is good:

Huawei describes the existing internet infrastructure that underpins global networks — known as TCP/IP — as “unstable” and “vastly insufficient” to meet the requirements of the digital world by 2030, including self-driving cars, the ubiquitous internet of things and “holo-sense teleportation”.

Instead, the Chinese proposals suggest the ITU take a “long-term view” and “shoulder the responsibility of a top-down design for the future network”.

Huawei may be correct, but that doesn't mean its solution is the right one. A decentralised, bottom-up approach should be the only option considered going forward. If anything we need fewer centralised intermediaries (points of failure), not one big one.


A bit of social distancing is a good thing

I've been wondering about this for a few weeks - will social distancing and the cessation of cruise ships spreading disease between hemispheres every year stop other bugs, not just the coronavirus, spreading? It sure looks that way:


When all is said and done...

...the fight to claw back liberties will be an immense one. When fear rises, liberty tends to fall out of favour with the populace. Some of it might be justified - for example, enhanced powers to lock up people deliberately going around infecting others.

But right now we have governments - which by and large botched their initial responses to this crisis - granting themselves enormous powers over people while simultaneously spending ten, twenty percent of GDP on relief packages loaded with pork to fix a problem largely of their own making.

That's effectively a power trip combined with a gravy train that will be difficult to stop, let alone unwind.


Issue 71: Zoom! There goes your data was compiled by Justin Pyvis and delivered on 30 March 2020.