
posted by Fnord666 on Saturday March 28 2020, @11:28PM
from the can't-hurt-to-be-more-secure dept.

Now that everyone's using Zoom, here are some privacy risks you need to watch out for:

Now that you've finished choosing your custom Zoom background, mercifully sparing your fellow workers-from-home the sight of a growing pile of gym socks behind your desk, you might think you've got a handle on the conference call software du jour. Unfortunately, there are a few other data security considerations to make if you want to hide your dirty laundry.

Privacy experts have previously expressed concerns about Zoom: In 2019, the video-conferencing software experienced both a webcam hacking scandal and a bug that allowed snooping users to potentially join video meetings they hadn't been invited to. This month, the Electronic Frontier Foundation cautioned users working from home about the software's onboard privacy features.

[...] Here are some of the privacy vulnerabilities in Zoom that you should watch out for while working remotely.

[...] Tattle-Tale
Whether you're using Zoom's desktop client or mobile app, a meeting host can enable a built-in option which alerts them if any attendees go more than 30 seconds without Zoom being in focus on their screen.

[...] Cloud snitching
For paid subscribers, Zoom's cloud recording feature [allows] a host [to] record the meeting along with its text transcription and a text file of any active chats in that meeting, and save it to the cloud where it can later be accessed by other authorized users at your company, including people who may have never attended the meeting in question.

[...] Data Gossip
[...] An analysis by Vice's Motherboard, published Thursday, found the iOS version of the Zoom [...] was telling Facebook whenever you opened the Zoom app, what phone or device you were using, and your phone carrier, location and a unique advertising identifier. Late Friday, Motherboard reported that Zoom had updated its iOS app so the app would stop sending certain data to Facebook.


Related Stories

Elon Musk's SpaceX Bans Zoom over Privacy Concerns

Elon Musk's SpaceX bans Zoom over privacy concerns-memo

[...] In an email dated March 28, SpaceX told employees that all access to Zoom had been disabled with immediate effect.

"We understand that many of us were using this tool for conferences and meeting support," SpaceX said in the message. "Please use email, text or phone as alternate means of communication."

[...] NASA, one of SpaceX's biggest customers, also prohibits its employees from using Zoom, said Stephanie Schierholz, a spokeswoman for the U.S. space agency.

The Federal Bureau of Investigation's Boston office on Monday issued a warning about Zoom, telling users not to make meetings on the site public or share links widely after it received two reports of unidentified individuals invading school sessions, a phenomenon known as "zoombombing."

Also consider that one way to claim to have "end-to-end encryption" is to simply re-define the term. Zoom Meetings Aren't End-to-End Encrypted, Despite Misleading Marketing:

Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.

With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention on the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.

Security and Privacy Implications of Zoom

Security and Privacy Implications of Zoom - Schneier on Security:

Over the past few weeks, Zoom's use has exploded since it became the video conferencing platform of choice in today's COVID-19 world. (My own university, Harvard, uses it for all of its classes. Boris Johnson had a cabinet meeting over Zoom.) Over that same period, the company has been exposed for having both lousy privacy and lousy security. My goal here is to summarize all of the problems and talk about solutions and workarounds.

In general, Zoom's problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations.

Privacy first: Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.

Now security: Zoom's security is at best sloppy, and malicious at worst. Motherboard reported that Zoom's iPhone app was sending user data to Facebook, even if the user didn't have a Facebook account. Zoom removed the feature, but its response should worry you about its sloppy coding practices in general:

"We originally implemented the 'Login with Facebook' feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data," Zoom told Motherboard in a statement on Friday.

Finally, bad user configuration. Zoom has a lot of options. The defaults aren't great, and if you don't configure your meetings right you're leaving yourself open to all sort of mischief.

Scrutiny Needed for Teleconferencing Software and Their Backing Companies

Zoom has had a meteoric rise as a result of the SARS-CoV-2 outbreak. Jitsi and other useful teleconferencing tools are not very well known, though still widely used. Nearly all the buzz has been about the newcomer instead, but few have actually evaluated it. One group has. The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs and Public Policy at the University of Toronto, has investigated Zoom briefly, covering both the technology, especially its weak encryption and key handling, and the company itself:

Key Findings

  • Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
  • The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
  • Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.
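To make the ECB finding concrete, here is an added example; it is not Zoom's code and not from the Citizen Lab report. Since AES is not available without third-party packages, a toy 16-byte Feistel block cipher (keyed SHA-256 round function, insecure, illustrative only) stands in for AES-128; ECB and CTR modes are built on top of it, and a repeated-block counter shows that a "frame" containing a flat region leaks its structure under ECB but not under CTR. The key, nonce and sample frame bytes are constructed for the demo, not real traffic.

```python
"""ECB pattern leakage demo with a toy block cipher (added example; constructed data)."""
import hashlib
from collections import Counter

BLOCK = 16          # 128-bit blocks, the same block size AES-128 uses
HALF = BLOCK // 2
ROUNDS = 8

# Constructed demo values (assumptions, not Zoom's real key or traffic).
KEY = b"demo-key-16bytes"            # 16-byte key
NONCE = b"\x00" * HALF               # 8-byte CTR nonce
FLAT = b"\x80" * BLOCK               # one 16-byte block of a "flat colour" region
FRAME = FLAT * 8 + bytes(range(16)) + bytes(range(16, 32))   # 10 blocks, 8 identical


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed SHA-256 truncated to a half block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 8-round Feistel cipher on one 16-byte block. Like AES it is a keyed
    bijection, but it is NOT secure; it only lets the mode-of-operation
    behaviour be shown without third-party packages."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 16 bytes")
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block (rounds applied in reverse order)."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 16 bytes")
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks (the property Citizen Lab flagged)."""
    if len(data) % BLOCK:
        raise ValueError("ECB needs a whole number of blocks (no padding here)")
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    if len(data) % BLOCK:
        raise ValueError("ciphertext is not block aligned")
    return b"".join(toy_decrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: XOR with the keystream E(nonce || counter). Encrypt and decrypt are
    the same operation, and equal plaintext blocks no longer collide because
    each block sees a different keystream block."""
    if len(nonce) != HALF:
        raise ValueError("nonce must be 8 bytes")
    out = bytearray()
    for ctr, i in enumerate(range(0, len(data), BLOCK)):
        keystream = toy_encrypt_block(key, nonce + ctr.to_bytes(HALF, "big"))
        out += _xor(data[i:i + BLOCK], keystream)   # zip truncates a short last block
    return bytes(out)


def repeated_block_count(ct: bytes) -> int:
    """How many 16-byte blocks duplicate an earlier block. On a large
    ciphertext a non-zero count is the classic tell that ECB was used; this is
    the check to run on captured packets before trusting an 'AES-256' claim."""
    whole = len(ct) - len(ct) % BLOCK
    counts = Counter(ct[i:i + BLOCK] for i in range(0, whole, BLOCK))
    return sum(c - 1 for c in counts.values() if c > 1)


def demo() -> dict:
    ecb_ct = ecb_encrypt(KEY, FRAME)
    ctr_ct = ctr_crypt(KEY, NONCE, FRAME)
    return {
        "ecb_repeats": repeated_block_count(ecb_ct),   # the 8 flat blocks collide
        "ctr_repeats": repeated_block_count(ctr_ct),   # keystream differs per block
        "roundtrip_ok": ecb_decrypt(KEY, ecb_ct) == FRAME
                        and ctr_crypt(KEY, NONCE, ctr_ct) == FRAME,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`repeated_block_count` is the part worth keeping: run it over the payloads of captured media packets and a high duplicate count tells you the mode is ECB regardless of what the documentation says about key length. Note that CTR only fixes the pattern leak; it gives no integrity, so a real replacement for ECB would be an authenticated mode such as AES-GCM, not bare CTR.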

In a nutshell, throughout the mad rush to adopt teleconferencing software, due diligence has been largely abandoned and licenses left unread and software unevaluated. More scrutiny was needed, and still is needed, when acquiring and deploying software. That goes double for communications software.


Zoom Admits Data Got Routed Through China

Zoom admits data got routed through China - Business Insider:

In a statement late Friday, Zoom CEO Eric Yuan admitted to mistakenly routing calls via China.

"In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began," Yuan said. "In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect."

He did not say how many users were affected.

During spells of heavy traffic, the video-conferencing service shifts traffic to the nearest data center with the largest available capacity – but Zoom's data centers in China aren't supposed to be used to reroute non-Chinese users' calls.

This is largely due to privacy concerns: China does not enforce strict data privacy laws and could conceivably demand that Zoom decrypt the contents of encrypted calls.

Separately, researchers at the University of Toronto also found Zoom's encryption used keys issued via servers in China, even when call participants were outside of China.

[...] Zoom has faced multiple high-profile security issues in recent weeks as it struggles to cope with an unprecedented surge in traffic and new users.

Zoom did not immediately respond to Business Insider's request for comment and clarification.

Taping Over Your Webcam Might not be Enough to Stop Hackers from Spying on You

Apparently the bad guys can now use a device's ambient light sensor:

That tape over your webcam may not be enough. Researchers at the Massachusetts Institute of Technology (MIT) have highlighted imaging privacy threats enabled by ambient light sensors, in a paper recently published in Science Advances. Device users concerned with security and privacy may be comforted by hardware solutions (shutters) and software permissions restricting webcam use. However, researchers have shown visual information can be gathered via one of the common ambient light sensors installed in many devices. These small sensors usually aren’t shuttered or disabled by users and are typically permission-free on a device level.

Ambient light sensors are categorized as low-risk by device makers and can often be accessed directly by software (or malware) without any permissions or privileges. Nevertheless, previous studies have shown such a rudimentary sensor can provide enough information to infer keystrokes on a virtual keyboard and steal a device PIN, about 80% of the time. The new research shows what an ambient light sensor can do when combined with an active light source component – namely the device's screen.

For their experiments, the MIT researchers used a Samsung Galaxy View 2. This rather old and large (17.3-inch) consumer tablet has its ambient light sensor next to the front-facing (selfie) camera, which is still a very common configuration.

[...] The scientists explained that the ambient light sensor reads the light emitted by the screen shining on a person’s face and being partially blocked by the hand / screen interaction. A whole lot of complicated math, aided by AI and image processing technology, was used by the researchers to deliver their results.

Journal Reference: Imaging privacy threats from an ambient light sensor - Yang Liu, Gregory W. Wornell, William T. Freeman, and Frédo Durand - https://www.science.org/doi/10.1126/sciadv.adj3608

Related: Now That Everyone's Using Zoom, Here Are Some Privacy Risks You Need to Watch Out For



This discussion has been archived. No new comments can be posted.
  • (Score: 0, Funny) by Anonymous Coward on Saturday March 28 2020, @11:45PM (2 children)

    by Anonymous Coward on Saturday March 28 2020, @11:45PM (#976770)

I don't use your product because I don't work from home. If you've got so much work that you need to bring it home, you should find another job with better work-life balance.

    • (Score: 5, Funny) by darkfeline on Saturday March 28 2020, @11:51PM

      by darkfeline (1030) on Saturday March 28 2020, @11:51PM (#976771) Homepage

      > If you've got so much work that you need to bring it home

      Hello, time traveler or alien visitor! Our race is currently experiencing a pandemic, so most of us are quarantined and thus must work from home.

      --
      Join the SDF Public Access UNIX System today!
    • (Score: 4, Funny) by MostCynical on Sunday March 29 2020, @01:10AM

      by MostCynical (2589) on Sunday March 29 2020, @01:10AM (#976792) Journal

      is it nice, wherever you are? Is it an alternate universe, or a different planet?

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
  • (Score: 3, Informative) by acid andy on Sunday March 29 2020, @12:06AM

    by acid andy (1683) on Sunday March 29 2020, @12:06AM (#976773) Homepage Journal

    Tattle-Tale

    Whether you're using Zoom's desktop client or mobile app, a meeting host can enable a built-in option which alerts them if any attendees go more than 30 seconds without Zoom being in focus on their screen.

    That's why you do your mid-meeting web surfing on your second laptop, beside the machine running the Zoom client. Duh.

    --
    If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?
  • (Score: 2, Interesting) by Anonymous Coward on Sunday March 29 2020, @12:09AM

    by Anonymous Coward on Sunday March 29 2020, @12:09AM (#976774)

    American product made by programmers from Chyna, how much does this app call home just like everything else designed by CCP controlled China.

  • (Score: 2, Touché) by Anonymous Coward on Sunday March 29 2020, @12:12AM (1 child)

    by Anonymous Coward on Sunday March 29 2020, @12:12AM (#976776)

Not interested enough to even find out what Zoom is. I guess I am no longer included in "Everyone". Just remember, if I told you once, I have told you a million times, never exaggerate.

    • (Score: 0) by Anonymous Coward on Sunday March 29 2020, @12:33AM

      by Anonymous Coward on Sunday March 29 2020, @12:33AM (#976783)

      Here's some zoomies -- https://www.ebay.com/i/133127614034 [ebay.com]
      If you need a jargon-translation, happy to oblige!

  • (Score: 0) by Anonymous Coward on Sunday March 29 2020, @12:52AM (1 child)

    by Anonymous Coward on Sunday March 29 2020, @12:52AM (#976787)

    What is this zoom thing?

    You know, i'm no boomer (no offense to boomers), i used to be a hip computer programmer back in the dot-bomb days, partying at "raves" and shits.

    So, what is this zoom thing?

    • (Score: 3, Informative) by MostCynical on Sunday March 29 2020, @01:13AM

      by MostCynical (2589) on Sunday March 29 2020, @01:13AM (#976793) Journal

Zoom is a video chat program, like many other programs [ionos.com]

      For those unable or unwilling to leave home due to Covid-19, it enables meetings and social interaction without leaving the house.

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
  • (Score: 2) by opinionated_science on Sunday March 29 2020, @01:31AM

    by opinionated_science (4031) on Sunday March 29 2020, @01:31AM (#976796)

zoom, google hangouts, whatever else microsoft offers, apple lockin

    I couldn't care less - who needs to see anyone they talk with? Out of synch cues?

Having said that, this crisis has seen an uptick in zoom meetings - perhaps because of habit.

    Then we have slack the crap remake of all of the above...seriously,

    I miss xpp-chat....

  • (Score: 2) by Rosco P. Coltrane on Sunday March 29 2020, @01:41AM

    by Rosco P. Coltrane (4757) on Sunday March 29 2020, @01:41AM (#976797)

    Now That Everyone's Using Zoom, Here Are Some Privacy Risks You Need to Watch Out For

    Not that everyone's using [any online service], here are some privacy risks [you can't avoid because it's a fucking online service] you need to watch out for

  • (Score: 5, Insightful) by EJ on Sunday March 29 2020, @02:01AM (2 children)

    by EJ (2452) on Sunday March 29 2020, @02:01AM (#976803)

    Why in the fuck would I use Zoom? Who is this even useful for? Why do I want to look at someone's face? That's not useful information. If they want to have a useful meeting, then all I need to see is the presentation on their screen.

    • (Score: 2) by Common Joe on Sunday March 29 2020, @03:35PM

      by Common Joe (33) <common.joe.0101NO@SPAMgmail.com> on Sunday March 29 2020, @03:35PM (#976950) Journal

      Why do I want to look at someone's face? That's not useful information.

      Because sometimes we communicate with our body and face, not just our voice. In a small group, it can be a good thing.

      Personally, if someone is looking at their phone while I'm talking to them, it tells me a lot about how much they are paying attention. I usually call them out on it.

    • (Score: 2) by gtomorrow on Sunday March 29 2020, @08:02PM

      by gtomorrow (2230) on Sunday March 29 2020, @08:02PM (#977012)

      Obviously you are either a replicant or a psychopath...oh, if I only had a Venn diagram for this site.

      The most effective communication is two people face-to-face. While subjective projection exists in any similar situation, facial cues, body language, physical presence and tone of voice all augment language in communication. Information signal-to-noise ratio worsens in one-to-many situations.

Videochat (Zoom/Skype/Whatsapp/etc.) loses the physical presence and much of the body language. It's not pure communication as participants are aware of the camera on them; it's almost "breaking the fourth wall among friends/colleagues". Again, information signal-to-noise worsens in one-to-many situations (group chat/videoconference).

      Audio-only communication: All facial cues and body language are lost. Participants must rely solely on tone of voice and language.

      Written communication: All visual and aural cues are lost. Any "tone" is projected from the participant. Information is reduced to minimum. Your cited "presentation" is more or less included here.

That (so eloquently) said, I conclude with "why would anybody want to look at YOUR face?"

  • (Score: 2) by The Mighty Buzzard on Sunday March 29 2020, @04:43AM (6 children)

    What's Zoom?

    --
    My rights don't end where your fear begins.
  • (Score: 3, Insightful) by richtopia on Sunday March 29 2020, @08:00PM (1 child)

    by richtopia (3160) on Sunday March 29 2020, @08:00PM (#977011) Homepage Journal

There are others, but when I need a quick video conference/screen share solution I turn to Jitsi Meet (https://meet.jit.si). I don't host my own but they do have instructions if you are concerned for your privacy. Using Jitsi Meet is a very easy experience; mostly, just follow the link to connect.

    • (Score: 2) by gtomorrow on Sunday March 29 2020, @08:09PM

      by gtomorrow (2230) on Sunday March 29 2020, @08:09PM (#977015)

      JITSI?? I didn't know that still existed!

      I used to play with that just before Skype gained popularity (~15 years ago maybe?). I was always disappointed though: performance wasn't great, IIRC you had to sign up for a SIP number (which wasn't effortless) and...who the hell used it? I'm having enough trouble getting people to use Signal!
