Zoom is now 'the Facebook of video apps'
Yet another startup that takes our privacy. Seriously.
Given our uncertain and nightmarish times, I’m going to cut right to it. A lot of us are wondering just how full of shit Zoom is. Because right now, at the terrifying end of one era and the beginning of another whose shape has yet to be known, this is really not the time for startup jocks to bluff and blunder hundreds of millions of instantly vulnerable adults and kids about security and privacy.
Acting like Facebook — taking what you want and pretending to care when caught — is already beyond unconscionable, even more so now that we’re all fighting for our lives. We know that fight extends to our human rights and pandemic surveillance, with unethical profiteers and billionaire despots rushing in to see what they can get away with.
Which is why it’s especially cynical for many of us that Google banned employees from using Zoom’s shady desktop app on the same day that Zoom hired Facebook’s former security bobblehead as a consultant on its hazy privacy and security triage campaign.
Everyone working remotely:
ZOOM monitors the activity on your computer and collects data on the programs running and captures which window you have focus on.
If you manage the calls, you can monitor what programs users on the call are running as well. It's fucked up.— Wolfgang ʬ 🇹🇼 🇭🇰 (@Ouren) March 21, 2020
Organizations that have now banned Zoom include Google, Taiwan’s government, the German foreign ministry, NYC public schools (among others), Singapore’s Ministry of Education, SpaceX and NASA. Oh, and the FBI began issuing warnings about it last month.
On top of all that, a Zoom shareholder this week filed a lawsuit over its now-sliding stock price, accusing the company of “deliberately hiding security flaws in its platform.” Don’t confuse it with the other lawsuit, filed at the end of March over Zoom’s improper (and possibly illegal in California) data-trading deal with Facebook.
The Trump administration’s DHS Cybersecurity and Infrastructure Security Agency, on the other hand, loves it and thinks Zoom is doing a great job.
I’m sorry, I should back up. I know every day is ten years long now so let’s anger-cry our way through a Zoom highlight reel.
Uber, but for teleconferencing
When February became March, quarantine became the rule for most of North America. Zoom, a “unicorn” founded by a Valley billionaire, was a security- and privacy-challenged teleconferencing app for businesses that had already wormed its way into daily use by ten million users. Founded in 2013, the company achieved quick adoption through partnerships with businesses like Facebook, and probably the same greasiness and hubris wealthy founders enjoy. But also likely because the founder made his billions selling Zoom’s ugly, clunky first iteration, WebEx, to Cisco, and had the connections.
Anyway, quarantine life was a violent change for most people and absolutely brutal for many businesses and educational institutions. Zoom’s use spiked to 200 million in March. These new users were desperate people trying to keep their jobs, educate their children, seek help from doctors, and yes, families and everyday people scrabbling for a shred of normalcy (human connection) while a mysterious and terrifying virus began to endlessly fill refrigerated trucks with dead bodies outside their living room windows.
Why Zoom? Good question. One answer is certainly its ease of use and robustness. The video quality is consistently good, calls seldom get dropped, and the routine problems that plague other conferencing apps (like inconsistent or confusing UI) are far less common. Zoom also did things a whole lot of people really want from old fuddy-duddy apps like Skype; namely, customizable backgrounds, a Brady Bunch-style grid view, and more. You still needed to download a third-party app like Snap Camera or iGlasses to get cool filters, but whatever.
The answer to “why Zoom?” may also lie in the fact that while Zoom saw its profits explode thanks to a terrified and literally captive user base, its founder decided to give away unlimited memberships to K-12 schools in Japan, Italy and the United States. He started, of course, with what press described as “a prestigious school in Silicon Valley.”
Re: NYC blocking Zoom
I like Matthew a lot, but I don't feel this is a "dumb overreaction."
As a security admin overseeing 40K+ students and participating in communities serving over 1.5M students, I would love to shed some light on the difficulties Zoom has created for us. https://t.co/sruZap9VnA— Nathan McNulty (@NathanMcNulty) April 6, 2020
It’s probably cynical to think that while a trapped user base is good for the stock portfolio, a similarly desperate and non-tech-savvy set of captives is an atmosphere conducive to sidelining privacy and security concerns.
Which is what Zoom had years of — documented security holes, malware-like behavior, unmasking users on LinkedIn, shady data dealings, and privacy complaints — long before its newfound popularity. And well before pandemic-confined press and researchers began to expose Zoom’s extremely misleading claims about security and things like leaks of users’ email addresses and photos to strangers.
This isn’t to say “people should have known.” This is to say instead, Zoom should have been better digital citizens than that.
Aspirational malware
In 2018, security company Tenable found a Zoom vuln “that allows an attacker to hijack screen controls, spoof chat messages or kick and lock attendees out of meetings.”
The end of 2018 is also when people tried to raise the alarm about what happened when people installed Zoom on a Mac; basically that Zoom *also* installed its own web server that could re-install Zoom even if you tried to remove it. The server also introduced security holes that let attackers hijack Mac users’ webcams. At the time, Zoom’s CISO said this server was meant to “bypass a security feature introduced by Apple in Safari 12” — under the guise of saving people a click.
In 2019, The Register reported:
Leitschuh reported the problem to Zoom, along with a related denial-of-service vulnerability. He was offered a financial bounty, which he declined, because it was conditional on never publicly disclosing the bugs.
Zoom responded by changing the host's ability to choose whether the camera is enabled – but the fix regressed and Leitschuh also found that the iframe workaround mentioned above bypassed it.
2019 brought more of the same. The Electronic Privacy Information Center filed an FTC complaint alleging Zoom “committed unfair and deceptive practices,” saying the company “intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user’s web camera without the knowledge or consent of the user.”
Zooming in on the fine print
But that was then and this is now. When Zoom was suddenly in everyone’s homes, a lot of privacy-focused orgs were like, please no. Proton Mail delivered a laundry list of everything rotten about the company’s privacy practices, including the extremely scary privacy choices around who can see your private messages (and more). Then, the Intercept dissected Zoom’s claims and practices of end-to-end encryption, finding that the company had made up its own (misleading) definition of encryption — followed by Citizen Lab’s brutal report on Zoom’s terrible encryption practices.
As more articles came out about Zoom’s problems, Zoom finally started to take some action. For instance, two days after Vice’s report on the company’s Facebook iOS data sharing (including how it fed Facebook’s shadow profiles), Zoom removed the code that sent data to Facebook.
But the hits just keep coming. This month it’s nonstop.
Examples like “Zoombombing” — call hijacking — hit critical mass this month when attackers got organized. Zoombombs have included flashers, hate speech, porn, and threats. According to NPR, those affected include: “an Alcoholics Anonymous meeting in New York, Sunday school in Texas, online classes at the University of Southern California and a city meeting in Kalamazoo, Mich.” And Washington Post just reported that thousands of Zoom recordings of private meetings and calls were exposed online. These included therapy sessions, elementary school classes, business meetings and, because horny always finds a way, nudes.
Zoom is the Facebook of video apps
Zoom is the Facebook of video apps
Zoom is the Facebook of video apps
Zoom is the Facebook of video apps
Zoom is the Facebook of video apps
Zoom is the Facebook of video apps
Zoom is the Facebook of video apps
Zoom is the Facebook of video apps https://t.co/HPe9qXqBqu— Fight for the Future (@fightfortheftr) March 29, 2020
Look, people are already calling Zoom “the Facebook of video apps.” I guess they just had to complete the vicious cycle by hiring that Facebook security guy.
That’s Alex Stamos. He was Facebook’s CSO when Facebook got caught giving advertisers people’s security information (phone numbers users provided for two-factor security purposes) for ad targeting. When infosec folks complained about giving Facebook their phone number for two-factor and then got SMS spammed via the number they provided, Stamos attempted to soothe the betrayal by writing: “The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications.”
I’m sure Mr. Stamos will help Zoom get its security story together for prime time. It’s just a hell of a dark comedy PR move, at least if your perspective isn’t looking down from management. And that’s what got us here with Zoom, really.
What we really want to know is how this is all still happening. I mean, we know the system is broken; billionaire jerkwads and their bros get rewarded for exploiting us, ruining our lives, making us feel unsafe, destroying democracy, and get a big ol’ unicorn pat on the back for it.
They’ll never have true ethics and compassion for true otherness because they’ll never experience true consequences. They genuinely don’t have all-stakes relationships with people outside their class. Right now their jobs are secure, they just bought all this new stuff to stay entertained in quarantine, they have concierge doctors, they don’t really see that it’s a big deal. They never thought Zoombombing would be a real problem for anyone whose opinion or business matters to them, because they’ve probably never experienced the “poor people” (or working class, or scared) side of their product’s use. For them, privacy is like money, insofar as it is a moral reward for those who “deserve” it.
It’s no coincidence that the people most affected by COVID-19 are the exact same people who are marginalized, sidelined, excluded, left behind, exploited, and silenced by tech (and there are a lot of us).
How to survive a Zoombie apocalypse
The question is how this keeps happening to those of us who are lucky to know a little bit more about tech than our friends and family. And the answer right now is that the stakes are impossibly high, while the options are unbelievably bad. Think about it. Like all of us, schoolteachers suddenly woke up in The Walking Dead. Even if they had jumped on Google and searched “Zoom: best privacy and security practices” the search would have been meaningless — because Zoom’s bad practices were baked in and its statements could not be trusted.
In light of the privacy and security avalanche raining on Zoom right now, the company’s CEO is eager for all of this to go away. Eric Yuan told TIME that basically, he can’t wait for the pandemic to be over so they can go back to focusing on their enterprise customers. Er, as in, going back to the way it was before? When they were unmasking people’s employees, deceiving their enterprise customers about encryption, exposing businesses to vulns, and who knows what else?
Yeah. So.
I would like to encourage everyone, especially companies that have been skating by on BS privacy and security practices, to think of quarantine 2020 like one big, long, super-angry hacking and security conference. Because the 20,000 who normally attend Black Hat USA (or the 30,000 at DEF CON) may not be going this year. They’re certainly not at the security conferences they usually go to this time of year. The new hacking conference is your bad practices, Zoombros. And all those bored researchers get pretty mad when you put their families at risk during a goddamn pandemic.
Update: An earlier version of this story suggested the vulnerability Tenable found was not fully fixed and that a bounty was offered. These references were to a different vulnerability which is now reflected in the text.