Zoom Video Conferencing: A Checkered Past

Over the past few weeks, as the COVID-19 crisis has escalated, I've seen many friends and groups I am involved with flock to Zoom to keep in touch.


by flipperpa on March 29, 2020, 1:54 p.m.

UPDATE 2020-03-30:

Zoom has updated their privacy policy! Thank you to everyone who expressed concerns about the language of their privacy policy, given their track record. This seems to be a major step in the right direction, and they are on record saying they will never sell user data to third parties.

This is an important lesson. Privacy Policies and Terms of Service cannot be authored solely by lawyers looking to protect the company at the expense of user rights. While protecting the interest of the company is a necessary component, they must also be documents where you SAY WHAT YOU DO, so you can DO WHAT YOU SAY.

My original post follows, appearing as it was published yesterday.

Background

It is understandable that in a time of crisis, so many people have discovered Zoom to keep in touch via video conferencing. They offer a product with a fantastic feature set that is very easy to use. Now that the immediate need to stay in touch has largely been met, we should all take a step back and look at what options are available to stay in touch. Zoom has a questionable track record when it comes to data privacy, security, and anonymity. When we create video conference meetings, we are not just responsible for our data: we are responsible for the data of everyone we invite to the meeting, who may not be as technically savvy as we are.

When I see therapists, doctors, government officials, and recovery groups using Zoom, I worry that people have not considered the privacy implications. These are situations where privacy and anonymity are absolutely essential, and many people using Zoom seem unaware of the privacy, security, and anonymity risks that come with trusting a company with a questionable track record. You can search for more examples beyond what I cover here as well, and make your own decision.

Zoom's Past

Last week, Zoom was found to be sending data from their mobile apps to Facebook without notice to or permission from the user, regardless of whether the user had a Facebook account. They have claimed this was an honest mistake, and have since updated their software to stop sending data to Facebook. But this is worrisome for a company with a checkered privacy track record. If I ran a company which had privacy issues in the past, I would be extra vigilant to ensure that lapses like this did not occur. At best, it gives the appearance of a company "asleep at the wheel" when it comes to privacy concerns. If this hadn't been found, this data would still be sent to Facebook. Zoom was doing this for both the free and paid versions of their product.

This comes on the heels of what happened just last year, when Zoom installed a back door into users' operating systems to allow them to automatically turn on the camera. Not only is this a major violation of decency and privacy, but they also introduced a bug that would allow anyone - not just the Zoom program - to activate the camera on the user's computer. In addition, they installed a web server on users' computers without their knowledge, a huge security flaw for people who are not Systems Administrators. This occurred for users of both the free and paid product.

Zoom's Current Privacy Policy

To download and use Zoom, all users must agree to their privacy policy. This is regardless of whether the meeting is using a free or paid version of Zoom. In a recent blog post at Harvard University, Doc Searls (former editor-in-chief of the Linux Journal) reviews the privacy policy, ending with this chilling quote:

What Zoom's current privacy policy says is worse than "You don’t have any privacy here." It says, "We expose your virtual necks to data vampires who can do what they will with it."

Forbes has recently posted an article on many of the concerns as well:

On the surface of it, Zoom's privacy policy is similar to the likes of Facebook and Google–it collects and stores personal data and shares it with third parties such as advertisers. But Zoom's policy also covers what it labels "customer content," or "the content contained in cloud recordings, and instant messages, files, whiteboards ... shared while using the service."

This includes videos, transcripts that can be generated automatically, documents shared on screen, and the names of everyone on a call. Consumer Reports points out that your instant messages and videos can be used to target advertising campaigns or develop a facial recognition algorithm, like videos collected by other tech companies. "That's probably not what people are expecting when they contact a therapist, hold a business meeting, or have a job interview using Zoom."

There Is a Solution: Alternative Video Conferencing Platforms

Zoom has the best set of features and is among the easiest-to-use video conference solutions out there. With such a good product, it baffles me why they continue to have some of the worst data protection practices I've seen from a company. I have been asked, "But aren't Facebook just as bad?" Yes. But people aren't required to use Facebook to see a therapist or join a recovery meeting. Facebook participation is optional, and there's a big difference between seeing a doctor and sharing pictures of your pet.

If you want more detailed information, I encourage you to explore the in-line links throughout this post. People are relying on these Zoom meetings for crucial services, and they shouldn't have to choose between the security of their personal information and life-saving essential services. There are lots of alternatives to Zoom from companies with better track records when it comes to personal information; I haven't used them all, but here is an alphabetical list of potential alternatives:

  • BlueJeans: while it doesn't have all the features of Zoom, and there isn't a free version available, it is very affordable and the company has an excellent stability, security, and data privacy track record.
  • Google Hangouts: this product still has issues with larger groups, and like many, I have mixed feelings about Google, as their entire business is built around advertising data. But if you're already using the Google ecosystem, this may be an option.
  • GoToMeeting: another videoconferencing option, from LogMeIn.
  • Jitsi: a free, open-source video conferencing platform that you can host yourself (if you know what you're doing!)
  • Skype from Microsoft: people have mixed feelings about Microsoft, but they have a good track record at protecting private user data.
  • WebEx from Cisco: a professional video conference meeting solution with affordable monthly options.

In closing, please remember: if you're not paying for something, you are the product. How much is your most private data, information, and interactions worth? Those of us who are creating video conference meetings are shepherds for the less technically savvy people in our lives who may be joining the meetings we create. We must take that role seriously, and have trust in the companies that run these platforms. Until Zoom turns over a new leaf with a new privacy policy, I can't in good faith recommend them.