Exposing Zoom


proprietary surveillance

Foreword

I often feel like my posts can come off as preachy. So this post is going to be a different than usual. This time, I want to include more facts. This post is for the people that don’t necessarily share my opinion that all software should be free (as in freedom). My hope is that this will speak to a wider audience.

Scale and Growth

To start off, I want to give you an idea of the scale of Zoom. Zoom is a video and audio conferencing platform for desktop and mobile devices. According to Zoom’s blog from 22 April 2020, Zoom CEO Eric S. Yuan said in a webinar that Zoom has surpassed 300 million daily Zoom meeting participants. This does not mean that Zoom has 300 million active daily users, but 300 million participants in Zoom calls daily. For example, one user may participate in several Zoom meetings and be double-counted. So the 300 million does not correspond to the number of users. Nonetheless, 300 million is no small number. For comparison, the U.S. population is estimated to be about 329 million during the time of this writing.

But Zoom didn’t always have such a huge user base. The Coronavirus pandemic causing people to work from home is what skyrocketed their numbers. According to Zoom’s Blog post, “Usage of Zoom has ballooned overnight - far surpassing what we expected when we first announced our desire to help in late February. This includes over 90,000 schools across 20 countries that have taken us up on our offer to help children continue their education remotely. To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid. We have been working around the clock to ensure that all of our users new and old, large and small can stay in touch and operational…our platform was built primarily for enterprise customers large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices”. Eric S. Yuan. (2020, April 1). Retrieved May 24, 2020 from Zoom, Zoom blog, https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/.

Terms of Service

“ACCESSING THE ZOOM WEBSITE OR BY UTILIZING THE ZOOM SERVICES YOU AGREE TO BE BOUND BY THESE TERMS OF SERVICE AND ALL EXHIBITS, ORDER FORMS, AND INCORPORATED POLICIES” Terms of Service. (2020, April 13). Retrieved May 23, 2020 from Zoom, Zoom terms of service website, https://zoom.us/terms. This means that even using the Zoom website or web app instantly binds you to the terms of service of Zoom whether you know about it or not. Section 2d.i states that you are prohibited from reverse engineering Zoom services. Since Zoom is proprietary, you can’t investigate the source code to figure out what it’s doing. Worse than that, the terms of services denies you to even try to figure out how Zoom works or what it does behind the scenes or help anyone else do so. This means that independent security audits of Zoom software are not possible unless Zoom gives up their source code. Therefore, any of the claims Zoom makes about security, encryption, data protection or privacy are impossible to verify without breaking the law. You just have to take their word on it.

According to section 2d.iv, you may not transmit materials that infringe intellectual property. This means if you have music playing in the background of a Zoom call or a movie playing on your television on in the background, you could be breaking Zoom’s terms of service without even trying. Section 2d.vi says you cannot “use the Services to communicate any message or material that is harassing, libelous, threatening, obscene, indecent, would violate the intellectual property rights of any party or is otherwise unlawful, that would give rise to civil liability, or that constitutes or encourages conduct that could constitute a criminal offense, under any applicable law or regulation” Terms of Service. (2020, April 13). Retrieved May 23, 2020 from Zoom, Zoom terms of service website, https://zoom.us/terms. I’m not a lawyer so I can’t interpret this, but the language seems to place broad restrictions on what you are allowed to say over Zoom. Section 15 also says you cannot use Zoom while in a “high-risk” environment.

In section 7d, the terms say that Zoom “content” can be turned over to law enforcement. Section 2b seems to define content as anything that is transmitted from you to Zoom. For example, audio, video, text messages, etc. including metadata is all accessible to law enforcement at any time.

Privacy Policy

The privacy policy is always where it gets interesting for tech behemoths. So let’s dive in. Here is a list of data Zoom collects: account owner name, billing name, address, payment method, phone number, language, password, title, department, cloud recordings, instant messages, files, whiteboards, voice mails, and “other information shared while using the service”. This is mostly data that you explicitly give to Zoom. Let’s look at the technical data that you may not even know you are giving Zoom: IP address (who you are online), MAC address (unique to your device), “other device ID”, device type, operating system type and version, client version, type of camera, microphone or speakers, connection type, the nearest city you are in, whether you use VoIP, mobile or desktop client, whether you join with video on or off, if your meeting has a password or waiting room or allows screen sharing, how long the meeting was, your email or other identifying information, join and leave time, name of the meeting, date and time of the meeting, chat status, and call data records. For a service that claims to protect user privacy and not sell data to advertisers, that’s a lot of non-essential data being collected.

Recordings

The recordings section is explaining that anyone in a Zoom call can record a meeting on their local device and save it and that Zoom acknowledges they have no control over this. Despite this, Zoom Phone makes it easier for customers to record calls. “Zoom Phone allows customers to record phone calls, receive voice mail recordings, and obtain transcripts of voicemail, all which may contain personal information and also be stored in our cloud”. Privacy Policy. (2020, March 29). Retrieved May 23, 2020 from Zoom, Zoom privacy policy website, https://zoom.us/privacy. Creating the transcripts happens automatically which means that the audio data of a call is fed into some automated system which has to listen to the call to create the transcript.

Attention Tracking

The section on attention tracking in the Privacy Policy explains that if the host of the meeting is sharing their screen, they can activate a feature called “attention tracking”. This means the host can see whether or not the participants have the Zoom window open or are doing something else. This gives whoever the host might be (employers, teachers, etc.) power to invade the participants’ computers (employees, students, etc.) to check if they are paying attention or not. Zoom does not give participants any kind of forewarning that what they are doing on their own computers is being monitored and sent to the host other than it being buried in the Privacy Policy which, let’s be real, nobody reads. And even if people did read it, they still are not in a position to understand the significance of some of the data collected on them like IP address, MAC address, etc.

It’s peculiar how Zoom website obviously tries to give the overwhelming impression that you can trust the software, yet it’s against their terms of service to reverse engineer it and their own privacy policy shows they collect enormous amounts of data that isn’t strictly necessary or relevant to video conferencing. Do they really need your MAC address or know which OS you’re using? But not only does Zoom obtain data when you are using Zoom. They obtain data from you even when you are not using their service.

Their own privacy policy says they collect data about you from Google Analytics and Google Ads. Google analytics can run in your browser as Javascript that watches what you do and collects data on you as you browse the web. If you don’t know how to block Javascript, Google Analytics could be watching you in the background on any website without you even knowing it’s there. Zoom also collects data from “Data Enrichment Services”, and public sources. This could be just about anything from your social media accounts to arrest records. One way this is done is through tracking cookies.

Cookies Policy

On the Cookie Policy page, it starts off explaining how cookies work. Essentially, cookies are any data a site can store in the browser. They can persist across browsing sessions and unfortunately they are used to track you across the web. I want to pay special attention on the Cookie Policy page to the analytics subtype under functional cookies. “Zoom uses cookies and other identifiers to gather usage and performance data…This includes cookies from Zoom and from third-party analytics providers”. Cookie Policy. (2020, January 1). Retrieved May 23, 2020 from Zoom, Zoom cookie policy website, https://zoom.us/cookie-policy. Notice the important line about how they use third-party analytics providers. How is it possible for Zoom to ensure your data is protected if they use third party analytics providers of which they don’t control the data? It’s not. We know Zoom uses Google Analytics, and we know that Google’s business model is centered around collecting data on its users and selling it for profit.

Despite claiming they protect your data, they have advertising cookies. The interest-based advertising section states “Zoom uses cookies to collect data about your online activity and identify your interests so that we can provide advertising that is most relevant to you. You can opt out of receiving interest-based advertising from Zoom as described in the How to Control Cookies section of this cookie policy and in our Privacy Policy. Users who opt out of the “sale” of their personal information won’t receive interest-based advertising from us on their device. Note: If you opt out of interest-based advertising, we store your opt-out preference in a cookie on your device”. Retrieved May 23, 2020 from Zoom, Zoom cookie policy website, https://zoom.us/cookie-policy.

There is a lot there. They collect interest-based data on you automatically. That is, unless you opt-out. Notice it’s not opt-in. The default is collecting your data. You have to know it’s happening and then choose to opt out which a lot of the more non-technical users of Zoom aren’t going to figure out how to do. I personally find it condescending how they put “sale” in quotes like that’s not exactly what they’re doing. Further, when you opt out, the fact that you want opted out is stored in a cookie. So if you try to clear tracking cookies from your browser, you might accidentally clear the cookie which says you don’t want to be tracked. This also means if you switch browsers or devices, or ever clear your browser cookies, the preference is forgotten and you have to remember to reactivate it every single time. And until you do, you are being tracked by Zoom cookies. Even if you opt-out, there’s no guarantee that Zoom doesn’t enable a feature to get the same information out of you a different way without using cookies. Again, it’s impossible to know because it’s against terms of service to reverse engineer Zoom.

“Some of our websites and Products include code snippets provided by social media companies that can sense if you are already logged into a given social media account so you can easily share Zoom content with other social media users via that account”. Retrieved May 23, 2020 from Zoom, Zoom cookie policy website, https://zoom.us/cookie-policy. This means sites like Facebook and Google know you are using Zoom services and what page you are on. Social media sites use tracking cookies to track what websites you visit. Social media sites shouldn’t be allowed to know that. Nevertheless, they are found on Zoom’s website and services, the videoconferencing platform that “cares about your privacy”.

Third Parties

Zoom gives your data to third parties. On their subprocessors page, they list the following third parties which they give your data to: People.ai, Zendesk, Wootric, Totango, Answerforce, Rocket Science Group LLC, Five9, EPS Ventures, WKJ Consultancy, Salesforce, CyberSource, Adyen, Zuora, Amazon Web Services, Oracle America Inc, and Bandwidth. We will ignore the 3 third parties related to billing (CyberSource, Adyen, and Zuora) since if you’re not paying Zoom it probably doesn’t apply to you. That still leaves 13 subprocessors each with their own privacy policies and their own third parties. You can see very quickly how the amount of third parties your data is being shared with grows exponentially. 11 of the 13 relevant third parties are under US jurisdiction. Since the 2013 Snowden leaks, We know that the U.S. government performs massive dragnet surveillance on US-based companies without any oversight, so it’s probably safe to say that the U.S. government is collecting Zoom data from either Zoom itself or Zoom subprocessors.

Weasel Words

Here, Zoom is trying to weasel out of the fact that they are selling your data: “As described in the Zoom marketing sites section, Zoom does use certain standard advertising tools on our marketing sites which, provided you have allowed it in your cookie preferences, sends personal data to the tool providers, such as Google. This is not a “sale” of your data in the sense that most of us use the word sale…It is only with the recent developments in data privacy laws that such activities may fall within the definition of a “sale”". Retrieved May 23, 2020 from Zoom, Zoom Privacy Policy website, https://zoom.us/privacy.

Sadly, Zoom’s privacy policy is right. When Zoom gives your data to Google, they are not “selling” your data in the traditional sense that most people understand the word sale to mean. The part Zoom left out is this. Most people wouldn’t understand it as a sale because you’re not paying for the service with money. You’re paying with your data which is far worse. Zoom allows Google to collect and sell your data and in return, Zoom receives services from Google such as analytics without explicitly paying Google for it. Put simply, Zoom pays for Google services with your data. You are the product. Google gets the valuable data to sell, and in return they process it and make it available to Zoom to improve their software or whatever else. This has been Google’s business model for a very long time now and just because most customers don’t think of the word “sale” that way doesn’t mean they wouldn’t expand their definition if they understood the business model.

This is tantamount to saying “Zoom isn’t really selling customer data because customers don’t understand Zoom’s business model”. That way Zoom can confidently say they aren’t selling customer data misleading customers to think that their data is safe. It’s absurd. The essence of what Zoom is doing is a sale. It’s a value transaction of customer data for service. If that isn’t a sale I don’t know what is. They also use the word “standard” to make you feel safer. Standard doesn’t mean secure. Google analytics and social media tracking cookies may be standard, but that doesn’t mean they are good, or even acceptable. It’s an example of the bandwagon fallacy.

Citizen Lab Findings

I already mentioned how Zoom must provide data to the U.S. government, a member of the Five Eyes. But Zoom provides data to China as well. Citizen Lab, an interdisciplinary laboratory at the University of Toronto, reported several troubling findings on 3 April 2020. I’ll just go over the key findings and expand on them.

Zoom claimed to use AES-256 in their security whitepaper, however Citizenlab found that they actually use AES-128 in ECB mode. Anyone that knows about block cipher modes knows that ECB mode is not suitable for video conferencing. Citizen Lab included the classic example of the ECB penguin, which is why you don’t use ECB mode for large files. Any audio or video conferencing over ECB would be as secure as the penguin image on the right, not very secure. Worse yet, the encryption keys were found to be generated by Zoom servers in China even when all meeting participants were outside of China. So the Chinese authorities could get the keys and decrypt Zoom communications of children in K-12 classrooms, U.S. courts using Zoom, meetings between government officials, college students, and everyday Americans as well as non-Americans and other countries that used Zoom.

Citizen Lab also shows Zoom advertising their use of end-to-end encryption. End-to-end encryption means only the communicating parties are able to decrypt the communication. Clearly, with the encryption keys generated on the Zoom server itself, that’s not possible. Zoom can decrypt your communications. Citizen Lab also claims that they found a “serious security issue” with Zoom’s waiting room feature, advising users not to use waiting rooms if they care about meeting confidentiality.

FBI Warnings

On 30 March 2020, Boston FBI issued a warning about using Zoom. According to the warning by Setera (30 March 2020) “The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language”. This is followed by advice of what to do to prevent Zoom-bombing. But Zoom is not innocent in this because it was possible to scan for random meetings to join. It doesn’t strike me as a very useful or necessary feature. Zoom is for teleconferencing. Most meetings will have a specific purpose and the participants don’t want random people joining in to disrupt the meeting. So it doesn’t make sense to me why this was a feature in the first place. To make matters worse, the FBI report explains Zoom didn’t have passwords enabled by default for meetings until January 2020.

Zoom’s Response

It wouldn’t be fair for me to criticise Zoom without also pointing out steps they have taken to address the platform’s many problems. First, I want to focus on their April 1st blog post. Eric S. Yuan claims (April 1, 2020) “Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment”. I would like a full list of these enterprises so I know not to trust their “security reviews”. Frankly, 128-bit AES in ECB mode is an embarrassing rookie mistake. It basically only happens when you don’t know what you’re doing. Just looking at Zoom’s track record of horrible security and privacy that I’ve outlined above, I don’t see how thousands of “exhaustive security reviews” could miss so much.

In that blog post, Yuan mentions the increased outreach and video tutorials. But security mistakes caused by user error are not really in the scope of this post. One of the first things the post mentions is that on March 27th, the Facebook SDK was removed from the Zoom app on iOS. It’s astounding to me that Yuan can claim in the same blog post detailing the removal of the Facebook SDK that (March 27, 2020) “Our customers’ privacy is incredibly important to us”. This is insane. If customer privacy was important then the Facebook SDK would never ever have been in the Zoom app. Facebook is an absolute surveillance monster. The SDK spies on people that don’t even use Facebook. Apps that really care about privacy don’t touch anything Facebook or Google with a ten foot pole. Some information sent by the Facebook SDK was: Application bundle identifier, application instance ID, application version, device carrier, iOS advertiser ID (gross), iOS device CPU cores, iOS disk space available (why???), iOS device disk space remaining, iOS device display dimensions, iOS device model, iOS language, iOS timezone, and iOS version. This doesn’t happen by accident. At some point, a developer for Zoom wrote some code for the iOS app to make it send that device information to Facebook on purpose. For a teleconferencing app, the Facebook SDK is absolutely unnecessary. Zoom only remove the SDK after being called out. for it. This is an example of being reactive to security and privacy issues, not proactive.

Reactive, Not Proactive

The Facebook SDK isn’t an isolated case either. Zoom didn’t start caring about user privacy until they had to start caring about it due to increased media pressure. Here’s a Zoom blog post on April 1st about Zoom encryption practices. In the following quote, we can see Zoom trying to weasel their way around not having end-to-end encryption by redefining words again. Oded gal posted (April 1, 2020) “…we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it…". When in doubt, just change the meanings of words so you don’t look bad. In Zoom’s defense, they don’t use end-to-end encryption that way legacy protocols can be supported. Protocols such as H.323, SIP, and PSTN don’t work with end-to-end encryption. In my personal opinion, these are good reasons to abandon the PSTN (public switched telephone network) and other legacy protocols that don’t support end-to-end encryption. In the year 2020, end-to-end encryption should be ubiquitous and we should reject any applications not using it.

Another absolutely disgusting thing is that Zoom lied to customers again about not selling their data: “…we do not sell our users’ data, we have never sold user data in the past, and have no intention of selling users’ data going forward” Eric S. Yuan. (2020, April 1). Retrieved May 24, 2020 from Zoom, Zoom blog, https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/. They did permanently removed the attention tracking feature which never should have existed to begin with. There is no mention of removing Google Analytics though.

90-Day Plan

To play devil’s advocate, I can go through Zoom’s 90-day plan focusing all their resources on security and privacy to fix their platform. A few things they have done so far: only the host can screen share by default, participants need consent to be unmuted, audio indication for the waiting rooms, removing Giphy, and giving the host more control over the meeting. They also published a draft crypto design to redo their cryptography. It is apparently available for peer review on Github. It’s still early to see where all this goes. But given that Zoom hasn’t ever owned up to selling user data in exchange for service, I don’t have my hopes high.

Use Jitsi Instead

Zoom is a proprietary platform. This means it is essentially a black box. As I mentioned earlier, this means it will always be less trustworthy than free software video conferencing solutions such as Jitsi. The Tor Project recommended using Jitsi instead of Zoom. I haven’t done much research on Jitsi yet, but if the Tor Project is saying to try Jitsi, I would use it over Zoom any day. It’s also cross-platform and features actual end-to-end encryption. Even if Zoom implements end-to-end encryption, how can you trust it if it can’t be independently reviewed by anyone and no one outside of Zoom can see the source code? How can you trust the implementation on desktop or mobile platforms? In short, you can’t. No platform is perfect, however there are more secure and less secure solutions out there. And in general, you want to avoid proprietary programs because they cause the incentives to be aligned in such a way that Zoom will always have reasons to insert privacy-corroding features into their platform.

When no one except you or your organization can see the source code, there are incentives to insert malicious pieces of code that benefit you at the user’s expense. Jitsi does not have the same incentive structure because it’s free software. Anyone with the know-how can look over the code and see if something fishy is going on. This will never be true of Zoom. Zoom has no reason to ever give away their source code and make their program trusted free software. Part of the reason I dropped out of my classes at my university was because Zoom because being forced on us students and I refused to use it.

Call to Action

I’m not saying you, the reader, should go as far as I did. I’m just saying if we, as a society, want to live in a world where we are given more privacy and security in our digital lives, then we have to say no to platforms like Zoom. If we don’t, we will move ever closer to some kind of dystopian surveillance hell, assuming we aren’t already there. Ask yourself this question: If you don’t reject these untrusted proprietary platforms with a horrible track record, then who will? How many people do you know that would reject Zoom if their boss or professor told them to use it? The demand for our digital rights back has to start somewhere, before it’s too late.