A few other meeting apps have dark patterns like this. One of my favorite things about Hangouts Meet is it's web first.
Maybe it's like IRC vs all the other IM "solutions", except with an even larger difference in userbase.
Edit: looks like Zoom does use SIP too, but it's not that obvious how to use your own client: https://support.zoom.us/hc/en-us/articles/201207626-Video-La...
Recruiters sometimes ask me to turn my video on during interviews… I politely decline and move on to other opportunities.
Their app is so privacy invasive, I cannot understand why people keep using it, especially considering the 2018 vulnerability [2].
Feross Aboukhadijeh talks about Zoom security problems in Stanford’s CS253 Web Security course [3][4].
[1] https://zoom.us/zoomconference
[2] https://www.tenable.com/blog/tenable-research-advisory-zoom-...
Since you mentioned Google Meet, I recently tried that with a group of 6-7 people, and it only lasted about 10 minutes before multiple participants (myself included) started having issues. It seems like it needs more time to bake, but since we're talking about Google, it's probably unlikely to ever receive that time before they kill it and reinvent it a year later.
Interesting. Thank you!!
Encryption is also off by default? Why is this?
The Zoom App also collects screenshots and transcriptions of shared data. This is fine if you are Facebook or Google.
Also reading the EFF article on Zoom I feel like these are great usability features. The issue is if Zoom collects and stores the information.
"Hi, attention tracking feature is off by default - once enabled, hosts can tell if participants have the App open and active when the screen-sharing feature is in use. It does not track any aspects of your audio/video or other applications on your window."
Points to this article: https://support.zoom.us/hc/en-us/articles/115000538083-Atten...
Not exactly the gravity touted in the linked twitter thread, saying "If you manage the calls, you can monitor what programs users on the call are running as well". No proof of that...
Kinda scared by how much a single tweet can make something blow up, without a shred of evidence backing the claims up.
> If attendees of a meeting do not have the Zoom video window in focus during a call where the host is screen-sharing, after 30 seconds the host can see indicators next to each participant’s name indicating that the Zoom window is not active.
It doesn't seem too invasive, although of course it'd still be annoying if you have two monitors etc.
As far as I've been able to determine, there is no collection of "apps" or other data, just "not paying attention" time.
It seems like it trades a lot of privacy for something students will evade with no effort at all.
For example:
1. Zoom knows it’s not focused on Bob’s machine, and notifies Bob that someone has begun sharing their screen.
2. Zoom knows it’s not focused on Bob’s machine and notifies Sally of this.
Scenario 1 seems acceptable and helpful. Scenario 2 is invasive and unnecessary.
To have an open source alternative. Want videoconferencing on your own site? You can! See here for instance.
We have a harder challenge of making all the SDP offers work cross browser, but Chrome should def work.
Code: https://github.com/Qbix (If you like it, star it lol ⭐️)
Contact me if you want to learn how to use the Qbix platform. I will be teaching classes and putting them online. We are following the WordPress model. My email is in https://qbix.com/about
Quick question for the networking experts here... with everyone connecting from home, what percentage are behind a LAN firewall that you need to use TURN servers? What if you avoided those servers and made peer to peer infra entirely, how many people would we lose?
(Is a complete graph of everyone sending to everyone worse than an SFU once you get too many users? Isn’t it exactly the same number of streams, just in a star topology? Can’t we just nominate a few of the browsers to do what the SFU does, namely forwarding video to the others? Is the issue only with resolution?)
From home? Essentially 100%.
> that you need to use TURN servers?
That's less clear. I'm not sure how many home firewalls are impenetrable by STUN as well. I worked on Twilio's WebRTC-based audio product back in 2012-2014. In the beginning we only supported STUN. We did get some customer support requests about initial connection failures (which I mostly attributed to STUN failures), but never kept track of stats on what the success/fail ratio was. We eventually added TURN support (after I left that product team), but based on how long it took us to do that, my guess would be STUN was effective for most setups. Also consider that many (most?) of our users were probably behind restrictive corporate firewalls, and I'd expect home firewalls to be more lenient.
IIRC this is basically what Skype did back when it was P2P; those clients were called supernodes and would route calls for clients that could not be directly P2P. To be a supernode you needed to be internet-routable and have good bandwidth.
Supernodes could be used for hole punching or to relay calls (as you talk about).
See more here: https://en.wikipedia.org/wiki/Skype_protocol
About the same time this story broke I interviewed for a Paris based AppSec company and their CTO asked me to install Zoom. It was really awkward because I had to ask: "Is this a trick question??"
Seriously, I wouldn't touch Zoom with a 20-foot stick!
[1] https://medium.com/bugbountywriteup/zoom-zero-day-4-million-...
> Whether you have Zoom account or not, we may collect Personal Data from or about you when you use or otherwise interact with our Products. We may gather the following categories of Personal Data about you:
> - Information commonly used to identify you, such as your name, user name, physical address, email address, phone numbers, and other similar identifiers
> - Information about your job, such as your title and employer
> - Credit/debit card or other payment information
> - Facebook profile information (when you use Facebook to log-in to our Products or to create an account for our Products)
> - General information about your product and service preferences
> - Information about your device, network, and internet connection, such as your IP address(es), MAC address, other device ID (UDID), device type, operating system type and version, and client version
> - Information about your usage of or other interaction with our Products (“Usage Information”)
> - Other information you upload, provide, or create while using the service ("Customer Content"), as further detailed in the “Customer Content” section below
[0] https://twitter.com/zoom_us/status/1241768006327336963
[1] https://www.schneier.com/blog/archives/2019/07/zoom_vulnerab...
- General information about your product and service preferences
- Information about your device, network, and internet connection ...
- Information about your usage of or other interaction with our Products
- Other information you upload, provide, or create while using the service
Does Zoom sell Personal Data?
No part of that paragraph makes me feel better, and it ends with this...
" If you opt out of “sale” of your info, your Personal Data that may have been used for these activities will no longer be shared with third parties."
My problem with this isn't the info they collect, it's how they would collect it, which this privacy policy doesn't seem to clarify.
As it stands, this policy technically gives them the right to crawl through all my personal files or even listen using the microphone to search for and collect this information.
I'm not saying they are doing this, but the policy is not reassuring. I wish there was enforced legislation (so GDPR is excluded, as regulators don't give a fuck) to curb this. There should be a legal requirement describing exactly the information collected, how it is collected, transmitted, sorted and which third parties it is given to, if any.
Zoom isn't actively scraping your info, and there's 0 evidence of anything in the Tweet.
Translation: "Yeah, that's one of the parts where we really screw you, but you don't have a choice, lol."
There is an incentive to do so and they have taken measures to legally protect themselves if they do. That's grounds enough for alarm, even without evidence of them actually doing it.
That being said, I don't see anything surprising on the list.
> such as your name, user name, physical address, email address, phone numbers, and other similar identifiers
That sounds like billing information.
https://support.zoom.us/hc/en-us/articles/115000538083-Atten...
Seriously, you've given this information to any service you've ever signed up for and / or ran.
[1] see news from ca. July 2019
I certainly avoid mixing activities (I don't have access to a company computer at home, but I don't use the work computer or network for personal stuff).
After reading this, I've deleted it too. Super weird.
ETA: Checking the dpkg file listing shows that everything goes into /opt/zoom except a /usr/bin/zoom symlink to /opt/zoom/ZoomLauncher.
https://www.zdnet.com/article/zoom-defends-use-of-local-web-...
Still seeing loads of red flags in mainstream media. This is not a secure business tool.
Because right now, people have much more pressing matters and need to communicate.
1. When the call quality is less than 100%, it is difficult to attribute this blame to the other person, my equipment, my connection, or the service provider. A heartbeat signal could fix this.
2. When somebody else is presenting, I can't point on THEIR screen. I have to fumble through "higher, higher, too high, it's on the bar, do you see the bar?, yes, click on that one, you're right it doesn't really look like a pencil does it?"
The documentation is a bit lacking, but it's actually a very capable system for unifying voice, video and chat communications – and a whole lot more.
No wonder it's such a great little product.