
That Zoom shut down accounts and calls where people were talking about Tiananmen Square is bad enough. But you need to understand the subtext: Zoom says that their calls are encrypted and private, and yet they can monitor them.

Those two things are mutually exclusive. This entire video chat system is built on a foundation of lies and backdoors.

washingtonpost.com/technology/

They don't mean it is end-to-end encrypted.
They can livestream your meeting on YouTube, if you have given them your YouTube credentials. They also allow company administration to view their employees during a meeting.

They can say it is encrypted because they use HTTPS. Your stream is encrypted on your computer and then sent to Zoom. It is decrypted there. And then it is encrypted again from their server to everyone else in the meeting.
@cyberpunklibrarian

They do have E2EE (end-to-end encryption), but many features people use, such as screen share, are unavailable in E2EE for some reason.

I also explained it in my blog: murtezayesil.me/digital-cleans

@cyberpunklibrarian

@murtezayesil That’s exactly my point — Zoom puts itself out there as a safe and secure service where your meetings are encrypted and everything is locked away.

Except for this stack of caveats, exceptions, and disclaimers.

I cannot fathom why so many businesses are relying on this service after so many incompetencies, missteps, hacks, and abuses of power. It’s not safe, it’s obviously monitored, and they’ll shut you down if someone doesn’t like what they’re hearing.

What exception?

As far as I know, there are no exceptions. Everyone using Zoom with default configuration is equally monitored.
@cyberpunklibrarian

@murtezayesil I'm talking about the exceptions to the E2EE system and the encryption itself. Zoom tells you your meetings are safe and encrypted.

Except if you're not using the full E2EE system... which isn't the default. Even then, I have my own doubts about how effective their E2EE system is.

Zoom doesn't monitor your meetings. Their privacy and security page says they don't. zoom.us/privacy-and-security

Except they obviously do.

@cyberpunklibrarian @murtezayesil I mean, WhatsApp is end to end encrypted too. They just listen in on your local client because hey, you gotta use their client as well as you use Zoom's.
So end2end only means it's encrypted on the way, it doesn't mean they're not sending a second copy somewhere else or do some local analysis or whatever...

@murtezayesil @cyberpunklibrarian It is not technically impossible. They just want to discourage users from enabling E2EE, and let them be ignorant of what merit E2EE should provide.

Their term "Enhanced security" is not really an enhanced one, unless E2EE is either enabled or forced.

@cyberpunklibrarian The calls are encrypted to and from their servers; this is normally what encryption means on the internet. I think they made it sound like they were going to implement end-to-end encryption, which would mean they couldn't monitor the contents of calls, but that's been known to not be true for some time now.

@dreadfulscribbler @cyberpunklibrarian If that's the case then encryption is honestly a waste of processing power on that service. tbh. :blobglarenervous:

@Jo @dreadfulscribbler E2EE is available, but optional, and there are limits to what you can do versus what you can do with their regular encryption. So it's not the default.

Zoom also claims not to monitor meetings or their contents, and ya know... that might be true.

But if so, they seem to be copacetic with other entities monitoring their meetings and contents. They'll certainly take action based upon someone else's monitoring.

@cyberpunklibrarian @Jo It seemed like they could have been getting the information from publicly advertised events, so they wouldn't need to actually watch/listen in for that.

@Jo @cyberpunklibrarian
Without encryption between users and servers, anyone in between (e.g. your ISP, whoever runs the wifi, etc.) can monitor and change the data, for example copying all your login details, adding extra ads to webpages, or serving completely different sites to the ones you asked for.

So it's still useful, but you can only trust it as much as you trust whoever runs the server.
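The two posts above describe hop-by-hop encryption (the server decrypts and re-encrypts) versus end-to-end encryption (only the participants hold the key), and why the transport layer still matters against an ISP or wifi operator. Below is an added illustration of that distinction; it is not code from anyone in this thread and has nothing to do with Zoom's actual implementation. It models a relay server between Alice and Bob with a toy encrypt-then-MAC cipher built from HMAC-SHA256 (a stand-in for TLS); all keys and messages are constructed for the example.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: keystream from HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with sub-keys derived from `key`; returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or any in-transit change."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or data modified in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed keys. Alice and Bob each share a transport key with the relay server
# (what a TLS session gives you); K_ALICE_BOB is known only to Alice and Bob.
K_ALICE_SERVER = hashlib.sha256(b"constructed: alice<->server transport key").digest()
K_BOB_SERVER = hashlib.sha256(b"constructed: bob<->server transport key").digest()
K_ALICE_BOB = hashlib.sha256(b"constructed: alice<->bob end-to-end key").digest()


def relay_transport_only(msg: bytes) -> tuple:
    """Hop-by-hop: the relay decrypts with its key, sees plaintext, re-encrypts for Bob."""
    on_wire = seal(K_ALICE_SERVER, msg)
    server_view = unseal(K_ALICE_SERVER, on_wire)     # relay holds the key: reads the call
    bob_view = unseal(K_BOB_SERVER, seal(K_BOB_SERVER, server_view))
    return server_view, bob_view


def relay_e2ee(msg: bytes) -> tuple:
    """End-to-end: inner layer under K_ALICE_BOB, transport layer wrapped around it."""
    inner = seal(K_ALICE_BOB, msg)
    on_wire = seal(K_ALICE_SERVER, inner)
    server_view = unseal(K_ALICE_SERVER, on_wire)     # relay gets only the inner ciphertext
    bob_view = unseal(K_ALICE_BOB, unseal(K_BOB_SERVER, seal(K_BOB_SERVER, server_view)))
    return server_view, bob_view


def server_can_open_inner(msg: bytes) -> bool:
    """The relay has no K_ALICE_BOB; trying its own key on the inner layer fails the tag check."""
    inner = seal(K_ALICE_BOB, msg)
    try:
        unseal(K_ALICE_SERVER, inner)
        return True
    except ValueError:
        return False


def on_path_tamper_detected(msg: bytes) -> bool:
    """An on-path party with no key (ISP, wifi operator) flips one ciphertext bit;
    the transport MAC rejects the frame, so 'change the data' fails even hop-by-hop."""
    on_wire = bytearray(seal(K_ALICE_SERVER, msg))
    on_wire[NONCE_LEN] ^= 0x01                        # first ciphertext byte
    try:
        unseal(K_ALICE_SERVER, bytes(on_wire))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    frame = b"meeting audio frame"                    # constructed sample payload
    print("hop-by-hop, server sees:", relay_transport_only(frame)[0])
    print("e2ee, server sees:", relay_e2ee(frame)[0].hex()[:32], "...")
    print("server can open inner layer:", server_can_open_inner(frame))
    print("on-path tamper detected:", on_path_tamper_detected(frame))
```

The point of the two relay functions is that both calls are "encrypted" on the wire and both protect against the ISP reading or altering frames; only in `relay_e2ee` does the server's view stay ciphertext, because the key that matters never reaches it. Whether a given product does the first or the second is exactly the distinction the posts above are arguing about.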

@dreadfulscribbler @cyberpunklibrarian Eh, I feel like if it's open to one unauthorised party, it's potentially open to anyone, but I'm probably being paranoid. :blobawkward:

@marnanel @Jo @dreadfulscribbler @cyberpunklibrarian probably not your i.s.p., but that definitely opens the possibility for hackers to gain access to zoom's servers and listen to communications there. these hackers could be sponsored, or be part of, a state government. or a state government could demand to hand over communications from a specific user, or tap into them n.s.a./prism-style.

of course, the level of concern would depend on what threats one considers dangerous.

@marnanel @Jo @dreadfulscribbler @cyberpunklibrarian for me in russia, i do not think the f.s.b. is directly spying on me, and i'm not enough of a political activist or whatever for anyone to consider me a threat, but i know that russian government agency data very often gets sold on the black market, to the point that (ironically) journalists can use it to find out which russian intelligence operatives tried to poison alexey navalny.

@devurandom @Jo @dreadfulscribbler @cyberpunklibrarian fair enough!

I figure GCHQ knows everything I do anyway, unfortunately.

@marnanel @dreadfulscribbler @cyberpunklibrarian Companies like Zoom are always one tiny cockup away from having a major breach.

@Jo @marnanel @dreadfulscribbler With Zoom, I figure the breach is coming from the inside.

In my opinion, a company only gets so many "oopsies."

Zoom leaves a web server installed on your Mac even after you uninstall it: OOPSIE!

People can guess Zoom meeting IDs for Zoom Bombing: OOPSIE!

Zoom lied about E2EE: OOPSIE!

Zoom lied about their number of daily users: OOPSIE!

tomsguide.com/news/zoom-securi

@cyberpunklibrarian @Jo @dreadfulscribbler holy crap that's quite a string of failures

I was shocked that the House of Commons decided to run stuff over Zoom without much discussion of whether it was safe to let the infrastructure of an entire *parliament* be handed over to an unaccountable foreign corporation

@cyberpunklibrarian isn’t it illegal to say that there, in the same way it’s illegal to deny the holocaust in germany?

sounds like they are just complying with the law…

@pernia @cyberpunklibrarian yeah that’s different. i guess that’s what you get for choosing a chinese communication company to do stuff that is illegal in china. idiots.

@pernia @cyberpunklibrarian that’s definitely suspicious then. The CEO is called Eric Yuan which likely goes some way to explain why this sort of thing is happening.

@cyberpunklibrarian

I fully agree. #signal has now added the group call function, but I didn't test it yet.

signal.org/blog/group-calls/

@cyberpunklibrarian yiiiiikes

from the article, it sounds like these privacy violations happened in spring and summer and particularly around June 4th; zoom released their E2EE draft in mid-June with plans to start rolling it out in July as an opt-in thing: https://blog.zoom.us/end-to-end-encryption-update/ So I'm not sure they're straight-up lying about E2EE, but they're definitely not doing enough to protect users and set safe defaults.

@xenofem From Tom's Guide:

In a blog post April 1, Zoom Chief Product Officer Oded Gal wrote that "we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption."

"We recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it," he wrote.

-----

They claimed before that they were E2EE, thanks to phoney definitions.

@xenofem @cyberpunklibrarian Their "E2EE" was released only after a backlash (they were previously claiming to have E2EE because your data was sent to their server over HTTPS then sent to other people in the meeting via HTTPS) and E2EE is automatically disabled silently if you do any sort of video sharing, be it webcam or screen share.

@cyberpunklibrarian it's called a "front door" for law enforcement 😉

@cyberpunklibrarian They can be encrypted and monitored in the sense of looking for predefined keywords on the local machines. But if the account is shut down, then there is at least the information that a pattern was detected (and Zoom knows the potential patterns). This is a piece of information derived from the call, so the call is no longer completely private. So there is still a lie.

glammr.us Mastodon
