TL;DR: Zoom has a, cautiously said, difficult privacy history. Using tools like Zoom in companies or schools can be inappropriate. It forces everybody who wants to participate to accept terms and conditions which they may don’t want or cannot accept. Thus excluding everyone who cannot give up their human right to privacy.

In March 2020 many were hit unprepared by the pandemic. Online communication and video conferences were a thing, but there were no standards introduced in companys, schools or universities about how and which services to use.

As often, it happens to be the solution which promises to have the least amount of friction which becomes most popular. It’s easy to use Zoom, because it offers exactly what a pandemic shaken world needs – stable, scalable live video conferencing. In the hurry of setting up home offices nobody cared about side effects of the choices made. But we know as always – everything comes at a cost.

The Security Flaws

Zoom’s security and privacy practices were critized a lot during the first wave of the pandemic. They claimed and mislead people into thinking their communication was end to end encrypted. After reports about the issue, the company soon admitted, that all data was decrypted on their server, which theoretically let them monitor or tinker with everyones sensitive communication data. Though there is no evidence that Zoom misused that data, the marketing behaviour of lying about their encryption features tells a lot about their security objectives.

Researchers at the University of Toronto found found that Zoom used the weakest possible implemenation of the AES Encryption. Also, some of their key exchange servers are located in China. During a testcall even if no participant was participating from China, the encryption keys were provided from chinese servers. Zoom may be legally obligated to give those encryption keys to chinese authorities. The study concludes Zoom is “not suited for secrets”.

Until 2019 the Zoom client on Mac came with a malicious component. Zoom quietly installed a webserver which was listening for requests. The cameras and microphones could be remotely activated on these systems just by visiting a prepared website, posing a huge risk to the privacy of millions. And even worse – the webserver remained installed, even when Zoom was uninstalled on the machine. It took them more then 100 days to acknowledge and remove the bug.

In another case Zoom sent device data to Facebook even if the user wasn’t logged in to facebook. And their Mac installer used a trick, frequently found in Malware which installed the software before geting consent by the user.

But still people were using Zoom, propably out of convenience. The public debate was dominated by the fact that Zoom tried hard to fix every of those issues, but not why they were there in the first place. To me their real intentions remain shady. It just not happens as an “accident” that you quietly install a secret permanent webserver on the machines of millions of Mac users. And if so, then your software is serious crap. From a security perspective, there is no reason why anyone should trust such a company. Your data is valuable. As is your commitment to use a tool and show it to others.

The Network Effect

Communication tools have something in common – they need at least two parts to work. It’s grotesque, but the spreading of Zoom occured in a similar way as the pandemic with small and large groups spreading something. Everyone who’s using Zoom spreads the message of Zoom, inviting or propagating the message in need of other people talking to them. This is important to consider when deciding to use a tool – it may not only affect you and your own privacy, but also the privacy of others.

At one point in 2020 I realized that it’s much more likely I need to justify why I don’t have Zoom than not. Saying “I don’t have Zoom” can give you scornful looks and then the uncomprehending follow up “Then install it?!”. It seemed like a large part of society adopted Zoom into their daily usage without giving a thought. In some cases, it became a necessity, or you are left out.

Halt a second and think about this. If the majority uses a closed communication tool – is it really your decision to not use it?

Institutions are the biggest multipliers (superspreaders)

To again borrow the language of the pandemics, big instituations implementing Zoom could be called “superspreaders”. While I know of several big companies in Vienna who explicitly forbid it’s use because of securtiy issues, there were Universities and Schools which shifted all of their remote classes to Zoom. And that’s especially a bad idea.

As with all social networks, everyone using a service is a multiplier. It’s like shouting “Hey, I’m using Zoom and if you want to talk to me, use it too!” Big organizations like Universities have an immens reach and therefore power with the tools they use. But I’m not sure wether the IT departments are fully aware of their responsibilities and implications of their software decisions.

At some universities, students are forced to get an Zoom account to participate in their lectures. They are also forcing them to accept the terms and conditions, with all risks attached. Do they feel responsible if every student would have installed malicious software on their computers because of them? For example like the hidden Zoom Webserver on Macs in 2019?

A log-in-only lecture on a University in Vienna

As a consequence, those students may, out of convenience, also use Zoom outside of the University for private conversations. And with that every one of them sends a signal that they endorse their services. This creates a network effect which is even stronger within communication services as they can induce the feeling of beeing left behind which is escpecially stressful, and even more during Covid. Responsible for this are the institutions who required the use in the first hand.

The forgotten principles of Universities

The University of Applied Arts Vienna for example is automatically creating Zoom accounts for all of their students, even without their consent. All the remote lectures are held via Zoom, without alternatives. Their technical department addresses the issues around Zoom in a blog entry where they carelessly claim that it’s safe to use Zoom. They also link to an article from a lawyer to confirm that Zoom is harmless. But on the site there is an update and advice to consider alternatives because of a ruling of the EuGH in summer 2020. That’s bad research on one hand, but only addressing legal isues also neglects all the other factors and consequences of such software decisions.

Other universities like the Technical University Berlin published extensive guidelines under which conditions Zoom should be used in their doctrin. They at least see it as a necessity that students are able to participate anonymously without a login. Still, the network effects give humongous amounts of power to Zoom because of such endorsements.

„Die Wissenschaft und ihre Lehre ist frei“ (Science and it’s teachings are free) is a principle that European universities historically achieved with great effort. It tells about the importance of science and research beeing independent in every way. From the early days of the Internet until now, Universities maintain the backbone of the internet and historically engage in open source software and encourage it’s use by beeing role models themselves. Requiring the use of Zoom in lectures, therefore forcing others to give up on the human right to privacy is breaking with these principles. In 2020 it should rather read: “Science and it’s teachings are free, except you have to accept to terms of services of Zoom and install proprietary software and give away your personal data to get access to education.”

What are the alternatives?

The goal is to use this great technology in a wise way. I mainly discussed Zoom in this text, but the same issues also takes effect on many other proprietory providers like Skype, Google Duo… you name them. Giving a comprehensive overview about good, privacy respecting video conferencing solutions is out of scope of this text, but in short: If you are in education take a look at Big Blue Button, an open source software with many useful tools for teaching.
As a group, company or private person consider Jitsi which can be self hosted. Some tools like Nextcloud also have video conferencing built in. On the mobile side, there is the excellent app Signal which I can’t recommend enough.
Just be conscious about the implications of the tools you use and you’re probably good to go.

This blog post was inspired by an article from Jeffrey Paul, who knows many reasons why it’s not a good idea to use Discord to build communities. It’s a good read.