[BLOG] ZOOM IS NOT AN ACCEPTABLE CHOICE
TL;DR: Using tools like Zoom in groups like companies or schools is inappropriate. It forces everybody who wants to participate to accept terms and conditions which they may not want or cannot accept, thus excluding everyone who cannot give up their human right to privacy.
In March 2020 many were hit unprepared by the pandemic. Online communication and video conferences were a thing, but there were no standards introduced in companies, schools or universities about how and which services to use.
As so often, the solution which promises the least amount of friction becomes the most popular. It’s easy to use Zoom, because it offers exactly what a pandemic-shaken world needs – stable, scalable live video conferencing. In the hurry of the first wave of the pandemic nobody cared about the side effects of the choices made. But we know as always – everything comes at a cost.
The Security Flaws
Zoom’s security and privacy practices were criticized a lot during the first wave of the pandemic. The company’s claims misled people into thinking their communication was end-to-end encrypted. After reports about the issue, the company soon admitted that all data was decrypted on their server, which theoretically let them monitor or tinker with everyone’s sensitive communication data. Though there is no evidence that Zoom misused that data, the marketing behaviour of lying about their encryption feature tells a lot about their security objectives.
OK, that’s all, you ask? Not at all, there’s more.
Until 2019 the Zoom client on Mac came with a malicious component. It quietly installed a web server which was listening for requests. The cameras and microphones could be remotely activated on these systems just by visiting a prepared website, posing a huge risk to the privacy of millions. And even worse – the web server remained installed, even when Zoom was uninstalled on the machine. It took them more than 100 days to acknowledge and remove the bug.
In another case Zoom sent device data to Facebook even if the user wasn’t logged in to Facebook. And their Mac installer used a trick frequently found in malware, which installed the software before getting consent from the user.
But still people were using Zoom, probably out of convenience. After all, the public debate about it was dominated by the fact that Zoom tried hard to fix every one of those issues, but not why they were there in the first place. To me their real intentions remain shady. It does not just happen as an “accident” that you quietly install a secret permanent web server on the machines of millions of Mac users. And if so, then your software is serious crap.
There is no reason why anyone should trust such a company. Your data is valuable. As is your commitment to use a tool and show it to others.
The Network Effect
Communication tools have something in common – they need two parties to work. It’s grotesque, but the spreading of Zoom occurred in a similar way to the pandemic, with small and large groups spreading something. Everyone who’s using Zoom spreads the message of Zoom, inviting others or propagating the message because they need other people to talk to them.
At one point in 2020 I realized that it’s much more likely I need to justify why I don’t have Zoom than not. Saying “I don’t have Zoom” can give you scornful looks and then the uncomprehending follow-up “Then install it?!”. It seemed like a large part of the Internet adopted Zoom into their daily usage without ever thinking about it. In some cases, it became a necessity, or you are left out.
Stop for a second and think about this. If the majority uses a closed communication tool – is it really your decision to not use it?
What accelerated the usage of Zoom the most are big organizations who decided to shift their whole communication to Zoom. In the language of the pandemic they would be the “superspreaders”. While I know of several big companies in Vienna who explicitly forbid its use, there were universities and schools which shifted all of their remote classes over to Zoom. And that’s an especially bad idea. Here are two reasons why.
Institutions are the biggest multipliers (superspreaders)
As with all social networks, everyone using a service is a multiplier. Every communication made on a specific channel is at the same time an endorsement of that same channel. Big organizations like universities have an immense reach and therefore power with the tools they use. But I’m not sure whether the IT departments are fully aware of their responsibilities and the implications of their software decisions. By forcing every one of their students to get an account at Zoom to participate in their lectures, they are also forcing them to accept the terms and conditions, with all risks attached. Would they feel responsible if every student had installed malicious software on their computers because of them? For example, like the hidden Zoom web server on Macs in 2019?
In addition, every one of those students may, out of convenience, use Zoom outside of the university for private conversations. And with that every one of them sends a signal that they endorse their services. This creates a network effect which is even stronger within communication services, as they can induce the feeling of being left behind, which is especially stressful, and even more so during Covid. Responsible for this are the institutions who required the use in the first place.
The forgotten principles of Universities
The University of Applied Arts Vienna, for example, is automatically creating Zoom accounts for all of their students, even without their consent. All the remote lectures are held via Zoom, without alternatives. Their technical department addresses the issues around Zoom in a blog entry where they claim that it’s safe to use Zoom. They also link to an article from a lawyer to confirm that Zoom is harmless. But on that site there is an update and advice to consider alternatives because of a ruling of the European Court of Justice (EuGH) in summer 2020. That’s bad research on the one hand, but only addressing legal issues also neglects all the other factors and consequences of such software decisions.
Other universities like the Technical University Berlin published extensive guidelines on the conditions under which Zoom should be used in their teaching. They at least see it as a necessity that students are able to participate anonymously without a login. Still, the network effects give humongous amounts of power to Zoom because of such endorsements.
„Die Wissenschaft und ihre Lehre ist frei“ (Science and its teachings are free) is a principle that European universities historically achieved with great effort. It tells about the importance of science and research being independent in every way. From the early days of the Internet until now, universities maintain the backbone of the Internet, historically engage in open source software and encourage its use by being role models themselves. Requiring the use of Zoom in lectures, therefore forcing others to give up on the human right to privacy, is breaking with these principles. In 2020 it should rather read: “Science and its teachings are free, except you have to accept the terms of service of Zoom and install proprietary software and give away your personal data to get access to education.”
So I should use smoke signals instead?
No. Nobody said that. The goal is to use this great technology in a wise way. I mainly discussed Zoom in this text, but the same also applies to many other proprietary providers like Skype, Google Duo… you name them. Giving a comprehensive overview of good, privacy-respecting video conferencing solutions is out of scope of this text, but in short: If you are in education, take a look at BigBlueButton, an open source software with many useful tools for teaching.
As a group, company or private person consider Jitsi. Some tools like Nextcloud also have video conferencing built in. On the mobile side, there is the excellent app Signal which I can’t recommend enough.
Just be conscious about the implications of the tools you use and you’re probably good to go.
This blog post was inspired by an article from Jeffrey Paul, who knows many reasons why it’s not a good idea to use Discord to build communities. It’s a good read.