Zoom isn’t trustworthy, but sadly their recent success may already protect them

Yesterday, John Gruber shared his thoughts on the new privacy / security issue with Zoom, the now-famous video conferencing tool: its iOS app was sending data to Facebook, even if the user didn’t have a Facebook account. A highly recommended read if you recently installed Zoom. I tweeted about this: Zoom does not appear to be a trustworthy company and — not unlike Facebook or Uber — will have to do much better if they want to be trusted again. As Gruber says:

This Facebook data issue is nowhere near as bad as the web server issue. But it betrays Zoom’s institutionally cavalier attitude to privacy. Their privacy policy more or less grants them carte blanche to do whatever the hell they want.

Mistakes happen. Bugs happen. I not only forgive mistakes, I enjoy forgiving mistakes. But Zoom’s callous disregard for privacy does not seem to be a mistake. As Zoom itself said about the hidden web server they secretly installed on Macs, it’s a feature not a bug.

The main concern I have with this is that trusting Zoom or not won’t matter. It just recently got adopted by millions of people across the globe; I believe it is now close to becoming a verb, just like Skype or FaceTime before it. Apps like Zoom tend to share the same behaviour as messaging apps in terms of adoption: the best one is the one your friends or colleagues are using. Even if a few users become concerned about Zoom after this new “bug”, they will have to convince most of their contacts to switch to something else: a video conferencing app where you’re the only one talking is rather useless. That’s why App.net failed, and that’s why Signal, despite being a great app, is far from being as popular as Facebook Messenger.

The same happened with Facebook, the same happened with Uber. The services were already so ubiquitous that not using them required not only a good alternative, but also a strong will to give up the benefits of using them.

That is why Zoom will probably get away with this. Its reputation is even more tainted than before, but this will probably not slow down Zoom’s recent crazy growth one bit.

UPDATE: Well, I barely got the time to publish this post before Zoom was at the center of another privacy-related scandal. VICE is once again behind the scoop:

For at least a few thousand people, Zoom has treated their personal email addresses as if they all belong to the same company, letting them video call each other.

Well, maybe the word “zoom” will become a verb sooner than expected, but rather as a synonym of “privacy-hostile bug”, instead of “Skype”.

UPDATE 2: So, apparently, Zoom is very generous with tech stories these days. This time it is reported by The Intercept:

Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.

This company is just a gift that keeps on giving.

UPDATE 3: And it goes on: this time about a critical vulnerability in the Windows client. I even suspect that BleepingComputer.com changed the publishing date to March 31st at 11:59pm just so the article isn’t mistaken for an April Fools’ joke.

UPDATE 4: What does it take for an app to be qualified as malware? This Twitter thread exposes another shady behaviour from Zoom and the author of the thread — a technical expert on the matter — explicitly says “the same tricks that are being used by MacOS malware.”

One thing is for sure, I wouldn’t want to be working in their PR department right now.

UPDATE 5: I just can’t keep up.

UPDATE 6: Glenn Fleishman at TidBITS produced a great recap of Every Zoom security and privacy flaw so far.