I feel like the good faith presumption for this company has to have shifted by now. Is there any reason not to assume that the Chinese government is surveilling Zoom calls en masse? Documenting participants (face, voice, language, location, etc.), recording content, etc. We're talking about the data of 200M+ users.
I see people on HN defending Zoom all the time.
>The company has acknowledged that much of its product development has been based in China, and that some Zoom calls were accidentally routed through Chinese servers.
>The University of Toronto's Citizen Lab said it found serious concerns over Zoom's security protocols, and said the company's large workforce in China left it "responsive to pressure from Chinese authorities."
>The government of Taiwan banned official use of Zoom due to security concerns, as have New York State schools, the U.S. Senate, and the German ministry of foreign affairs.
>Zoom CEO Eric Yuan said in early June that the company has chosen not to encrypt free calls in order to cooperate with law enforcement.
>The government of Taiwan banned official use of Zoom due to security concerns, as have New York State schools, the U.S. Senate, and the German ministry of foreign affairs.
This is good enough reason to not use it.
Also I stopped using zoom and trying to avoiding it as much as possible after the very first vulnerability scandal[0] came about
The NYC Department of Education (DOE), one of the largest in the nation, banned Zoom in April but "following several weeks of collaboration with the company, [NYC DOE is] now able to offer Zoom as a safe, secure platform for use across the DOE" as per a letter Chancellor Carranza wrote on May 6th, 2020.[1]
Public school teachers tried other video conferencing solutions but, for better or for worse, Zoom's UX was always easier to use or less janky than other paid or opensource offerings at scale -- and that's saying something because Zoom's UX isn't what any of us might call super smooth.
Funny and true but also because companies should really scrutinize this kind of software more carefully. Your meeting app "participates" in some of the most delicate conversations.
I used Zoom exactly once. I was invited, I installed the software and Chrome extension as a regular user. I had a mediocre experience in the meeting but didn't pay too much attention, and then proceeded to uninstall the software when I got a prompt that I need to do it as admin.
For me this was a clear warning signal that they want the software to be there especially in companies (that didn't block it) where many users may end up installing it but then aren't able to remove and just forget about it.
Then I started reading about their installer "mishap", their general encryption scheme weakness "mishap", their encryption key routing through China (!!!) "mishap", the redefining of E2EE "mishap", the default settings "mishap", and the mishaps just piled on to the point where I personally believe only a great deal of ignorance or blissfulness could allow a company to still use it.
I get schools and individuals do, it's "free", meaning they don't pay with money and they don't need to look any further than that. But I refuse to ever use it again and when I got Zoom invitations I politely declined, offered to host the meeting myself, or else just asked to be sent the meeting notes on mail. I have no reason to believe Zoom intends to fix their issues but rather to hide them better next time.
I'm not sure if you are kidding, but that's not the reason. It was a decision by the security team and a reaction to multiple security issues that were found in the Zoom client. Google employees can still use the Zoom web client on work computers.
China has been accused a number of times of engaging in industrial espionage. As a company developing a lot of high technology products, I think Google is entirely justified in keep Zoom out of its technology infrastructure.
If it wasn't clear, I was just being sarcastic about Google's huge number of messaging products... I fully agree with your statement, their move totally makes sense from an IP protection standpoint.
I'm not surprised. My company has also done this. Basically it's because we don't have an agreement with them about data protection, and we can't have company information going over 3rd party systems without a contract.
Is there a non-Zoom client that can connect to Zoom meetings? My company implemented RingCentral about a year ago, which appears to just use a rebranded Zoom architecture for the online meeting component. They're not going to get rid of it anytime soon.
Zoom does have a SIP/H.323 bridge https://zoom.us/roomconnector . I believe it's the decision of the meeting host's organization whether to enable it, and there may be an extra cost associated with it.
Zoom is a company I have loved so far, but a lot of this is starting to really rub me the wrong way and I really don't want to have to go find another solution.
However, without some sort of reversal, this is enough for me to deal with the mess of doing that.
I've tried Google Meet, Jitsi, and some other things, but Zoom is the only service that my 6+ year old laptop can handle for more than 5 min without nosediving into 100% CPU usage and freezing up.
Does anyone have other suggestions? Either for other services or for troubleshooting Jitsi?
You could give Whereby [1] a try. I really liked it when it was named "appear.in" (that's now a completely different company), and used it for a bit, until my work switched to Teams.
Whereby is, as far as I can tell, completely owned by a Norwegian registered company.
A Whereby-developer here. It's awesome you recommend us. <3 But we'll also kill your CPU ^_^
You can turn on "mobile mode" in advanced device settings, and it should be a bit better. But we're a bit limited in how CPU-friendly we really can be, living in the browser. Not that we can't improve, there's certainly extra tricks we could try - but not easily without also lowering fps and resolution.
I don't think "low resource use" is a big selling-argument for our product. Video can be quite heavy.
Actually, if you are using 4+ rooms, we will in many cases be better than some other webrtc services because we for these bigger rooms use a server in the middle to distribute all the streams. That will result in lower resource use. You only encode and send once, and it is distributed by the server. But if other webrtc kills CPU on 4 or less, we probably won't be much better.
This "more than 4 room" is not p2p and end-to-end encrypted, since the server (SFU) needs to read and change some headers. So it is a tradeoff. There's now "insertable streams" which allow you to do encryption on the media client side, but it's a test for now: https://webrtchacks.com/true-end-to-end-encryption-with-webr...
Hey! I've been using Whereby at work for a while and it's great.
However, I should mention that it's not possible to join calls through the mobile app (as far as I can tell), and the web app on mobile wouldn't capture my Bluetooth headset's audio properly somehow.
Again, thanks for the great work. Just thought I'd let you know :)
Thanks! It is very valuable with feedback like this, even if in this case we're painfully aware of it. :)
I was working on fixing up that when COVID-19 hit. Now we're trying to stamp out more obscure audio+video bugs (like bluetooth, which can be unreliable). We're in process of hiring a few more people so we can hopefully put someone on caring more for the non-logged in mobile app experience.
You do get a join button once you've logged in. But I must confess it is not a good experience by default. It used to be on the top of the priority list, but then scaling and any video/audio issues jumped to the top.
We have used a lot of time making it work on Safari. And we continue to use quite substantial resources on it. Their webrtc implementation is quite new, and not as stable as Chrome and Firefox. And with new code comes new bugs.
There is currently a bug with audio, where it'll crash in Safari, -- and we have had some issues reconnects that was more our fault (though Firefox and Chrome is much more forgiving). We have a workaround for the first, and will be doing a fix for the second once we're reasonably sure it won't regress other browsers.
Is it any of those issues you talk about? Or is it something else? (I'm not personally familiar with the Safari issues, btw, since I'm a Linux user, but I keep an eye on Firefox and Chromium-based browsers)
are you using it on the browser, or are you using the jitsi desktop version (which seems to be distinct and not cross-compatible)?
Are there settings you adjusted?
Are you just doing one-on-one meetings (that works fine for me too) or group calls of 3+ (which is what I need to do everyday where it immediately becomes unusable)?
I'm also using a linux distro based off ubuntu/debian.
> are you using it on the browser, or are you using the jitsi desktop version
I am using Jitsi in//on the browser [for me, Firefox].
I don't know if I have a preference as I have only "just started using" the past few months via being given a link I click on whilst I am on my laptop... so unfortunately I cannot speak about Jitsi via Desktop Version at this time.
> Are there settings you adjusted?
Besides simple sound volume off of my OS//headphones, I use whatever the default settings are.
> 1-1 meetings or 3+ group calls?
Group calls, each time would be roughly 5-12 people.
For other info just for giggles:
The laptop I do this on is connected wirelessly to my home wireless network, about 6 feet away from my wireless router; my wireless router may have multiple people using it at a given time since I share. I'm in US-California-Silicon_Valley on Comcast.
Jitsi Meet had some troubles in Firefox due to some WebRTC implementation differences. It is being worked on and the situation has improved, but I'm not sure whether all outstanding issues have been resolved. You could try Chromium and see if it gets any better.
Due to the god awful state of Microsoft Teams conferencing, we recently started trying Chime at my new job. There are still some hiccups, but I can vouch that the quality of both audio and video is very good on Chime.
We have also used GoToMeeting with a good amount of success. Anything but Teams, haha.
https://goteam.video/ (Disclaimer/Plug: I work for the company that built this). It's WebRTC based but should work fine in Chrome, Safari, Firefox and latest Edge (ie the Chrome variant). We've just added optional end-to-end encryption for multiparty sessions based on the recent "Insertable Streams" feature available in Chrome M83+.
HighFive seems to be popular where I'm at. I like, it works. I have a couple of minor UI complaints but overall it's fine. I haven't seen it in use with large (say, >20 people) meetings, though.
My group (6 of us) did the oposite. We used to use Skype till we had continual problems of people getting infinite "loading" screens, we switched to Zoom the last 3 or 4 games because of it.
I have to say the video quality is much better and the DM being able to screen share while we can still see each other is great. Also the "Brady Bunch" view is great, being able to see everyone at once is awesome.
I'm not very happy with all of the news trickling out about Zoom but I really do like their product.
> I'm not very happy with all of the news trickling out about Zoom but I really do like their product.
That's my position, too. I teach at a large public university in Japan, where the school year begins in April. At the beginning of March, we were expecting to start classes in person as normal a month later. By around March 20, we had decided to teach most of our classes online; a week later, "most" had become "all." Teachers and students had little to no prior experience with online education, and their level of general digital literacy varied widely. From the plethora of tools available, we had to choose software that everyone could use and that would be reliable and scalable.
Despite concerns about security issues, Zoom was chosen as our videoconferencing platform. That seems to have turned out to be a good choice, as it is stable, can handle large groups, and offers features (breakout rooms, video and audio recording, attendance reports, etc.) that are useful for university classes. That fact that it hasn't (yet) been blocked in China was also a factor in choosing it, as we have students stuck overseas who need to take part in classes. Anecdotal reports from colleagues who teach at other universities in Japan suggest that the non-Zoom platforms have not performed as well.
Now that teachers and students are used to online classes, I hope we can also try other tools in the future. But considering how well Zoom performed during our hectic ramp-up to online teaching, I give it my grudging support for the time being.
Are you trying to do one-on-one of many-to-many calls? If you're doing just one-on-one there is very basic webrtc in web browser service[1]. I've also made my own for quickly connecting with people online[2], not sure if it's your use case though...
Are any of the participants using Firefox? There's a known problem with Firefox's WebRTC and Jitsi wherein even a single Firefox participant can create performance issues for everyone.
Is Google really any better? They may simply be better at hiding their surveillance apparatus. We need to decentralize, i.e. destroy large non-decentralized organizations.
US citizens have a significant better chance at fighting a warrant. Personally, we've been using Jitsi for video. It's not amazing, but it is free in many senses of the word.
Zoom is a US company founded by an immigrant from China with 700 employees in China where the software and product development teams are. All 700 of those employees can be leaned on to break security generally or to break it for one specific person or meeting, even if we don’t believe there management of the Chinese or American parts of the firm won’t just do what the CPC ask them to do.
No it is not. I'm planning on switching to jitsi for my personal and non-profit projects, and I guess I'll advocate for it at work. Switching from Zoom to Google/Microsoft/Cisco anything is like switching from Evian to Aquafina.
Absolutely, don't be ridiculous. Google is not and will never be complicit to Chinese censorship in America.
This is classic whataboutism and we don't benefit from such hyperbole.
After evaluating a number of solutions, we chose uberconference (no relation to uber). I really like it, especially that the conference is just a phone number.
Jitsi is great! If they can figure out a good webinar solution it could be an absolute killer. As it stands, it's (in my opinion) really just useful for small scale interactive meetings at this point, not 100+ participant events.
It's really great as a face-to-face solution though, where Zoom and many others are actually kind of overkill.
I should've made it clear when I say "events" I mean more webinar style events. 100+ participant meetings where everyone is an equal participant isn't useful, but that sort of thing isn't uncommon if you're holding all hands calls or annual shareholder meetings etc.
Well, no – not if you still need audience participation with video and/or audio. Things like annual/quarterly meetings and such where people have a right to speak etc. It's really not that different from a typical video conference, just that the moderator has controls to mute/unmute people and participants can't unmute themselves. Polling/voting/chat features I reckon are secondary I reckon.
I've wanted to like Jitsi, but the quality difference with Zoom is noticeable. Same with Google Meet and anything I've seen that uses WebRTC. They remind me of RealPlayer back in the early 2000s in terms of blockyness.
I would love to know about any Zoom competitors, free or paid, with comparable quality.
If you have your own jitsy server, you can define the max quality up to 1080p i think, the free jitsy service/server has probably really low 'max' video quality.
BigBlueButton is also interesting, but it's more like a Schooling-tool...but also without a client (aka just need a browser)
I think you’re overstating the complexity a bit. When people mention Zoom I don’t fuss over whether it’s desktop, web (do they even offer it?), mobile, or whatever.
>Do you love the company, its leadership, its product, or its pricing?
you didn't ask me, but imo they haven't existed long enough to garnish love for their company and leadership.
They had a product and a price point at a time with huge & abnormal sudden demand. I think this alone was enough to make them successful in the short term.
Not OP, I love the company's leadership and the product (not the privacy issue part). It's awesome to see Eric leaving Webex and building a product that seems and sells superior to Webex. It's not that easy to beat yourself at your own game and he's proved. That is one thing I like about Zoom
But that's an integral part of the product. There is a lot of reason for suspicion floating around the company and the product itself, and the long string of security screwups and misdirection confirms every bit of that.
What's the point of having even good functionality if it comes attached to such concerns? Most products have a good side but choosing one is always about picking what's the worst problem that you can live with rather than the best feature.
No, for the majority of people that is a part of the product they do not care about. That's educated tech people at Google, which had to forbid the use of Zoom, and high school teachers alike.
Subtle yet severe privacy invasions do not matter to the glaring majority of people because they cannot associate it with direct consequences.
If I have been using Zoom and the Chinese government now has 200 hours of my facial and speech data, at first it doesn't impact me. I don't see the impact, I don't feel it aside from some people yelling on HN.
The consequences are either subtle and easily dismissed (e.g. ad tech/marketing when Instagram secretly listens to the phone mic and suddenly you see products that were part of the conversation) or severe and too far out to relate it to a Zoom call 23 months ago (e.g. border control when entering China for tourism).
If you're not an activist then chances are you do not care about online privacy.
I think people care when they are properly informed, in a setting where they are ready to hear such information. The primary reason they seem not to care is because "everyone is using X, so I guess it can't be that bad" and an information/concern overload.
We are constantly bombarded with new concerns and this particular topic requires expert opinion to truly know which software you can trust. Then there is the problem of choosing which expert to trust. And you still have to have time left simply to live your life. It's just not an easy thing to let yourself be concerned with this.
In my personal experience, I've yet to meet a person that turned out not to care once I've taken the time to discuss this with them one on one.
In my workplace and from my perspective, I don't know how Zoom became trustworthy in the first place except through growth hacking and selling iPads with their software on it under the 'Zoom Rooms' name.
Besides that, why defend a company or a corporation in the first place? It's a damn shame that people are more enervated by corporate strife than by the suffering of our fellow beings.
To be fair, Zoom is the best video conference software I've ever used. It's so much better than Skype or anything created by Google, Facebook, etc. When I first started using it at work 5 years ago, I was blown away at how stable it was, and how many people could connect at the same time. It just worked.
You're getting downvoted, but they really do have a solid product. A lot of their growth does come from their aggressive sales and marketing, but their video conferencing solution is by far the best I have used—it Just Works™ in a way that none of their competition seem to be able to match. (And I've used most of their competitors.)
Which is a shame given issues like the OP and all of the security/privacy problems they have had recently.
Totally agreed. The thing I think contributes most to this impression is how local voice is recorded at all times on the client, and then replayed at a higher speed to the other participants if the connection drops briefly. This enables others to hear what was said, without having to listen to the speech at the original pace, which would result in a delay. Genuis!
This has been standard practice with video calling products for many years. I know at least FaceTime and Duo do it. It might even be built into WebRTC?
Then again talking about videoconferencing solutions and immediately comparing to Google or Facebook, and not mentioning something like Cisco Webex is like talking about mail and immediately comparing to Yahoo.
And before you say "but Zoom is free", obviously it's not. From the carefully orchestrated lie about "end to end encryption", to the routing of calls through China, and to the topic of this article. At every step they catered to companies more willing to look just at the price and never ask a single question.
Yahoo Mail is one of the best web email clients today. Any gmail user that I've talked to who has tried Yahoo Mail prefers the Yahoo UI overall.
Having said that, the US government installed a linux kernel module (approved by Marissa Mayer) that sniffs traffic on Yahoo Mail servers, so don't send anything you don't want recorded.
At least Skype and Webex don't accidentally route your calls through China. I don't really like Skype but Webex shines compared to either Zoom or Skype. And I'm talking meetings with triple digit attendance, meetings with dozens of simultaneous breakout sessions and screen sharing, etc. By far a better experience than Zoom.
The thing that Zoom really has going for it is that it's free and heavily marketed. This made it popular with a lot of people. But it's exactly the people who are least prepared to make an informed decision (and yes, I count a lot on "company men" here). The reasons are sprinkled all over every Zoom article.
Except that Skype non-accidentally routes your calls through Microsoft's servers, and it was originally a P2P application. End-to-end encryption too started being "complicated", "unfeasible" and "unnecessary" after they acquired the company. Thanks, but no thanks.
But that's exactly the point, others do things more transparently and if you don't like them you're at least in a better position to make an informed decision. Plus there's a major difference between Microsoft and China. Take the current article for example.
You're willing to hand-waive all of the many, many proven, and intentionally hidden major issues with Zoom but you suddenly become worried that Skype works as advertised, poorly as that may be? Would you apply the same principle to your food and taking the one that lies on the label about dangerous ingredients? Or do principles change with accounts?
Aw man, I didn’t know those iPads were a Zoom product. For some stupid reason I was under the illusion that my company made a home-grown Zoom meeting room solution.
It never really worked properly for us, but what worked a little too perfectly was the camera control.
I had so much fun pointing the camera towards the open door and zooming in so far that we could all lip-read a conversation happening across the office. Or, due to a lack of forethought, creating the official CrotchCam(tm) by letting the camera auto-focus and then zooming in to the unfortunate victim's midriff.
If they have a workforce in China, there are 100% spies working there. Putting it another way, China would be foolish not to have spies working at Zoom, just like it would be foolish to not have spies working at Facebook, Google, Amazon, Microsoft, etc. You should assume all of those companies have been infiltrated by the major countries of the world, or they are working with them. To believe otherwise would be extremely naive.
The first time I read that Zoom is the shell (in the USA) while the majority of work is being done in China, I thought the exact same thing. That China has everyone's face 3D scanned by now (multiple photos from multiple angles), everyone's voiceprint, everyone's IP, transcripts of what was said and by who...
Now they are trying to rebuild their shattered rep, while still handing anything and everything to their patrons.
"That China has everyone's face 3D scanned by now (multiple photos from multiple angles), everyone's voiceprint, everyone's IP, transcripts of what was said and by who"
As a native Chinese, I haven't been scanned by 3D scanner. How do you get this conclusion?
Presumably they mean that if you use your web cam with zoom they would be able to construct a 3D model of your face from the camera feed as you move your head around.
Some comms you want to monitor, some you want to disrupt... And Chinese authorities like big gestures, sending messages, "we know who you are and what you do, we can get you anytime, you are not safe anywhere".
Yes, and we may all be disembodied brains living in vats inside a teapot. This is why I don't find such arguments very compelling for showing we should necessarily assume we are being surveilled. The same argument can be applied to situations that have nothing to do with the internet too.
Those are certainly possible ways in which the surveillance could still be happening, because nothing is certain. But the argument is necessarily probabilistic (in the Bayesian sense) and not binary. So yes, I have to take this into account to determine my final risk, but there is no point in necessarily assuming I am being surveilled because then I might never do anything at all.
> Is there any reason not to assume that the Chinese government is surveilling Zoom calls en masse?
It makes perfect sense to boycott Zoom based on their security issues, but does the presumption of innocence mean nothing anymore? It shouldn't be difficult to prove that Zoom is actively trying to block Chinese activists.
China banned Zoom during the trade war. Are you going to treat that as evidence that Zoom isn't colluding with the CCP? Why is Zoom not embracing end-to-end encryption to free users evidence that they are beholden to China, but Zoom committing to end-to-end encryption for paid users not evidence of the contrary? This type of circumstantial cherry picking is how conspiracy theories sprout.
For some reason, China periodically bans and unbans websites before banning it completely. Reddit is one example of this. It looks like Zoom is moving away from the Chinese market altogether:
does the presumption of innocence mean nothing anymore
In a court of law, yes. In the court of public opinion, it has never been that way.
I don't blame people for being suspicious of Zoom. Why wait until the harm has already been done to move to something else?
Zoom knows it has a credibility problem. If Zoom really cared, it would do something to distance itself from China and the Chinese government. But it doesn't.
I don't blame people for being suspicious of Zoom either. I just find it sad that so many readers of Hackernews are endorsing logic that is so unscientific.
In what way is it "unscientific"? That's an odd choice of words in this situation. What we're aiming for is rational and in this instance, it's perfectly rational to be suspicious based on an abductive argument and unproven extrapolation. As another commenter aptly noticed, once you're able to prove it, the harm has already been done.
Having read the original comment again, I can see how it can be interpreted as suggesting to avoid Zoom as a precautionary measure, rather than accusing Zoom of wrongdoing. However, plenty of people are treating this incident as proof that Zoom is lying about encryption.
Don't want to sound I'm defending Zoom or CCP, but how does en masse surveillance work technically in this case? How practical it is to go over all the voice data (not manually I presume)? Text based mining and censoring is possible but there still is a huge gap and language expertise isn't cheap. I might be missing a few references but it'll be great if someone could point me to these links.
I might be wrong here, since I only have this from hearsay, and I certainly won't touch Zoom. But, wasn't the "end-to-end encryption" a term they used in a blatantly deceptive way? The two ends not being the two users, but the user A and zoom servers, and zoom servers and user B? Please do correct me if I'm misinformed.
I think Zoom is probably best used for hangouts-on-air type things, where you are literally publishing the contents of the call to the world in realtime anyway; for anything else it's off my list.
There is really no excuse for "accidentally" routing through Chinese servers for a service. To me the reasons are as shallow as Google's "error in algorithm".
Just recently YouTube "accidentally" deleted the account of a pro-democracy channel in Hong Kong with more than 600k subscribers [1]. Incidentally, this has never happened to pro-Chinese channels.
I get the vibe with anything China related. Like it takes an over abundance of facts not to be attacked. Zoom fiasco is interesting though. I don’t do anything I don’t mind be monitored on there so sort of careless for now
> Is there any reason not to assume that the Chinese government is surveilling Zoom calls en masse?
Why does this event move the needle one way or another? The group had a paid account so Zoom knows who they are, and this was a publicized event. All the Chinese government needed to know was an event they don't like was happening, with the services of a company they can exercise soft power over.
I totally agree with you, there's a very high probability that the Chinese gov is recording everything.
But is that any better than being 100 % sure that the US gov is doing it?
I mean, what is the point of "the Chinese may be listening this is horrible!" when we know for a fact that the US are listening and most probably multiple european countries.
Nowadays, you must assume that whatever you do online is recorded by multiple states and may be used against you one day.
I am more worried about dictatorships recording everything than other regimes. Does not excuse recording at all, just an appreciation of the level of risk.
Thanks for your reply, but I fail to see how a dictatorship would do worst things with these recordings than a democracy, say like the USA, UK or France, where intelligence services operate outside the law as Snowden (and many others) have shown over the last decade.
Also, I see that I'm being downvoted and I would be really interested to know why I'm wrong. I mean it, I love the level of discussion here and I really like constructive criticsm.
Intelligence services may operate outside of the Law in pretty much all countries but the difference is that democracies typically have a Rule of Law as to how the data can be used against you. Not a perfect safeguard but way better than dictatorships where power has a blank check to do anything to you, anytime.
You are oversimplifying the issue, in my opinion. Zoom has R&D office in China. If Chinese authorities come to Zoom with a violation of local law, Zoom has two options. First ignore the request and this means that the company is likely to be banned in China or comply with the request and get blowback in US. This issue is not unique to Zoom and each company makes its own decision. For instance, Google and Facebook fail to comply and are banned in China. But Apple does comply with Chinese laws and there are number of apps that are simply not available in China but are available in US. However, I wouldn't make a judgement that Google is good, but Apple is bad. Nor is this issue limited in China. Same thing applies to EU. EU has passed GDPR laws that all US companies have to comply with if they want to do business in EU. Again, some decided to comply with GDPR, others exited the market. Even in US this issue exists. When the government tells Google that they can't offer their services to Iran or sell to Huawei. Google chose to apply. You can try to make an argument that complying with US government orders is good, but complying with other government orders (EU, China, Brazil) is bad. This may work for you if you are an American, but the rest of the world knows about the Patriot Act, Edward Snowden and NSA. You could also make an argument that complying with any government is bad and the way PRISM is enabled by US tech is terrible. But if US companies start ignoring US laws, no matter how terrible they are, the only right thing to do is to shut the company down. It's called a rule of law. I am writing this not to say that Zoom is good or bad, but to prevent oversimplifying the issue or vilifying specific companies, countries or governments.
How on earth could a user "prove" this? Mention some secret on a call and then watch for the Chinese government to act on that secret? Give us a break. It's much safer to assume surveillance and protect oneself accordingly.
We have definite proof of surveillance by the Five-Eyes, why would China would be better at hiding evidence of surveillance. Claiming that something can't be measured at all doesn't help your argument either. That type of reasoning is only acceptable in theology.
There are plenty of Chinese dissidents, including the the activist that is the subject of TFA. The default assumption is to assume noncorrelation between things until proven otherwise. That's a defensible position, yours isn't.
I only said that it is safer to assume surveillance. I didn't say it was more fair or more "defensible" or whatever. In reply you've offered "default assumptions" and "burdens of proof" and "theology". Whom do you attempt to convince with this [EDIT:] sophistry?
Oh and nice job implying that Chinese dissidents have the duty of "proving" to the world that the Chinese government surveils them. Snowden is not a dissident, he is a whistleblower. Also, in general, telling people who suffer that they ought to educate the rest of us about the particular details of their suffering is not cool.
> its product development has been based in China, and that some Zoom calls were accidentally routed through Chinese servers.
Curious, did you background check every employee/contractor to make sure they are Chinese race free?
Did you do every byte of your network traffic audit to make sure they are not Chinese IP routable? How often do you update your firewall rules?
Because if you don't do either of these, if you run a successful company, someone will write an article to complain you have employed a Chinese developer and routed traffic to China.
There’s a big difference between routing an encrypted packet through China and decrypting that packet on a server located in China.
Likewise, there’s a big difference between employing a Chinese national in the US and having a large part of you engineering organization operate from within China.
> having a large part of you engineering organization operate from within China
Shockingly, Microsoft, Google, Facebook, IBM, Redhat, Cisco all have engineering team in mainland China. Do a job list search please.
> decrypting that packet on a server located in China
In your infrastructure setup, for hostnames in a cluster, how do you separate China servers and non-China servers? Do you put a subdomain or something? And how do you link user's nationality to which server they are supposed to connect to?
What if there's a US hosted meeting, a mainland Chinese user joins the meeting? Is it an ethical thing to happen?
Should the packet decrypting happen in a US server? China server? or server located in a third neutral country instead?
What if a US citizen joins a mainland Chinese hosted meeting? Is it wrong for Zoom to decrypt packets in China?
> In your infrastructure setup, for hostnames in a cluster, how do you separate China servers and non-China servers? Do you put a subdomain or something?
Yes, these are exactly the sorts of things one does. The PRC is so distinct in terms of legal norms that servers hosted there need to be treated differently. If PRC would adhere to the legal norms of most of the rest of the world, and stop trying to start a cold war with the U.S, this would not be necessary.
> And how do you link user's nationality to which server they are supposed to connect to?
It's not so much about nationality, but about jurisdiction. For calls where no participants' connections originate from a PRC IP block, don't use the PRC infrastructure. For calls where at least one connection originates from the PRC, terminate the call wherever meets the legal requirements (that PRC participant may have special obligations to their government) and is technically convenient. It's not really that hard.
> What if a US citizen joins a mainland Chinese hosted meeting? Is it wrong for Zoom to decrypt packets in China?
Again, it is not a matter of citizenship, but of jurisdiction. If the call is hosted in PRC, that's not even a question; if PLA asks, you must decrypt the packets on the host, or at least provide keys.
In each case, you bring up nationality or citizenship, but when it comes to these scenarios, these are not relevant. Chinese nationals legally present in U.S. jurisdiction have most of the same rights as U.S. citizens, and all of the same legal obligations. In terms of obligations, the same is true in PRC: if you are present in PRC, you are obligated to follow the PRC's law, whether or not you are a national.
That's what happens when a lawyer designs IM/conf app. Follow your design, the switches/routers need to confirm the "jurisdiction" of each TCP/IP packet? What wonderful idea, please do submit your RFC to IETF.
> but about jurisdiction. For calls where no participants' connections originate from a PRC IP block, don't use the PRC infrastructure.
That's basically where the Chinese got the idea of building the Great Firewall started. Some IP addresses are from evil capitalist USA and need to be filtered.
> Curious, did you background check every employee/contractor to make sure they are Chinese race free?
That's immoral, illegal, and silly; effectively nobody is doing this, and if most people found out about that, they would try to put a stop to it. The PRC is a state, that state does not have a monopoly on representing any race.
This is not a Chinese people problem, it's a CCP problem. Chinese people in the ROC don't do this sort of thing.
這不是華人的問題,這是中共的問題啊。中華民國的華人不這樣做。
> Do you audit every every byte of your network traffic to make sure it is not Chinese IP routable? How often do you update your firewall rules?
Yes, I operate servers and routers that simply do not route to or from PRC IP blocks. It's often the right thing to do, given that “reputable” server operators like Baidu seem to be the source of a huge proportion of the impersonation and spam, and often zero legitimate connections. When I get DMARC reports, more than half of the reports are PRC IPs impersonating my mail host, hopefully for reflection rather than full-on impersonation.
> effectively every US media is name calling companies/universities who have a slightest business with China or Chinese people.
Business with PRC and business with Chinese people are separate matters. I don't know of any North American university that doesn't have "the slightest business" with Chinese people; and "effectively every U.S. media" is not "name calling" them all.
What I have seen, is a select few journalists reporting on the proven PRC-funded academic espionage schemes, where the PRC is illegally bribing academics to privately provide advance copies of U.S. government funded research. The coverage of this has been sparse, and there are whole major outlets who simply have not mentioned it.
> Zoom CEO Eric Yuan said in early June that the company has chosen not to encrypt free calls in order to cooperate with law enforcement.
This is incorrect. They don't offer end-to-end encryption, but it is encrypted between each client and the Zoom servers, and they have promised there's no way for a Zoom employee to spy on a conversation without visibly joining the meeting. https://twitter.com/alexstamos/status/1268061790954385408
> They don't offer end-to-end encryption, but it is encrypted between each client and the Zoom servers,
I think it's absurd that when talking about private messages the bar for privacy would be so low as to say that client-server encryption would be a "feature"-
> they have promised there's no way for a Zoom employee to spy on a conversation without visibly joining the meeting
That's false unless no one at zoom has logins to any of the servers that route the calls or deploy code to them. Let's be clear and specific about the terms. "no way for" and "not allowed under guidelines" have very different technical meanings.
A promise is a promise. The "no way to spy" is likely just compliance. A lot of companies have compliance guarantees in place, like SOC2, which is about processes and documentation/audit trail. So the thing blocking you from reading customer data is another person in the organization having to confirm it's a legitimate action.
Government level surveillance is not the same as an employee listening in on a whim. It's an organized endeavor, which comes with a process, so it may as well be ok from compliance point of view.
> This is incorrect. They don't offer end-to-end encryption
It's all about end-to-end encryption, so it's correct. If they decrypt it anywhere on the way then three letter agencies can always listen to what you say with a proper letter.
IMO that's not "incorrect" so much as it is "ambiguous about the type of encryption being referred to. Even the most spy-happy, malicious service could offer HTTPS encryption, so hearing "they do encrypt some stuff" doesn't address concerns about Zoom willfully monitoring customers
Neither does the second part about promising not to spy on a conversation; surrendering conversation metadata would be almost as bad from a privacy perspective.
Either it is E2E encrypted, or it is unencrypted on zoom servers and the only claim that they can reasonably make is that they haven't provided their employees with the tools to observe a call invisibly.
This is addressed in the Alex Stamos twitter thread.
It _is_ E2E encrypted. And from what I understand the "promise" is a technological promise, not a process promise; you can check the exact terms of the promise in the paper.
The paper’s ideas are not yet implemented. Right now, it’s encrypted to whatever keys Zoom likes, including the PRC’s. Same system as Apple’s or Google’s
OK, but if we were to take this stance it than literally the whole thread is pointless debate, right? It started with this:
> Zoom CEO Eric Yuan said in early June that the company has chosen not to encrypt free calls in order to cooperate with law enforcement.
The entire debate is about the not-yet-implemented E2E encryption (that's where Zoom "does not encrypt free calls"). And the Alex Stamos thread explains very well both why that is a sensible choice, and how they will implement E2E encryption& what are the limitations.
If we're discussing about current implementation, it doesn't make sense to be outraged that "Zoom doesn't offer encryption for free calls" - if we talk about E2E encryption, it doesn't offer it for anyone; and if we talk just about HTTPS, it offers it to everyone. So in fact we must've been discussing the future implementation not the current one - right?
Encrypted = private to most people. There’s no reason to muddy the waters with the fact that Zoom encrypts some data temporarily at some time with keys that they control, because that isn’t what anyone cares about.
I see people on HN defending Zoom all the time.
>The company has acknowledged that much of its product development has been based in China, and that some Zoom calls were accidentally routed through Chinese servers.
>The University of Toronto's Citizen Lab said it found serious concerns over Zoom's security protocols, and said the company's large workforce in China left it "responsive to pressure from Chinese authorities."
>The government of Taiwan banned official use of Zoom due to security concerns, as have New York State schools, the U.S. Senate, and the German ministry of foreign affairs.
>Zoom CEO Eric Yuan said in early June that the company has chosen not to encrypt free calls in order to cooperate with law enforcement.