Zoom needs to clean up its privacy act

Honest question [not trying to act controversial], especially with all the US-China spat.

Zoom's engineering team is based in China - the product is primarily built out of there. [1]

What guarantee is there that the CCP is not intercepting/backdooring all video communications? Especially in current situations, where so much sensitive information is being discussed via Zoom?

[1] https://www.cnbc.com/2019/03/26/zoom-key-profit-driver-ahead...

I've said this time and again only to get downvotes since there is no proof or substantiation about the CCP surveillance claims. But, it is an important to keep in mind. There are things that I cannot say due to our employment contract and NDA, but to say the least, we are looking into this matter.

Surveillance prospects, doesn't matter where they originate - US or China or Country X - need to be discussed and examined. But apparently, saying anything against China on HN is an automatic ban for creating a flame war. We've become too soft. Obviously personal attacks and racism is not tolerable. But, I would personally (some may disagree) say that we should also criticize bad parts of culture too...that's for another day or a different forum.

Can we just get past the my country your country bullshit on HN and talk about privacy implications especially from the world's largest surveillance network? It is one thing to be spied upon for advertisement tracking, an entirely another to be spied upon by a brutal authoritarian government. Fearlessly criticizing CCP or the NSA, or Israeli intelligence agency or whatever... should be one of the most important things to talk about on "Hacker" news forum.

I am gonna fire off some anon emails to WSJ/NYTimes/WaPo/Guardian to create some awareness and perhaps they can dig further into Chinese influence in using Zoom. I am deeply concerned. The entire world has given up video/audio/screen/application privacy in a snap... for the data might be stored in Tianjin datacenter, needless to say whose keys are in the hands of CCP - I guarantee that but cannot provide proof.

Edit: past comments that were downvoted (and flagged): https://news.ycombinator.com/item?id=22657794

https://news.ycombinator.com/item?id=22684767

https://news.ycombinator.com/item?id=22663295

https://news.ycombinator.com/item?id=22705960

Not much. In particular, the fact that you sign up for accounts under company emails makes it much easier for them to selectively target based on which users look the juiciest. Even if the backdoor isn’t in the public code, it’s trivial to put in logic to have clients receive a different update when signed in with an account marked as “VIP” or whatever.

I made a comment a few weeks ago criticizing the Chinese government[1]. No flame war came of it, it wasn't flagged, downvoted to oblivion, or result in an "automatic ban." I'm not sure what you're saying to cause those things to happen, but it doesn't seem to be what you think it is.

[1] https://news.ycombinator.com/item?id=22490791

I am glad to hear. My perception is based on entire posts (not just comments) that were flagged due to extreme polarization of views. I can't find the thread but most comments that were anti-China were downvoted/flagged in that thread. I just have a general feeling, but I am glad to see your concerned voiced.

Zoom as a legal entity is a US company, headquartered in San Jose, California. So US law should apply.

https://en.wikipedia.org/wiki/Zoom_Video_Communications

I have noticed there has been a lot more downvoting here recently, really innocuous and innocent things as well. It might just be more traffic or a different type of traffic to the site while everybody is staying home.

And while I agree with your sentiment regarding the CCP, the comments you link lack the meat of the one you just posted. I'm not surprised they got a kicking.

> I am gonna fire off some anon emails to WSJ/NYTimes/WaPo/Guardian to create some awareness

Well done.

>There are things that I cannot say due to our employment contract and NDA, but to say the least, we are looking into this matter.

Who is "we"?

Pay no attention to the man behind the curtain.

In case it's not clear, I'm with you. Either you're in a position to state in what capacity you work or you're not. In the latter, don't hint at it. Just leave that out. It's useless, and more likely to make people doubt the validity of the vague claim.

I really hate to mention this, but this perhaps answered an question of mine about why quality of code in Zoom is so low.

When I installed Zoom for Mac for the first time, I noticed it took a while to start up and caused beachballing. So I grabbed a sample of the process via Activity Monitor. To my utter horror, the Zoom binary is shelling out by calling system(3) on the fucking main thread.

I just verified this is the case on the latest version of Zoom for Mac. The binary zoom.us.app/Contents/Frameworks/zmLoader.bundle/Contents/MacOS/zmLoader invokes system(3) on three separate occasions in two functions: -[ZPMBSystemHelper disablePTAutoRestoreWindow] and -[ZPMBSystemHelper disableConfAutoRestoreWindow].

And looking at what the string was, it's just a fucking call to defaults(1). Now I'm not a Mac programming expert but I cannot understand why Zoom needs to change its own preference settings this way. This just screams sloppy software engineering quality. I guess this is what you get when you outsource software engineering.

I would not be surprised at all if someone reports vulnerabilities in Zoom, whether deliberate or accidental.

It’s possibly just perception, but a week or so ago there seemed to be a mass of China versus US bickering and trolling, then the threads were all deleted. It was really grim. Dang seemed to be moderating it then presumably had to resort to killing the lot. Whoever they are, they do a great job.

I don't know about code quality, and I'm not ruling out privacy or security issues, but zoom must be doing something very right -- their rise to popularity regardless of there being plenty of free (!) alternatives has to come from somewhere.

It may be just anecdotal but their calls work flawlessly, regardless of number of participants, where other apps are just a laggy mess. So yes, their apps are just a means to an end and may be rushed and "low quality", but oh boy do they deliver.

Of course the CCP can intercept those videos, Snowden's book talked about how the NSA is doing what they are doing specifically because China was doing it.

It's not specific to Zoom, they intercept at the global fiber lines, they can watch ANY video they want.

So yes, the CCP can watch your videos and so can the NSA.

I'm willing to put a finer point on that: If there is some sinister force behind your work that you can't talk about, you can't hint at it either.

The organizations that are really that sinister will smash you just as hard for hinting that they're doing bad things under cover of darkness as they will for outright saying it.

If you can hint at it without being smacked down hard, the org you say you fear only has aspirations of evil world domination; it's not there yet.

Of course, maybe OP was scrubbed for hinting at it and we'll never know. Let it be a warning to others who would make vague hints of disclosure regarding their evil overlords.

It is hard for me to imagine being in Dang’s shoes. Probably daily trying to walk the line. Making tough decisions on when to put an and to inflammatory, unproductive, even abusive threads. All that, while striving to administer as ‘light’ a touch as possible, and foster a healthy, and conducive community.

It must be so stressful. I think it might drive me crazy. Doing thas job will never be perfect, but let’s all give a big ‘Thank you’ to dang (and any other admins?) who put in non-trivial work, to keep this place running smoothly!

Hey OP here, I am not working on some sinister corp. I work at a biotech startup. We are just concerned about IP theft than anything else. I can't edit the comment anymore...I just wrote down whatever, sorry if that was "hinting" to something more sinister.

By all means, ignore it.

I think it is probably a perception thing or may be not. Here is my opinion.

Dang is doing his job and it is tough. He is keeping this place sound and clean. Dang - nothing against you but I see some double standards for e.g. criticizing CCP has far more weight than criticizing western governments. No one gets offended for criticizing the UK Govt or the German Govt or the even the Indian Govt - but when it comes to criticizing the Chinese Govt... we can't do that, it is a flame war. If people get offended, so be it. If someone from China or of Chinese ethnicity is reading this criticism and doesn't like it...well, tough luck. The onus is on the person getting offended, not the offender.

This double standard needs to end (or as I see it through my own lens). Infact, we should be criticizing the CCP even more so than democratic governments.

Aaaaaaahhhh this is just so horrible. There is specific in-process C and Objective-C API for this. Someone should look at this app. Maybe I will if I finish up what I’m doing.

For what reasons would spy organisations in other countries care about the laws in California or the US and following them?

The question "What guarantee is there that the CCP is not intercepting/backdooring all video communications?" from luminati was towards Zoom, not towards any other orgnization. You might want read the question more carefuly.

"was towards zoom" -- that's your interpretation of the question.

I think it was more "can I feel safe as an end user wrt the risk that the CPP intercepting and listening".

You guys need to let me know that you have questions like this, assuming you want an answer. I don't have a mind reader (or even a software alert).

People get moderated here for posting flamebait about western countries and governments all the time. I'd be careful about that feeling that there's a double standard. It's a natural artifact of the well-known cognitive biases that affect these perceptions. You (i.e. everybody) are far more likely to notice, and to weight more strongly, the cases of moderation that you dislike or disagree with. That gives you a generalized image of what goes on here. But that image is just an inverse reflection of your own views. It's not based on the data as a whole. People with opposite views have the opposite image. To take the current topic, for example, they say that HN has an extremely anti-China bias, any comments that try to defend China or Chinese people instantly get downvoted, the mods are in on the racism, and so on. They have the opposite image to yours, but they have it for the same reason you do: they feel very strongly about the issue, and so when they run across instances in the data stream that touch (i.e. hurt) those feelings, it makes a strong impression. Those strong impressions accrue into an image of bias. But the data stream has more than enough data points to make every such impression. That's simply what you get at scale.

More explanation and links in this recent comment: https://news.ycombinator.com/item?id=22723626