Not a bad way to entice business customers to pay.
I rather zoom become a product that earns money by providing value to customers, rather than having the "customer" as the product like google's offerings.
You're kidding right? I routinely decline meetings where zoom is used. Good UX doesn't wash away corporate douchebaggery or outright and intentional compromise.
I would argue that cutting corners when it comes to data protection in favor of feature development is a very different tradeoff than intentionally building a monetization strategy around selling said data.
I do feel that the data residency law should be respected regardless of whether a customer is paying or not. Otherwise it's like a restaurant offering not to spit on your food if you paid for the premium service...
Slack is worse. If you don't pay, not only do they not give you access to >10k messages, but they still store those messages and don't allow you to do things like delete them.
It doesn't. Big companies who want to be gdpr compliant buy enterprise Slack and force slack to store the data in European datacenters. Slack doesn't give a shit about gdpr if you're not paying
Depends: Do they not delete the data if you explicitly contact them and tell them to do it, or do they just not give you a convenient button in the UI?
I never really thought about it before, but the non-deletion might offer Sarbanes-Oxley protection which could lead to publicly traded companies being more tolerant of teams using slack without clearing it through central IT.
Doesn't seem like a particularly bad idea to me - I'd much rather they were making money from paying corporate customers, rather than making money selling users data....
I highly suspect the vast majority of home users, who are using Zoom to host weekly quiz nights with friends, particularly care about strong encryption....
Tim Cook had it right with "Security isn't a feature"
I'll liken it to healthcare despite the US not figuring this out yet. Healthcare for all helps everyone, which consequently is a value creating proposition. The fallout from a lack of healthcare negatively impacts the rich in the longterm
When security is widespread, everyone benefits. A culture which make security default off is one that throws everyone under the bus for nickles & dimes. You don't vaccinate only 10% of the population
While I agree with your overall point, it’s worth pointing out that Apple doesn’t really do a lot of freemium stuff, so Cook’s comment should be taken in the context of having nearly all customers who have already paid up.
This is exactly what free users get when using zoom.
Up to 3 people in a meeting is unlimited. Over 3 is limited to 40ish minutes.
The Facebook pixel SDK etc etc stuff you're probably thinking of got removed from recently updated clients. Check out their privacy policy to have a look at the actual data they retain from actual meetings. it's fairly limited and only to do with account management / meeting management from what I recall.
Security is a spectrum. The only way to ensure security in communications is not to communicate. Also every improvement in security comes at a cost and even when it's "obvious" the security feature is worthwhile people's experience of the feature may be different. Spoofing and eavesdropping can be fatal but in a lot of ways "I can't communicate with this person" is the biggest threat and all security features occasionally or frequently impair people's ability to communicate.
It's not like Apple prices its products to be in reach of the vast majority of the world population. Apple's business model precludes it from being generally "widespread".
Zoom I've always thought must have pretty strong security if configured correctly (obviously that's a big if) It is currentLy in use by the Chinese Academy of Sciences (CAS). CAS is sort of like a mix of NSF, NIH, and DARPA all rolled into one. About 20% of their research supports the People's Liberation Army (PLA) for things like encryption research, so I assume they know what they're doing.
This is technically a white label I guess you would say, but if you download the code, a majority of the files begin with the prefix Zoom and what not: https://cc.cstcloud.cn
Why have you thought that? The actual security of the system has been dissected already.
They took RTP and just encrypted the data with ECB mode, using the same keys on every node. It's what a child would do, or somebody who either didn't know or didn't care to do better.
Well over a decade ago the standard way to do that (named SRTP following the usual convention) uses a counter mode instead of ECB, with separate keys on each node. That's still pretty poor, but it's like SRTP is a Yale lock and what Zoom chose to do is use one of those "handcuff key" locks that's just a single lever. Can a specialist open that Yale lock? Yeah, probably in a minute or two, with the right tools - but any idiot can open the handcuff key lock with a bent twig, it's not security it's the barest effort to not just emit plaintext.
404 currently so I haven't read it, but that acqui-hired Keybase team is surely leaving... Its motto was literally [double-checks] 'crypto for everyone'.
It may not be related, but the homepage now instead has phrases like 'for things that matter', and the slogan at the bottom is 'because safety first'. I can't be certain, but I think it said 'for everyone' on the site too, not just app-stores pre-Zoom.
It's a real shame, but I did start my de-Keybasing yesterday. Making it profitable without losing the acqui-hired team would obviously be best for users, but I think most likely is axing it, followed by butchering it into a niche security nerd product without the interest or direction of the original team.
Another thing you need to know. Zoom will charge you automatically next year, you have to cancel the subscription by yourself. What is disgusting is that the menu is hidden in the zoom webportal!
I think 99.99% of the customers don't know it will renew(charge again) automatically and don't know how to cancel it.
Sanctioned under what CC rules? They provide a way to cancel your subscription (which just lets it run out) in the settings.
Now, if they required you to, say, mail a letter to cancel, I could understand a chargeback. But a chargeback because you didn’t Google “how to cancel Zoom subscription” is overkill.
Which service that gives "$X per year"/"$Y per month" pricing doesn't automatically renew? And at least for me, it clearly shows "$X billed today, recurring yearly/monthly payment $X" when going to order a subscription?
You can cancel and your subscription will keep running until the end date when it otherwise would renew. Exactly the same as Spotify, Netflix, and the majority of other subscription services that "99,99%" of customers likely are familiar with.
This may not be nice or demonstrating customer obsession but it is probably a good way for them to make money with business customers.
For better or worse Zoom has obtained “iPhone status” in corporate IT.
What killed the Blackberry was when decision makers had a personal iPhone and a work Blackberry and they finally turn up in the head of IT’s office and say “hey these things you’re making us use really suck, please just make it so we can use these iPhones which are soooo much better.”
I see exactly the same thing happening now with Zoom. I see IT types saying “but encryption” yadda yadda yadda and decision makers tuning up saying:
“This conferencing software you’re forcing us to use really stinks. I had a meeting with our soccer parents group on Zoom and it was so much better. Please switch us to this.”
A product that reaches that status stands to really disrupt the enterprise if they’re smart and take advantage of it.
This is exactly it. Zoom is easy and pretty pleasant to use, but more importantly the execs that used to be able to just drag people into rooms and now find themselves having to use virtual rooms don't want to have to think about the tool. At the top tier bank I currently work for we switched to Zoom first on a trial basis beginning about a year ago, so way before the pandemic struck, so we'd mostly already switched. When the pandemic hit though, and 200+ attendee meetings became a thing, the higher ups realized just how smooth Zoom can be and went all in. Now there are conversations about how to enable screen sharing via zoom since we still need to use Citrix to log on to machines, rather than just having access to a VPN. A year ago, that was a no-go zone in discussions with IT, but now in no small part thanks to zoom it's a serious conversation.
If zoom can capitalize on this and stay the darling of enterprise while simple enough that anyone cares to use it, at low cost, they'll absolutely dominate this space within a couple of years I'm sure. I'd be surprised if they aren't acquired by Apple, Google or Microsoft, frankly.
I'd be very surprised if Google or Microsoft acquired them because it would set them back close to $90bln (75% premium on market cap). Google and Microsoft IMO will give Zoom the treatment Snap received from Facebook. Imitate all features, integrate them into large ecosystem and user base, then ignore them into irrelevance.
We use GSuite and Google Meet, there is already some features from Zoom that are recently added like a better tiled/grid layout, and I believe some moderation features are coming out soon.
We already have many Google Meet room with dedicated hardware and it's quite intuitive to use.
Microsoft have already started doing that. Recent version of Teams have supported more than 4 camera visible on any one screen and virtual backgrounds. Popular features Zoom has had for a while.
It was the other way around for me. I used to use hangouts for personal calls and zoom for work calls. Zoom was so much better I started using it for personal calls. My friends at some of the “popular” companies who use their in house tools bemoan how much they suck compared to Zoom now. So yes you’re right. But outside those popular companies zoom and webex has been the standard enterprise tools. Zoom especially has been popular among enterprises way before the pandemic.
Edit: their conference room support with the iPad app was especially good. Most people won’t use that in a personal capacity. But it’s one of the biggest selling points at enterprises. People just find it easy to use. I don’t remember us calling “AV support” in a long time.
Jitsi doesn't perform as well as Zoom for a ton of people, and most people outside of tech circles haven't heard of it. It's a miracle people are using Zoom instead of webex or Teams/Lync, honestly, since those have both been around forever.
> Gennie Gebhart, a researcher with the Electronic Frontier Foundation who was on Thursday’s call, said she hoped Zoom would change course and offer protected video more widely.
> But Jon Callas, a technology fellow of the American Civil Liberties Union, said the strategy seemed a reasonable compromise.
> Safety experts and law enforcement have warned that sexual predators and other criminals are increasingly using encrypted communications to avoid detection.
> “Those of us who are doing secure communication believe we need to do things about the real horrible stuff,” said Callas, who previously sold paid encryption services
Why do people still believe that preventing civilians from using encryption is going to stop criminals? Is there a name for this fallacy?
What does Zoom’s premium subscription offer? Jitsi supports unlimited participants and runtime for free, and soon E2E encryption.
> Why do people still believe that preventing civilians from using encryption is going to stop criminals? Is there a name for this fallacy?
After a quick search i found the base rate fallacy which maybe could be applicable (no idea if it is really).
> If presented with related base rate information (i.e. generic, general information) and specific information (information pertaining only to a certain case), the mind tends to ignore the former and focus on the latter.
There's also the general fallacy around security (a non technical term I've made up on the spot):
> The only truly secure computer is one that is disconnected from any and all networks, turned off, buried in the ground, and encased in concrete. But that computer isn't terribly useful.
Kinda applies to both parties of the argument because there's often an idea behind both that there is such a thing as "perfect security".
> What does Zoom’s premium subscription offer? Jitsi supports unlimited participants and runtime for free, and soon E2E encryption.
The biggest thing around this is to remember that >90% of users are not tech nerds:
* The Jitsi webclient isn't the nicest UI and a nice UI is really important for non-nerds.
* Jitsi Dial in options are a bit limited (from what I remember, could be wrong). Zoom offers a package for toll-free dial in in US + Canada, for example.
* No dedicated support for Jitsi (unless you know how to create a GitHub ticket and scoure through forums).
* There's no dedicated physical meeting room connector service for Jitsi.
* Also don't think there's any sign up for Jitsi. So while zoom has the problem that anyone with an email address can join a meeting, Jitsi has the problem that anyone with the meeting ID can join a meeting. This then becomes a problem when you want to report a user.
* Jitsi meeting IDs can be lower entropy compared to Zoom. Often they're just names for the meeting.
* Join the Jitsi meeting called "test" and you can see the problem with the last two points
Ive set up local public (ish) nightly meetings on Zoom and help to maintain it. Several people have talked about Jitsi and Google services. In a ideal world I would set up a private and dedicated Jitsi server at home for it. But it's not an ideal world and that's too much maintenance for me to do.
Zoom basically provides a decent feature set, with a nice and intuitive UI, and all the set up is handled by Zoom for you. For people who "just want the thing to work so I can do stuff" it makes sense.
> Why do people still believe that preventing civilians from using encryption is going to stop criminals? Is there a name for this fallacy?
If there is no name for this, I suggest Congressman fallacy, since they're mostly clueless about this kind of stuff technology-wise and use But Think Of The Children™ as an argument to erode the privacy of its citizens.
Zoom will still get hacked if the minimum security isn't enough, then they will have to blame their potential customers for their own problems while their brand is smeared.
72 comments
[ 3.3 ms ] story [ 174 ms ] threadUp yours, Zoom. First you installed unauthorized web servers on people's computers, then you transmitted our data to Facebook.
Fuck Zoom.
I rather zoom become a product that earns money by providing value to customers, rather than having the "customer" as the product like google's offerings.
How does that work with GDPR?
I highly suspect the vast majority of home users, who are using Zoom to host weekly quiz nights with friends, particularly care about strong encryption....
I'll liken it to healthcare despite the US not figuring this out yet. Healthcare for all helps everyone, which consequently is a value creating proposition. The fallout from a lack of healthcare negatively impacts the rich in the longterm
When security is widespread, everyone benefits. A culture which make security default off is one that throws everyone under the bus for nickles & dimes. You don't vaccinate only 10% of the population
Up to 3 people in a meeting is unlimited. Over 3 is limited to 40ish minutes.
The Facebook pixel SDK etc etc stuff you're probably thinking of got removed from recently updated clients. Check out their privacy policy to have a look at the actual data they retain from actual meetings. it's fairly limited and only to do with account management / meeting management from what I recall.
This is technically a white label I guess you would say, but if you download the code, a majority of the files begin with the prefix Zoom and what not: https://cc.cstcloud.cn
They took RTP and just encrypted the data with ECB mode, using the same keys on every node. It's what a child would do, or somebody who either didn't know or didn't care to do better.
Well over a decade ago the standard way to do that (named SRTP following the usual convention) uses a counter mode instead of ECB, with separate keys on each node. That's still pretty poor, but it's like SRTP is a Yale lock and what Zoom chose to do is use one of those "handcuff key" locks that's just a single lever. Can a specialist open that Yale lock? Yeah, probably in a minute or two, with the right tools - but any idiot can open the handcuff key lock with a bent twig, it's not security it's the barest effort to not just emit plaintext.
Edit: It's so odd what gets downvoted sometimes. Anyone care to enlighten me on what could be controversial about my statement?
It may not be related, but the homepage now instead has phrases like 'for things that matter', and the slogan at the bottom is 'because safety first'. I can't be certain, but I think it said 'for everyone' on the site too, not just app-stores pre-Zoom.
It's a real shame, but I did start my de-Keybasing yesterday. Making it profitable without losing the acqui-hired team would obviously be best for users, but I think most likely is axing it, followed by butchering it into a niche security nerd product without the interest or direction of the original team.
Now, if they required you to, say, mail a letter to cancel, I could understand a chargeback. But a chargeback because you didn’t Google “how to cancel Zoom subscription” is overkill.
Then there's an orange "add/edit subscription" link and a "cancel subscription" link.
The process is well documented in an article on their help centre.
A simple DuckDuckGo search brings up the help centre article as one of the first results.
Pretty much the exact opposite of hidden.
For better or worse Zoom has obtained “iPhone status” in corporate IT.
What killed the Blackberry was when decision makers had a personal iPhone and a work Blackberry and they finally turn up in the head of IT’s office and say “hey these things you’re making us use really suck, please just make it so we can use these iPhones which are soooo much better.”
I see exactly the same thing happening now with Zoom. I see IT types saying “but encryption” yadda yadda yadda and decision makers tuning up saying:
“This conferencing software you’re forcing us to use really stinks. I had a meeting with our soccer parents group on Zoom and it was so much better. Please switch us to this.”
A product that reaches that status stands to really disrupt the enterprise if they’re smart and take advantage of it.
If zoom can capitalize on this and stay the darling of enterprise while simple enough that anyone cares to use it, at low cost, they'll absolutely dominate this space within a couple of years I'm sure. I'd be surprised if they aren't acquired by Apple, Google or Microsoft, frankly.
We already have many Google Meet room with dedicated hardware and it's quite intuitive to use.
Edit: their conference room support with the iPad app was especially good. Most people won’t use that in a personal capacity. But it’s one of the biggest selling points at enterprises. People just find it easy to use. I don’t remember us calling “AV support” in a long time.
WebEx over Jitsi?! I must be missing something huge, here.
> But Jon Callas, a technology fellow of the American Civil Liberties Union, said the strategy seemed a reasonable compromise.
> Safety experts and law enforcement have warned that sexual predators and other criminals are increasingly using encrypted communications to avoid detection.
> “Those of us who are doing secure communication believe we need to do things about the real horrible stuff,” said Callas, who previously sold paid encryption services
Why do people still believe that preventing civilians from using encryption is going to stop criminals? Is there a name for this fallacy?
What does Zoom’s premium subscription offer? Jitsi supports unlimited participants and runtime for free, and soon E2E encryption.
Even if you take his perspective, why is child porn OK in the enterprise?! Especially after Jeffrey Epstein?!
I’m reminded of when the ACLU defended a white supremacist and many were upset, even to the point of leaving the ACLU.
After a quick search i found the base rate fallacy which maybe could be applicable (no idea if it is really).
> If presented with related base rate information (i.e. generic, general information) and specific information (information pertaining only to a certain case), the mind tends to ignore the former and focus on the latter.
https://en.m.wikipedia.org/wiki/Base_rate_fallacy
There's also the general fallacy around security (a non technical term I've made up on the spot):
> The only truly secure computer is one that is disconnected from any and all networks, turned off, buried in the ground, and encased in concrete. But that computer isn't terribly useful.
Kinda applies to both parties of the argument because there's often an idea behind both that there is such a thing as "perfect security".
https://particular.net/blog/the-network-is-secure
Theres also possibly some agenda bias going on.
--------
> What does Zoom’s premium subscription offer? Jitsi supports unlimited participants and runtime for free, and soon E2E encryption.
The biggest thing around this is to remember that >90% of users are not tech nerds:
* The Jitsi webclient isn't the nicest UI and a nice UI is really important for non-nerds.
* Jitsi Dial in options are a bit limited (from what I remember, could be wrong). Zoom offers a package for toll-free dial in in US + Canada, for example.
* No dedicated support for Jitsi (unless you know how to create a GitHub ticket and scoure through forums).
* There's no dedicated physical meeting room connector service for Jitsi.
* Also don't think there's any sign up for Jitsi. So while zoom has the problem that anyone with an email address can join a meeting, Jitsi has the problem that anyone with the meeting ID can join a meeting. This then becomes a problem when you want to report a user.
* Jitsi meeting IDs can be lower entropy compared to Zoom. Often they're just names for the meeting.
* Join the Jitsi meeting called "test" and you can see the problem with the last two points
Ive set up local public (ish) nightly meetings on Zoom and help to maintain it. Several people have talked about Jitsi and Google services. In a ideal world I would set up a private and dedicated Jitsi server at home for it. But it's not an ideal world and that's too much maintenance for me to do.
Zoom basically provides a decent feature set, with a nice and intuitive UI, and all the set up is handled by Zoom for you. For people who "just want the thing to work so I can do stuff" it makes sense.
If there is no name for this, I suggest Congressman fallacy, since they're mostly clueless about this kind of stuff technology-wise and use But Think Of The Children™ as an argument to erode the privacy of its citizens.
Or I could just be completely wrong about that. If that turns out to be the case I'll just use it in-crowd.
Zoom will still get hacked if the minimum security isn't enough, then they will have to blame their potential customers for their own problems while their brand is smeared.
It's not about how hard it is to break but rather where it's encrypted/not.