Blog post

How the COVID-19 Crisis Shows Privacy is a Foundational Value

By Bart Willemsen | April 03, 2020 | 2 Comments

Imagine someone rigged a bingo game. Every week, unsuspecting elderly people are swindled out of their money in a rest home’s auditorium. Now imagine there’s some kind of crisis, and internet and TV break down. Many people suddenly look for different distractions. The only event available is that bingo game. Suddenly, instead of two dozen 90-year-olds, there are a few thousand people in the room. Immediately, several observant people spot the fraud, get angry, throw over the announcer’s table, and have the criminals punished for their deceit.

Now imagine there are ‘free’ communication platforms. You know, online places that allow video contact between people. The majority of working people have face-to-face contact in physical reality, until a crisis like COVID-19 happens. Folks start working from home and start to use platforms like FaceTime, Skype, Webex and Zoom on a massive scale. What I am surprisingly happy to observe is that, in a very short time, masses of people demonstrate how they value their privacy, regardless of applicable law or jurisdiction. People start to look into the details of things, especially as their children are using the same stuff for school. Take Zoom:

Many, MANY findings follow each other in a very short time. A few examples: Dodging Facebook doesn’t help much, as Zoom informs them about you anyway. GCHQ in the UK demands the prime minister stops using the platform. Then it turns out Zoom’s understanding of end-to-end encryption is not really what the rest of the world thinks that means. And that’s just the start, as only a day later it turns out contacts and images have also never been safe. Then there’s no transparency at all about connections to LinkedIn, and ‘the hits just keep on coming’…

It seems as if Zoom does not know what a data protection impact assessment (DPIA) is. Or transparency. Or even privacy. It seems they wanted to throw something out there in the world and make money, fast. In whatever way. It seems that cowboy-like data sharing and monetization has been going on in the shadows. It seems they got away with it in the dark for a long time. Then, the auditorium filled up with an abundance of new people.

Under the stress of large adoption numbers, Zoom seems to simply crowdsource privacy and security issues. As if beta testing can best be done in crisis situations. But there comes a point where I’m about to consider giving props to Zoom.

At least they fix stuff. It’s good that skeletons get uncovered. It’s even more satisfying (at least to my gullible heart) that publicly there’s enough scrutiny of privacy matters to force these changes at scale and speed. Some of these changes are demoed in Zoom’s ‘message to our users’. In short: a blog post helping users guard against “Zoombombing”, action to ‘remove the Facebook SDK in our iOS client’, and eventually the encryption issue gets clarified (somewhat). Eventually the privacy policy was updated (which usually better reflects what happens, but doesn’t always make what happens right).

However, this could all have been prevented. Moreover, there is zero assurance of what else is potentially wrong, or that nothing is. Privacy, the actual value of people, their data and a safe conversation environment are not items to play dodgeball with. This is not something to test as long as you can, until you get called out for change.

And I don’t know about you, but when I find out who defrauded my parents out of money at a bingo night, and they say ‘we won’t do it that way anymore’, that does NOT get kudos.


(edit 6 April: Bruce Schneier wrote a more in-depth blog about the issues around privacy and security at Zoom)

Comments are closed


  • Frankly, I think it shows exactly the opposite. Here is the analogy: TSA in the US relaxed some rules such as now it is “OK to carry a sanitizer > 12 ounces [>300 ml]” and many perhaps realized that the rule was BS in the first place.

    Now, to save lives, some privacy rules (like US HIPAA rules) are being relaxed, and I bet people realize that they were silly in the first place and need not be reinstituted…

    #letsfight 🙂

    • Bart Willemsen says:

      Hi Anton,
      Frankly I don’t think these rules are silly at all. In fact, we can see something like the GDPR in the EU needs no adjustment and stands tall, simply because it’s principle-based and not rule-based. It would be silly to think ‘privacy’ opposes ‘saving lives’. Proportionality and subsidiarity remain key items here, and if one can’t protect the data they’re processing, they shouldn’t collect it in the first place.
      #letsnot #keepthepeace