Imagine someone rigged a bingo game. Every week, unsuspecting elderly people are swindled out of their money in a rest home’s auditorium. Now imagine there’s some kind of crisis and internet and TV break down. Many people suddenly look for different distractions. The only event available is that bingo game. Suddenly, instead of two dozen 90-year-olds, there are a few thousand people in the room. Immediately, several observant people spot the fraud, get angry, throw over the announcer’s table, and have the criminals punished for their deceit.
Now imagine there are ‘free’ communication platforms. You know, online places that allow video contact between people. Though the majority of working people have face-to-face contact in physical reality, a crisis like COVID-19 happens. Folks start working from home and start using platforms like FaceTime, Skype, Webex and Zoom en masse. What I am surprisingly happy to observe is that in a very short time masses of people demonstrate how they value their privacy, regardless of applicable law or jurisdiction. People start to look into the details of things, especially as their children are using the same stuff for school. Take Zoom:
Many, MANY findings follow each other in a very short time. A few examples: dodging Facebook doesn’t help much, as Zoom informs them about you anyway. GCHQ in the UK demands that the prime minister stop using the platform. Then it turns out Zoom’s understanding of end-to-end encryption is not really what the rest of the world thinks that means. And that’s just the start, as only a day later it turns out contacts and images have never been safe either. Then there’s no transparency at all about connections to LinkedIn, and ‘the hits just keep on coming’…
It seems as if Zoom does not know what a data protection impact assessment (DPIA) is. Or transparency. Or even privacy. It seems they wanted to throw something out there in the world and make money, fast. In whatever way. It seems that cowboy-like data sharing and monetization has been going on in the shadows. It seems they got away with it in the dark for a long time. Then, the auditorium filled up with an abundance of new people.
Under the stress of large adoption numbers, Zoom seems to simply crowdsource privacy and security issues. As if beta testing can best be done in crisis situations. But there comes a point where I’m about to consider giving props to Zoom.
However, this could all have been prevented. Moreover, there is zero assurance of what else is potentially wrong, or that nothing is. Privacy, the actual value of people, their data and a safe conversation environment are not items to play dodgeball with. This is not something to test as long as you can, until you get called out for change.
And I don’t know about you, but when I find out who defrauded my parents out of money at a bingo night, and they say ‘we won’t do it that way anymore’, that does NOT get kudos.
(edit 6 April: Bruce Schneier wrote a more in-depth blog about the issues around privacy and security at Zoom)