Zoommorons — people who continue to use Zoom in spite of the company’s complete privacy and data protection failures. Not to be confused with Zoomorons who are the people you see at the zoo wearing tie dye panda t-shirts while eating Dippin Dots. I am only a member of the former — but trying to quit.
Everyone else is writing about Zoom and what an utter Icarus story their last 45 days has been, so why not pile on? It’s easy to pick on them though, for the most part, I’m not sure how much worse they are than any of their competitors. But they are in the zeitgeist as the video conferencing platform of choice right now and they did 10x their user base already this year. Perhaps the scrutiny is deserved. Let’s just recap Zoom’s sins of late. First, they were maligned for a rather insidious set of default settings which allowed the meeting host, and them, to capture quite a bit of user & meeting data. After that it was them selling user data to Facebook, which is really not uncommon but poor form if you ask me. Next we found out how easily Zoom meetings could be hijacked by a brigade of “Zoom bombers” executing the creative and IQ equivalent of the prank calls I used to do when I was twelve. There’s more, full Zoom meetings started showing up for download on Torrent sites. And last, but by far the most concerning, the University of Toronto discovered that Zoom uses key management servers in China. I’m going to set aside most of Zoom’s sins since I think a lot of communications platforms are similarly weak and sell user data. Actually, pretty much everyone sells user data but that’s a whole other Oprah. Using key management servers in China, though, is not just poor form, its willfully negligent, to use a term that probably has some legal meaning that someone will officiously point out in the comment section. Given the above, my conclusion is simple. No one should ever use Zoom. I feel that way about a lot of things that are likely not going away though, (e.g. WhatsApp, TikTok, Ring, Alexa, the IRS, and male Capri pants). Since Zoom is probably also not going away, and though no one asked me, I thought I would share some techniques to better interact with Zoom regardless of how the host has the meeting configured.
Before the how-to, let’s talk a little bit about what an epic bad decision it was to put key management servers in China. And to be clear, it’s such a bad idea that I don’t believe there’s any way it was done by accident or without full understanding of the fact that it is a breach of user trust. It would be like saying Thelma & Louise accidentally drove off a cliff. Think of the key management server like the shared bathroom key in a 3rd grade classroom. Zoom claimed that their platform facilitated end-to-end encryption. That’s like saying every student in the classroom has their own bathroom key and they can go to the bathroom without asking anyone, and, without anyone seeing what they did there. For the 3rd graders who want to smoke in the bathroom this would be an ideal set up. What Zoom actually had was a key at the teacher’s desk and everyone has to ask permission in order to use the key for the bathroom. The teacher has full control to allow, or intercept, review, and then allow access. The worst part about my absurd little analogy is that in Zoom’s case some of the teachers are in China.
So what? Internet traffic routes through servers all over the world — it’s not a point to point system. I’m sure at least some people think it’s histrionic to constantly make China the boogeyman in the corner opposite privacy. I think, however, their role in the degradation of privacy is actually understated. The Chinese “Great Firewall” is known to perform numerous intercept, filtering, and probing attacks against any data that flows through servers in the mainland, and especially servers that handle data originating outside of the mainland. Without getting into detail that I don’t really understand anyways, you can just assume that if packets ever route through any server in China it means that they were intercepted, decrypted, analyzed by their AI content filtering, and only then, and only if approved, will the data flow to its intended recipient(s). Now that Zoom is the default platform for corporate meetings, impromptu happy hours, home workout classes, and even AA meetings, we should think carefully about our collective exposure.
It’s obvious that handling proprietary intellectual property on Zoom is a bad idea. Or at least it is now. I’ve used Zoom for work related calls, and I regret it. I should have investigated the platform more before subscribing. Since I’ve given myself a pass, I think we can all get a pass. What is not acceptable is the continued use of Zoom given what we know now. Maybe it’s not a big deal to have idle chats about tigers and whether love is blind with your friends on Zoom, but doing any kind of sensitive communications over Zoom is folly. I’ve seen a couple articles written about how AA meetings have pivoted from church basements to Zoom over the last month and I think they are a good example of the risk at hand. It’s probably apparent that Boeing shouldn’t brief fighter jet designs over Zoom. The obvious cases are, well, obvious. But what about something like AA? I doubt there’s much discussion of corporate IP or state secrets in that community. But, if the meetings are anything like we saw in The Wire, there’s a lot of talk about past crimes & indiscretions, debauchery, and, thankfully, recovery and growth. You wouldn’t invite an outsider into the boardroom at Boeing, just like you wouldn’t invite a non-alcoholic to an AA meeting. In either case, when you do your meeting over Zoom, you’ve done just that and its worse since the meeting and your account are associated, in most cases, with your real name and your email address. Do you really want a digital record of your personal conversations filtered by AI?
Maybe Zoom will clean up their act, use a better version of AES encryption, enable end to end encryption, and revoke the key management servers in Beijing. I doubt it though. They have 700 employees in China. Unless they repatriate all of those jobs to sunny Duluth, Zoom will continue to have adverse exposure. I also think it’s unlikely that all 200 million Zoom users will collectively walk out and find a better option. We have a choice then. We could just decline any call or meeting on Zoom from way up on our moral high ground, or we could approach Zoom more deliberately. The trick is to use some attribution management in your personal interaction with the Zoom platform. It won’t solve the content problem, but at least your attendance won’t be known, and your account won’t tie strongly back to your identity.
Now for the how-to part. If you must join a Zoom meeting, please take the 30 minutes out of your morose, quarantined day to set up a new Zoom account with the following technique:
1. Get an email alias service. These services allow you to generate single purpose email aliases that route to your actual inbox. I use AnonAddy. It works by giving you the option to generate random email addresses like email@example.com or ownership of all aliases within a certain domain. Either way AnonAddy creates a hop and layer of obfuscation between the sender and your actual inbox. For instance, you might get the domain @whinniethepooh.anonaddy.com and then all emails regardless of what precedes the “@” will route to your primary inbox. In that case I might create an alias like Zoom@whinniethepooh.anonaddy.com and just use that for my Zoom account. The point here is that we never give our actual email address to Zoom. And we never use the address we give to Zoom anywhere else.
2. When you go through the sign-up steps, be sure to generate a unique password for Zoom. Just like with the email account, you only use it with Zoom, and you store it in your password manager.
3. Don’t refer friends or colleagues when Zoom asks you on step 3. C’mon guys.
4. Don’t use your full name on your account. Use your initials if you must, or a fun moniker like “Joel Osteenager.”
5. Before you connect to any Zoom meetings engage a VPN. Make sure that VPN was purchased anonymously. I like Mullvad or ProtonVPN. Let’s consider Mullvad though. They give you the option to pay with Bitcoin or Bitcoin Cash. Don’t pay with Bitcoin Cash. It’s the dunce hat of cryptocurrencies. Bitcoin, however, allows you to pay pseudonymously. I would always at least pay from a Coinjoin wallet like Samurai, but the really savvy move is to pay with Monero using xmr.to to route the payment. I know you are thinking that this is a tall order for the average person. That’s why I picked Mullvad as an example. They also let you mail them cash for your account. I’m pretty sure we can all handle that.
6. Lastly, and this is going to really blow your minds, put a small piece of painter’s tape over your camera. Keep it there unless you definitely want to use the video function. As we’ve seen with some of the hilarious Zoom outtakes of people working from home naked without realizing their camera is on, it’s easy to make mistakes. Use the painter’s tape.
The above is not a perfect defense. It does, however, limit your identifiable exposure to Zoom so that you can join a few Zoom meetings without having to sit on the sidelines scolding everyone in your head for how unenlightened they are. If you have the option, though, use better platforms like Signal for peer to peer conversations, Skype (since they use the Open Whisper crypto libraries developed by the Signal community), or host your own Jitsi server. We just rolled one on our own secure infrastructure for our Halo Privacy clients and it works great so far.
*Note — Zoom has definitely been trying to respond to criticism and has implemented some fixes as well as agreed to pen testing among other technical solutions. Also, they donated a massive number of accounts to K-12 schools to facilitate remote education in the US. Their C.E.O. admits fault and at least seems contrite which is nice to see given that most executives these days prefer to have their PR rep read prepared remarks from their Chief Counsel. So maybe Zoom isn’t the devil, like, say, Google.