If Zoom "takes its users' privacy extremely seriously" and their "customers’ privacy is incredibly important" then why would they be releasing software without a strong knowledge of what third party code they're adding in, and what exfiltration might be happening as a result? They hold user privacy in such high regard and yet are releasing a program without even hooking it up to a network monitor for five minutes?
This is absolutely common. Business will require tracking/authentication/etc, contracts will be signed, developers will implement the provided SDK. Nobody will inspect the data being sent.
> releasing a program without even hooking it up to a network monitor for five minutes
How many times have you seen anyone do that? Unfortunately that is the reality - my personal take is to simply try to avoid vendor libraries at all costs, but it's hard to sell.
Oh I don't doubt the practice is common, but for an organisation making their claims about privacy it is at odds with their slapdash approach to development.
I guess this is another under-recognized benefit of developing for the web - when doing so, you're staring at the Network tab all day, trying to grok what's going on over the wire and to whom. I don't remember doing this nearly as much on native.
Yeah, that's the thing. I do very little web development, but I inevitably find myself in the Network tab of dev tools debugging something. I do around as little mobile (Android) development, and I'm not even really sure how I'd watch network traffic coming from an Android app. (I'm sure it's possible, but I imagine it requires explicit setup, possibly with some third-party software and/or the assistance of a laptop.)
If you have a router running something like openwrt (or from a vendor that uses openwrt and lets you get a root shell on the router) you can just use tcpdump on the router with a filter to pick the host you want to monitor.
mitmproxy or Charles proxy on your laptop. Charles proxy also has an iOS version, I imagine there is something similar that can run directly on Android.
Take npm as another example, in a large corporation, any commercial product that relies on third-party npm packages will have to survive a long legal audit process.
>This is absolutely common. Business will require tracking/authentication/etc, contracts will be signed, developers will implement the provided SDK. Nobody will inspect the data being sent.
That's exactly the point. Zoom says they care deeply about privacy, but their actions demonstrate they don't. Doesn't matter how common it is, or the reasons why it happened, it's proof positive that their statement is untruthful.
I for one don’t think Zoom is being malicious here. I imagine plenty of other apps out there are doing the same right now, by naïvely making use of FBook’s SDK.
I don't yet have a comment on whether they acted maliciously by permitting user data to be exfiltrated to third parties without their permission, but to make categorical falsehoods about the importance they place on privacy is malicious in of itself.
While I think one shouldn't read too much into PR statements like those, I don't think it's useless to call them out either, especially when they use very strong words like "extremely seriously" and "incredibly important".
If the defense is the practice being common then there isn't anything special about Zoom regarding user privacy, is it.
Someone's lying here.