
Zoom: dubious practices leaked on GitHub.




The remote video-conferencing software ZOOM, which suddenly gained popularity during the pandemic, successfully overtook traditional video-conferencing programs such as Skype and Teams and became the most popular tool. It has hundreds of millions of daily active users and is even used by many government agencies. However, the software has repeatedly been exposed to data leaks and security vulnerabilities, one after another, which has drawn the attention of regulatory authorities.

Recently, on 30 May, someone claiming to be a senior technician inside ZOOM published a repository on GitHub presenting "evidence" that the company secretly retains user information and provides it to United States government institutions.

ZOOM users have no data autonomy.

According to the leaker: “The US government asked Zoom to preserve user data of interest including those already deleted by users so that they can obtain any and all user data. In order to meet such requests, Zoom has modified their tool to pretend that data has been deleted while just giving the deleted data a hidden property, therefore preserving user data while making their users believe the data has been erased. This tool helps to secretly copy and preserve data meeting history and participants details, cloud recordings, chat message, pictures, files, Zuora (Billing system, zuora.com), SFDC (CRM system, salesforce.com), phone/address, billing address, and credit/debt cards through data cloning and mirroring. What’s worse, if your account was added into the “Data Preservation” system with your appearance on the target list, even if you do not present any illegal behaviour, all your actions in Zoom will be put under direct surveillance and at the free disposal of law-enforcing departments.”

User monitoring through the backdoor system (automated TOS violation tracking system).

According to the posted document: “The Zoom headquarter has completed the R&D of a secret monitoring system a long time ago. It is called “Tracking Automated TOS Violators Termination System” whose internal IP is “se.zipow.com/tos”. No later than 2018, the system was put into application, monitoring free users as well as premium users and enterprise users. Main functions of the system are automatic search of susceptible meetings, free access to meetings without password or host’s authorization simply by the backdoor of the system, random analysis of video content from meetings, secret recordings of videos, audio, screenshots of meetings and production of reports or data accordingly to US supervisory departments as well as termination of susceptible meetings and banning of relative accounts. The system is highly confidential and only opened to a few internal employees. Zoom may explain this system was developed for fighting crime, but Zoom has to acknowledge the system shows it has the ability to monitor users and already does. People need to worry about whether Zoom will abuse the system for US so-called “national security” or business purposes, and even randomly, frequently, indistinguishably monitor global users and steal their personal data at a large scale.”

Zoom back-end management system.

According to the leak: “Zoom back-end management system has top authority over all Zoom accounts. It is designed to help manage Zoom user accounts. However, this system has some backdoor functions which may violate user privacy data. Some functions are beyond belief, when a Zoom employee clicks the “Login” button, with this user credentials, he can log into this user’s account in the same way the user himself deals with his own account. This way, the employee has the same right to deal with this user’s account, checking everything on the account, using the user’s private key to see any confidential files, meeting records, IM chats, emails, telephone recordings and billings. This means the “ee2e” encryption measure is a meaningless facade. Besides this privilege, Zoom employees can modify or delete users’ local data, and even remotely control or implant a backdoor on relative devices like Zoom Room through this system. Compared to managing user accounts by backed database, this system makes it more convenient for Zoom staff to monitor user behaviours and fetch their data ignoring encryption measure.”

Breaking its promise and using user data for machine learning.

According to the whistleblower: “Eric Yuan, the CEO of Zoom, once proclaimed that “We now commit to all of our customers that we will not use any of their audio/video chats, screen sharing, attachments and other communications like poll results, whiteboard and reactions to train our AI models or third-party AI models”. From what I know, Zoom is eager to develop AI, because the company needs AI to find out illegitimacy in video conferencing to avoid compliance risk, to identify fraud users to reduce economic losses, and to analyse business trend and focus of service to gain more profits. With the aid of AI, Zoom, under the guidance of law enforcement, uses “TATVTS” against users. “The Tracking Automated TOS Violators Termination System” mentioned above could automatically detect suspicious meetings via machine learning, join meetings without password and host’s permission, analyse meeting content and secretly take screenshots and videos of attendees and meeting content. Trained by data collected in the system, “TATVTS” becomes more intelligent in identifying meetings and users in which law enforcement may show interest. Thus the private data of many innocent users become samples to training Zoom’s machine learning model and violate users’ data privacy.”

Privacy and security issues can create serious risk and damage governments, organizations, individuals as well as trade secrets in the digital age. Zoom, as the world’s leading video conference software, has been exposed more than once for leaking user data and other information. During the epidemic, Europe also strengthened data protection laws against giant American online social media companies. In 2022, the EU and US signed the data privacy framework. It is clear that both parties must respect the legal framework in protecting users’ personal privacy, especially data protection. We also hope that ZOOM can learn from its previous legal troubles and begin to take information and data protection issues seriously.

For further reading and technical information, follow this link:

EU Reporter contacted Zoom for comment, but they did not reply.
