Zoom Video Communications, Inc.

The BigBrotherAward in the Communications category goes to Zoom Video Communications, Inc., which as a US-based company is obliged to share data with intelligence services, but still claims to be in compliance with the GDPR. Since a relevant part of its development takes place in China, Zoom is also subject to Chinese control and censorship. The award also goes to all organisations, in particular those working on human rights, the environment and the climate crisis, who use Zoom and therefore expose their participants to surveillance, even though free and privacy-friendly alternatives are available.
padeluun at the lectern of the BigBrotherAwards 2021.
padeluun, Digitalcourage

Humanity has been haunted by a multitude of epidemics. To name just a few:

  • 2500 BC and on and off since 1500: the plague

  • 1494: syphilis

  • 1870: smallpox

  • 1817 to this day: cholera

  • since 1901: typhoid fever

  • since 1918: influenza (yes, this was a thing even before Instagram)

  • 1980: AIDS, which snatched away some of my acquaintances

  • 1992: Windows 3.1

  • 2002: SARS, and

  • lately, in 2020: COVID-19,

and of course we now think that this last one is over, so we have filed it away under those diseases that we can defeat with regular vaccinations.

But this Covid, in addition to its sometimes catastrophic progression, has had another and mostly unknown side-effect, which is also quite hard to eradicate. This side-effect has a name. This side-effect is called, “Zoom”.

The BigBrotherAward 2023 in the Communication category goes to the video-conferencing system Zoom, or rather, to all people who use Zoom.

The name has even become a verb now. The meaning of the verb “to zoom” is: “to blabber out secrets, while being watched by secret services and companies from various countries, and disclose one’s complete relationship network at the same time.”

What is Zoom? And why is Zoom terrible?

Zoom is the attempt to pull people who want to communicate with each other in a videoconference into the vortex of surveillance capitalism.

Let me quote from Zoom’s privacy statement what data they actually store and process:

  • Information commonly used to identify you, such as your name, user name, physical address, email address, phone numbers, and other similar identifiers

  • Information about your job, such as your title and employer

  • Credit/debit card or other payment information

  • Facebook profile information […]

  • General information about your product and service preferences

  • Information about your device, network, and internet connection, such as your IP address(es), MAC address, other device ID (UDID), device type, operating system type and version, and client version […]

  • Other information you upload, provide, or create while using the service (“Customer Content”)

And they continue: “We collect this data to provide you with the best experience with our Products. Mostly, we gather Personal Data directly from you, directly from your devices, or directly from someone who communicates with you using Zoom services, such as a meeting host, participant, or caller. Some of our collection happens on an automated basis – that is, it's automatically collected when you interact with our Products.”

Inadequate data protection and flaws in IT security at Zoom have frequently been featured in media reports. And each time, here and there people were stitching together this legend that Zoom wasn’t so bad after all. True, some obvious security holes were plugged. But how about data protection? Zoom is trying to apply some magical white ointment made from fairy dust and snake oil instead. They even roped in Deutsche Telekom, the former state monopolist, as a European alternative.

Deutsche Telekom introduced the “Zoom X” project in a press release, alleging that this would make the use of Zoom in Germany compatible with the law.

I asked a friend for his opinion at the time. He looked at the press release and said:

  • This Zoom X is aimed at business customers only. Private customers still pay with their personal data.

  • Deutsche Telekom doesn’t actually seem to be involved at the technical level, apart from providing dial‑in numbers for “retro” customers.

  • An example quote from the Telekom press release: “all meeting data from participants in Germany are processed on servers located in Germany.”

  • This overly specific terminology, “meeting data”, does not address whether other personal data or meeting metadata still ends up at the Zoom headquarters. This has been the case for all available Zoom offerings so far, and it is unlikely to change.

  • Telekom does not say who actually operates these servers in Germany. This leaves open the possibility that they are nothing more than resellers of the “vanity URL” solution. A vanity URL, let me use the fictitious example domain “universitaet.de”, does not mean that the servers are actually located in Germany. They might just as well be in the USA, or perhaps in Bulgaria. And in any case, meeting data and user metadata always end up in the “Public Zoom Cloud” – which is located on US computers. It is impossible to use Zoom in Europe in accordance with the GDPR – and the place of jurisdiction is: California.

A company like Zoom, which is based in the USA, is subject to the Cloud Act, the Patriot Act, and the FISA Act (Foreign Intelligence Surveillance Act). The effect of these laws is that a company based in the USA must hand over all data about non-US citizens to the US intelligence agencies. No matter where the servers are that run the services. No matter what nice promises are made in the privacy statement. Companies are not even allowed to inform the people affected when their data has been shared.

It is known that Zoom has good relations with the People’s Republic of China. This is where their development section, with 700 employees, is located. This also used to be where cryptographic keys were generated, and it has come to light that the routing of conference content would sometimes take a detour through China as well. Also, conferences have been actively censored if “Tian’anmen square” was mentioned in the exchanges.

And now, let’s turn towards you, those who use Zoom and entice others to use it:

Everybody loves Zoom

I have to admit, shaking my head, that Zoom usage has spread enormously. Word has it that videoconferencing with Zoom is so very easy and always works. Which is why people are so willing to sell their souls – and their grandmothers’ souls – to the devil. If you send someone an invitation link to Zoom, you force them into the Zoomiverse.

If people are exposed to Zoom, it leads to the immediate loss of all tech skills. Just recently I received yet another invitation to an online meeting of projects supported by a large political foundation, nicely featuring a link to the videoconferencing platform BigBlueButton (a link and a five-digit room number). And then, lacking any critical attitude towards the powerful and mighty, there is this remark in large, bold letters: “In case the BBB conference doesn’t work, here is a Zoom link that we can switch to”, followed by ten lines of complicated instructions about the various ways of getting there safely.

All this so that these highly political projects, where people glue themselves to roads, occupy lignite excavators, bestow BigBrotherAwards and organise sea rescue missions, must disclose their mutual connections to the secret services of the “Five Eyes”. Because all this is of course sooo simple and everything else sooo complicated. And it’s not only political projects that do this. Companies, research labs, governments – the word “zooming” has become almost as ingrained as the word “googling”.

And it really works just like the legend that girls are supposedly bad at maths: Tell people that B is very complicated and never works, and that they won’t be able to use it anyway because they are incompetent. Then tell them that A is child’s play and always works. And the illusory miracle happens: While for people like me, B (meaning Jitsi and BigBlueButton – self-hosted videoconferencing systems without secret services or surveillance capitalism) always works, the Zoombies fail at using it as if they had been hit by a curse. Suddenly the microphone fails, so does the webcam, the laptop falls off the table. But with Zoom, everything, allegedly, works like a charm.

For these people – oh, what a miracle – it is only A, Zoom, that works. This is largely down to the psychology of marketing, not technology. The motto is: “If the commercial solutions don’t work, it is the users’ fault. If the alternative solutions don’t work, it is the software …”

And even the certification by Germany’s Federal Office for Information Security (BSI) says nothing about privacy standards. The BSI has only audited the frontend – not the backend, where the actual magic happens.

Read my lips: No matter what a Zoom contract says; Zoom cannot be used in accordance with the law in Germany or Europe, just like Microsoft, like Google services, or Facebook. And you actually know this.

It is true: You are not cool if you continue your zooming against your better judgment. You are not very grown-up if you do things that you actually never wanted to do, “but it was not possible any other way”. Oh yes, there is another way. Even if Zoom does make things a little bit easier, it is not okay to use it.

Personally, I don’t yield to this group pressure and I refuse to join Zoom conferences. That is not always easy, because it excludes me from conversations and sometimes causes me to lose money, as I have to forego earning a fee. If you use Zoom, you act in a self-harming, exclusionary way, and without solidarity.

Using Zoom is not sustainable, it drains us financially and mentally

Where will we get IT skills if we don’t teach these skills? Why do universities buy expensive (and illegal!) Zoom licenses, instead of self-hosting videoconferencing systems based on Free Software, and contributing to their development? If we are in a communication society and have to feed our families from communication, then we must educate many, many IT professionals. And really educate them, not just teach them to spend hours listening to the busy loops of the support helplines for some bought product. Those numerous security holes that we keep hearing about in the media are partly due to the fact that we use Zoom, instead of installing, maintaining, and developing our own.

Let’s view it from a market perspective: To build self-sovereign, mature, decentralised structures in a peaceful society free of overbearing power, we need well-educated people that do not shy away from setting up servers, administrating them and keeping them operational and secure. And in order to have these people, we must refrain from selling our maturity and sovereignty for a mess of pottage.

Ah, I can see that the business people among us have understood it already. ;)

Yes, I have addressed you personally. I know that many of those in this room and watching the video will not touch Zoom and other such poisoned candy. But I can also sense how many of those that talk about privacy, of sovereignty, who read books on surveillance capitalism, who engage in politics – how they ultimately don’t give a hoot about actually changing things for the better. I do have to be harsh with you: You’re slowing down the progress of all mankind. No matter what great digital events you organise, how you talk about the future, join up one buzzword after another, plan smart surveillance cities, and – sorry – wank off on the other baddies who are even worse than yourselves.

Get out of your hell, and most of all: Don’t force others to enter your hell by inviting them to Zoom conferences. Because it is hard to resist group pressure. Too many will then click that link against their better judgment. Because you don’t want to be “the spoilsport” all the time.

And stop clicking those Zoom links, too. You can find charming ways of saying that you don’t use Zoom and that your counterpart will have to find another solution. Digitalcourage asked people during a focus week how they would react. We have posted a collection of responses online.

You don’t actually need role models? You have enough understanding and creativity? Then you will be able to find your own words in order to stand up against the Zoomicalypse.

And then I can finally say: “Congratulations, Zoom, on the BigBrotherAward in the Communication category.” – But, to be honest, I hardly care about the Zoom company. This award actually goes to all those who have yielded to the side-effects of the Covid plague and use Zoom. And I hope that this BigBrotherAward will boost your immunity and that you will never, never use Zoom again.

Congratulations to you, on the BigBrotherAward in the Communication category. I’ll see you. But not on Zoom.




1. Alternatives to Zoom

There is a whole range of privacy-friendly software and platforms that are hosted in Germany (or in your preferred country).

Take a look at Jitsi, BigBlueButton and OpenTalk, for example! These Open Source software products are actively developed. We have a (German) article with base information on video meetings.

2. A coffee cup …

… that reminds you and your colleagues why you should not use Zoom.

“Zoom” has even become a verb by now.

The meaning of the verb “to zoom” is: “to blabber out secrets, while being watched by secret services and companies from various countries, and disclose one’s complete relationship network at the same time.”

A coffee cup with a dictionary entry for "zoomen" (to zoom).

You can order this cup in the shop now!

3. Sources on Zoom’s security issues and links to China

Citizen Lab Toronto, 3.4.2020: Move Fast and Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings, by Bill Marczak and John Scott-Railton (Web Archive link). A PDF of the report by Citizen Lab. It includes information on links to China.

The Intercept, 3.4.2020: Zoom’s Encryption Is “Not Suited for Secrets” and Has Surprising Links to China, Researchers Discover (Web Archive link)

The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom’s “waiting room” feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university’s Citizen Lab — widely followed in information security circles — that Zoom’s service is “not suited for secrets” and that it may be legally obligated to disclose encryption keys to Chinese authorities and “responsive to pressure” from them.

Washington Post, 18.12.2020: Federal prosecutors accuse Zoom executive of working with Chinese government to surveil users and suppress video calls (Web Archive link)

Reuters, 12.6.2020: U.S. lawmakers ask Zoom to clarify China ties after it suspends accounts (Web Archive link)

Toronto-based internet watchdog Citizen Lab said in April it had found evidence some calls made in North America, as well as the encryption keys used to secure those calls, were routed through China. Zoom said it had mistakenly allowed Chinese data centres to accept calls.

Zoom says it has many research and development personnel in China. Its founder Yuan grew up and attended university in China before migrating to the United States in the mid 1990s. He is now an American citizen.

Bill Bishop, editor of the China-focused Sinocism newsletter, wrote on Friday that “Zoom should no longer get the benefit of the doubt over its China-related issues and given how many people, organizations, government bodies and political campaigns now rely on its services the company must err on the side of transparency.”

brand eins, November 2020: Zoom: Boom oder Doom? (Web Archive link)

Forbes, 3.4.2020: Warning: Zoom Makes Encryption Keys In China (Sometimes) (Web Archive link)

4. Literature

Sektoruntersuchung Messenger- und Video-Dienste. Abschlussbericht des Bundeskartellamts unter Mitwirkung des Bundesamts für Sicherheit in der Informationstechnik (PDF). Bericht gemäß § 32e GWB. Az. V-28/20. Mai 2023.

About BigBrotherAwards

In a compelling, entertaining and accessible format, we present these negative awards to companies, organisations, and politicians. The BigBrotherAwards highlight privacy and data protection offenders in business and politics, or as the French paper Le Monde once put it, they are the “Oscars for data leeches”.

Organised by (among others):

BigBrotherAwards International

The BigBrotherAwards are an international project: Questionable practices have been decorated with these awards in 19 countries so far.