Zoom Out: Why universities need autonomous technological capacities

Number 97: #USSbriefs97

Critical Business criticalbusiness <at> riseup <dot> net

Image credit: https://www.pxfuel.com/en/free-photo-qdmbd

On June 11, news broke that Zoom had shut down the accounts of human rights activists who organised events to commemorate the anniversary of the Tiananmen Square massacre. Zoom did this at the behest of the Chinese government. Following public pressure, Zoom reinstated the accounts.

This episode fits a long-standing pattern of privacy and security violations by Zoom, a company with which some universities have entered into agreements in the rush to online teaching. Zoom’s record indicates a business model that would expose the classroom to data analytics and surveillance.

In this USSbrief, we highlight Zoom’s history of privacy violations, what it means for university staff and students, and consider alternative platforms for online teaching. Rather than rely on external suppliers whose business models are driven by data harvesting, we call upon universities to implement in-house video call software built on open source, auditable code.

1. Zoom’s history of privacy violations

Zoom allowed hackers remote access to users’ webcams

In 2019, a security researcher discovered that installing Zoom on Mac devices also installed a hidden server without the user’s knowledge. The server allowed anybody to remotely activate cameras and microphones on the device without the user knowing this was happening. Millions of Mac devices were affected, but Zoom allowed the privacy breach to stay in place for 90 days after it was brought to their attention.

Security experts have compared Zoom to malware

In April, a security researcher noted that Zoom was still using some dubious installation procedures, “working around Apple’s regular security” by means of a “questionable technique” that “conditions users to blindly enter their password into any dialog that pops up”. Another expert summarised: “Let’s make this simple: Zoom is malware”.

Zoom misled users into thinking their calls would be private

When Zoom first claimed to provide an “end to end encrypted connection”, Zoom gained an edge over its rivals. But in fact Zoom (and any potentially spying middle-men) still had access to unencrypted video streams, a fact which Zoom had tried to obscure in its marketing material.

Then, in early June, Zoom announced that it would implement genuine end-to-end encryption, but for paying customers only. Zoom only amended this decision after the Tiananmen PR disaster, under pressure from digital rights campaigners.

Zoom tried to harvest and sell call data

Until earlier this year, Zoom’s privacy policy explicitly allowed them to harvest data from users’ video calls and sell it on to advertisers.

None of these issues were addressed by Zoom until they received significant media exposure. What Zoom vulnerabilities may not (yet) have been brought to light?

We should not entrust our communications to a company that has sought to harvest them for exploitable data, and that has shown such reckless disregard for the security of its users.

2. Zoom and universities

In the move to remote teaching amid the Covid-19 pandemic, many classrooms suffered “zoom-bombing”: outsiders entering the call and abusing the screen-sharing feature to broadcast racist, misogynistic and homophobic images.

Zoom’s response to this vulnerability was to sell “more secure” (and more expensive) Education licenses to schools, universities and other organisations. Universities also responded by instructing staff members to only conduct teaching via their institutional Zoom portal, believing that the extra security promised by these licenses would protect staff and students from abuse and ensure the university complies with its legal data protection obligations.

Zoom has repeatedly misled its users and shown disregard for their security. What further risks does the university-Zoom partnership bring for tutors and for students?

3. Surveillance risks for tutors

Tutors in the UK are in the middle of a long-running dispute with university management over pay, equalities, casualisation, workload and pensions. It is therefore crucial that video call software used via a university license provides tutors with an appropriate level of privacy and security.

Striking tutors in the USA have noted that Zoom provides managers with surveillance capabilities that could be used for strike-breaking, including the ability to view any meeting currently taking place, and advanced analytics facilities to rank and monitor staff. These features could also be used by university management to support expected redundancies and staffing cuts as a result of the knock-on effects of Covid-19.

By partnering with a disreputable firm such as Zoom amid a serious labour dispute, university managers arouse suspicions about their own motives.

4. Surveillance risks for students

Universities should be turning to more private and secure remote-teaching solutions, but have instead opted to normalise the recording of online seminars.

For example, the University of Sussex recently instructed seminar tutors to “inform students in advance that their participation is assumed to indicate their consent to the sharing and recording of their input”.

This move has been met with strong opposition. It appears to open a new front in making call data available for harvesting.

Tutors and students everywhere need to be vigilant against such apparent collusion with a Zoom-type business model: if Zoom has sought to harvest call data at the expense of users’ security and privacy, there is a clear risk that universities will now seek to exploit students’ contributions at the expense of the security and privacy of students.

Any move towards recording seminars would have a detrimental impact on the ability to deliver high-quality teaching:

  • In the current political landscape, much of our curriculum covers topics that can be considered sensitive in the home countries of many students. How are universities supposed to effectively teach politics, environmental science, international relations, economics, gender studies, race studies, or health when students are unable to speak freely because their input is being recorded and shared?
  • Part of the point of university education is to “handle ideas that the family home renders unthinkable”. Many students learning from home will already be nervous about participating in remote-teaching, and this will only be exacerbated by the knowledge that their contributions are being recorded.
  • Even for less politically sensitive subject areas, the knowledge that seminar contributions are being recorded and shared will lead to a reduction in students’ meaningful participation in seminar discussions.

Classrooms must not become spaces for data extraction. Universities have a responsibility to provide students with a space where they can freely learn and contribute to seminars.

5. Alternatives to Zoom

Microsoft Teams

Over-reliance on Microsoft has left universities vulnerable to firms like Zoom. Each time universities have resorted to Microsoft, they have divested from the skills and infrastructure required for swift adoption of open-source software like BigBlueButton. Meanwhile, Microsoft has been slow to implement needed functions, such as breakout rooms, which have long been standard features of BigBlueButton.

Google Meet

Dependence on Google would hardly provide an antidote to dependence on Microsoft. Google’s thirst for data is legendary, and ongoing. As noted above, the classroom must not become a space of data extraction, whether by Zoom or by Google.

Canvas Conferences

Canvas Conferences is built on the excellent open-source video-call software BigBlueButton. However, Canvas apparently failed to step up with adequate server hardware capacity to meet the needs of remote teaching amid the pandemic.

Moreover, Canvas’s parent company (itself recently bought by private equity for $2 billion) has declared its intention to use its huge hoard of data (i.e. our teaching and learning materials) as lucrative source material for the development of machine learning algorithms. Like Zoom and Google, Canvas betrays a strong interest in harvesting user data.

Universities should deploy BigBlueButton independently, thereby cutting out unreliable middle-men such as Canvas.

6. BigBlueButton

As open-source software, BigBlueButton (BBB) is demonstrably geared towards the needs of its users, and not geared towards corporate thirst for data or market-share.

BigBlueButton supports live captioning, screen sharing and breakout rooms. A session can support up to 100 participants. At a time when Zoom users were in fear of “zoom-bombing”, BBB users were able to report that the features and default settings of BBB already mitigated such abuse.

Universities should immediately begin deploying BigBlueButton on servers under university control. Those servers could be located on campus or could be procured from a cloud provider, but must be operated by the university. In the short term this can provide a fallback service in the event of a Zoom outage, and in the medium term should provide a fully autonomous in-house video call service maintained by universities.

Universities must divest from proprietary platforms that harvest data at our expense. We call upon universities to invest in transparent, open source software that empowers tutors and students.

Further links

A respected technologist rounds up Zoom’s failings and misdeeds.

YouTube video — critical analysis of Zoom’s reaction to the hidden server security flaw.

Civil Liberties Defense Center warns that Zoom shouldn’t be trusted for conference calls.

Twitter thread on Zoom’s “malicious” use of security loopholes.

This paper represents the views of the author only. The author believes all information to be reliable and accurate; if any errors are found please contact us so that we can correct them. We welcome discussion of the points raised and suggest that discussants use Twitter with the hashtag #USSbriefs97; the author will try to respond as appropriate. The author can be contacted directly at criticalbusiness <at> riseup <dot> net. This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.