Zoom Accused of Misleading Users With ‘End-to-End Encryption’ Claims

Zoom is facing fresh scrutiny today following a report that the videoconferencing app's encryption claims are misleading.


Zoom states on its website and in its security white paper that the app supports end-to-end encryption, a term that refers to a way of protecting user content so that the company has no access to it whatsoever.

However, an investigation by The Intercept reveals that Zoom secures video calls using TLS encryption, the same technology that web servers use to secure HTTPS websites:
"This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won't stay private from the company."
As the report makes clear, for a Zoom meeting to be end-to-end encrypted, the call would need to be encrypted in such a way that ensures only the participants in the meeting have the ability to decrypt it through the use of local encryption keys. But that level of security is not what the service offers.

When asked by The Intercept to comment on the finding, a spokesperson for Zoom denied that the company was misleading users:
"When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point… The content is not decrypted as it transfers across the Zoom cloud."
Technically, Zoom's in-meeting text chat appears to be the only feature of Zoom that is actually end-to-end encrypted. But in theory, the service could spy on private video meetings and be compelled to hand over recordings of meetings to governments or law enforcement in response to legal requests.

Zoom told The Intercept that it only collects user data that it needs to improve its service – this includes IP addresses, OS details, and device details – but it doesn't allow employees to access the content of meetings.

Last week, Zoom's data sharing practices were criticized after it emerged that the service was sending data to Facebook without disclosing the fact to customers. The company subsequently updated the app to remove its Facebook log-in feature and prevent the data access.
This article, "Zoom Accused of Misleading Users With 'End-to-End Encryption' Claims" first appeared on MacRumors.com


U.S. Government Using Mobile Ad Location Data to Track Compliance With Curbs on Movement

The U.S. government is using smartphone location data from the mobile ad industry to track people's movements amid the coronavirus outbreak, according to a Wall Street Journal report.


Local governments and the Centers for Disease Control and Prevention have received the anonymized data about people in areas of "geographic interest," with the aim being to create a portal of geolocation information for 500 cities across the country.

The information will be used to learn how well people are complying with stay-at-home orders, according to WSJ. Citing an example, the report says researchers discovered large numbers of people were gathering in a New York City park, which led them to notify local authorities.

Even though the data is anonymized, WSJ says that privacy advocates want "strong legal safeguards" to limit how it can be used, in order to prevent its use for other purposes. Cellular carriers told the news outlet they have not been asked by the government to provide location data.

The development follows reports of other countries using cellphone data to monitor citizens and see if they are complying with curbs on movement to defeat the viral outbreak.

European mobile carriers have reportedly been sharing data with health authorities in Italy, Germany and Austria, while at the same time respecting Europe's privacy laws. Earlier this month, Israel passed emergency measures that allow security agencies to track the smartphone data of people with suspected COVID-19 and find others they may have come into contact with.


Israel Passes Emergency Law to Track and Trace Mobile Users With Suspected COVID-19

Israel has passed emergency measures that will allow security agencies to track the smartphone data of people with suspected COVID-19 and find others they may have come into contact with (via BBC News).


The Israeli government said the new powers will be used to identify people infected with coronavirus and make sure they're following quarantine rules.

On Monday, an Israeli parliamentary subcommittee discussed a government request to authorize the security service to assist in a national campaign to stop the spread of COVID-19, but the group decided to delay voting on the request, arguing that it needed more time to assess it.

The emergency law was passed on Tuesday during an overnight sitting of the cabinet, effectively bypassing parliamentary approval.

The government has yet to explain how the mobile tracking will work, but the BBC reports that it is understood the location data collected through telecommunication companies by Shin Bet, the domestic security agency, will be shared with health officials.

Israeli prime minister Benjamin Netanyahu last week announced his intention to bypass parliamentary oversight in order to push through the emergency regulations. Netanyahu says the new powers will last for 30 days only. Civil liberties campaigners in Israel called the move "a dangerous precedent and a slippery slope."

Israel is still in the relatively early stages of the pandemic. It had 200 confirmed cases of the coronavirus as of Tuesday morning. On Wednesday, the country's health ministry reported that cases had risen to 427.


MI5 Argues for ‘Exceptional Access’ to Encrypted Messages

The director general of Britain's Security Service is arguing for "exceptional access" to encrypted messages, in the ongoing battle between authorities and technology companies, reports The Guardian.

MI5 head Andrew Parker
MI5's director general has called on technology companies to find a way to allow spy agencies "exceptional access" to encrypted messages, amid fears they cannot otherwise access such communications.

Sir Andrew Parker is understood to be particularly concerned about Facebook, which announced plans to introduce powerful end-to-end encryption last March across all the social media firm's services.

In an ITV interview to be broadcast on Thursday, Sir Andrew Parker says he has found it "increasingly mystifying" that intelligence agencies like his are not able to easily read secret messages of terror suspects they are monitoring.
Parker goes on to say that cyberspace has become an unregulated "Wild West" that is largely inaccessible to authorities, and calls on tech firms to answer the question: "Can you provide end-to-end encryption but on an exceptional basis – exceptional basis – where there is a legal warrant and a compelling case to do it, provide access to stop the most serious forms of harm happening?"

The U.K. government has long argued that encrypted online channels such as WhatsApp and Telegram provide a "safe haven" for terrorists because governments and even the companies that host the services cannot read them.

Tech companies have pushed back against various attempts by authorities to weaken encryption methods, such as the FBI's request that Apple help it hack into the iPhone owned by Syed Farook, one of the shooters in the December 2015 attacks in San Bernardino.

Apple famously refused to comply with the request, and has since consistently argued against laws that would require tech companies to build so-called "back doors" into their software, claiming that such a move would weaken security for everyone and simply make terrorists and criminals turn to open-source encryption methods for their digital communications.

On the opposing side of the debate, Britain's cybersecurity agency has proposed that if tech companies sent a copy of encrypted messages and the encryption keys to unscramble them when requested following a warrant, this would allow them to prevent terrorists and criminals from operating out of sight without compromising encryption methods.

However, given that encrypted communication services like WhatsApp and Signal do not have access to private keys that would enable them to decrypt messages, a back door would seem the only alternative.

A spokesperson for Privacy International, a technology human rights group, told The Guardian that strong encryption kept communications safe from criminals and hostile governments.

"The reality is that these big tech platforms are international companies: providing access to UK police would mean establishing a precedent that police around the world could use to compel the platforms to monitor activists and opposition, from Hong Kong to Honduras," the spokesperson added.


Apple’s Privacy Officer Jane Horvath Uses CES Appearance to Defend Company Stance on Encryption and Software Backdoors

Apple's chief privacy officer attended a discussion panel at the Consumer Electronics Show in Las Vegas on Tuesday to debate the state of consumer privacy, marking the first time in 28 years that Apple has been at CES in an official capacity.

Apple's privacy officer at CES 2020 panel (Image: Parker Ortolani)

Jane Horvath, Apple's senior director for global privacy, joined an all-female panel consisting of representatives from Facebook, Procter & Gamble and the Federal Trade Commission. During the discussion, Horvath defended Apple's use of encryption to protect customer data on mobile devices.
"Our phones are relatively small and they get lost and stolen," Horvath said. "If we're going to be able to rely on our health data and finance data on our devices, we need to make sure that if you misplace that device, you're not losing your sensitive data."
Apple has held a consistent position regarding its use of encryption, even if that means it has limited ability to help law enforcement access data on devices involved in criminal investigations.

Just this week, the FBI asked Apple to help unlock two iPhones that investigators believe were owned by Mohammed Saeed Alshamrani, who carried out a mass shooting at a Naval Air Station in Florida last month. Apple said that it had already given the FBI all of the data in its possession.

Apple's response suggests it will maintain the same stance it took in 2016, when the FBI demanded that Apple provide a so-called "backdoor" into iPhones, following the December 2015 shooter incidents in San Bernardino. Apple refused, and the FBI eventually backed down after it found an alternate way to access the data on the iPhone.

Horvath took the same tack by saying that Apple has a team working around the clock to respond to requests from law enforcement, but that building backdoors into software to give law enforcement access to private data is something she doesn't support.
"Building backdoors into encryption is not the way we are going to solve those issues," Horvath said.
Horvath went on to talk up Apple's "privacy by design" technologies like differential privacy, user randomization in native apps and services, the on-device facial recognition in the Photos app, and minimal data retrieval for Siri. Horvath also confirmed that Apple scans for child sexual abuse content uploaded to iCloud. "We are utilizing some technologies to help screen for child sexual abuse material," she said.

Horvath became Apple's chief privacy officer in September 2011. Prior to her work at Apple, Horvath was global privacy counsel at Google and chief privacy counsel at the Department of Justice.


NYT Investigation Reveals How Easily Smartphone Location Data Can Be Used to Identify and Track Individuals

The New York Times today claimed that it has obtained a file with the precise location of over 12 million smartphones over a period of several months in 2016 and 2017. While this data is technically anonymized, the report details how easy it is to associate specific data points with specific individuals.


With the help of publicly available information, like home addresses, The New York Times said it easily identified and then tracked military officials, law enforcement officers, lawyers, tech employees, and others:
"In one case, we observed a change in the regular movements of a Microsoft engineer. He made a visit one Tuesday afternoon to the main Seattle campus of a Microsoft competitor, Amazon. The following month, he started a new job at Amazon. It took minutes to identify him as Ben Broili, a manager now for Amazon Prime Air, a drone delivery service."
The report explains that location data is collected from third-party smartphone apps that have integrated SDKs from location data companies like Gimbal, NinthDecimal, Reveal Mobile, Skyhook, PlaceIQ, and others, adding that it is currently legal to collect and sell all this information in the United States.

Apple continues to take steps to protect the privacy of its users. In iOS 13, for example, there is no more "always allow" option when third-party apps request to access your location. If a user wants to grant an app continuous access to location data, they must do so in Settings > Privacy > Location Services.

Apple also requires that apps provide users with a detailed explanation as to how location data is being used when prompted.

iPhone users who are concerned about their privacy can better protect themselves by navigating to Settings > Privacy > Location Services and disabling access to location data for unessential apps, or choosing the "while using the app" option at a minimum. We also recommend reviewing the privacy policies of apps.

A spokesperson said Apple had no comment on The New York Times report when contacted by MacRumors.



DuckDuckGo’s Safari Privacy Browser Extension Now Available for macOS Catalina

Privacy-oriented search engine DuckDuckGo today released an updated version of its browser extension for desktop Safari users running macOS Catalina.


The launch comes after DuckDuckGo Privacy Essentials had to be removed from the Safari extensions gallery following major changes introduced in Safari 12 that made the extension incompatible. From the DuckDuckGo website:
"As you may be aware, major structural changes in Safari 12 meant that we had to remove DuckDuckGo Privacy Essentials from the Safari extensions gallery. With Safari 13, new functionality was thankfully added that enabled us to put it back. Consequently, you'll need Safari 13+ on macOS 10.15 (Catalina) or newer to install the updated version."
DuckDuckGo Privacy Essentials blocks hidden third-party trackers on websites and features a Privacy Dashboard, which generates a Privacy Grade rating (A-F) information card whenever a user visits a site. The rating aims to let them see at a glance how protected they are, while providing additional options to dig deeper into the details of blocked tracking attempts.

While the extension doesn't include private search, DuckDuckGo Search is built into Safari as a default search option, and they work together to help users search and browse privately.

DuckDuckGo Privacy Essentials is only available for desktop browsers; however, DuckDuckGo Privacy Browser is available for iOS and uses the same privacy protection technology.



Apple’s Revamped Privacy Site Highlights ‘Everyday Apps, Designed for Your Privacy’

Apple today announced an update to its privacy website that touches on various new privacy benefits found in iOS 13, iPadOS 13, watchOS 6, and more. Apple's updated website includes white papers on how the company approaches privacy in Safari, Sign in with Apple, Location Services, and Photos, providing visitors with a deeper insight into the company's privacy mission.


The website reinforces Apple's four core privacy principles: minimizing the data collected from users, processing the data on the device when possible, transparency when collecting data and how it's used, and strong device encryption. You can visit the website for yourself at Apple.com/privacy, which is now highlighting iOS apps like Maps, Photos, and Messages, and how they each enhance iPhone users' privacy.

According to Apple, there are multiple recent privacy and security innovations that it has accomplished with its latest software updates:
  • Contacts: Any notes stored in the notes section of the Contacts app will not be shared with third-party applications when they are granted access to the Contacts app.
  • Find My: Apple uses end-to-end encryption to communicate with other Apple devices nearby in order to find lost iPhones and Macs, ensuring that it doesn't know the location of the device or the identity of the device that discovered it.
  • Arcade: No advertising or third-party tracking is ever permitted.
  • Background tracking notifications: iPhone owners now get notifications when apps are using their location in the background, providing them with a chance to turn this feature off.
You can click on different tabs on the website to view the new white papers for services like Safari, Face ID, Location Services, and more. While the website itself remains a straightforward look at how Apple handles user data, each white paper offers a more nuanced dive into specific programs and services at Apple, and how the company is aiming to enhance privacy with every new update.

The site also includes a tab for its transparency reports, showcasing how Apple is committed to being transparent about responding to government requests for user data around the world. Here you can scroll through each region to see how often Apple has shared user data with the local government, beginning as far back as 2013 and stretching to 2018.


How to Delete Siri Audio History and Opt Out of Siri Audio Sharing on HomePod

This article explains how to delete your Siri audio interaction history and opt out of sharing audio recordings with Apple on iPhone, iPad, and iPod touch.

Earlier this year, it was discovered that Apple hired contractors to listen to a small percentage of anonymized Siri recordings to evaluate the virtual assistant's responses with the purpose of improving accuracy and reliability.

The Guardian revealed that Apple employees working on Siri often heard confidential details while listening to the audio recordings. Apple was subsequently criticized for not making it clear to customers that some of their Siri recordings were being used to improve the service.

Soon after the report, Apple suspended its Siri grading practices and promised users that it would introduce tools in a forthcoming update that would allow them to opt out of sharing their audio recordings.

With the release of iOS 13.2 in October, those new tools arrived on iPhone and iPad, allowing users to delete their Siri and Dictation history and opt out of sharing audio recordings. With the release of the 13.2.1 software update for HomePod, the same tools are also available for Apple's smart speaker.

It's important to note that HomePod's Siri settings are independent from your iOS device's Siri settings, so if you want to opt out of Siri Audio Sharing and delete your Siri audio history completely, you'll have to disable them separately.

The following steps show you how to access these settings on HomePod. To learn how to disable them on iPhone, iPad, and iPod touch, click here.

How to Opt Out of Siri Audio Sharing on HomePod


  1. Launch the Home app on your iPhone, iPad, or iPod touch.

  2. Press and hold the HomePod button in your Favorite Accessories. If it's not in your Favorites, tap the Rooms icon at the bottom of the screen and select the Room where your HomePod is located using the room selector in the top-left corner of the screen.

  3. Tap the cog icon in the bottom-right corner of the HomePod card to take you to the device's settings.

  4. Tap Analytics & Improvements.

  5. If you don't want to let Apple review your recordings, toggle off the switch next to Improve Siri & Dictation.

Note that you can tap the link under the toggle for more information relating to Apple's Siri analytics policy.

How to Delete Your Siri Audio History on HomePod


  1. Launch the Home app on your iPhone, iPad, or iPod touch.

  2. Press and hold the HomePod button in your Favorite Accessories. If it's not in your Favorites, tap the Rooms icon at the bottom of the screen and select the Room where your HomePod is located using the room selector in the top-left corner of the screen.

  3. Tap the cog icon in the bottom-right corner of the HomePod card to take you to the device's settings.

  4. Tap Siri History.

  5. Tap Delete Siri History.

Apple will inform you that your request was received and that your Siri and dictation history will be deleted. That's all there is to it.

In addition to these new Siri and Dictation-related privacy features, Apple also says it is making further changes to its human grading process that will minimize the amount of data that reviewers have access to.


U.K. Court Reinstates Lawsuit Accusing Google of Bypassing Safari’s Privacy Settings to Track iPhone Users

An appeals court in London has reinstated a lawsuit filed against Google that accuses the company of unlawfully gathering personal information by circumventing the iPhone's default privacy settings, according to Bloomberg.


The collective action, equivalent to a class action lawsuit in the United States, alleged that Google illegally tracked and gathered the personal data of over four million iPhone users in the U.K. between 2011 and 2012. The case was first brought in November 2017 and had been dismissed in October 2018.

"This case, quite properly if the allegations are proved, seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to a commercial profit," wrote Judge Geoffrey Vos in a ruling today, per the report.

A similar lawsuit was filed in the United States in 2012, when Google was discovered to be circumventing privacy protections in Safari on iOS in order to track users through ads on numerous popular websites.

Specifically, Google took advantage of a Safari loophole that made the browser think that the user was interacting with a given ad, thus allowing a tracking cookie to be installed. With that cookie installed, it became easy for Google to add additional cookies and to track users across the web.

At the time, Safari blocked several types of tracking, but made an exception for websites where a person interacted in some way — by filling out a form, for example. Google added code to some of its ads that made Safari think that a person was submitting an invisible form to Google, thus creating a temporary cookie.

Google stopped this practice after it was reported by The Wall Street Journal, and refuted many details of the report, while Apple closed the loophole in a Safari update shortly after. Google also paid a then-record $22.5 million fine to the Federal Trade Commission over its practices back in 2012.

"Protecting the privacy and security of our users has always been our No. 1 priority," a Google spokeswoman told Bloomberg. "This case relates to events that took place nearly a decade ago and that we addressed at the time."

