Mozilla, EFF, 19,000 Citizens Urge Zoom To Reverse End-to-End Encryption Decision

Mozilla, Electronic Frontier Foundation (EFF), and more than 19,000 internet users today urged Zoom CEO Eric Yuan to reverse his decision to deny end-to-end encryption to users of its free service end-to-end encryption, saying it puts activists and other marginalized groups at risk. Earlier this month, Zoom announced it will offer end-to-end encryption, but only to those who pay. From a statement: The pressure to reverse the decision comes as racial justice activists are using tools like Zoom to organize protests. Without end-to-end encryption, information shared in their online meetings could be intercepted -- a concern that has been legitimized by both recent actions by law enforcement and a long-term history of discriminatory policing. Mozilla and EFF today are presenting an open letter to Yuan, co-signed by 19,000 people, maintaining that privacy and best-in-class security should be the default, not something that only the wealthy or businesses can afford.

Re:

[sikiriki]

Zoom needs to earn money somewhere. Everybody uses their stuff for free, there is not much to sell except features like encryption.

Anyway, this is probably available in their trial accounts everybody uses.

Re:

[RandomUsername99]

"If Mozilla and the EFF actually cared about us they wouldn't be trying to bargain with a proprietary service"

Huh? It's the most popular service of its kind— an industry standard. How in the world would ignoring their imposed privacy restrictions show they "cared about us?" Since many of us don't have a choice but to use Zoom for events that other people put together, wouldn't ignoring them because they are closed-source show that they "cared about" free software more than they "cared about" us? Do yo

Re:

[guruevi]

Zoom is far from an industry standard. Cisco and GoToMeeting have a far more stable (paying) user base. If you include companies that focus only on business hardware setups, like Tandberg or Polycom, then Zoom is really a minor player.

Zoom is only huge now because it's one of the few that is free and easy to use and has a universal client. But before this, it was unlikely that anyone I got in contact with had ever used Zoom.

Industry standards would be based around XMPP, WebRTC and/or RTMP and clients do exi

Re:

[RandomUsername99]

Something being popular now that wasn't popular before doesn't negate it being an industry standard. Neither does it being a largely free service. A year ago, it was in 3rd place behind Microsoft and Cisco which easily qualifies it as an industry standard. Judging something's position in the marketplace based on long-term metrics when a recent large event completely changed the market just plain-old doesn't make sense.

> "Industry standards would be based around XMPP, WebRTC and/or RTMP and clients do exi

Re:

[Kjella]

Industry standards would be based around XMPP, WebRTC and/or RTMP and clients do exist. etc. etc. etc.

What people use decides this, not you. I'd very much prefer to see people use an open framework, but that's not, you know, what's actually happening.

Mozilla to users: We have open source standards with end-to-end encryption.
Users: Meh, we prefer Zoom.
Mozilla to Zoom: You should have end-to-end encryption.
Zoom: Meh, why should we listen to you when the users don't?

I wish Mozilla would get their head out of their ass and produce something worthwhile instead. I mean it's been 10+ years since they peaked, the only product of significance they've produced is Firefox which beat IE6 which was like beating a comatose quadriplegic. StatCounter now ranks them thi

Re:

[RandomUsername99]

What does Mozilla have to offer, here as an alternative? The purpose is to have a working videoconferencing tool, not to engage in an abstract exercise of using open standards and end-to-end encryption. Other than Firefox Hello, which was discontinued almost 5 years ago, I'm not aware of a Mozilla videoconferencing product.

End-to-end encryption isn't a hard problem to solve. Zoom solved it, they just don't want to give it to people who use it for free... which is a pretty shitty move IMO. Considering that m

Re:Don't like it?

[mark-t]

Barring any legislation to the contrary, if a company wants to offer better security and privacy features to paying customers than to non-paying ones, why is that a problem?

Re:

[SirAstral]

It is more likely to do with the fact that government allows businesses to escape responsibility by transferring the risk to the consumers.

We do not allow Auto Mfgs to transfer risks to consumers... they are required to meet minimum safety standards. There might be some justification for similar with software now.

Re:

[enigma32]

We do not allow Auto Mfgs to transfer risks to consumers... they are required to meet minimum safety standards. There might be some justification for similar with software now.

WTF are you talking about?

A car manufacturer would not be sued by the state if someone used their product to commit an act of terrorism, or to act in a subversive way toward an entrenched political party. You're comparing two completely different things here.

I'm all for end-to-end encryption being everywhere, but why should this company take on that legal risk for the benefit of people using its services for free? Anyone that feels strongly about it is welcome to start their own competing free service, incu

Re: Don't like it?

[Viol8]

Most of the kids on here are still going through their socialist faze and think everything should be free no matter how much work it entailed and profit is , like totally evil dude! They all grow up eventually when they have to leave home and pay their own bill's.

Re:

[SirAstral]

false dichotomy. I do not know of that many people that think things should be free. We all know the real complaint is usually that businesses have "over charged" for something and that because laws allow for monopolies they have no recourse but to pay for them.

Sure you can go and make your own... but you are taking the risk of being sued into a shit hole by competition with money, even if you are not breaking any copyright/trademark/patent laws.

Re:

[nevermindme]

Overcharge?

In my day the org that I was working for paid $600,000 to add SSL suport to a IBM mainframe, for the first dam client connection outbound. Dump 10 bucks a month for a zoom subscription or better yet, set up an IRC server to decide what store your going to burn to the ground next.

Re:

[SirAstral]

that is still not material here. Lots of businesses make ignorant decisions in vacuums. Not even big businesses make decisions well.

It's easy for your to save 600k because you know how to do something different cheaper, but that is not the case all the time.

Re:

[enigma32]

I do not know of that many people that think things should be free.

Really? I suppose the vast majority of the internet provides free (ad-supported) services because The People rejected a model wherein they would pay for things and keep their privacy?

Re:

[SirAstral]

They gave up their privacy for that service... they paid for it... didn't they? You can put yourself in a position that says some is free and also no free depending on your position and need to make an argument.

I will stand by my comment that most people are not expecting things to be free. They do however expect things to have a fair price. And often times the reason people do not pay for security is because of their value model in association with it. There are foods out there you will never eat even

Re:

[enigma32]

They gave up their privacy for that service... they paid for it... didn't they?

They can give up their privacy as the cost of using Zoom for free, then. QED.

Re:

[bn-7bc]

You are right, the thing is most people do not consider data as payment, as long as $0 get deducted from there account they get stuff for free.

Re:

[mark-t]

That sounds more like an entitlement phase than a "socialist" phase. I consider myself to be fairly socialist in my own views, but I certainly don't think that everything or for that matter even most things need to be free.

Re:

[LenKagetsu]

Imagine for a moment that you had to pay extra for seatbelts in your car. E2EE is a basic security and safety feature.

Re:

[lactose99]

well then they deserve to be paid for their work, so stop whining.

I agree! Oh I thought we were talking about filmmakers and musicians.

Comment

[WallyL]

A service provider can provide whatever level of service they want to whomever they want, especially for free! For the paying customers, more features are available. This issue is not a reason I dislike Zoom...

Re:

[Anonymous Coward]

Zoom bending over for the Chinese government and lack of principles that implies. That's the reason to dislike Zoom.

Re:Comment

[tlhIngan]

Given Zoom's recent behavior, I suggest Mozilla would best be recommending other platforms and ignoring Zoom altogether.

Just drop them for other providers. Don't bother giving them time of day or any advertising other than blowing up their US company facade.

Mozilla, create WebRTC-plugin for firefox

[cybernns]

Given Mozilla's capability, they can easily publish a WebRTC based meeting plugin with end to end encryption. Since Webrtc can be done as peer-2-peer, less server resources, except for handshake. That can achieve many things that is good for society: - Mozilla is more trusted, so community buyin would be good - Small municipal govts will trust Mozilla rather than a CEO that can give in to China, or who knows potentially enabling something else?! - One more economic espionage vector reduced. - People in

moz://a

[Antiocheian]

You cannot be lecturing others about privacy while making deals with Google, the worst privacy abuser on the planet.

Mozilla being hypocritical as usual

[xack]

They offer vpns (and selling it as "encryption") to paying users as well. Also they fucked over Reddit on the url bar issue. People only put up with Mozilla's abuse because Google is an even bigger abuser.

Citizens?

[SuperKendall]

Heading: 19k Citizens.
Body: 19k "internet users".

Citizens of what? What does "internet users" even mean?

I'll tell you what it means to me, the 19k "Citizens" is one guy names Steve really good at scripting form submissions.

Re:

[lactose99]

Netizens?

So.. don't use zoom

[LordWabbit2]

It's not rocket surgery, if you have stuffs to hide and zoom doesn't want to hide it then don't use zoom.
Use something else, there are plenty alternatives that do offer end to end encryption.

Then just pay, or use something else

[GuB-42]

Not only Zoom has no obligation to provide you with anything but even less so if you are using a service that cost them money, for free.

If Mozilla is not happy, they can provide the service themselves, or pay Zoom or any other company for it. In fact there are pretty compelling arguments for it. Zoom is a for-profit company, they are here to make money, unlike Mozilla, which is a charity that accepts donations. Furthermore, Mozilla has the skills and a significant market share with Firefox. I'd rather have

VPN?

[Quatermass]

Stick a VPN on the end.
Problem solved.

Re:

[theurge14]

It's really not that simple. Videoconferencing apps tend to use TCP for control and signalling and RTP for video/audio streaming which is done over UDP. Most VPN protocols make you choose between TCP or UDP and split tunnel the rest, some other protocols don't but they're not nearly efficient at all for end-to-end, especially when conference calls get to be multiple endpoints.

Re: VPN?

[Quatermass]

Good to know. Thanks.

End-to-End Encryption is Useless ...

[fennec]

If the application is Chinese all data must be stored in china including private encryption keys, which the gov probably already have a copy. In any case, since Zoom is not P2P all data goes to the Zoom servers and can be intercepted there. Activists should not use Zoom at all.

Fix your side of the problem

[ptaff]

Dear Mozilla foundation,

Instead of complaining about Zoom's proprietary policies, instead of changing the URL bar for a nth-time, instead of wasting time on Pocket, could you please instead fix your Firefox browser so that Jitsi Meet, a FLOSS E2EE-encrypted video conference software, works reliably on it, and also implement the missing WebRTC parts?

I know, it's harder to work than to do "slacktivism".

Thanks,