Zoom's Commitment to User Security Depends on Whether you Pay It or Not

Zoom was doing so well…. And now we have this:

Corporate clients will get access to Zoom’s end-to-end encryption service now being developed, but Yuan said free users won’t enjoy that level of privacy, which makes it impossible for third parties to decipher communications.

“Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Yuan said on the call.

This is just dumb. Imagine the scene in the terrorist/drug kingpin/money launderer hideout: “I’m sorry, boss. We could have strong encryption to secure our bad intentions from the FBI, but we can’t afford the $20.” This decision will only affect protesters and dissidents and human rights workers and journalists.

Here’s advisor Alex Stamos doing damage control:

Nico, it’s incorrect to say that free calls won’t be encrypted and this turns out to be a really difficult balancing act between different kinds of harms. More details here:

Some facts on Zoom’s current plans for E2E encryption, which are complicated by the product requirements for an enterprise conferencing product and some legitimate safety issues. The E2E design is available here: https://github.com/zoom/zoom-e2e-whitepaper/blob/master/zoom_e2e.pdf

I read that document, and it doesn’t explain why end-to-end encryption is only available to paying customers. And note that Stamos said “encrypted” and not “end-to-end encrypted.” He knows the difference.

Anyway, people were rightly incensed by his remarks. And yesterday, Yuan tried to clarify:

Yuan sought to assuage users’ concerns Wednesday in his weekly webinar, saying the company was striving to “do the right thing” for vulnerable groups, including children and hate-crime victims, whose abuse is sometimes broadcast through Zoom’s platform.

“We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to vulnerable groups,” he said. “I wanted to clarify that Zoom does not monitor meeting content. We do not have backdoors where participants, including Zoom employees or law enforcement, can enter meetings without being visible to others. None of this will change.”

Notice that he specifically did not say that he was offering end-to-end encryption to users of the free platform. Only to “users we can verify identity,” which I’m guessing means users that give him a credit card number.

The Twitter feed was similarly sloppily evasive:

We are seeing some misunderstandings on Twitter today around our encryption. We want to provide these facts.

Zoom does not provide information to law enforcement except in circumstances such as child sexual abuse.

Zoom does not proactively monitor meeting content.

Zoom does not have backdoors where Zoom or others can enter meetings without being visible to participants.

AES 256 GCM encryption is turned on for all Zoom users — free and paid.

Those facts have nothing to do with any “misunderstanding.” That was about end-to-end encryption, which the statement very specifically left out of that last sentence. The corporate communications have been clear and consistent.

Come on, Zoom. You were doing so well. Of course you should offer premium features to paying customers, but please don’t include security and privacy in those premium features. They should be available to everyone.

And, hey, this is kind of a dumb time to side with the police over protesters.

I have emailed the CEO, and will report back if I hear back. But for now, assume that the free version of Zoom will not support end-to-end encryption.

EDITED TO ADD (6/4): Another article.

EDITED TO ADD (6/4): I understand that this is complicated, both technically and politically. (Note, though, Jitsi is doing it.) And, yes, lots of people confused end-to-end encryption with link encryption. (My readers tend to be more sophisticated than that.) My worry is that the “we’ll offer end-to-end encryption only to paying customers we can verify, even though there’s plenty of evidence that ‘bad purpose’ people will just get paid accounts” story plays into the dangerous narrative that encryption itself is dangerous when widely available. And I disagree with the notion that the possibility of child exploitation is a valid reason to deny security to large groups of people.
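The difference between link encryption and end-to-end encryption, as an added example that is not from the original post or from Zoom: both paths below use AES-256-GCM, but only in the second does the relay lack the key that protects the content. The `Relay` class, the participant names, the sample message and the out-of-band meeting key are assumptions made for illustration; real key agreement is the hard part and is not shown.

```javascript
// Added illustration: a toy relay, not Zoom's protocol. Names and keys are constructed.
const crypto = require('crypto');

const SAMPLE = 'constructed sample: meet at noon';

// AES-256-GCM with a fresh 96-bit nonce per message.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws if the key is wrong or the frame was modified.
function open(key, frame) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, frame.iv);
  decipher.setAuthTag(frame.tag);
  return Buffer.concat([decipher.update(frame.ct), decipher.final()]).toString('utf8');
}

// Serialise a sealed frame so it can travel as the payload of another frame.
const encode = (f) => JSON.stringify([f.iv, f.ct, f.tag].map((b) => b.toString('base64')));
const decode = (s) => {
  const [iv, ct, tag] = JSON.parse(s).map((b) => Buffer.from(b, 'base64'));
  return { iv, ct, tag };
};

// The relay shares one link key with each client (a stand-in for a per-hop session).
class Relay {
  constructor() {
    this.linkKeys = new Map();
    this.observed = []; // everything the relay sees after removing link encryption
  }
  register(name) {
    const key = crypto.randomBytes(32);
    this.linkKeys.set(name, key);
    return key;
  }
  // Terminate the sender's hop, then re-encrypt for the recipient's hop.
  forward(from, to, frame) {
    const payload = open(this.linkKeys.get(from), frame);
    this.observed.push(payload);
    return seal(this.linkKeys.get(to), payload);
  }
  // Try every key the relay holds against an end-to-end blob.
  canRead(blob) {
    for (const key of this.linkKeys.values()) {
      try { open(key, decode(blob)); return true; } catch { /* authentication failed */ }
    }
    return false;
  }
}

function sendLinkOnly(relay, keys, from, to, msg) {
  return open(keys[to], relay.forward(from, to, seal(keys[from], msg)));
}

function sendEndToEnd(relay, keys, meetingKey, from, to, msg) {
  const inner = encode(seal(meetingKey, msg)); // sealed before it reaches the relay
  const hop = relay.forward(from, to, seal(keys[from], inner));
  return open(meetingKey, decode(open(keys[to], hop)));
}

function demo() {
  const relay = new Relay();
  const keys = { alice: relay.register('alice'), bob: relay.register('bob') };

  const linkDelivered = sendLinkOnly(relay, keys, 'alice', 'bob', SAMPLE);
  const relaySawLink = relay.observed.includes(SAMPLE);

  relay.observed.length = 0;
  const meetingKey = crypto.randomBytes(32); // assumption: agreed without the relay
  const e2eDelivered = sendEndToEnd(relay, keys, meetingKey, 'alice', 'bob', SAMPLE);
  const relaySawE2E = relay.observed.includes(SAMPLE);
  const relayDecryptsInner = relay.canRead(relay.observed[0]);

  return { linkDelivered, relaySawLink, e2eDelivered, relaySawE2E, relayDecryptsInner };
}

console.log(demo());
```

In both runs the recipient gets the message and every hop is AES-256-GCM; what changes is whether the relay's view after decrypting its hop is the plaintext or another ciphertext it has no key for.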

Matthew Green on this issue. An excerpt:

Once the precedent is set that E2E encryption is too “dangerous” to hand to the masses, the genie is out of the bottle. And once corporate America accepts that private communications are too politically risky to deploy, it’s going to be hard to put it back.

From Signal:

Want to help us work on end-to-end encrypted group video calling functionality that will be free for everyone? Zoom on over to our careers page….

Posted on June 4, 2020 at 6:24 AM • 42 Comments

Comments

Jonny June 4, 2020 6:46 AM

@Bruce – Nico Grant is a journalist for Bloomberg who exposed the fact that Zoom “won’t encrypt free calls so Zoom can work more with law enforcement.”

This is important for balance, as he’s not an “Advisor” for Zoom. When he broke the story, he got flooded with questions from users hence his replies.

His Twitter has some more context:

https://twitter.com/NicoAGrant

Jeffrey Friedl June 4, 2020 7:00 AM

So long as they’re clear about privacy issues (or lack-of-privacy issues), it’s up to the user to choose whether they want to avail themselves of what’s offered for free. The tone of your comments, Bruce, toward the slippery communications is spot on, but there also seems to be an implication that it’s immoral to not provide E2E encryption, even if for free.

One imagines that the infrastructure for a service like this isn’t cheap, and not every grandparent/grandkid video chat needs E2E encryption. It seems to me to be a reasonable thing to put behind a paywall….

… so long as they’re clear.

Q June 4, 2020 8:19 AM

“Zoom does not proactively monitor meeting content.”

So they passively monitor meeting content? How else could they “work together with FBI, with local law enforcement” if they don’t monitor meeting content?

It seems clear to me that the only reason to not allow for E2E encryption is to allow them to monitor and monetise/report your activity.

Andy June 4, 2020 8:26 AM

He may not say it loud but it’s possible that his Legal team is the one forcing Zoom not to offer E2E to everybody. There’s such a thing as Liability from prosecution and they want to show that they at least know the customer. The same can’t be said for someone coming only with IP address and email.

Jeffrey Friedl June 4, 2020 8:27 AM

Regarding “It seems clear to me that the only reason to not allow for E2E encryption is to allow them to monitor and monetise/report your activity”, it’s my (very basic, layman’s) understanding that E2E encryption is much more resource intensive with something like group video chat, relating to features such as highlighting who’s talking(?).

This may be completely off base; perhaps Bruce could add some comments on this?

Bruce Schneier June 4, 2020 8:28 AM

@Jonny:

Is there a mistake I made? I didn’t mention Grant’s name; he’s the author of that first link. I used the word “advisor” to describe Alex Stamos, who became an outside advisor to Zoom in early April.

Bruce Schneier June 4, 2020 8:29 AM

@Andy:

“He may not say it loud but it’s possible that his Legal team is the one forcing Zoom not to offer E2E to everybody. There’s such a thing as Liability from prosecution and they want to show that they at least know the customer. The same can’t be said for someone coming only with IP address and email.”

Possible. I doubt it, but maybe.

But if that’s true, then say it out loud. Don’t pretend.

Frankly June 4, 2020 8:30 AM

There is a class of criminals who will not pay the $20 per month, certain internet miscreants, the types who post videos of their low level crimes on Facebook, who use the internet for harassment, who don’t really plan ahead (or at all), and who won’t bother to secure their Zoom communications with a fee.

Bruce Schneier June 4, 2020 8:31 AM

@Jeffrey Friedl:

Yes. E2E encryption is complicated and resource-intensive for group video — that’s why it’s so hard. That GitHub page Stamos links to describes the problems.

Vesselin Bontchev June 4, 2020 8:46 AM

Stamos has prior experience with abuse from working for Facebook. He lists some valid concerns:

  • Malicious users joining the conference call with the intent to disrupt it in various ways, without a Zoom moderator being able to observe and intervene because of the E2E protection. Can be countered with strong user authentication and other security controls but isn’t exactly easy for inexperienced users. One possibility (used in WhatsApp) is to let the legitimate users report the abusive behavior after they have decrypted it.
  • Group of perverts creating a chat protected with E2E and sharing child abuse material. Very difficult to counter, because none of the participants will see it as abuse and won’t report it. Maybe something can be done with traffic analysis of the encrypted stream but it’s a damn hard problem.
  • Zoom accepts some forms of communication (e.g., joining from phones) which make E2EE very difficult and even impossible.

However, while these are valid concerns, providing E2E encryption only to paying users does not solve any of them. At best, it lowers the levels of abuse by eliminating those who are not willing or cannot afford to pay.

Zoom is a private company and they have the right to offer whatever services they deem necessary and for whatever price they consider appropriate – but I wish they’d just say “E2EE is a valuable service and we’re charging money for it” and not take us for fools.

Martin June 4, 2020 9:29 AM

I am hosting my own Jitsi-Meet instance for ~ 2 months now and it uses p2p for 2 participants (therefore it’s sort of e2e encrypted) but “only” transport encryption for conferences with more participants. But as I am hosting this myself on my own VPS I don’t see any hard requirement for e2e encryption although it would be nice to have.

In my opinion you should selfhost or use other trustworthy instances instead of relying on a company like zoom, especially when they are based in the USA.

FA June 4, 2020 9:36 AM

People in ‘sensitive’ positions (journalists, whistleblowers, etc.) shouldn’t use anything like Zoom in the first place.

Even if it offers E2E encryption there is no practical way to verify that the encrypted stream doesn’t leak the session key.

The reason for this is the high redundancy of the source data (audio and video streams), not all of which will be removed by source coding (compression). So it should be fairly easy to manipulate the source data to create a hidden channel in the compressed and encrypted stream.

Compare this to e.g. a plain text message (no fonts etc., just plain ASCII). In that case it’s easy to verify that the encrypted data contains just the original text and nothing else.

Donald Brasco June 4, 2020 9:37 AM

All of these companies cooperate in one form or another. Hello? Crypto AG? Or what about RSA (the paragon of enterprise infosec) making an intrepid public stance against government spying while also making back room deals with the NSA? Or Microsoft giving the NSA first dibs on zero day bugs? Or…

https://www.theamericanconservative.com/articles/the-bogus-big-brother-big-tech-brawl-over-backdoors/

Any company that doesn’t bend the knee to NATSEC ends up like Lavabit. The rest have too much to lose. It works the same way in Russia, and China, where tech companies play ball or lose access to the market.

The idea that Zoom is somehow “doing a good job” is noise for rubes. Political theater pantomimed by celebrity crypto activists who need to read through the Vault 7 leaks one more time.

war59312 June 4, 2020 11:50 AM

Got to love it. Pay for privacy and security.

Just opening themselves open for a lawsuit. Just imagine a user gets hacked and it turns out would not have happened if Zoom took reasonable steps to secure but those steps are only for paid users. Yea good luck defending that. Again, reasonable is the key here.

Norio June 4, 2020 12:59 PM

Thank you, Bruce Schneier, for your helpful summary. They were doing so well, and now Zoom spokespeople are beginning to remind me of cockroaches scurrying for cover each time a light is shone on them. And I agree, they seem really out of touch: “And, hey, this is kind of a dumb time to side with the police over protesters.”

SpaceLifeForm June 4, 2020 4:09 PM

@59312

“Got to love it. Pay for privacy and security.

Just opening themselves open for a lawsuit.”

You left out freedom of speech.

Lawsuits will get nowhere, parent in China.

Have you noticed teleconferencing glitches?

Is it packets dropped due to use of Unreliable Delivery Protocol, or is it due to packet censorship?

How can you tell?

Cimenny June 4, 2020 5:08 PM

Just opening themselves open for a lawsuit. Just imagine a user gets hacked and it turns out would not have happened if Zoom took reasonable steps to secure but those steps are only for paid users.

Remember that before Let’s Encrypt, it was normal to have completely unencrypted traffic, even sometimes while logged in. That wasn’t very long ago, and I don’t recall anyone getting in legal trouble for it. Even banks sometimes had unencrypted login forms that would transmit to an encrypted site—you know, if nobody modified the login page in transit to send it elsewhere, as tools like sslstrip had been able to do for like a decade.

The FTC may step in if Zoom has made false claims of security. Otherwise, nothing’s likely to happen. Did you get your $12 or whatever from Equifax yet?

Grima S June 4, 2020 5:39 PM

@ Vesselin Bontchev re: “group of perverts”… Substitute “group of dissidents conspiring to overturn a repressive regime”. What technical aspect changes? None. How can the first group be surveilled with out subjecting the second group to the identical risk? There is no “F” in “WAY”. You aren’t by any chance William Barr posting under a pseudonym, are you?

Grima S June 4, 2020 5:50 PM

@Jeffrey Friedl re: morality – In my opinion, however, it is immoral to use Marketspeak to try to portray or imply privacy equivalence between a paid and a free version of a product when no such equivalence exists. I know that is so common it is probably part of the Marketing 101 curriculum, but that doesn’t make it right. I’m unfond of all varieties of active liars…

Jake June 4, 2020 5:59 PM

Honestly it’s probably wise to just not trust Zoom, period. They’ve already shown that Privacy/Security is a secondary concern for them. Even if they touted End-to-End encryption for all, I wouldn’t trust their engineers to implement it correctly.

There are other alternatives to Zoom. Use them.

Jeffrey Friedl June 4, 2020 9:11 PM

@Grima S, literally the first and last words of my post, bookending what you’re replying to, are the words “So long as they’re clear” about privacy issues.

Jesse Thompson June 4, 2020 9:27 PM

I am throwing my hat into the “E2E behind paywall (cheap paywall too, it sounds like) is better than no E2E at all” camp. Whoever thinks E2E should be free should simply roll their own and put Zoom out of business already.

Zoom can’t even compete with you: you advertise “E2E free of charge” and they literally can’t put those words in that order. So all the customers will come to you, and you can hemorrhage all of your independent wealth giving it to them at no charge.

Or sell hats and fortnite dance animations to get by, what do I know? xD

Oh yeah, that and customers don’t even know what E2E means or why it should matter so good luck marketing it to them.

Ismar June 4, 2020 10:03 PM

I may be missing something here, but I can also see this as a positive development to the computer security in general (I am bracing for some onslaught of comments here 🙂 ) as people tend to value what is not free (hard earned) more than any free (easily obtained) commodity.

It may also result in business models where software dev houses are encouraged to allocate more resources to security feature development as they bring in more cash.

BTW – This is completely Zoom unrelated as there are other better options for teleconferencing, both paid and free ones.

Phaete June 5, 2020 12:08 AM

I’m actually quite unperturbed by this.
A commercial company not offering free services to the public.
I can’t find an apt analogy at the moment, but we are expecting far too much for free nowadays.
And asking it from commercial companies, you know you or someone else gets shafted to pay for your free stuff.

And don’t even start talking about dissidents and other privacy needing groups, they (should) know better than to use Zoom.

Another Mouse June 5, 2020 3:16 AM

Actually the sad part about it is that we all give our services out of our hands.

In the past you could trust that no one at your servers hosting company would be interested in copying all of your stuff in real time to some agency. However everyone knew the admin can see everything, thus you knew it and the risk was limited.

Nowadays everything goes via mega corporations accumulating 80% of the world’s overall traffic (video conferencing in Zoom’s case) making it an extremely attractive target to all sorts of data addicted parties. And worst of all it all is happening in a jurisdiction incompatible with your own.

That far we got that now everything has to be e2e to be reasonably safe for use, but often e2e is a hindrance, like you want pots call in? Not possible unless you leak your keys. And in the end e2e doesn’t help if you have huge conferences who will realise if there’s an additional silent participant? After all to keep ease of use the keys must be derived from some meeting id and a password at max, which is shared via email…

E2e is great but key distribution goes against the way we are nowadays handling conferences. So we would have to make it similar to signal, having an integrated system managing keys and signalisation all under a basic e2e encrypted comms system avoiding leaking of the key material.

John Bryant June 5, 2020 4:28 AM

@Vesselin Bontchev the only cited concern that is even remotely valid is that Zoom runs on a bunch of deliberately crippled platforms (older web browsers- it’s not a valid concern for actual mobile phone applications where they can do the encryption in the app).

‘Malicious users’? The people joining publicly advertised or bruteforced deliberately unsecured Zoom calls aren’t using accounts or using throwaway accounts if they can. If someone is on a call they shouldn’t be on, why does any review need to be done at all? No need to employ some poor soul on minimum wage to see dicks or whatever else someone might be firing into some random Zoom meeting. Just time out or ban those reported frequently.

As for the idea that this could somehow protect kiddie fiddlers. These are notoriously antisocial people. What are they supposed to be doing on there? Raping kids live? I doubt it very much. Watching live cams of underage children exposing themselves? OK, maybe. But if they’re doing it through Zoom, they’ve exposed themselves to plenty of metadata collection for when someone reports the meeting addresses used to law enforcement.

In reality, providing encryption as a premium product is a good sign. Now, my preference is always going to be for a company based in Russia and China. I’m not an evil person, so there’s a good chance that the American occupational government might target me while those nations would not do so. But if there’s not a commercial motive to protect the reputation of a company’s encryption, then what does that really matter? The same people who control Donald Trump might simply pay the likes of Telegram to compromise their product, and frankly, that’s a reasonable concern.

Much safer to use something that you pay for.

Clive Robinson June 5, 2020 8:10 AM

@ ALL,

Whilst E2E encryption does provide some protection from people attacking the network communications it really does not do that very well.

I’ve made the point about “End Point Security” many times on this blog since people got the mistaken idea the likes of encrypted messenger apps made them more secure, the reality is they don’t.

This is because of “end run attacks”… due to the “communications end point being able to reach beyond the security end point” on the “End Point Device, –like your “Smart Device” or “Personal Computer”– it can reach around the application to the “plaintext” Human Computer Interface (HCI).

To put it more simply the HCI that conveys “plaintext” from your fingers and mouth and to your eyes is on the same device as the application. The application is where the encryption is done, thus the application contains the “security end point”. Because there is no real isolation in the OS or the drivers etc and the “Communications End Point” (CEP) the HCI is in no way sufficiently isolated from the CEP. Thus an attacker can use the OS or drivers to reach around the application to the plaintext HCI, thus “end run” around the Security End Point. Thus even the best encryption in the world fails quite simply to this attack.

The solution is to “Effectively isolate the CEP from the SEP” thus the application needs to run in two parts each on a separate device. That is the part of the application that deals with communications and other functions that do not leak information is located on the device that is connected to the LAN or other insecure communications path. It also isolates the actual CEP and sends the stripped communications data across a “Security choke point” to the second device. The second device is where the second part of the application carries out the cipher functions and functions in the HCI for presenting the plaintext to the human.

Importantly the security rests on the Security Choke Point between the two devices and two parts of the application. Provided the Choke Point is correctly implemented and monitored, then the required red/black or red/green channel isolation can be achieved, and the attacker has no choice but to attack the encryption. I currently do not know if there is any such system for those that use “consumer devices” there have been some failed attempts for voice communications –ie jackpair amongst others– but until there is demand for such systems they will not become available.

But it’s not just at the end point where it fails, as I’ve explained before.

E2E encryption whilst complex can be done for two party communications where there is only the two data channels (TX/RX) between them. With the availability of SSH type protocols to do KeyMan we tend not to think about what is actually involved at the nitty gritty levels. But SSH does not work well for multiparty communications except under certain insecure models.

Put simply you have three choices when it comes to N communicating parties (where N is three or more communicating at the same time),

1, A point-to-point topology, where there are 2(N-1) data channels at each end point, thus N^2-N data channels in total, which quickly becomes too much for each end point or LAN/WAN bandwidth capacity. You also have Key Management (KeyMan) issues that can easily get out of hand.

2, A ring configuration topology where data gets sent from node to node in both directions. This is little different to 1 above in terms of bandwidth unless each node provides a “mixing function” which adds other issues that quickly get out of hand. And you still have the KeyMan issues.

3, A star configuration topology, with a central mixing hub. Due to the fact it only needs one mixer and that is at the hub, it considerably reduces end point capability requirements, bandwidth, and quite a few KeyMan issues. However it has a single point of failure at the hub, both for reliability and security. Security especially as nobody has designed an efficient mixing system that works on encrypted data. Realistically that is not expected to change any time soon so the central hub has to work on plaintext which means it has to know all the keys being used…

For the sake of cost reduction option three although potentially the worst from a security aspect is almost always used and that is not going to change any time soon.

So realistically for three or more party communications the system you use is from necessity going to be the least secure method, and if supplied by an external organisation that “supplies the hub mixer” then they will be privy to all keys and plaintext.

So the reality is you don’t really get security no matter what the marketing bods may say.

I would say “pays your money takes your choice…” but in most cases people do not want to hand over money, so they have to pay in other ways such as by total loss of privacy..

Lawrence D’Oliveiro June 5, 2020 7:45 PM

Think of it as a way for them to make money. Companies offering “freemium” services are always trying to find ways to entice the punters to part with some money to step up to the “premium” service from the “free” level, hopefully without antagonizing them. This might work on that basis.

Users who care about security, but don’t want to pay for it, will just have to find some less trendy and fashionable alternative to Zoom.

Sancho_P June 6, 2020 5:12 PM

@Clive Robinson, Re: E2E encryption with N communication parties.

”1, A point-to-point topology, where there are 2(N-1) data channels at each end point, …
2, …
3, A star configuration topology, with a central mixing hub …
… [no] efficient mixing system that works on encrypted data.

Um,
A combination of P2P and star topology would reduce channels and completely avoid the central mixing function:

Each client sends (1Tx) to one distributor (hub), the full stream gets redirected 1:1 to all listed participants.
Each client reads (N Rx) from all other distributor hubs (listed participants).
The distributor is a simple function, could be one server or distributed for resilience.
So the “mixer” is at the client side.
KeyMan is, for good reasons, completely different a game.

Bandwidth is always limited by participants * quality, the bottleneck might be decryption of multiple input streams at the client (?).

We had a similar discussion before:
https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html#c6808811

Clive Robinson June 7, 2020 2:24 AM

@ Sancho_P,

As I noted the “mixing function” can be done at the clients but it’s problematic.

Firstly it requires a lot of CPU power and a lot of very high speed memory. Most clients like smart devices or work level PC’s just don’t meet the requirements.

Secondly the bandwidth (Bw) in to a mixer is approximately N.Bw whereas the output of the mixer is Bw. Thus having a mixer in every client is quite undesirable from a network point of view.

Whilst you can “serialize” the mixing across clients reducing bandwidth this requires a ring topology and suffers from accumulated time delays.

Thus at the end of the day the centralized “hub mixer” is realistically the only practical way to go as N increases.

That’s just the way “the cookie crumbles” and as we know from experience security takes a very distant back seat (think hanging out the back of a coach) to functionality even these days.

Another Mouse June 7, 2020 6:05 AM

@john what stops the crook taking money from you and the bad guys? What stops zoom, google you name them from taking your money and still acting on NSLs?

That paying customer attitude is just naive, nothing more, nothing less.

Sancho_P June 7, 2020 5:00 PM

@Clive Robinson

As always it depends on what we want to achieve. Unorganised conferencing of more than 10 participants doesn’t work in real life and can’t be improved by videoconferencing SW. Simultaneously handling of 6 HD porn streams doesn’t make sense either, 4 should suffice 😉

Likely there is no ‘one for all’ solution, but if encryption (kinda secrecy/privacy) is required, both, group and purpose are somewhat limited
(as you mentioned, a secret is best kept between one’s ears).

However, I don’t think the mixer itself would be the issue: Video needs separated streams, mixing isn’t useful, and audio mixing should be possible even with moderate HW.
Certainly the Internet connection is a limiting factor in some places.

But to encrypt / decrypt?
– If we only could trust in SSL transport KeyMan.

… What about a proxy between client PC and the Internet router, like a modified router, agnostic of content, just adding encryption / decryption to the packets’ content only?
Is home-brew “HW” encryption within standard SSL feasible?

John June 8, 2020 7:24 AM

“We do not have backdoors where participants, including Zoom employees or law enforcement, can enter meetings without being visible to others. None of this will change.”

But they record and play back your meetings later. None of this will change.

vtw June 8, 2020 9:16 AM

@Q,

I assume that “Zoom does not proactively monitor meeting content.” means that Zoom proactively monitors meeting metadata, and will only actually record the content if cops ask them to (storing bulk video isn’t cheap!). If they didn’t monitor meetings at all, they’d just say that “Zoom does not proactively monitor meetings.”

Humdee June 8, 2020 6:44 PM

I confess to being confused Bruce. I was under the impression that you and Alex were friends, at least of the professional sort, from his time at Facebook. I am glad to see you taking him on for his noxious behavior but I wonder what has changed that you so freely attack him thus. He was always a cad.

Agammamon June 12, 2020 12:07 AM

Does Zoom have an obligation to provide encryption for non-paying users?

I mean, it would be nice if they did, but why is there outrage that they aren’t? I mean, are you developing a communication app with end-to-end encryption and offering it for free?

If not, why not? Why would you not have an obligation to do so but Zoom does?

1&1~=Umm June 12, 2020 3:50 AM

@Agammamon:

“Does Zoom have an obligation to provide encryption for non-paying users?”

The answer is dependent on their marketing claims and promises and other information they have given out one way or another, with the intent of growing their business, irrespective of actual financial transaction.

Deceptive business practice of various forms is illegal in many parts of the world. Why the Internet should expect to be given a ‘Hall Pass’ on such behaviors is one of those things our political representatives should be addressing but do not for various reasons (think financial or other gain via lobbyists).

The fact that Silicon Valley big corporations effectively lie to anyone and everyone, and get away with deceptive practice, does not mean that it should be allowed to become normal behaviour.

Look at it this way, if unchecked many cancers will grow and consume the body’s resources until the body is effectively killed.

Now replace cancers with ‘deceptive practices’ and body with ‘marketplace’ in the above paragraph to see why it’s a bad idea to let deceptive practices by any organisation continue.
