Skype/Zoom/MSTeams/Facebook/WhatsApp - Contacts pirates, the lot of them

Like many people, we find ourselves using video conferencing and chat systems much more than we did not very long ago, and in many cases loading new software to work with organisations and clients.
Most of these blithely attempt to steam in and ‘access your Contacts’. With Skype for example you have to firmly say ‘No’ quite early in the installation. Some seem to allow me to set up a limited list within the app, while others (WhatsApp) are pretty inconvenient without a way of linking numbers to names.
The thing is, my Contacts file extends to thousands of names and in many cases also includes personal, financial or other sensitive information in the Notes field, and I am very wary about allowing free access (data mining) by all these applications and systems. Presumably they can access anything in Contacts: addresses, notes, birthdays, even if they say they’re only looking for matching phone numbers (WhatsApp).
Am I being overcautious? What strategies do people use to address this issue? I would love some well-informed TidBITS guidance.

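The worry above about "only matching phone numbers" is well founded, and the following added example (not code from the thread, nor from WhatsApp, Signal or any other vendor) shows why. It simulates the naive contact-discovery design in which a client uploads hashes of the phone numbers in its address book instead of the numbers themselves. Because the space of valid phone numbers is tiny by cryptographic standards, the server (or anyone who later obtains the upload) can precompute a table and turn the hashes back into numbers, and each upload also reveals who is in whose address book. All phone numbers and uploader names are constructed sample data.

```python
"""Why 'we only upload hashed phone numbers' is not contact-discovery privacy.

Added example, not from the thread or from any vendor's code. It simulates the
naive contact-discovery design in which a client uploads SHA-256 hashes of the
phone numbers in its address book and the server matches them against hashes of
registered users. The number space is small enough to precompute, so the hashes
are reversible, and every uploader also reveals who is in their address book.
All numbers and uploader names below are constructed sample data.
"""
import hashlib


def phone_hash(number: str) -> str:
    """Hash of one E.164 number: what a naive client would upload."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def client_upload(address_book):
    """The client sends hashes only: no names, no Notes field, no birthdays."""
    return sorted(phone_hash(n) for n in address_book)


def build_rainbow(prefix: str, width: int) -> dict:
    """Precompute hash -> number for every number in one constructed range.

    A national numbering plan is on the order of 10**10 numbers, which is
    minutes to hours of hashing on commodity hardware, so this is feasible for
    the server or for anyone who later obtains the uploaded hashes.
    """
    table = {}
    for i in range(10 ** width):
        number = f"{prefix}{i:0{width}d}"
        table[phone_hash(number)] = number
    return table


def recover_numbers(upload, table):
    """Reverse the 'anonymous' upload back into plaintext phone numbers."""
    return sorted(table[h] for h in upload if h in table)


def who_has_me(my_number: str, uploads: dict):
    """A user who never uploads is still exposed by friends who did: return
    the uploaders whose address books contain my_number."""
    h = phone_hash(my_number)
    return sorted(name for name, hashes in uploads.items() if h in hashes)


# Constructed sample data (not real numbers or people).
ADDRESS_BOOK = ["+14155550123", "+14155550456", "+14155559999"]
UPLOADS = {
    "alice": client_upload(["+14155550123", "+14155550777"]),
    "bob": client_upload(["+14155550123"]),
    "carol": client_upload(["+14155551000"]),
}

if __name__ == "__main__":
    table = build_rainbow("+1415555", 4)   # 10,000 numbers, well under a second
    print("recovered:", recover_numbers(client_upload(ADDRESS_BOOK), table))
    print("uploaders who have +14155550123:", who_has_me("+14155550123", UPLOADS))
```

The range here is 10,000 numbers so it runs instantly; widening `width` to cover a real numbering plan only changes the precomputation time, not the outcome. The lesson for the thread is that refusing the Contacts prompt protects the Notes field and the rest of your address book, but your own number and your place in other people's address books are exposed as soon as one of your contacts says yes.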
I don’t have a solution or details, but I have the same concern. I don’t think you are being overcautious.

My contact database contains thousands of names (mostly business related, and like you, also some sensitive information). WhatsApp is nearly impossible to use without giving it access to contacts, but I kept denying it anyway. I do not trust Facebook with any of my data.

Same here. I don’t think you’re over-cautious at all.

I simply refuse to grant these apps access. The only comfort I give up is that I first need to copy a phone number from Contacts and then paste it into e.g. Skype. That’s IMHO a small price to pay for the added security.

I don’t trust these companies one bit, especially those that offer “free” clients. The UC system has a corporate Zoom license that I use on my work MBP, but after the Facebook SDK thing I decided to delete it off my iPhone. Just not worth it. The only way these companies will be decent players is if they are essentially forced to do so at gunpoint. Lacking federal regulation, me voting with my wallet/feet is the only thing I can think of.

I’m glad someone brought this up.

That’s what initially attracted me to Jitsi Meet. The “client software” is just Google Chrome, or Chromium, or Brave, or I imagine the new Microsoft Edge. (On mobile, you need to download the free Jitsi app. You can even use desktop Safari if you install a WebRTC plugin.) There are no accounts and no passwords. It’s free and open source, so if you don’t want to use Jitsi’s server you can run your own.

I have never used “real” teleconferencing software so I can’t say how it compares feature-wise, but for me Jitsi gets the job done and the data never leaves my shop. Even more important is that it can’t leak data it doesn’t have.

Disclosure: elsewhere, when I was bashing Zoom, I commented that “I don’t have a pony in this race.” That changed the next day, when my sons’ school district announced that they were forcing students to install and use Zoom for their distance learning.

My problem with this is that even though I don’t upload contacts, I’d still be using a service where other people I know are encouraged to upload their contacts. And because we are acquaintances, friends, family, there’d be a huge amount of overlap between what is in their address book and mine.

A local payment app (Beem It in Australia) also requests such access.

Another problem is, once agreed to, turning off such access is already too late, because the contents have already been extracted onto servers elsewhere.

Just a shout-out. My wife is using Zoom for a weekly group meeting. I’m retired so I haven’t had to learn it, but on Tuesday (April 7) Screencasts Online will be publishing a free video tutorial that will, I think, discuss some of the privacy issues as well as teach the user interface. For those who don’t know Don McAllister’s Screencasts Online platform, it may be a good introduction to that as well.

I don’t have sensitive data stored in Contacts, but I understand your reticence to allow the connection and agree with it.

My general approach is to deny any app access to Contacts unless its entire point is to work with Contacts (like BusyContacts). I’ll occasionally make exceptions for situations where it might be helpful to me if contact info is available and I generally trust the company in question, like Flexibits for Fantastical.

But I never, ever let Internet-based tools access my contacts to let me know who my “friends” might be or anything like that.
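
A practical check to go with the "deny everything except apps whose whole point is Contacts" policy above: on macOS the grants you have clicked through are recorded in the per-user TCC database, so you can list which bundle identifiers currently hold Contacts access and reset the ones you did not mean to grant. The following is an added example, not code from the thread; the table and column names are an assumption that matches macOS 10.14 through 12 (the grant column is `allowed` up to Catalina and `auth_value`, with 2 meaning allowed, from Big Sur on), the bundle identifiers in the sample database are hypothetical, and reading the real file requires your terminal application to have Full Disk Access.

```python
"""List which apps currently hold Contacts access on a Mac, and how to revoke it.

Added example, not from the thread. macOS records privacy grants in a per-user
SQLite database (TCC.db); this reads the rows for the Contacts service. The
column names are an assumption that matches macOS 10.14 to 12: the grant column
is 'allowed' (0/1) up to Catalina and 'auth_value' (2 = allowed) from Big Sur
on. Reading the real file needs Full Disk Access for your terminal app.
"""
import os
import sqlite3
import tempfile
from urllib.parse import quote

TCC_DB = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")
SERVICE = "kTCCServiceAddressBook"   # TCC's name for the Contacts permission


def contacts_grants(db_path=TCC_DB):
    """Return [(client_bundle_id, is_allowed), ...] for the Contacts service."""
    con = sqlite3.connect(f"file:{quote(db_path)}?mode=ro", uri=True)
    try:
        cols = {row[1] for row in con.execute("PRAGMA table_info(access)")}
        col = "auth_value" if "auth_value" in cols else "allowed"
        rows = con.execute(
            f"SELECT client, {col} FROM access WHERE service = ? ORDER BY client",
            (SERVICE,),
        ).fetchall()
    finally:
        con.close()
    allowed_value = 2 if col == "auth_value" else 1
    return [(client, int(value) == allowed_value) for client, value in rows]


def revoke_command(bundle_id: str):
    """The tccutil invocation that withdraws the grant so the app must ask again."""
    return ["tccutil", "reset", "AddressBook", bundle_id]


def make_sample_db(path: str):
    """Constructed stand-in for TCC.db (Big Sur-style schema, hypothetical
    bundle ids) so the audit can be exercised offline."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "client_type INTEGER, auth_value INTEGER)"
    )
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        (SERVICE, "com.example.chatapp", 0, 2),                # granted
        (SERVICE, "com.example.videoconf", 0, 0),              # denied
        ("kTCCServiceCamera", "com.example.videoconf", 0, 2),  # other service
    ])
    con.commit()
    con.close()


def sample_grants():
    """Run the audit against the constructed database in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "TCC.db")
        make_sample_db(path)
        return contacts_grants(path)


if __name__ == "__main__":
    try:
        grants = contacts_grants()
    except sqlite3.OperationalError:
        print("cannot read TCC.db (not macOS, or no Full Disk Access); showing sample")
        grants = sample_grants()
    for client, ok in grants:
        line = f"{client}: {'ALLOWED' if ok else 'denied'}"
        if ok:
            line += "   revoke with: " + " ".join(revoke_command(client))
        print(line)
```

Running `tccutil reset AddressBook` with no bundle identifier clears every Contacts grant at once, which is the blunt option if the list is longer than you expected.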

Another security problem with Zoom:

The problem that I see is that so many that do this don’t make it clear that’s what they are doing. They ask you some vague question like, “Would you like us to organize your friends?” and then if you accidentally say yes to the subsequent “okay to share contacts?” you’ve just leaked all your contacts.

Sure, the power users among us can catch this, but naive non-technical people you’re inviting to a conference may not.

You should have told the school that you don’t allow Zoom on any computers in your household, and also supplied them with the massive list of data mining, anti-privacy, and other malware associated with Zoom.

Remember that 1970 film, Colossus? “There is another.”

It’s called Signal, and it apparently doesn’t monetize you or your data because it’s not supported by selling your data.

Yes, it does use phone numbers from your contacts, like WhatsApp. However, they (signal.org) say, “Signal is an independent nonprofit. We’re not tied to any major tech companies, and we can never be acquired by one either. Development is supported by grants and donations from people like you.”

The real clincher there is “we can never be acquired by” any major tech company, unlike WhatsApp. I’ve installed it, and immediately it detected five bleeding-edge contacts who are using it. I’m comfortable with that.

Oh, yeah…and it has disappearing messages, and you can verify the status of end-to-end encryption (apparently “end” here actually means “end,” not “middle” the way Zoom uses it!).

I did exactly that. They responded by giving me a list of anti-Zoombombing mitigations, apparently failing to even look at the list of articles I sent. In the meantime, Glenn’s excellent articles came out along with the news that NYC schools are banning Zoom. I sent those and a half-dozen or so other articles that were published in those few days. Friday they wrote to me that they were having a meeting next week to discuss their options (but I wasn’t invited).

I use Signal for most of my telemedicine (Jitsi Meet for the rest). I like it, but isn’t it just 1:1? I’ve never tried, but I don’t think it supports group video chat which seems to be what most quarantined folks are looking for. There is also something kind of creepy about how they use phone numbers. I have two separate phones, one for telemedicine and one for personal use. But patients with whom I’ve had telemedicine visits pop up on my personal phone: “John Smith is on Signal!” even though they’re completely different phone numbers. I immediately block them, but it makes me worry that Signal is leaking personal information to my patients. I’m not too concerned, but I’ve had some veeery scary stalkers a couple of times in my 20+ year career, so it’s a cause of some concern.

Eew, I agree, that does sound creepy. But maybe you could make two different Signal accounts with different user names based on the two different phone numbers?

Signal’s website says in part “The Signal service does not have any knowledge of your contacts. Data is all owned by your phone. Registration notifications are never transmitted by anyone in any direction at all; these notifications are created by your phone.” It’s open source, so you can verify that.

Please let us know the outcome. What did they say about Zoom not being allowed in your household?

They didn’t address it directly, mostly suggesting I wait until after the meeting next week. Since distance learning commences on 13 April, though, if they decide to keep using Zoom, I suspect they’ll then say “it’s too late to make a change now.” I had intended to specifically ask what provisions they would make for those unwilling to use Zoom, but it didn’t make it into my final edit. On the other hand, I did ask some very specific questions, for example “Is [district] going to ask students or their parents to agree to these draconian, harmful, and downright creepy terms?” They did not respond to any of my direct questions.

They are offering to loan Chromebooks to students “without access to a computing device,” which hardly applies to us with north of 50 computers in the house, but I anticipated that they would suggest we just use one of their Chromebooks. I tried to anticipate that by saying “Remember that having a compromised device in our homes and on our networks is dangerous even if that device is a District-owned Chromebook.”

If you are successful, you may find the “cure worse than the problem”. Zoom has arguably fixed all the most important security issues now, according to Glenn Fleishman and he has provided updated workarounds for most others here.

There’s very little evidence that any of the other solutions is any better and most are much more difficult to learn and administer. Only the strictest privacy advocates with something to hide should still be concerned over Zoom’s E2E methodology.

I’m not aware that any of the other vendors deliberately and maliciously compromised their users’ machines (more than once!) and left them vulnerable to outside attacks, all for a slight competitive advantage. That kind of arrogance and incompetence tends to run bone-deep in a company’s culture. As far as I know, the people responsible for implementing and allowing and approving that crap are still working at Zoom. Presumably, so are the people who said “it depends on your definition of ‘sell’.” I see no evidence that the company has learned anything except how to make their mea culpas sound more sincere.

So they’ve fixed all the problems. Just like the last time. And the time before that. And the time before that. “Fool me once…”

This puts me in mind of how Adobe, when they were still desperately trying to defend Flash, would announce every few months that the current version is now perfectly safe to use, they’ve fixed all the problems at last. Right.

I ran out of gas! I got a flat tire! I didn’t have change for cab fare! I lost my tux at the cleaners! I locked my keys in the car! An old friend came in from out of town! Someone stole my car! There was an earthquake! A terrible flood! Locusts! IT WASN’T MY FAULT, I SWEAR TO GOD! --Jake Blues

And, yes, there absolutely are alternatives that have better security track records and/or have been well-vetted and/or can be deployed completely in-house and/or are open-source.

Quite some time ago I finally tried LinkedIn; I had resisted for quite some time. I was amazed at the list of people it suggested that I ‘friend’. It wasn’t just people in my contact file, but people with whom I had had only one or two e-mail exchanges.

But like what someone else stated. If you’re on someone else’s list, and they have let the software access their list, the horse is out of the barn, so to say.
