❌ Software Removal | Keybase/KBFS acquired by Zoom #1894
Description
I know that it was just added a few days ago, but this just entered my feed: https://twitter.com/malgorithms/status/1258386143470653441
Why I am making the suggestion
Keybase has been acquired by Zoom. https://keybase.io/blog/keybase-joins-zoom
Zoom is terrible when it comes to privacy. They have been taking measures to ensure security but their privacy policy still leaves a lot of mysteries.
My connection with the software
I have no affiliation with Zoom or Keybase. I have been working on file sharing systems in the past for another vendor.
I would add a disclaimer to the software website
@JanOstrowka I see now that Keybase itself is also listed under https://www.privacytools.io/software/real-time-communication/
That one should probably also be removed.
At this point I don't think we will do any removals as nobody really knows where it's going. We will wait and see how this pans out. It isn't like Keybase has announced they're shutting down, nor has it been announced that it will not be developed in parallel with Zoom.
I would say that we have seen that we cannot trust Zoom when it comes to privacy. As @danarel mentioned on the other issue, Keybase has been very vague on the future.
The amount of info that Keybase has on its users is very worrying and I would recommend everyone to leave it asap. You can always rejoin if something seems to be okay, but it is not heading this direction.
Zoom is not Keybase, they are two different products.
Nobody knows, not even the company.
Not any more information that they didn't already have.
Likewise, you don't know if things will get worse.
Edit: didn't mean to close this yet.
And I agree with this. We don't know much right now and I have a list of concerns but don't want to jump to a knee-jerk reaction. I think we can be cautious, slightly optimistic, but ready to remove once we learn more.
I was expecting to open this discussion. The company could have made an agreement on keeping Keybase open source for example and I think that is a missed opportunity. I am very happy that Zoom started to take its security seriously, hopefully privacy is the next step. Keybase is now in control of a company with a very bad reputation and I think recommending it therefore is an issue as long as it's not clear what will happen. I also understand that removing them now would have impact but in the world of privacy and security, there is no such thing as benefit of the doubt in my opinion.
If we wanted alternatives keys.pub could be interesting.
It is probably not necessary to remove Keybase immediately, at least until more things are clear. But it would probably be good to mark it with an additional warning and/or put it on lower positions on page.
It's a closed source server.
I agree with the removal.
We should wait a bit
https://github.com/keybase/client/issues/24105
The thing is, open source wouldn't really make it a lot better. Keybase is not federated so you'd still have individual pods that can't communicate with each other.
I don't imagine that would be much use for anyone outside of an organization. Retro-fitting federation into a protocol is virtually impossible and really needs to be something thought out from the beginning.
Signal/LibreSignal is a classic example of that, even being open source if you can't use the Signal servers you're still screwed.
Also, this is just a call from users to open source it, not a statement by Keybase or Zoom saying they will.
There's no reason to believe that Zoom purchased Keybase and would then just open source it.
I suggest we do a thorough background check of Zoom, since now Zoom is the background of Keybase.
The new CEO of Keybase (Zoom CEO) openly wants to work with the FBI and other agencies.
https://techcrunch.com/2020/06/03/zooms-privacy-premium/
That did it for me too, I vote for removal.
My vote is for removal as well
Another vote for removal.
The CEO of Zoom clearly stated:
2. the unwillingness to protect users' privacy
3. the urge for more money
No trust can and shall be given to such guys that own Keybase.
And, really? Zoom thinks bad guys won't buy Zoom premium for keeping the meetings away from being listened to by Zoom? That excuse is too stupid to make sense for me. I'm voting for removal.
Zoom censored activists after request from Chinese government:
https://in.reuters.com/article/zoom-video-commn-privacy-idINKBN23J08S
News:
https://www.theguardian.com/technology/2020/jun/11/zoom-shuts-account-of-us-based-rights-group-after-tiananmen-anniversary-meeting
Zoom's own blog about this:
https://blog.zoom.us/wordpress/2020/06/11/improving-our-policies-as-we-continue-to-enable-global-collaboration/
In this blog, Zoom writes:
Zoom owns users' metadata, and is actively using it to block legitimate users.
Being acquired by a company with an evil history doesn't necessarily mean KB is done, but leaders that are actively collaborating with the gov of China?! No, if that's the company that owns Keybase, I won't use it, forever. Now it's possible for Zoom to take down meetings based on local authorities' order (without even considering whether the request is proper or not, by themselves), after some time the same thing will happen to Keybase users, too.
Considering Zoom's actions regarding privacy, oppressing freedom of speech by blocking users from holding online events about the 1989 Tiananmen Square protests and the intention to cooperate with parties that have proven to invade privacy like China, the FBI and other agencies I would deem the acquisition of Keybase to be questionable regarding privacy concerns and thus not belonging on privacytools.io.
It's worth noting all these articles are about Zoom, not Keybase where everything is E2EE anyway (even for free users).
The main issue would be that inside of Keybase they do advertise Zoom (Zoom bot etc), and this might lead people to using insecure software.
All these articles are about Zoom's leaders, which now became Keybase's leaders, too.
Not for metadata like login time and IP, which is quite easy if Keybase leaders decided to forbid some Chinese activists or someone else from using this service anymore based on FBI and local authorities. You have seen what happened to those activists who use Zoom, why can't they replicate it on Keybase? At least it seems to me that Zoom leaders are quite willing to cooperate with gov. authorities.
While the articles are about Zoom, they reveal the company's open willingness to work with federal authorities and because they own Keybase, there is no reason to think that doesn’t apply to them as well.
A willingness to work with authorities within the confines of the law is one thing, a willingness to not allow users total privacy and security so that you can more easily work with the feds is another.
I'll make a PR to remove Keybase.
I know this issue is now sort of done with the pull request but I just got my eyes on this article:
https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/
I thought you might find it interesting.
That article is outdated, they use GCM mode now in Zoom 5 apparently.
@dngray it was more about the fact that they actually cooperated and also have links.
heh. https://blog.zoom.us/wordpress/2020/06/17/end-to-end-encryption-update/
My guess is that there would have been people at Keybase who were opposed to the "think of the children" argument for making it a paid-only feature.
I still think using a Matrix server in a friendly nation is a lot safer if you actually care about metadata, which I doubt their E2EE will protect against.
For example what is illegal in one country may not be in another, and they've shown they're willing to help the CCCP with their oppression because they don't want to be banned in China. At the same time it's clear they're trying to pre-empt EARN IT legislation with the whole "child safety advocates" bit.
It's not like child safety advocates can actually offer any useful advice about E2EE. The E2EE either works or it doesn't. Those groups generally seek to make sure it doesn't in some way (if they have an opinion on encryption).