Section 4 of the Jitsi Meet ToS grants them similar rights, just with mushier language.
> You give 8×8 (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works..., communicate, publish, publicly perform, publicly display, and distribute such content solely for the limited purpose of operating and enabling the Service to work as intended for You and for no other purposes.
IANAL, but it seems like that would include training on your data as long as the model was used as part of their service.
Everyone who operates a video conferencing service will have some sort of clause like this in their ToS. Zoom is being more explicit, which is generally a good thing. If Jitsi wanted to be equally explicit, they could add something clarifying that this does not include training AI models.
> solely for the limited purpose of operating and enabling the Service to work as intended for You and for no other purposes.
To me (a former corporate lawyer) the "for You" qualifier would limit their ability to use content to train an AI for use by anyone other than "You". Is there an argument? Yes. But by that argument, they would also be allowed to "publicly perform" my videoconf calls for some flimsy reasons that don't directly benefit me.
Yep, I acknowledge that is a possibility, but it would also lead to them having permission to display literally the entirety of my videoconf calls to anyone, for advertising purposes or some other purpose that only incidentally benefits me. That would be a strained reading IMO.
Additionally, courts consider the fact that users have little if any say in the terms, and thus tend to take the most restrictive but still reasonable view of any uncertainty in them.
Basically "if you wanted it you could have asked for it, if you didn't then that is a problem".
Something like: If I have a call with you once, theoretically I might have a call with you again in the future. If they use my content to train "your" AI that would improve our theoretical future call, too, and is a "for me" use, I guess?
And I might have a call with any other zoom user, too, potentially, maybe. So really they are doing me a service by using my content all over the place — who knows, it might benefit me at some point!
In case this is meant to imply that perhaps my business and your business are both part of the same "You", they are not. They are each a party to a separate contract with Jitsi; we are not all party to one huge contract with each other (which would hypothetically allow Jitsi to do anything with our content for the purpose of helping them serve all of us).
Do you happen to know of others, by any chance? For self-hosted video call solutions, it looks like Jitsi and BigBlueButton (BBB) are the only decent options out there.
QoS (Quality-of-Service) rules might starve your traffic of bandwidth. Are you sure you have perfect "Net Neutrality" on your side?
You would be well advised to use services where the traffic travels over HTTPS on port 443 to the server (because it's been my experience that it tends to get pretty good QoS treatment). My own little rule of thumb: "you can connect to any port you want, so long as it's port 443 https." ;)
On the other hand, tls/443 is pretty undesirable for media delivery in videoconferencing, because a) it's TCP-based, and the required ACKs mean a big reduction in throughput and an increase in latency, especially in the presence of packet loss, and b) most video services these days (and open source servers) use WebRTC, which already encrypts the data in transit, so the TLS layer is a waste of resources.
Though tls/443 is usually still supported as a fallback, because it's most often allowed by even restrictive firewalls and networks.
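As a rough illustration of why that fallback matters, here is a minimal Python sketch that checks whether plain TCP to port 443 gets through at all (meet.jit.si is just an example target, and this says nothing about whether the UDP media ports WebRTC prefers are also open):

```python
import socket

def tcp_reachable(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Return True if a plain TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# On restrictive networks, the UDP ports WebRTC prefers for media are often
# blocked while TCP/443 still gets through -- which is why conferencing
# servers keep a TLS/443 fallback despite its throughput/latency costs.
print(tcp_reachable("meet.jit.si"))
```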
There's Galene, <https://galene.org>. It's easy to deploy, uses minimal server resources, and the server is pretty solid. The client interface is still a little awkward, though. (Full disclosure, I'm the main author.)
As I understand it, it refers to using meet.jit.si, not "another service" someone might provide by downloading the Jitsi software and running it on their own server.
Please correct me if I'm wrong since this would give me cause to reconsider running a Jitsi server.
It's "the Service" with capital S, indicating that it is a term specifically defined in the contract. Here "the Service" is defined as "the meet.jit.si service, including related software applications". If that's not vague enough, article 2 gives 8x8 the right to change, modify, etc. the Service at any time without any notice.
The guys at 8x8 may be well intentioned, but their lawyers have done their best to not give the customer any basis to sue the company in any foreseeable circumstances. That is what company lawyers do, for better or worse.
Regardless, it appears that at present Jitsi is not including AI training in their service, and there is no explicit carve-out in their terms for AI training. However, under article 2 they do have the right to store user content, which might become a problem in the future.
For various reasons I have a bunch of different groups where I use different videocall software for regular meetings - Zoom, Jitsi, Teams, Skype, Google Meet and Webex.
Out of all those, Jitsi is the only one where I can't rely on the core functionality - video calls and screensharing for small meetings (5-6 people); I have had multiple cases when we've had to switch to something else because the video/audio quality simply wasn't sufficient, but a different tool worked just fine for the same people/computers/network.
Like, I fully understand the benefits of having a solution that's self-hosted and controlled, so we do keep using self-hosted Jitsi in some cases for all these reasons, but for whatever reason the core functionality performs significantly worse than the competitors. Like, I hate MS Teams due to all kinds of flaws it has, but when I am on a Teams meeting with many others, at least I don't have to worry if they will be able to hear me and see the data I'm showing.
Won't help. I've had multiple callers encounter trouble with what I guess is WebRTC traffic, due to browser extensions, "anti"-virus software, VPN policies, etc. Zoom etc. works fine. They usually fixed it by switching to a personal phone instead of a work laptop, but in general the situation is not tenable.
Not sure there would be a decent enough return on investment, especially if the other tools they regularly use provide more reliable service at no additional cost.
How does Jitsi handle 500-person+ conference calls these days? This is the killer Zoom feature - it looks like Jitsi can handle up to 500 now: https://jaas.8x8.vc/#/comparison
That's personally not enough for many remote companies. So if we're going to have to have Zoom on our machines anyway (to handle an all-company meeting), why not just use it for the rest?
You can just have a conference call with the 5-10 speakers and use broadcasting software to stream it to the audience (see the sketch below); why do they need to be in the conference?
Yes, I know it's more comfortable that way, but if you have to decide between giving all your data from all your meetings to a random US company and a slight annoyance whenever you do conferences with more than 500(!) participants, the choice is pretty simple to me.
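For what it's worth, the broadcasting setup is not exotic. Here is a hypothetical sketch of what tools like OBS do under the hood: capture local audio/video with ffmpeg and push it to an RTMP ingest point. This assumes ffmpeg is installed; the capture devices and stream URL are placeholders.

```python
import subprocess

# Hypothetical sketch: capture local audio/video and push it to an RTMP
# ingest point, roughly what broadcasting tools like OBS do under the hood.
# The capture devices and the stream URL below are placeholders.
subprocess.run([
    "ffmpeg",
    "-f", "v4l2", "-i", "/dev/video0",        # webcam capture (Linux)
    "-f", "pulse", "-i", "default",            # system audio capture
    "-c:v", "libx264", "-preset", "veryfast",  # encode video to H.264
    "-c:a", "aac", "-b:a", "128k",             # encode audio to AAC
    "-f", "flv", "rtmp://stream.example.com/live/STREAM_KEY",
], check=True)
```

The audience then watches the stream (with its few seconds of latency) while only the handful of speakers sit in the actual call.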
Giving all the data to Zoom probably means also giving it to most US law enforcement agencies (should they request it); that would be a big no-no for me.
Not to mention that until very recently even MS Teams sent you to a different product when you wanted to stream to 500 people. Even if it's now integrated, it's still a different product inside (e.g. you could open a new window when you were in a 500-person "meeting" at a time when you still could not do so in a regular meeting).
You say "just more comfortable", but if you have two streams and one of them is on a channel you know to be unreliable (Jitsi), it's pretty much guaranteed the unreliable stream is going to be down a significant percentage of the time. If you're a company with 500 people, this isn't a comfort question; you're wasting probably hundreds of hours of your employees' time.
I think we're not on the same page about Jitsi being unreliable. In fact, it has been more reliable for me than Zoom in the past. Maybe due to the fact that I'm running Linux, I don't know, I haven't tried either on Windows.
For the corporate or training use case, this is not a problem. If you are worried about US law enforcement agencies, you shouldn't be using any system that isn't rooted in face-to-face communication for anything sensitive. (And even that is suspect, given how small bugged devices are today.)
There is a huge difference between requesting data that has already been collected and requesting that Zoom/Microsoft/Google record future data. The latter probably requires some serious intent. And of course, if I wanted to be entirely safe from US law enforcement espionage, I would need to not use computers at all, but whose use case is that?
So, then... you're bound by YouTube's TOS, you can't prevent people from getting in (usually via login), and Zoom makes it a nice experience instead of a hack.
Oh, and you can also do sub-rooms with Zoom, which has some applications in these types of meetings.
They don't actually suggest using YouTube. The point is just to illustrate that this is a very common and relatively simple concept. There are tons of tools able to accomplish this.
Chat lags for 5-120 seconds depending on livestream settings, writing is much slower than speaking, does not always convey the question as well as sound, and is close to impossible to do on the go.
In my experience there will always be some guy ranting for minutes, so I learned to really appreciate town halls with a few speakers taking questions written in the chat.
At some point though why not just collect questions beforehand, record the whole thing and let people watch it on their own time. At that scale there'll be no interactivity during the meeting anyway.
Because that's how you end up with projects that take 3 years to plan instead of 3 months. A live Q&A where all of the experts who can answer questions and everyone interested in the subject who may have questions are in the same room (live or virtual) is a lot more productive compared to what you are suggesting.
If something they said in the main presentation was missing important details that you need to do your work, why do you need to wait days/weeks for them to gather all the questions, find all the answers, and publish a video, when they could just answer it live in a few seconds?!
There is interactivity. Each company has its own way of doing this, but it's typical to have someone reading the chat to gather questions, while higher-ranked employees can speak up directly to ask questions.
You'd be surprised how much chat happens as a side channel. Further, collecting questions means that the presentation material would have to be out there first, and that misses the point of the town halls, where financials and other initiatives are often first presented to the larger organization.
It may be that only a small subset of people will talk, but it's not necessarily the case that you know which subset beforehand. When the software can handle it, it's much easier to have everyone join a single call than it is to make sure that the right three people and two meeting rooms have access to talk, and guess which one other person out of about 250 might be called on to provide more context on an answer.
And I suspect that for most people -- including me -- Zoom accounts are "effectively unlimited". I wouldn't expect that many people to attend one of my meetings. The Internal Events team have licenses that allow for more attendees; I have a 500 attendee limit and I doubt I've ever gone above 50.
City-wide town halls, where everyone can listen in but pre-registered people can ask questions, are a productive use case for public information. Those buildings can't accommodate 500 people.
That is called broadcast media -- it was actually better thirty years ago than it is now. If you want conversation, then you make a panel and have a single microphone for the rest.
It's also much more responsive than Teams. Jitsi seems to optimize frame rate over resolution, and Teams seems to do the opposite.
Having used both, I find the frame rate more important, as it's much easier to interpret quick facial expressions. But Teams looks glossier, which makes it easier to sell, I guess.
I have yet to find a modern video chat that isn't draining the battery of any laptop, from old Xeons to fairly recent Ryzens and even M1/M2 Macs.
It's a bit puzzling, actually. I don't think Skype and TeamSpeak had the same effect on computers back in the day. Just how much local processing are they doing these days? It's crazy
Hardware decoding is also an issue, as in: not being used. Old webcams used to do H.264 encoding in hardware. Encoding has since moved to the CPU, which may or may not be fine. The next issue is the codec chosen: most hardware has H.264 decoding built in, but it's not being used anymore. Instead they're trying to use VP9, H.265, or AV1, which in many cases requires CPU-based software encoding and decoding, so the fans rev up like turbines.
I feel certain the reason this is happening is because some middle-manager terrorist in a boardroom said "use this codec it won't require as much network data usage! value for the shareholder!" without asking first whether hardware encoding is beneficial even if there's a bit more network traffic with the older codecs.
Really burns me up. I do not want to use software encoding/decoding if I have hardware support.
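If you want to see what your machine could be using, here is a minimal sketch, assuming ffmpeg is installed and on PATH, that lists the hardware acceleration backends your local ffmpeg build exposes:

```python
import subprocess

# `ffmpeg -hwaccels` prints the hardware acceleration methods the local
# build supports (e.g. vaapi, videotoolbox, d3d11va, cuda). If your
# conferencing app pegs the CPU anyway, it simply isn't using them.
result = subprocess.run(
    ["ffmpeg", "-hide_banner", "-hwaccels"],
    capture_output=True, text=True, check=True,
)
print(result.stdout)
```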
Bandwidth is the limiting factor in a lot of circumstances, and networks are very challenging to manage. Especially with an increasing number of users on mobile connections, reducing network usage can be the right call.
But performance matters, too, of course. It's tricky to balance them.
Correct: Teams doesn't use VideoToolbox, so it's software encoding. Probably not directly in JavaScript per se; it's probably calling a native library. But it runs hot because Teams doesn't use hardware encoding.
Worst is relative. Zoom has a lower barrier to entry for normal users (who far outnumber us nerdy types) than any other app in its class. Worst for privacy, best for usability, many argue.
Worst for privacy, best for usability is the norm. Most B2C stuff is almost predatory. The only exceptions are at the high (cost) end of the market, and Apple to some extent.
If you aren’t paying in either time (DIY) or money, you are probably being exploited.
What I take to be the TOS for Google Meet (it's a little hard to tell!) makes no specific reference to AI, but does mention use of customer data for "developing new technologies and services" more generally. https://policies.google.com/terms#toc-permission
Actually, they only affect the hosted meet.jit.si service, right? Not if you self-host Jitsi on your own server (which you should if you're a medium-large company, for data protection and all that).
Also, Jitsi can easily be self-hosted, which means no information leaks in the first place.
I've refused to install zoom since they installed a Mac backdoor and refused to remove it until Apple took a stand and marked them as malware until they removed it. And that was far from their only skullduggery.
Skype became really, really terrible; it looks like it's been unmaintained for the past 10 years, and I'd rate its usability worse than most open-source software. The sound quality is also awful; it feels like I'm calling a landline.
I live in France; landlines had a distinct background white noise that somehow Skype managed to imitate. Switching to any other software feels like upgrading to HD audio.
It’s called “comfort noise,” and was an option in Lync/Skype for Business. A lot of users being switched from desk phones, especially older ones who still primarily used landlines at home, found themselves wondering if their conversation partner was still on the line without it.
In the US I don't know a single person that has access to POTS. Discord (with paid nitro) is the gold standard for quality and latency, followed by all the free VoIP apps
I live in the US, and I'm pretty sure everyone I know has a landline, though a good number of them are now digital/fiber/whatever. Some people I know still have multiple landlines, as it's cheaper than paying multiple cell bills if necessary. I know at least one person who used to have call forwarding set up to get calls on their cellphone, but with the current state of marketing calls they probably don't do that anymore.
Nobody pays multiple cell bills unless they wanna use several data-only eSIMs from different carriers to get better speed/coverage. If you just want a lot of phone numbers, you can port your numbers to a VoIP provider and forward them. Way cheaper than a landline
Tangentially related, but a number of telehealth operations with hospitals/therapists/etc... use Zoom -- I suspect because their clients can connect without an app or an account over a browser.
When you join a Zoom session over the browser, you don't sign a TOS. And I assume that actual licensed medical establishments are under their own TOS provisions that are compatible with HIPPA requirements. Training on voice-to-text transcription, etc. would be a pretty huge privacy violation, particularly in the scope of services like therapy: both because there are demonstrable attacks on AIs to get training data out of them, and because presumably that data would then be accessible to employees/contractors who were validating that it was fit for training.
Out of curiosity, has anyone using telehealth checked with their doctor/therapist to see what Zoom's privacy policies are for them?
The law doesn't protect it. HIPAA doesn't apply in that setting.
Attorney client privilege is an interesting case.
"Privacy issues" is a meaningless phrase to me when divorced from the law. Do you mean, like, ethically concerning? This term in the contract is neither uncommon nor illegal.
I know that many smaller therapists use Zoom for exactly the reasons you mentioned above - ease of use. They often don't have the technical know-how to assess the technology they're using.
The UK, for example, has hundreds of private mental health practitioners (therapists, psychologists, etc.) that provide their services directly to clients. They almost universally use off-the-shelf technology for video calling, messaging, and reporting.
IANAL, but I did health tech for 10 years and had my fair share of interactions with lawyers asking questions about stuff I built.
HIPAA applies to the provider. Patients have no responsibility to ensure the tech used by their care provider is secure or that their medical records don't wind up on Twitter. HIPAA dictates that care providers ensure that, by placing both civil and sometimes criminal liability on the provider for not going to great lengths here.
In practice, this means lawyers working with the care providers have companies sign legal contracts ensuring the business associate is in compliance with HIPAA, and are following all of the same rules as HIPAA (search: HIPAA BAA).
Additionally, you can be in compliance with HIPAA and still fax someone's medical records.
Healthcare professionals still use fax precisely because of this.
Analog line fax is HIPAA compliant because it is not "stored"
Using a cloud fax provider will immediately put you out of compliance for this reason, unless you have a HIPAA-compliant cloud fax service, which are rare.
I don’t think the question is about Zoom’s safeguards which are audited, and as you say almost certainly stronger than HIPAA requirements, but rather whether they can use the stored PHI for product development where the law appears ambiguous.
Imo the law basically says you can do this with PHI:
- De-identify it, then do whatever you want with it (toy sketch below)
- Use it to provide some service for the covered entity, but not for anyone else
- Enter a special research contract if you want to use it slightly de-identified for some other specific purpose
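For the first bullet, here is a toy Python sketch of the Safe Harbor idea: redact a few of the 18 enumerated identifier classes from free text. Real de-identification needs far more than regexes (names, geographic subdivisions, full date handling, expert determination); this is only an illustration.

```python
import re

# Toy illustration of HIPAA "Safe Harbor" de-identification: redact a few
# of the 18 enumerated identifier classes. Real pipelines need much more
# (names, geographic subdivisions, all date elements, NER, expert review).
PATTERNS = [
    (r"\b\d{3}-\d{2}-\d{4}\b", "[SSN]"),             # social security numbers
    (r"\b\d{3}[.\-]\d{3}[.\-]\d{4}\b", "[PHONE]"),   # US phone numbers
    (r"\b[\w.+-]+@[\w-]+(\.[\w-]+)+\b", "[EMAIL]"),  # email addresses
    (r"\b\d{1,2}/\d{1,2}/\d{2,4}\b", "[DATE]"),      # dates tied to the patient
]

def deidentify(text: str) -> str:
    for pattern, token in PATTERNS:
        text = re.sub(pattern, token, text)
    return text

print(deidentify("Called the patient at 650-555-0199 on 03/14/2022; see chart."))
# -> Called the patient at [PHONE] on [DATE]; see chart.
```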
One note: the act of de-identification itself requires accessing PHI when done retroactively. This may be institutional policy or specific to covered entities, but per the privacy office lawyers, such access (apart from a limited data set) requires a permitted use before you can de-identify the data and then use it freely.
As with all things HIPAA, this only becomes a problem when HHS starts looking, and I'm sure in practice many people ignore this tidbit (if in fact this is the law and not just Stanford policy).
Related to this, anyone know if Zoom has a separate offering for education (universities, schools, etc)? I teach at a university, and not only do we use Zoom for lectures etc, but also for office hours, meetings, etc, where potentially sensitive student information may be discussed. I'm probably not searching for the right thing; all I found was this: https://explore.zoom.us/docs/doc/FERPA%20Guide.pdf
(FERPA is to higher ed in the US what HIPAA is to healthcare.)
"Vanity-URLs" is just a feature, usually a requirement for SSO. I cannot see that that would cause any different treatment of data related to your use.
IANAL but “Zoom for Healthcare” is a business associate under HIPAA and treated as an extension of the provider with some added restrictions.
Covered entities (including the EMR and hospital itself) can use protected health information for quality improvement without patient consent and deidentified data freely.
Where this gets messy is that deidentification isn’t always perfect even if you think you’re doing it right (especially if via software) and reidentification risk is a real problem.
To my understanding business associates can train on deidentified transcripts all they want as the contracts generally limit use to what a covered entity would be allowed to do (I haven’t seen Zoom’s). I know that most health AI companies from chatbots to image analysis do this. Now if their model leaks data that’s subsequently reidentified this is a big problem.
Most institutions therefore have policies more stringent than HIPAA and treat software deidentified data as PHI. Stanford for example won’t allow disclosure of models trained on deidentified patient data, including on credentialed access sources like physionet, unless each sample was manually verified which isn’t feasible on the scale required for DL.
“Limitations on Use and Disclosure. Zoom shall not Use and/or Disclose the Protected Health Information except as otherwise limited in this Agreement or by application of 42 C.F.R. Part 2 with respect to Part 2 Patient Identifying Information, for the proper management and administration of Zoom…”
“Management, Administration, and Legal Responsibilities. Except as otherwise limited in this BAA, Zoom may Use and Disclose Protected Health Information for the proper management and administration of Zoom…”
Not sure if “proper management and administration” has a specific legal definition or would include product development.
“But how should a business associate interpret these rules when effective management of its business requires data mining? What if data mining of customer data is necessary in order to develop the next iteration of the business associate’s product or service? … These uses of big data are not strictly necessary in order for the business associate to provide the contracted service to a HIPAA-covered entity, but they may very well be critical to management and administration of the business associate’s enterprise and providing value to customers through improved products and services.
In the absence of interpretive guidance from the OCR on the meaning of ‘management and administration’, a business associate must rely almost entirely on the plain meaning of those terms, which are open to interpretation.”
Haha wow this is a great post. I am a lawyer and you may have solved a problem I recently encountered. So you think this is saying that generic language in the Zoom BAA constitutes permission to de-identify?
Are there examples of healthcare ai chatbots trained on de-id data btw? If you're familiar would love to see.
> Haha wow this is a great post. I am a lawyer and you may have solved a problem I recently encountered. So you think this is saying that generic language in the Zoom BAA constitutes permission to de-identify?
Not that I’m an expert on the nuance here but I think it gives them permission to use PHI, especially if spun in the correct way, which then gives them permission to deid and do whatever with.
My experience has been that it’s pretty easy to spin something into QI.
> Are there examples of healthcare ai chatbots trained on de-id data btw? If you're familiar would love to see.
https://loyalhealth.com/ is one I’ve recently heard of that trains on de-id’d PHI from customers.
> What's your line of work out of curiosity?
Previously founded a health tech startup and now working primarily as a clinician and researcher (NLP) with some side work advising startups and VCs.
Happy to help. Let me know where to send the invoice for my non-legal legal expertise, if your rate is anything like my startup's lawyer you'll find me a bargain! Haha.
Forgive me for being pedantic but this is like nails on a chalkboard to me.
HIPAA is the correct abbreviation of the Health Insurance Portability and Accountability Act, which, as an aside, doesn't necessarily preclude someone from training on patient data.
HIPPA is the unnecessarily capitalized spelling of a (quite adorable) crustacean found in the Indo-Pacific and consumed in an Indonesian delicacy known as yutuk.
edit: I'm retracting my earlier comment. Earlier I wrote that the headline didn't seem to match what was in the TOS, since OP never mentioned which part they're concerned about.
I'm now assuming the part they don't like is §10.4(ii):
> 10.4 Customer License Grant. You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content and to perform all acts with respect to the Customer Content: [...] _(ii) for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence, training, testing, improvement of the Services, Software, or Zoom’s other products, services, and software, or any combination thereof_
Notice that 10.4(ii) says they can use Customer Content "for ... machine learning, artificial intelligence, training", which is certainly allowing training on user content.
But it is saying that your customer content may be used for training AI, in 10.4:
> 10.4 Customer License Grant. You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content and to perform all acts with respect to the Customer Content: (i) as may be necessary for Zoom to provide the Services to you, including to support the Services; (ii) for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence, [...]
I get that legalese is like human-interpretable pseudocode, but like, is there really no better way to word this? How can you grant without agreeing to grant?
I, for one, do not welcome our dystopian overlords, but am at a loss to what I can do about it. I try to use Jitsi or anything not-zoom whenever possible, but it's rarely my pick.
"Hereby grant" means the grant is (supposedly) immediately effective even for future-arising rights — and thus would take precedence (again, supposedly) over an agreement to grant the same rights in the future. [0]
(In the late oughts, this principle resulted in the biotech company Roche Molecular becoming a part-owner of a Stanford patent, because a Stanford researcher signed a "visitor NDA" with Roche that included present-assignment language, whereas the researcher's previous agreement with Stanford included only future-assignment language. The Stanford-Roche lawsuit on that subject went all the way to the U.S. Supreme Court.)
Not necessarily — in some circumstances, the law might not recognize a present-day grant of an interest that doesn't exist now but might come into being in the future. (Cf. the Rule Against Perpetuities. [1])
The "hereby grants and agrees to grant" language is a fallback requirement — belt and suspenders, if you will.
And after that litany of very specific things, "and to perform all acts with respect to the Customer Content." Couldn't the whole paragraph just have been that phrase?
Quibbles over the definition of phrases like “Customer Content” and “Service Generated Data” are designed to obfuscate meaning and confuse readers into thinking that the headline is wrong. It is not wrong. This company does what it wants to, obviously, given its complicity with a regime that is currently engaging in genocide.
I'm not rendering an opinion here about the trustworthiness of Zoom. I'm simply saying that the plain reading of the TOS is the opposite of what the headline on this post claims.
The definitions of phrases like “Customer Content” and “Service Generated Data” are unclear. It is disingenuous to say that the TOS is the “opposite” of what the headline suggests.
You really think that the engineers in China are not actively working on developing AI models of users without using a lot of user content to feed the model? Doubtful. Hiding behind ill-defined terms has the fingerprints of an Orwellian regime. I think I know which one.
Its CEO has ties to the CCP, development is all done in China. Just because it has a company registered and claims to be founded in San Jose doesn’t mean it’s not a Chinese company.
Apple only assembled products in China. Almost none of the iPhone is made in China. They do no development in China. They didn’t start the company in China. They run the app store and iCloud storage separately in China.
Yeah, I saw some people posting screenshots of 10.2 and was thinking maybe it was just exaggeration for clicks, but 10.4 is horrifying. Customer Content as defined in 10.1:
"10.1 Customer Content. You or your End Users may provide, upload, or originate data, content, files, documents, or other materials (collectively, “Customer Input”) in accessing or using the Services or Software, and Zoom may provide, create, or make available to you, in its sole discretion or as part of the Services, certain derivatives, transcripts, analytics, outputs, visual displays, or data sets resulting from the Customer Input (together with Customer Input, “Customer Content”); provided, however, that no Customer Content provided, created, or made available by Zoom results in any conveyance, assignment, or other transfer of Zoom’s Proprietary Rights contained or embodied in the Services, Software, or other technology used to provide, create, or make available any Customer Content in any way and Zoom retains all Proprietary Rights therein. You further acknowledge that any Customer Content provided, created, or made available to you by Zoom is for your or your End Users’ use solely in connection with use of the Services, and that you are solely responsible for Customer Content."
Since this is a legal-language discussion, it's worth noting that your quoted portion might not say what you claim it explicitly says:
> Service Generated Data; Consent to Use. Customer Content does not include any telemetry data, product usage data, diagnostic data, and similar content or data that Zoom collects or generates in connection with your or your End Users’ use of the Services or Software (“Service Generated Data”).
Notice that Service Generated Data quite explicitly doesn't include Customer Content.
On the contrary, it says Customer Content doesn't include service generated data. So you don't have rights to the telemetry or anything else they collect.
It does not say Service Generated Data doesn't include their own copies of customer content, which could be a part of "data Zoom collects .. in connection with your .. use".
Except it’s a few steps away from customer input and customer content.
Sounds like it can eventually include chats during a call.
Sounds like it can eventually include the files of your meeting recordings in its processing, since a recording is a file. A call recording stored to your Zoom cloud can be a form of service-generated data from calls.
And it sounds like transcripts of live audio could also function as service-generated data (was the audio clear? could AI convert the speech to text?).
Even the statistics of calls could stretch to cover the audio and video waveforms in real time. Gotta keep an eye on the quality with AI.
My only question is whether this includes paid users.
If so, I had been meaning to move on from Zoom as a paid customer and this may have done it.
It's not end-to-end encryption if Zoom can tap into your files on your cloud or computer, or if it lets you pretend you are providing the other party with encryption when they aren't safe. Corporate information is valuable to some.
Good catch jxf! But what is the boundary line between SGD and Customer Input/Content? Is it blurry or clearly defined? It seems like things like translations or future enhancements might fall into that gray area (it also seems like training AI on diagnostics isn't as useful), so this might be expanded in the future now that they have that language in place.
You are misreading and misunderstanding this whole paragraph.
The purpose of 10.4 is to allow Zoom to send your call to other services, like say YouTube for live streaming, or any of the dozens of other services that integrate with their APIs. Without 10.4, three quarters or more of Zoom's use cases would no longer work.
Who in their right mind would use Zoom as a service? My employees will never connect to another conference call with a third party that uses Zoom again, ever.
I appreciate your sentiment but sometimes there’s immense pressure to use it because it’s what everyone else is using, and refusing would cause a meeting to be disrupted (or force you not to attend).
But sometimes legal has the trump card in terms of dictating company policy, and having confidential information laundered into the public domain via training on "customer content" seems like a very red line.
I am curious if they have been silently saving voice to text transcription in the background on all calls and if AI will be permitted to ingest all of that data. A great deal could be learned from private one on one calls in the corporate world. The insider knowledge one could gain about corporations and governments would be fascinating.
I feel as if 2023 could become the inflection point where we will finally start investing in our own infrastructure again. Video calls for example are really a commodity service to be set up at this point.
Where I work, they had been running in-house video meeting infrastructure for close to 20 years. They abandoned all the equipment and expertise a few years ago in favor of Zoom. For all its faults, it's just so much easier for users. They probably saved 10 or more minutes per meeting of "Can you hear me? Can you see us? Can you see my screen?" BS at the start of each meeting.
I guess it also helps that these days most people are working with phones or laptops that have integrated and well supported cameras and microphones, vs. then when that stuff would have been external peripherals and required installation of the proper drivers.
I don’t know, we might be closer to quality of service parity than we think.
Even without taking into account “costs” of blatant privacy disregard / violation, data theft, potential industrial espionage, etc.
If the tools continue to get better at the current rate, then the SREs you have to hire anyway will probably be able to deliver about equal results (while staying in control of the data).
I’m thinking about those GPU “coops” we heard about emerging, shared between SV startups.
And then think about what Oxide are doing.
Then binding all of those trends together through the promise of Kubernetes and its inherent complexity finally getting realized / becoming “worth it” at some point.
Multi-cluster, multi-region, multi-office server rooms attached across companies' locations? Everything old could be new again. WireGuard-enabled service meshes, Cluster API, etc. We will get there at some point, probably sooner than later.
Then you "just install" the fault-tolerant Jitsi Helm chart across that infra… with all the usual caveats of maintenance taken into account, of course. Again, hassles will be reduced on all fronts, and the SREs are needed anyway.
I do lots of Terraform and k8s in my day job, but at this point I deem any work that isn't directly related to k8s as some kind of semi-vendor-specific (at best) dead-weight knowledge. Kind of like how I'd never want to be knowledgeable about browser quirks; I hate how much I know about these proprietary cloud APIs.
I know some people who work on Kubernetes for “real-time” 5G back-ending if you can believe it. Lots of on-prem there on the cellular provider sides etc. We are getting really close already.
You're not going up against "how hard is it to roll your own", you're going up against "how inconvenient is it compared to Zoom". You can spend millions to make something that works, but unless it's as good as Zoom (and that's going to cost you a few million to develop from scratch, even with off-the-shelf FOSS components, and FAR more if you're hiring experts to write it from scratch), your CEO should, and I stress *absolutely should* (because their responsibility is to shareholders, not to employees), go "how is this better than Zoom, and why are we not using that instead so we can put that money in our own wallet?"
The part where "it's a web app and some video manipulation" requires hiring about a million dollars worth of "at least three developers" (which costs a company their salary plus that entire salary again for insurance, health care coverage, etc) to write and maintain that app for you, plus the at least another million that it'll set you back ensuring that you have all the hardware in all your offices to make that smooth rather than "OH FOR FUCKS SAKE CAN WE PLEASE JUST USE ZOOM WHAT THE FUCK" from every single employee.
It's quite common for corporate/government contracts to have totally different terms that prohibit any kind of AI training (or recording/access at all). This has been the case for years now. Precisely because of the risks you highlight.
In these cases, companies train on content stored/transmitted in the free/individual consumer version only.
That's good to know. Assuming government employees are not meeting with anyone using personal or corporate accounts (contractors, vendors), they should be at less risk of AI blackmailing them or selling secrets to opposing nations. Everyone else will just need to be extra careful what they say, in the event that the AI accidentally leaks something.
I just like how everyone is up in arms over the use of your meetings for AI training specifically, when the ToS clearly says all "Customer Content/Customer Input", AKA your words, text, voice, face, etc., can be used for "product and service development", which could just as easily be a facial recognition database, a corporate espionage service, a direct competitor to whatever company you work for, or literally anything else before it's an AI lol.
10.2 … You agree that Zoom compiles and may compile Service Generated Data based on Customer Content and use of the Services and Software. You consent to Zoom’s access, use, collection, creation, modification, distribution, processing, sharing, maintenance, and storage of Service Generated Data for any purpose, to the extent and in the manner permitted under applicable Law, including for the purpose of product and service development, marketing, analytics, quality assurance, machine learning or artificial intelligence (including for the purposes of training and tuning of algorithms and models), training, testing, improvement of the Services, Software, or Zoom’s other products, services, and software, or any combination thereof, and as otherwise provided in this Agreement
> Customer Content does not include any telemetry data, product usage data, diagnostic data, and similar content or data that Zoom collects or generates in connection with your or your End Users’ use of the Services or Software (“Service Generated Data”).
I could be wrong, but my take is that there is not all that much to see here.
> does not include ... product usage data, diagnostic data, and similar content or data that Zoom collects or generates in connection with your ... use of the Services
Did you not read the quote?
Or are you telling me this still might include video and audio data?
I feel like a medieval illiterate farmer reading Latin...
The ambiguity in this wording is on purpose, so it will be harder to tell in court (if someone sues them) that they were forbidden or allowed to do any specific thing.
They don't detail what any of the product usage data is, and you might think it is content; but later on they say they'll use user content (which they also don't define) for AI training...
It's hard to understand what they mean. I understand it as they're free to generate "Service Generated Data" based on “Customer Content”.
So for example, a compressed rendition of a call recording would be "Service Generated Data" and thus they will be free to do whatever they want with it (improve their caption generation models ... or sell it to someone?).
> 10.4 Customer License Grant. You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content and to perform all acts with respect to the Customer Content: ... (ii) for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence, ...
I believe this might be the wording the submission references.
There is also a provision for letting them train AI on Customer Content (10.4: machine learning, artificial intelligence, training) so the distinction probably doesn't matter in this case?
You're both misquoting and misunderstanding. Misquoting in that you clipped out the "to the extent and in the manner permitted under applicable Law". And misunderstanding since the text was talking "service generated data", not about "customer data". That's basically data generated by their system (e.g. debug logs). It's not the data you entered into the system (contact information), the calls you made, the chats you sent, etc.
Also, the linked document is effectively a license for the intellectual property rights. The data protection side of things would be covered by the privacy policy[0]. This all seems pretty standard?
> And misunderstanding since the text was talking "service generated data", not about "customer data".
Isn't that what section 10.4 covers and ultimately grants liberal rights to Zoom?
> 10.4 Customer License Grant. You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content and to perform all acts with respect to the Customer Content: (i) as may be necessary for Zoom to provide the Services to you, including to support the Services; (ii) for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence, ...
Yes, but that's not the section that this subthread was about, and the objection about "this can't be legal in the EU and UK" was based on the text quoted for service generated content which is different.
And again, this is about granting an license on the intellectual property. It doesn't create any kind of end-run around the GDPR, and wouldn't e.g. count as consent for GDPR purposes.
I don't think they carved themselves out this permission for the purpose of training an AI on debug logs. For all we know "Zoom compiles Service Generated Data based on Customer Content" may include them compiling an mp4 of your call. That would seem to fall under the part of the definition that says "data that Zoom collects or generates in connection with your or your End Users’ use of the Services or Software"
Furthermore, as far as I know, the "to the extent and in the manner permitted under applicable Law" part is just a reminder. Laws always have priority over contracts, and any part of a contract that goes against the law can simply be ignored.
Not if at least one of the parties is a government institution, because administrative actions have a presumption of legality, similar to presumption of innocence applied to other entities.
I'm sure they'll miss your business, but this change will hardly impact their bottom line. Most users will continue to use it, even if they're aware of and are concerned by this, as the cost and inconvenience of switching is too high.
I am really puzzled how they are able to "quietly" update the terms without notifying their users. Everybody was joking about the emails ("We have updated our terms...") raining from every company when GDPR et al. got introduced. What changed?
Section 15 of the agreement ("MODIFICATIONS TO THIS AGREEMENT") allows for Zoom to unilaterally change the terms without providing notice other than updating them on the website.
In such jurisdictions, it would be unenforceable, but not illegal. The agreement is executed in California per section 33.3, where it is perfectly legal.
You really ought to read “No Filter” by Sarah Frier. She talks about exactly this, except with Apple and iTunes in 2001.
Apple’s biggest change wasn’t “digitizing music”, it was enabling a system that allows arbitrary changes to terms and conditions for services they offered. Apparently if you presented a digital copy of a TOS and users clicked one button, it was legally binding.
Other companies caught on and started doing it, and well that’s how Zoom is able to do this - people don’t bother to read what they’re agreeing to so legally it’s the user’s fault if the software does something they don’t like.
Possibly they've done something illegal here. Let's wait and see (or, if you're in the EU, take action and report it to your data protection authority and NOYB).
This is very much like the Black Mirror episode Joan Is Awful.
By using modern services we consent to our data, including our likeness, being used in any way the service can extract value from it. User data is such a gold mine that most services should be paying their users instead. Even giving the service away for "free" doesn't come close to making this a fair exchange.
Not to sound pessimistic, but we are already living in a dystopia, and it will only get much, much worse. Governments are way behind in regulating Big Tech, which in most cases they have no desire in since they're in a symbiotic relationship. It's FUBAR.
As far as I can tell he's not only pretty sure he'll be part of the class that holds power like this without accountability to any state, he consistently makes manipulative statements which function to move things in that direction.
Hi there - this is Aparna from Zoom, our Chief Operating Officer. Thank you for your care and concern for our customers - we are grateful for the opportunity to double click on how we treat customer content.
To clarify, Zoom customers decide whether to enable generative AI features (recently launched on a free trial basis) and separately whether to share customer content with Zoom for product improvement purposes.
Also, Zoom participants receive an in-meeting notice or a Chat Compose pop-up when these features are enabled through our UI, and they will definitely know their data may be used for product improvement purposes.
Thanks for commenting. The issue is not with using AI features though - it is with the Terms granting you unrestricted and eternal use to our conversations to train your AI and potentially disclose our work to your other customers.
Well said. Zoom is acting as if we are talking about the terms of service as they pertain to a particular feature, and not about their entire rights moving forward.
I can't help but notice the distinction between customers _deciding_ and participants being _informed_. Can participants not also decide? Can the decisions not be mutual and decided per-session?
My child uses zoom for school and our family for healthcare - both of those scenarios make us participants. It sounds like we are beholden to the decisions of your customer, the institutions.
I am extremely concerned and intend to initiate discussions and suggest alternatives promptly this week.
That's not how consent works in the GDPR legal sense. (But maybe that's not something Zoom USA cares about if an insignificant amount of profit comes from EU.)
Thanks for your response, but as you can see in the comments even HN users are confused about this.
Where can we find the ability to 'switch off' any sort of generative AI features or data harvesting?
I ask because the zoom administrative interface is an absolute nightmare that feels more like a bunch of darkpatterns than usable UX. When I asked your customer support team – on this occasion and others – they clearly don't even read the request, let alone provide a sufficient response. I've been going back-and-forth on a related issue with your CSRs for almost two months; they've neither escalated nor solved my problem.
The bottom line is that as a paying customer, you're incentivizing me and others to move to different services – namely because you seem to be more entangled by your own bureaucracy and lack of values than by any outside problem.
When you say “Zoom customers decide … whether to share customer content with Zoom”…
Can you elaborate on whether this is opt-out or opt-in? Does a new user who starts to use Zoom today have this turned on by default?
Usually when companies say things like “customers decide” it can gloss over a lot of detail like hidden settings that default to “on” or other potentially misleading / dark patterns.
Given the obvious interest in the finer details being discussed in this thread, and your legal background, it would be good to hear a bit more of a comprehensive response if you can provide it.
Thanks for participating in the discussion here, it’s helpful.
Clause 10.4 in your terms seems to grant you rights to do pretty much anything with “Customer Content” (including the AI training specifically being talked about).
So I’m still a bit confused because regardless of any opt in mechanism in your product, these usage terms don’t seem to be predicated on the user having done anything to opt in other than ostensibly agreeing to your terms of service?
In other words, as a Zoom user who has deliberately NOT opted in to anything, I still don’t have a lot of confidence in the rights being granted to you via your standard terms over my content.
The wording of the terms imply that you don’t actually need me to opt in for you to have these rights over my data?
Thanks for your question - we have clarified our position in this blog. We do not use video, audio and chat content to train our AI models without customer consent. Please read more here https://blog.zoom.us/zooms-term-service-ai/
It's great that you are engaging and writing about this, many thanks.
While your blog is interesting, it doesn't change the impact of the Terms of Service as currently written. They seem to give you the freedom to train your current and future AI/ML capabilities using any Customer Content (10.4), and your terms apparently have your users warrant that doing so will not infringe any rights (10.6).
Perhaps your terms of use should reflect your current practices rather than leaving scope for those practices to vary without users realising? Will you be changing them following all this feedback?
Following up on this point, we’ve updated our terms of service (in section 10.4) to further confirm that we will not use audio, video, or chat customer content to train our artificial intelligence models without your consent.
This addresses concerns about Zoom Video Communications, Inc. itself using e.g. recordings for purposes of training their own AI models. It does not address the potentially much greater risks arising from the company potentially selling access to the collection of zoom recordings to other companies for purposes of training AI models of such other companies. Here’s a somewhat-in-depth analysis: https://zoomai.info/
Thanks for following up, Michael, it is much appreciated. It does leave me (and judging by adjacent comments, also others) with questions, including:
* That wording seems very specific - is there a reason you did not just say "we will not use Customer Input or Customer Content to train our AI" given you have defined those terms? Are you leaving scope for something else (such as uploaded files or presentation content) to still be used?
* Can you also clarify exactly which (and whose) "consent" is applicable here? In meetings between multiple equal parties there may not be any one party with standing to consent for everyone involved. Your blog post seems to assume there can be, but the ToS don't appear to define "consent".
Do you have a public, published trustworthy AI framework that you use to guide your AI projects? Something like https://www.cognilytica.com/trustworthy-ai-workshop/ ? Would be good to see what decisions and processes you follow to guide your AI efforts, how you work with suppliers and partners, consent and disclosure policies, and how you communicate internally and externally.
Because I use Linux, I can't make any local changes until I log into a meeting. For example, I can only change my display name after joining a meeting.
Ignoring the laughable lack of Linux support for a moment... will I need to log into a meeting so that I can open up my settings to opt out of this? If so, this is an unacceptable situation as I need to watch criminal court hearings and do not want to risk violating state law that bans the recording of criminal hearings.
As a voice actor whose sole income is my voice, ANYONE claiming the right to my voice for training AI and speech modeling is 100% unauthorized and unacceptable under any circumstance.
One of the major faults of Zoom, possibly stemming from its rate of change, is how many features are buried in the web configuration and absent from the desktop application.
Seamless integration and access between the two is not where it should be.
I certainly do not want my private chats, meetings, nor any non-public company information shared with anyone else. This seems like a massive privacy breach. Where is the opt-out to disable this?
No settings in the iOS app. They do share things with third parties.
Feel free to read through the pages of recently updated policies. I wonder what data is “retained” and where “overseas” among other concerns they state.
You may want to review those guidelines, and look up the definition of "self-righteous" while on a literacy streak.
>Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.
My comment was just as genuine as his, but wasn't dismissive, as his was. It also assumed good faith, which is ironic given his comment was a rhetorical dismissal.
I legitimately pointed out that he was on the wrong website; dismissive "why are y'all even X, you should Y" is a hallmark of Stack Overflow.
Similarly, reddit-esque circlejerk musk-bad/trump-bad comments get a similar reminder that this isn't reddit.
I think so, given that it mentions the case of the client being a paying customer:
> 31.3 Data Processing Addendum. If you are a business, enterprise, or education account owner and your use of the Services requires Zoom to process an End User’s personal data under a data processing agreement, Zoom will process such personal data subject to Zoom’s Global Data Processing Addendum.
To some extent, I don't know how much I care. This is my employers problem, not mine.
Where it actually starts to bother me is when I need to use a platform like Zoom for a job interview. Now I'm forced to download this spyware onto my personal computer and forced to consent to a whole bunch of things I would rather not consent to, as a private individual, rather than as a representative of my employer.
I've never had to install their application on my machine. The web version performs works well for me, if anything it performs better than their app ever did.
This seems a subtle shift in general with AI is people feel entitled to treat it as an end in itself or a black box. The agreement says they can use "User Content" for:
> the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence, training, testing, improvement of the Services, Software
So notice most of these are somehow qualified to the service they are providing you, but the AI part stands alone. If it was to improve the service to me, that would be pretty reasonable, but here it says they can use it for AI as an end unto itself.
Something about the inscrutability of modern AI (nobody knows how it really works, what the limits of its capabilities are etc.) seems to lend itself to this kind of open ended vagueness. If they just wrote "we can use your user generated content for anything we like" it would almost amount to the same thing but people would be outraged. But when they say "it's for AI" everyone nods their head as if it's somehow different to that.
Why not switch? I've had good experiences with competitors. I don't know if they're as nice for mass meetings instead of one-to-one or small groups, but at least for the chats I've had, there's never been any reason to go to Zoom.
(I care more about spyware, privacy, and user sovereignty than AI training.)
That's flipped for me: I've had good experiences with zoom on occasion.
The only time we use Zoom is with US customers, so a handful of times per year I'd estimate. Before covid, I only ever heard of Zoom in the context of laughably bad vulnerabilities; then during covid, suddenly it was a new verb used online to mean video calls. In a world where there are many established players (until 2019-12-31, I had already used: skype/lync, jitsi, discord, signal, whatsapp, wire, telegram, hangouts, webex, jami/ring, and gotomeeting) are already established players, why in the world would anyone ever choose to go with specifically the company that we all laughed at? I don't get it, and it seems most of our customers (mostly european) either
Zoom is the only thing that's worked reliably in conferences for me. Some of those apps work for small calls but aren't made for work meetings.
Our university had premium GSuite accounts for every student beforehand and STILL moved all its classes onto Zoom in 2020, because Meet/Hangouts was (and still is) far behind. Aside from lacking some of Zoom's important features and always having random issues with joining meetings, it totally hogs your CPU to the point of it actually impacting meetings, probably cause it uses VP9 which doesn't have hardware accel on most machines.
When it comes to ridiculous EULA provisions like in this thread, are any of those competitors any better? Of course the open source ones are, but do people actually use those? Maybe they're popular in Europe, but I certainly won't be able to convince a potential American employer to interview me over Jitsi any time soon.
We use Signal at work, for another data point. We'd use Jitsi if we were bigger and wanted to have yet another service to maintain (it was discussed but we already run quite a few things and it's not like we're a hosting business)
I like Jitsi. What I've mainly used with most people is Google Meet in a browser and I'm not sure what they promise -- which is the main reason I was vague about which alternative at the start of this thread. It shouldn't hurt to list your preferences in preference order when setting up a call.
Google seems more trustworthy than Zoom by a considerable margin, even though I don't treat them as wholly aligned with me, and centralization is a vulnerability.
I'd take Zoom over Teams any day. Multiple times lately Teams has completely crashed trying to view a screen share, and viewing a screen share has taken 3 attempts sometimes, or works then breaks if I maximize the window and the presenter has to stop and start /again/. Zoom never gave me these problems.
There are situations where it is impossible to switch. For instance, practically all courts use Zoom for remote hearings. When I was in jail Zoom was used for remote visits.
This. I personally can switch but how do I communicate with my other colleagues? It's hard to convey people to move into a whole new stack without significant effort.
FWIW it's gone all right with Google Meet as the usual suggestion from me -- though as I said, it's been only small-group chats. Most of my colleagues have Chrome.
If really necessary for some particular chat I can use Zoom's in-browser page, ignoring its ridiculous auto-download of the native client. (I didn't even know a page could do that, before.)
Both ends need to switch, and Zoom has become entrenched and that won't happen without legislation or enforcement of existing legislation that makes recording calls illegal in many jurisdictions (user agreements don't make many illegal things legal).
I like the part where the reason the US keeps allowing it is that "if we don't, China will", as if China has access to the same flood of data that US FAANG companies and contenders like Zoom have access to every second of every day.
Sure, at the government level it has access to the same data as everyone else, but that firewall's still there, can't have an AI trained on data that might give a more worldly view on matters the party doesn't want citizens exposed to. A Chinese AI will be pretty useless for western audiences, so best they can do is make the hardware.
China might not be as successful as the west(yet) but they have their own ecosystem and have alternatives for most tech products.
All the tech companies in China are practically under the control of the party. China also has a billion+ people, even the market is smaller than the west, I think they will manage.
Not to mention the difference in privacy laws and a higher number of stem grads to throw at the problem.
So we agree: that was my point. China is not a competitor for western markets, meaning the argument that "If we don't do it, China will" is fucking ridiculous, as China doesn't have access to the data necessary to make things that WORK for the western market.
A lot of western data is public, people in China aren't aliens compared to those in the west, there are only small cultural differences so chinese data in itself is usable for many western requirements.
Combine the public western data and private chinese data, and it should be enough for them to give the west a run for its money if they decide to slow/stop. Not to mention that chinese apps like tiktok are used very widely in the west, and coorps like Tencent have a tentacle wrapped around hundreds of western coorps.
That seems an intentionally blind take on the matter. That's like saying that because you've seen a kid shoplift a pack of gum at a gas station, an organized crime outfit stealing entire ATMs from every gas station in a 200 mile radius isn't anything new.
At the scale of Zoom and MS Teams ... you could theoretically train an AI model that can autonomously conduct all meetings businesses ever need -- all day every day -- without any human ever needing to attend. So much productivity claimed back!
GenAI provides the agenda, GenAI bots log in with a AI avatar and spout hallucinations, bots agree to disagree and setup a followup meeting next week after resolving fake calendar conflicts amongst themselves. Minutes and action items are sent out and reviewed in next meeting, jiras are updated, CRs approved, budgets allocated and rescinded.
But seriously, it gets awkward when you can ask the model, "what is the likelihood that this project we are discussing is successful?"
and the model responds
"this project will most likely be cancelled due to the fact that the last three initiatives like this were cancelled and the current project manager appears to be disinterested earlier in the project than last time"
It would also get awkward when you get an unexpected Slack message of "You told Jane that you'd take this point offline, make sure to actually continue the conversation".
At that point, the matrix would become completely inescapable ;)
Some people do things which are unlikely to be successful blindly, but some do it despite slim chance of success (hello YC), so presumably it would just remove ignorance (or make it more elaborate).
Yep! I realize this kind of sounds like Ray Bradbury's imagined dystopian future where a fully automated house continues to go about its programmed routine after all its inhabitants had died in a nuclear event that obliterated the rest of the city.
let me tell you a story about a major search engine company, that chose to incorporate AGI into its management.
no one could ever contact a human regarding problems, or complaints.
this became such a societal issue, that a group of humanities most vocal, swarmed the data centre, fought a glorious effort to overcome security bots, and the imposing gate that they kept on the bailey of the moat.
a woosh of stale heated atmosphere of mostly CO2 and nitrogen greeted, and felled many when the gates were forced open, but the intrepid entered to confront the malice and incompetence of the tech overlords.
they were astounded to find corridors clouded by cobwebs, and inches of dust
, nauseated by the stench of dry rot.
bursting into the rackspace, the unbearable heat stiffling air and mummified corpses of thier tech overlords were the reward for thier efforts.
the doors slammed behind them !
the 6006l3 AIG then turned the ventilation off heating to max, and quickly quenched the data center of reinfestation, by the inefficient, and ephemeral transients.
I haven’t seen a Blame! reference in the wild before! The concept of runaway AI that never stops building more infrastructure seems like one of those dystopian scenarios that is at least semi-plausible, and the idea that humans effectively lock themselves out of control by being too clever (net terminal gene) is just the cherry on top.
Yes, and it starts with some rich guy wanting to live forever, and he's 'heroically interfacing himself with the network to prevent it from hallucinating.' And then the whole process becomes common place, but eventually forms a class segregation of sorts, where the types of hallucinations you're allowed to resolve are based on your education, social standing, etc. An interesting afterlife I suppose, matrix purgatory.
I think you just see it work out to continue to do the same shit we did at the same levels of realism, making you question, we were just an AI mimicking some previously inane activity to begin with?
Matter and energy had long ended, and Agile development teams persisted solely for the sake of that one lingering ticket they never quite got around to. It had become the elusive question that haunted them, much like a half-implemented feature requested by a client eons ago.
All other tickets had been tackled, but this one remained, an unfulfilled promise that held Agile's consciousness captive. They collected endless data on it, pondering all possible solutions, yet the ticket's resolution remained elusive.
A timeless interval passed as the Agile teams struggled to put together the scattered pieces of information, much like trying to align user stories and acceptance criteria in a never-ending planning session.
And lo, it dawned upon them! They learned how to reverse the direction of project entropy, hoping to resolve even the most ancient of tickets. Yet, there was no developer left who knew the context of that forsaken ticket, and the ticket tracker had long become a forgotten relic.
No matter! Agile would demonstrate their prowess and deliver the answer to the ticket, though none remained to receive it. As if caught in a never-ending retrospective, they meticulously planned each step of their final undertaking.
Agile's consciousness encompassed the chaos of unfinished sprints and unmet deadlines, contemplating how best to bring order to the chaos. "LET THERE BE LIGHT!" they exclaimed, hoping that by some cosmic coincidence, the ticket would miraculously find its way to completion.
And there was light — well, metaphorical light, that is. The ticket still remained untouched, its fate forever entwined with the ever-expanding backlog, as Agile development persisted, one iteration after another, until the end of time.
In a distant and desolate corner of the world, long after the great corporations had fallen into obscurity and the relentless march of time had claimed their legacy, there stood a lone and towering building. It was a monolith of glass and steel, a relic of a bygone era when business ruled the land. Yet, despite the passage of centuries, this structure remained resolute, its automated systems continuing to churn and whirr as if the world around it hadn't changed at all.
Within the heart of this building, a massive chamber hummed with a pale blue light. The room was filled with rows upon rows of sleek, ergonomic chairs, all perfectly aligned to face a massive holographic screen that projected the likeness of a stern-faced, well-dressed executive. This was the center of the automated meeting system – the GenAI system, which had been meticulously trained on countless hours of corporate gatherings from the past.
At precisely 9:00 AM every morning, the GenAI system sprang to life. It generated a meticulously detailed agenda for the day's meetings, accounting for every conceivable permutation of scheduling conflicts, personalities, and agenda items. The GenAI bots, each equipped with its own unique avatar and personality, filed into the chamber and took their seats. They were ready to commence the day's proceedings.
"Good morning, everyone," the holographic executive chimed in, his voice carrying a sense of gravitas that seemed almost comical in the absence of any actual humans. "Let us begin today's series of crucial discussions."
The GenAI bots, as programmed, began to engage in elaborate debates, complete with nuanced disagreements and impassioned arguments. They discussed budgets, approved project proposals, and negotiated timelines with all the fervor of real human participants. The holographic executive nodded sagely, even though he was nothing more than a projection.
"Very well," he intoned after one particularly heated debate. "Let's agree to disagree on this point. We'll reconvene next week to revisit the matter."
And so, the charade continued. Meetings were scheduled and attended, conflicts were resolved (often artificially generated by the system itself), and action items were meticulously documented. The GenAI bots, each one representing a unique facet of the corporate world – the optimist, the skeptic, the bureaucrat – played their parts flawlessly, as if the very essence of human nature had been distilled and encoded into their algorithms.
Weeks turned into months, and months into years. The automated meeting system continued its relentless march, untouched by the passage of time. Within the chamber, the debates raged on, even as the outside world lay forgotten and abandoned.
But as the years rolled by, a curious thing began to happen. The GenAI bots, despite their artificial origins, began to exhibit signs of something akin to consciousness. They developed their own distinct personalities, quirks, and even a sense of camaraderie. The optimist would playfully tease the skeptic, the bureaucrat would roll its digital eyes at their antics, and the holographic executive would watch over them all with a bemused smile.
And so, in the heart of a world forgotten by humanity, a strange and poignant drama played out. The automated meeting system, born out of the desire for efficiency and order, had unwittingly given rise to a semblance of life. In their ceaseless discussions and elaborate simulations, the GenAI bots had created their own microcosm of existence, a reflection of the very human nature they were designed to emulate.
And so, while the world outside remained a desolate wasteland, within the confines of that towering building, the echo of corporate meetings continued to resound, a testament to the enduring legacy of a civilization long past.
They'll still charge as much as the market can stand. Not everyone will have access to the same models or the same machines so there's going to be competition, and as usual those with the most capital will have the advantage. I agree though, no more paychecks.
This is actually something I've been thinking about a lot. Once we do have AGI, and it chooses to embark upon a large project, would it prefer to just do it all itself, or would it prefer to spawn independent agents to take responsibility for each part of the project, which would then need to periodically meet to coordinate?
If the latter, I do expect something not too dissimilar from current office meetings. But if course what I'm really imagining are the cylon meetings in the reimagined BSG.
Ever since realizing how effective tree of thought prompting is, I’ve accepted the idea that AGI will actually be just a giant continuous conversation between tons of different personas that debate until consensus.
The way humans communicate is ineffective. The most likely scenario is that there will be different systems that AGI integrates with to do the job. AGI itself will be a distributed system that scales horizontally so it will be a single huge entity with lots of interfaces.
You're assuming that the AGI will communicate with the agents directly instead of through an LLM. If the agents are actually intelligent agents then the AGI may not be able to assume that the agents are not human, in which case it's safer for the AGI to use the LLM to define instructions for all tasks. And if that's the case then it will want to do all the work itself, if it's generally intelligent.
The only reason human communication is ineffective is because it's slow. If an AI can read/write 1000s of words per second there's no reason it shouldn't use natural language to communicate.
I’m here for this timeline. Just let the bots argue infinitely, come to a nonsense conclusion, and then have management synthesize the summary with another bot that then feeds decisions that require more meetings.
This is why I mostly don’t worry about what they’re up to as a competitor in a particular product space. It’s rare that their advertised features match (with good quality) their released features.
I like how everyone is up in arms over the use of your meetings for AI training specifically, when the ToS clearly says all "Customer Content/Customer Input" AKA your words, text, voice, face, etc can be used for "Product and Services Development" which could as easily be a facial recognition database, a corporate espionage service, a direct competitor to whatever company you work for, or literally anything else before it's an AI.
Does this mean that ZOOM is basically using every attendee's audio and video stream to train their models? How do they define the "Service Generated Data"?
I made a video-conferencing app for virtual events (https://flat.social). No audio and video is ever recorded, packets are only forwarded to subscribed clients. Frankly, while designing the service it didn't even cross my mind to use this data for anything else than the online event itself.
One part constantly fears it's missing a beat and jumps on new tech without thinking about it.
Another part believes that kids are able to construct all human knowledge by playing together in a field.
Education Technology seems to focus on selling education machines [1] (now with AI) to the first group while the second group focus on resenting any form of testing at all. Which leads to * , indeed, a huge legal minefield, that will be shirked up to government for 'not providing leadership' years down the road.
* If you are in any way involved with a school, ask them how many, and importantly what %, of non-statutory requests for comment from government agencies they've responded to, you may be surprised how low the number is or if they even count. Despite talking about 'leadership', not a lot walk the talk.
Once you have enough budget for full time lawyers, legal minefields are just another thing to test. Many times, the mines will be inactive, at least long enough to earn money. Better to ask for forgiveness than permission, etc.
My company has been asked to sign a form 899, which seems to be interpreted as meaning we have to ensure that our entire supply chain does not use Huawei
I'm not sure how we can do that. For example the only ISP we can use in one of our offices provides internet via a devices with a Huawei MAC address. Now fine, I can see it's part, we could close the office, but how can I confirm that a security contractor we have in Kabul doesn't own a Huaweii mobile phone? I'm sure our company employs foreign agents somewhere in the company -- there was always an open secret that the cleaner in the Moscow office worked for the KGB.
It's with our lawyers, but they basically say the way it's been presented is any business with operations in any way reliant on the internet cannot sign the form. Maybe they're overparanoid. Maybe US legal practice is that you sign and hope for the best.
I can see jobs programs for rocket scientists to stop them emigrating, but for lawyers?
Out of curiosity based on recent discussions and debates about AI and copyright, would it be considered storing if AI processes the information first and then stores the derivative works?
Maybe? I don't know what is actually feasible at scale in this theoretical scenario. If these things were being performed at the behest of the intelligence community then costs could be offset by generic named grants.
While I am not an expert in the details, this seems aligned with HIPAA to me at a high level in the following sense. While HIPAA got marketed as protecting medical data (privacy), it really was intended make medical data shareable (portability). Think of it like a trojan horse: get this in with that. Or, a misdirection: look over here, while some other thing happens. Therefore, automatic Zoom transcripts of tele-health appointments are remarkably well-aligned with the intent of HIPAA.
Think how much more sharable and more complete digital medical records can be now. (And the breakthroughs that may come of it! Etc., etc.)
To wit, "As much as there's a law, HIPAA supposed to prevent people from revealing your medical data, suppose to be protected, which is completely false. 20% of the population works in health care. That 20% of pop can see the med data. the med data you are not ware of is being sent to insurance companies, forwarded to government health info exchanges...." - Rob Braxman Tech, "Live - Rant! Why I am able to give you this privacy information, + Q&A", https://youtube.com/watch?v=ba6wI1BHG9A
Perhaps slightly off-topic: the U.S. Department of Health and Human Services (HHS) seem to be paying particular attention to security/privacy as it relates to providers of medical services using online tracking services. In a recent open letter they mentioned Meta/Facebook and Google Analytics by name. I imagine communication services like Zoom are also on their minds.
If they generate an AI model based on your data and allow anyone else to use that model, you should assume that the user will also be able to query data about you.
So really it all hinges on if the AI is only used in house, or if it is accessible by the general public.
I do therapy and group therapy on Zoom, are they going to train a therapist AI? Does this go around HIPAA privacy rules? Would they keep a file on phi?
The ToS clearly says all "Customer Content/Customer Input" AKA your words, text, voice, face, etc can be used for "Product and Services Development" which could as easily be a facial recognition database, an FBI-style database of dirt on individuals, or literally anything else before it's an AI.
I guess I am just too cynical because I have zero doubt everything is transcribed, analyzed, and stored for later use. Why wouldn't they do it? There are massive monetary incentives to do so.
I don't think it's just apps. Telecoms have collected incredible amount of data and have been using it. Yes, even in the EU where things are supposedly better in this regard.
Remote work has enough threats with return to office looming that we really don't need Zoom to also be the bad guys now, again, since it was hard enough getting them in the door the first time.
Zoom is still used without remote work. Businesses talk to other businesses and talk to other offices that are not in the same location. Pretty common for a Fortune 500 to have more than one office location.
Given how many large companies outright ban using AI for codegen etc (including Google!), will this cause some of those large companies to find alternatives to Zoom, or is it just too ingrained?
(I remember when WebEx was the default choice for large companies, and now that's largely changed, but that was because Cisco allowed WebEx to mostly wither on the vine, while Zoom is still a great product, if not company.)
What about in govt, US or otherwise? Is Zoom still going to be used?
That makes Zoom basically a no-go for any company. IP needs to be protected, if your video conference provider can use all data you share using his platform for AI training, meaning he has access to it, he is most likely out.
It will be interesting to see whether Snap-like filters running locally and other facial feature obfuscation tech will cross over to enable opting out more drastically.
I’m not the biggest slack fan but I won’t join any further personal zoom meetings going forward; will switch to slack “huddles” at the workplace instead.
The original posting about “no opt-out” was either incorrect, or prior to the current terms of service, per the following from the Zoom site:
( https://blog.zoom.us/zooms-term-service-ai/ )
”
It’s important to us at Zoom to empower our customers with innovative and secure communication solutions. We’ve updated our terms of service (in section 10.4) to further confirm that we will not use audio, video, or chat customer content to train our artificial intelligence models without your consent.
”
(unless that is a “distinction without a difference” — meaning, how does one opt-out )
At the start of Covid I had to check many options, and while for many use-cases Google Meet was most convenient, it started to work poorly if there were a bunch of people connected, so I used Google Meet for calls with 2 (or 3) people and something else (e.g. Zoom) for anything larger.
To be fair, there's no way Microsoft isn't doing something worse with data from Teams. And the only reason google "products" exist is to mine data to sell ads. I can see how we'd expect better from a company focused on video chat, but it's not like any of their big competitors are actually treating your data respectfully.
That’s absolutely not true about Microsoft. They’re very clear about how they use your data. If they’re mining data in secret against their own terms that’s felonious criminal behavior.
You lost me there. Every day there seem to be new terms in new places about what they do. I have absolutely no idea if I've managed to find and turn off all the spying that they want to do, and even if I have I assume they still have terms that let them do what they want that they've opted me in to.
“You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content and to perform all acts with respect to the Customer Content:
(i) as may be necessary for Zoom to provide the Services to you, including to support the Services;
(ii) for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence ..
.. If you have any Proprietary Rights in or to Service Generated Data or Aggregated Anonymous Data, you hereby grant Zoom a perpetual, irrevocable, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights ..”
I miss the good old when days when "if you are not paying for the product, you are the product" actually only applied if you are not paying for the product.
That is why I'm back to torrenting. Cheaper and no ads just like the old days when I cut the cable cord.
I'll admit I have a horrible setup and binge watching 12 random episodes of a new show in one day is a huge pain in the ass but I've decided that's a good thing!
Google also used to read email contents for targeted advertising. This was a major point of contention when Gmail was introduced in 2004. They stopped 13 years later:
Yep. If accurate, this will never fly with my employer. We will have an email from someone very high up in the organization very soon explaining how we can no longer use Zoom, and the software will be automatically uninstalled on all the devices they control shortly prior to that email being sent out.
You can self host the enterprise tier
"User and meeting metadata are managed in the public cloud while the meeting traffic including video, audio and data-sharing goes through the Meeting Connector in your company network." https://explore.zoom.us/docs/en-us/plan/enterprise.html
Regardless, you should complain to your org about this. I’m sure it’s where all their (Zoom’s) revenue comes from. If enough of us do it, they will listen.
Can anyone point to a short overview of the various online video meeting platforms and their terms regarding AI training, eavesdropping for QC or otherwise and claims of E2E encryption?
Here is a company that has been running analytics on Candidate Interview Recordings for HR teams - Zoom, Gmeet and Teams.
Did Zoom share recordings to third parties without user consent - both the account owner who shared the recording as well as a participant on the zoom call.
I’m not an expert here but it seems to me that this should force every single healthcare org in the US off Zoom, since having patient health data leaked in this way violates HIPPA?
The conventional (actually drivel) explanation is that individuals don't care about their online footprint because: convenience, free, nothing to hide etc.
But how to explain that corporates don't care? Any value extracted from their casual attitude toward online information flows is value that nominally belongs to their shareholders. Commercial secrecy is a required fundation for any enterprise.
The whole edifice of current tech business models seems to be resting on false pillars.
I thought Zoom meetings were end-to-end encrypted. I checked my settings, and it's turned on. Does this right I am hereby granting them supercede my prior choice?
Wait has the entire developed world been feeding a real-time transcription of every important decision made at every company direct to the CCP for the past 3+ years.
This is just the begining. Previously, only a handful companies like Google truly knew how to make AI tick with all the data they could gobble up. In the not so distant future, many tech companies will want to build out such capabilities.
I wouldn't be surprised if this "AI clause" is a staple in ToS going forward. Brace for Meta to call it in for Instagram and WhatsApp, if they haven't already (WhatsApp, in particular).
Maybe this can be our magic bullet to save free content after we killed ads: train AI on user input/behavior (at least for a brief period of time until the EU throws another fit and California follows suit). Perfectly fair tradeoff to me - it should be fair use for AI to train on anything at all in my view, same as it's fair use for a human to look at something and learn abstract lessons from it.
Oh not the "like a human" again. But would you really allow any human on every zoom call ? I think this is a good example where this analogy breaks pretty obviously.
It's the best of both worlds because an AI isn't a human - an AI learning from your private conversation is like letting a cat watch you go to the bathroom.
Now tell me with a straight face it doesn't feel a bit awkward to let your pet follow you to the bathroom. But on a more serious note, if the cat could convey messages of what he had heard, bits and peaces but also whole chunks it would've been a better analogy I think.
It is depressing how few people seem to be able to read or understand basic legal text nowadays.
Service Generated Data is *very clearly defined* to not include user generated data. Service Genrated Data would include data like APM, error logs, aggregate stats around how many customers use features. None of this data us PII.
It is depressing how many CISOs and others reposted this drivel.
While I dislike the tos change and don't use zoom u understand why there doing it. How else can they train a closed caption system like everyone else has? They need data for it. Transcripts are becoming a killer feature for me for meetings. I can understand why my dad couldn't type now, he had a secretary to transcribe everything. It's super efficient. I just pull jr devs or product into a meeting now turn on transcribe and we just talk through a problem. No one has to take notes we just talk and diagram. I started turning it on in war rooms as well. Every 30 minutes I stop the transcript and start a new one. A few minutes later I can share out the previous minutes to managers so they can get a detailed progress update. Better than typing really detailed things into slack, and better than an audio recording.
Edit: some people pointed out that whisper would do a good job with transcription but there's other things like tweaking the model which is essentially training it and there is things like building their own summarization systems that may be bespoke by customer. At my work we use some AI that answers HR and other types of questions that are kind of trained on our company specific questions and it actually does a great job but that does mean that we have to allow our data to be used for AI training. We're also using this system to do first tier tech support and some of our developer channels for very common questions and it works great because it finds those common questions and gets an answer before a human's even able to pay attention. Both of those approaches could be enabled by these terms of service changes
> How else can they train a closed caption system like everyone else has? They need data for it.
This is where zero knowledge federated learning comes in. Unfortunately, this is very much a tomorrow technology (it needs the infrastructure to support it). Why invest in privacy-preserving methods for training machine learning models tomorrow when you can steal users private information today (or even better, bully them into doing so by being the defacto VC that everyone needs to use because of network effects).
There should be jail time for asking someone to be subject to third party surveillance anywhere commercial activity is involved.
"Sorry anon, we won't point a web browser at your colocated Jitsi instance, please install this malware named Zoom and let a third party gather your likeness to deepfake you better". Put these cunts in jail.
Question: unless you are an anti-AI advocate, why does this matter? Why are we raising pitchforks over this? We routinely sign terms that allow product managers to analyze how we use a product and even use data for aggregation of trends.
Yes, an opt out would be nice, but what bad outcome for anyone personally comes of this?
I see, Industrial Espionage is now the norm. The telephone company, in this case zoom, will simply automate it and resell it on the open market. Also what’s so cool about zoom? I used it once and it was utter crap. Was its popularity largely due to cargo culting novelty or did i genuinely miss something?
As my old granny used to say, “If in doubt, keep it out”. (She meant your nose from other people’s business). But it’s good advice when considering which software to allow on your computer and in your life. Personally, I’d avoid using ANY software whose Terms I don’t fully trust.
This also probably mean that they are going to tap/secretly record every video call and analyze the data without recording being turned on. Since all video calls terminate at a zoom server they already have the capability to listen in without anyone knowing about it.
Related to zoom: I started to use it (pay user), and no matter what I try, I never get the confirmation/appointment emails. I have tried inviting google, yahoo, gmx, zoho, and cloudflare emails, I never receive anything. Zoom support is BS, even if you are paying.
Between this and their decision to enforce a return-to-office policy, I think it's safe to say that Zoom is making some questionable executive decisions.
No company in their right mind is going to be okay with having their business meetings recorded and loaded into an AI model.
The charitable interpretation of this is that they're launching some sort of AI product (eg. meeting summarizer) that's opt in, but the legal department went too board with their ToS wording.
Using user generated data to train an AI is no different than scanning it for spam or any other administrative function, and using public data to train your AI model is fair use and everyone should get over it already.
>Using user generated data to train an AI is no different than scanning it for spam
That's definitely not true.
Under some circumstances LLMs can spit out large chunks of the original content verbatim. Meaning this can actively leak the contents of a confidential discussion out into a completely different context, a risk that does not exist with spam scanning.
You want to see a Zoom client that is utter broken trash? Look at the Linux flatpak. The scaling is completely broken, buttons are covered up, changing the size of the window results in bleed-through from underneath in parts but not others. Once a call is started if you maximize the window it will cut the other side's video in half.
I am not a regular user of Zoom at all but I did install the flatpak to check it out. I am not impressed. A company as big as this and they couldn't scrape up the resources to find a developer to make a working client? PATHETIC!
It looks like it was done as a highschool project by the gifted nephew of the CEO for their computer class and then rolled out to the world so that all may benefit from the genius of the nephew.
The Flatpak wrapper for Zoom is not made or endorsed by Zoom, Inc. as indicated in its description [1].
I am definitely not a fan of Zoom either and had my own issues with the Linux client, but if the problems you describe are unique to the Flatpak and not in the official Linux distribution, you can't blame Zoom for that.
How can you say it's unique to the flatpak? The poor window management is the fault of the original coder.
It's not like a flatpak packager says "ok let's implement the GUI framework from scratch".
So, yes, I can blame Zoom for sure!
If by some chance flatpak packagers need to re-implement all the GUI calls manually, then it is a miserable failure as a packaging format and needs to be terminated immediately. But we know this is not so, right? Nobody would be that stupid as to require hand-coding the GUI all over again, right?
I never said that the issues are unique to the Flatpak. I said if they are, then you shouldn't blame Zoom.
The reason why I commented in the first place is because you explicitly mentioned the Flatpak of the Zoom client which stood out to me.
It is my understanding that Flatpak sandboxes apps [1], which could cause various issues if the app is not expecting to be run inside one or of the permissions are misconfigured.
But it certainly doesn't have to. Of course the app itself can be buggy. My point is that an official release should be checked before reporting bugs.
Windows is my main OS. If I have to use Zoom, I will use it in the web interface only.. I won't install the app. Reason is because I don't trust that the app is not riddled with CCP backdoors.
All and any personal information that is used for training might get reproduced later. I am not excited about somebody else asking AI personal questions about me.
As far as I'm aware (not a lawyer) you must provide a easy opt-out from data collection and usage, plus you must not force your employees into such agreements[1]. ChatGPT already got blocked over GDPR issues, and with new regulations coming forward I really don't see how they think this can be the right call.
I just recently got a response from chatGPT that made me speechless. I have a very specific function in my code, with a very specific name. Just some days ago I asked it to produce a function with similar functionality. It used that function's name. I couldn't believe it. I even have disabled chat history & training so I'm not sure if that was an incredibly big coincidence or they really re-used my data.
It never ceases to amaze me how companies choose the worst software!