
Never attribute to malice what is adequately explained by laziness.

I can easily believe somebody just wrote a chunk of naive code that grabbed all the running processes, and it worked, and they moved on.



I can easily believe either. However, while the default assumption of laziness/incompetence works well for good faith discussions, it also provides cover for malicious actors. At some point, even though any given actor is likely to be non-malicious, there is no way to distinguish them from the malicious actors.


Hanlon's razor is a great principle to apply to personal relationships, but it falls apart in these situations.

You can explain away any deliberate malice or negligence using it, even when there are clear incentives to engage in such behavior, unless there's absolute evidence of malice. By then it's too late because you've already been swindled, and the principle ignores the lengths organizations will go to cover that evidence up.


If you're dealing with bigger threats, you need a more powerful weapon. Sheathe Hanlon's razor, and unholster Hanlon's handgun: "Never attribute to stupidity that which can be adequately explained by systemic incentives promoting malice."

https://news.ycombinator.com/item?id=21691282


I’d argue that laziness is worse in security/privacy situations than malicious intent. At least malicious intent only exposes me to Zoom and whoever they answer to. Their laziness, however, which would probably also reflect itself in other security situations, exposes me to them as well as basically the entire world of black hat hackers.


Or it's spyware, maybe not as bad as a keylogger, but it can be mining your active usage behavior.


This could be verified by inspecting their analytics requests. If I have time I may take a peek at those later.


I wasn't able to find much of interest from their desktop client, as all of the data is encrypted and I'm not sure how to grab an SSL key from a desktop app for use in Wireshark decryption. If somebody clever wants to help, please let me know.

I did take a look at their privacy policy and didn't see anything that explicitly states they are collecting info about running applications. "and other" leaves room for interpretation... Regardless, my main concern after viewing this isn't that they are snooping my running processes and sending that back to home base. It's that they are openly keylogging and tracking everything under the sun, and can view every aspect of the meeting's content (audio, video, text, etc.) and share it with third parties like law enforcement and others.

Source: https://zoom.us/privacy#_qhklx843v2zq

> Device Information: Information about the computers, phones, and other devices people use when interacting with Zoom Products, which may include information about the speakers, microphone, camera, OS version, hard disk ID, PC name, MAC address, IP address (which may be used to infer general location at a city or country level), device attributes (like operating system version and battery level), WiFi information, and other device information (like Bluetooth signals).

> Meeting, Webinar, and Messaging Content and Context: Content generated in meetings, webinars, or messages that are hosted on Zoom Products, which may include audio, video, in-meeting messages, chat messaging content, transcriptions, written feedback, responses to polls and Q&A, and files, as well as related context, such as invitation details, meeting or chat name, or meeting agenda. Content may contain your voice and image, depending on the account owner’s settings, what you choose to share, your settings, and what you do on Zoom Products.

> Product and Website Usage: Information about how people and their devices interact with Zoom Products, such as: when participants join and leave a meeting; whether participants sent messages and who they message with; performance data; mouse movements, clicks, keystrokes or actions (such as mute/unmute or video on/off), and other user inputs that help Zoom to understand feature usage, improve product design, and suggest features; which third-party apps users add to a meeting or other Product and what information and actions the app is authorized to access and perform; features used (such as screen sharing, emojis, or filters); and other usage information and metrics. This also includes information about when and how people visit and interact with Zoom’s websites, including what pages they accessed, their interaction with the website features, and whether or not they signed up for a Zoom Product.


Whoever does the analysis may also become a whistleblower.


Does "whistleblower" apply to people not working directly for the company being reported? I've always understood it to be an employee reporting against the employer. I could totally be limiting it compared to how other people use it, though.


I think it's a generic definition for someone closely associated with the company outing them on something that they would like to keep secret because it would embarrass them or lead to legal redress.



