Teleconferencing Company Zoom Pitching End-To-End Encryption That Really Isn't End-To-End

from the some-sort-of-magic-happens-at-both-ends-so-probably-good-enough dept

As Karl Bode wrote what feels like a decade ago on March 19, 2020, privacy and encryption will be more important than ever during this pandemic and the future that succeeds it. Plenty of governments have been sacrificing citizens’ privacy for better virus tracking and plenty of governments were already throwing shade at encryption well before the pandemic became a pandemic. That includes our government, which has been agitating against encryption for several years now and fighting against our privacy in federal courts for decades.

An influx of remote workers makes encryption and privacy even more important, as there’s plenty of sensitive company business being done over open networks with minimal protections. The beneficiaries of this new normal are responding quickly to the unexpected demand, but protection of work-at-home employees and their employers seems to have been forgotten.

The field is crowded with lots of telecommuting software providers. Standing out is key if you’re going to take advantage of the current health crisis. Video conference software developer Zoom, however, is playing fast and loose with terminology in an attempt to scoop up more market share. As Micah Lee and Yael Grauer report for The Intercept, words don’t seem to mean what they normally mean when they’re being used by Zoom.

Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app.

Sounds comforting, but Zoom is apparently using a proprietary definition of “end-to-end encryption.” Zoom explained that the phrase means something else when it appears in marketing materials, or in the pop-up users see when they hover over the green padlock on their session screen, which reads “Zoom is using an end to end encrypted connection.”

This is what “E2EE” means when Zoom says it:

[W]hen reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

Well, if it’s not possible to do the thing people think you’re doing when you say “end to end encryption,” maybe you should stop saying you’re using end-to-end encryption. All Zoom is doing is encrypting the link between each endpoint and its own servers, much in the way sites using HTTPS do. This protects you from outsiders wishing to eavesdrop on your internet connection. But it doesn’t mean Zoom can’t access the content of teleconferencing sessions. And it means anyone who can find a way to access what Zoom can access is going to be able to access possibly sensitive communications.
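To make that distinction concrete, here is an added toy model, not Zoom’s code or design: in the first mode the relay terminates each participant’s encrypted leg, as a TLS-terminating server does, so the media is readable on the server; in the second, participants share a meeting key the relay never receives. The cipher is a demonstration-only HMAC-SHA256 keystream, not a production construction.

```python
import hashlib
import hmac
import os

def keystream_xor(key, nonce, data):
    """Demonstration-only stream cipher: HMAC-SHA256 run in counter mode."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt(key, data):
    nonce = os.urandom(12)
    return nonce + keystream_xor(key, nonce, data)

def decrypt(key, blob):
    return keystream_xor(key, blob[:12], blob[12:])

class MeetingServer:
    """Hypothetical relay that terminates each client's transport leg
    (TLS-style), so it holds one session key per connected client."""
    def __init__(self):
        self.session_keys = {}
        self.seen_plaintext = []  # what the operator could log or hand over
    def register(self, client):
        self.session_keys[client] = os.urandom(32)
        return self.session_keys[client]
    def relay_transport(self, sender, receiver, blob):
        # Decrypt the sender's leg, re-encrypt for the receiver's: plaintext sits on the server in between.
        plain = decrypt(self.session_keys[sender], blob)
        self.seen_plaintext.append(plain)
        return encrypt(self.session_keys[receiver], plain)
    def relay_e2ee(self, blob):
        return blob  # no meeting key here, so only opaque bytes pass through

def transport_mode(message):
    srv = MeetingServer()
    k_alice, k_bob = srv.register("alice"), srv.register("bob")
    delivered = srv.relay_transport("alice", "bob", encrypt(k_alice, message))
    return decrypt(k_bob, delivered), srv.seen_plaintext

def e2ee_mode(message):
    srv = MeetingServer()
    srv.register("alice"), srv.register("bob")
    meeting_key = os.urandom(32)  # agreed between participants, never sent to srv
    delivered = srv.relay_e2ee(encrypt(meeting_key, message))
    attempts = [decrypt(k, delivered) for k in srv.session_keys.values()]
    return decrypt(meeting_key, delivered), attempts
```

Both modes deliver the message intact; only the transport mode leaves a copy in the server’s `seen_plaintext`, which is the gap the article is pointing at.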

One offering is actually encrypted end-to-end: Zoom’s text chat. But that’s not a standout feature. There are plenty of encrypted messaging apps. There’s been no increase in demand for those. But when privacy and security matter most, Zoom is misleading users about what it’s doing to protect them.

Update: Zoom has since put out two fairly detailed blog posts, the first one much more clearly explaining the encryption issue, and then a more important one explaining what the company is doing to respond to recent security concerns, including freezing all feature development to focus solely on “trust, safety, and privacy issues.” It remains to be seen how that plays out in practice, but it’s much better than the typical defensive response that most companies have.

Companies: zoom


Comments on “Teleconferencing Company Zoom Pitching End-To-End Encryption That Really Isn't End-To-End”

14 Comments
Anonymous Coward says:

Re: Re:

There is a hell of a lot more scrutiny right now, what with them going from 20m to 200m people using it daily.

They did a lot of shady things in the past to make it easier for "things to just work" without people needing to know how to do difficult setups. True end-to-end encryption would also break features they tout, like their server-side meeting recording… but yeah, you can’t build something one way and then market it as something else and not expect to get caught at some point.

All in all, Zoom could and should be doing a better job. I just saw a new build/update today that actually required authorization and went through a standard app installer process… which is a step in the right direction.
