Teleconferencing Company Zoom Pitching End-To-End Encryption That Really Isn't End-To-End
from the some-sort-of-magic-happens-at-both-ends-so-probably-good-enough dept
As Karl Bode wrote what feels like a decade ago on March 19, 2020, privacy and encryption will be more important than ever during this pandemic and the future that succeeds it. Plenty of governments have been sacrificing citizens’ privacy for better virus tracking and plenty of governments were already throwing shade at encryption well before the pandemic became a pandemic. That includes our government, which has been agitating against encryption for several years now and fighting against our privacy in federal courts for decades.
An influx of remote workers makes encryption and privacy even more important, as there’s plenty of sensitive company business being done over open networks with minimal protections. The beneficiaries of this new normal are responding quickly to the unexpected demand, but protection of work-at-home employees and their employers seems to have been forgotten.
The field is crowded with lots of telecommuting software providers. Standing out is key if you’re going to take advantage of the current health crisis. Video conference software developer Zoom, however, is playing fast and loose with terminology in an attempt to scoop up more market share. As Micah Lee and Yael Grauer report for The Intercept, words don’t seem to mean what they normally mean when they’re being used by Zoom.
Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app.
Sounds comforting, but Zoom is apparently using a proprietary definition of “end-to-end encryption.” Zoom explained that phrase means something else when used in marketing materials or when users hover over the green padlock on their session screens that delivers a pop-up saying “Zoom is using an end to end encrypted connection.”
This is what “E2EE” means when Zoom says it:
[W]hen reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”
Well, if it’s not possible to do the thing people think you’re doing when you say “end to end encryption,” maybe you should stop saying you’re using end-to-end encryption. All Zoom is doing is encrypting the endpoints, much in the way sites using HTTPS do. This protects you from outsiders wishing to eavesdrop on your internet connection. But it doesn’t mean Zoom can’t access the content of teleconferencing sessions. And it means anyone that can find a way to access what Zoom can access is going to be able to do access possibly-sensitive communications.
One offering is actually encrypted end-to-end: Zoom’s text chat. But that’s not a standout feature. There are plenty of encrypted messaging apps. There’s been no increase in demand for those. But when privacy and security matter most, Zoom is misleading users about what it’s doing to protect them.
Update: Zoom has since put out two fairly detailed blog posts, the first one much more clearly explaining the encryption issue, and then a more important one explaining what the company is doing to respond to recent security concerns, including freezing all feature development to focus solely on “trust, safety, and privacy issues.” It remains to be seen how that plays out in practice, but it’s much better than the typical defensive response that most companies have.
Filed Under: encryption, end to end, privacy, security, video conferencing
Companies: zoom
Comments on “Teleconferencing Company Zoom Pitching End-To-End Encryption That Really Isn't End-To-End”
So how long either Zoom or such get caught doing a little extra fund raising through either insider trading or just helping out prosecutors by listening in on lawyers teleconferences?
Funny… now Zoom has stopped adding features & turned the tech team to securiing the product.
Re: Re:
They’ve had what 3 or 4 security/privacy issues come up in the last week alone?
Re: Re:
There is a hell of a lot more scrutiny right now, what with them going from 20m to 200m people using it daily.
They did a lot of shady things in the past to make it easier for "things to just work" without people needing to know how to do difficult setups. True End-to-end would also break features they tout, like their server-side meeting recording… but yeah, you can’t build something one way and then market it as something else and not expect to get caught at some point.
All in all, Zoom could and should be doing a better job. I just saw a new build/update today that actually required authorization and went thru a standard app installer process… which is a step in the right direction.
I’ve seem people demand "end to end encryption" for cloud storage (like iCloud). I understand what they mean by it, but that’s not what the term is used for. It’s meant to be used when talking about transmission.
Re: Re:
You can have end-to-end encryption with cloud storage if you define your transmission not to end there. Namely if the cloud server stores encrypted data it does not have the key for.
You’ll find yourself unpopular with "free" cloud server providers when doing that.
Re: Re: Re:
But that’s not what end to end encryption means. You’re doing exactly what Zoom is doing.
Re: Re: Re: Re:
It does. It means that only the producer and consumer have access to the unencrypted data. The problem with Zoom is that the server/service provider also has the means to decrypt the data.
Re: Re: Re:2 Re:
But you’ve redefined consumer. When you upload to a cloud server, that’s the consumer. That’s the end point. You’ve turned end to end encryption into a marketing term. Just like Zoom.
Re: Re: Re:3 Re:
"When you upload to a cloud server, that’s the consumer."
When you upload to a cloud server, the consumer is the next person, most probably you, who downloads. The server is not an endpoint in a data communication sense.
Re: Re:
And how, precisely, do you store something in the cloud or retrieve something from the cloud without transmitting it?
Where's the law when you need it?
Do the states not have any form of trades descriptions legislation that makes misleading, inaccurate claims like this illegal?
Re: Where's the law when you need it?
I have said that many consider the Constitution to be a quaint anachronism. Same goes for the idea that false advertising is wrong or should be illegal.
Re: Re: Where's the law when you need it?
"false advertising" looks like a tautology.