from the some-sort-of-magic-happens-at-both-ends-so-probably-good-enough dept
As Karl Bode wrote what feels like a decade ago on March 19, 2020, privacy and encryption will be more important than ever during this pandemic and the future that follows it. Plenty of governments have been sacrificing citizens’ privacy for better virus tracking, and plenty of governments were already throwing shade at encryption well before the pandemic became a pandemic. That includes our government, which has been agitating against encryption for several years now and fighting against our privacy in federal courts for decades.
An influx of remote workers makes encryption and privacy even more important, as there’s plenty of sensitive company business being done over open networks with minimal protections. The beneficiaries of this new normal are responding quickly to the unexpected demand, but protection of work-at-home employees and their employers seems to have been forgotten.
The field is crowded with lots of telecommuting software providers. Standing out is key if you’re going to take advantage of the current health crisis. Video conference software developer Zoom, however, is playing fast and loose with terminology in an attempt to scoop up more market share. As Micah Lee and Yael Grauer report for The Intercept, words don’t seem to mean what they normally mean when they’re being used by Zoom.
Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app.
Sounds comforting, but Zoom is apparently using a proprietary definition of “end-to-end encryption.” Zoom explained that the phrase means something else when it appears in marketing materials or when users hover over the green padlock on their session screen, which delivers a pop-up saying “Zoom is using an end to end encrypted connection.”
This is what “E2EE” means when Zoom says it:
[W]hen reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”
Well, if it’s not possible to do the thing people think you’re doing when you say “end to end encryption,” maybe you should stop saying you’re using end-to-end encryption. What Zoom is describing is transport encryption: each participant’s connection to Zoom’s servers is encrypted, much the way HTTPS protects a connection to a website. That protects you from outsiders wishing to eavesdrop on your internet connection. But because the keys are negotiated with Zoom rather than between the participants, Zoom’s servers can decrypt what passes through them, so it doesn’t mean Zoom can’t access the content of teleconferencing sessions. And it means anyone who can find a way to access what Zoom can access is going to be able to access possibly-sensitive communications.
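To make the distinction concrete, here is an added example in Go (not code from Zoom, The Intercept, or this article) that models both designs with a relay server in the middle. It assumes X25519 and AES-256-GCM as stand-ins for the real key negotiation and cipher, models the “key negotiated over a TLS connection” as an agreement with whichever party is at the other end of that link, and feeds in a constructed sample message. In the transport-encrypted model the relay decrypts and re-encrypts every packet and therefore sees the plaintext; in the end-to-end model the two clients agree a key with each other and nothing the relay holds opens the packet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// party is a meeting participant or the relay server, holding an X25519 key pair.
type party struct{ priv *ecdh.PrivateKey }

func newParty() *party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &party{priv: priv}
}

func (p *party) pub() *ecdh.PublicKey { return p.priv.PublicKey() }

// sessionKey derives a 256-bit AES key from an ECDH agreement with peer.
// (Assumption: this stands in for "a key negotiated over a TLS connection".)
func (p *party) sessionKey(peer *ecdh.PublicKey) []byte {
	secret, err := p.priv.ECDH(peer)
	if err != nil {
		panic(err)
	}
	k := sha256.Sum256(secret)
	return k[:]
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal encrypts with AES-256-GCM and prepends a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; GCM authentication fails unless key is the sealing key.
func open(key, packet []byte) ([]byte, error) {
	aead := gcm(key)
	ns := aead.NonceSize()
	if len(packet) < ns {
		return nil, errors.New("packet too short")
	}
	return aead.Open(nil, packet[:ns], packet[ns:], nil)
}

// relayTransportEncrypted models the per-hop scheme in Zoom's statement: each
// client shares a key with the server, so the server decrypts every packet and
// re-encrypts it for the next hop. Returns what the recipient reads and what
// the server saw in the clear on the way through.
func relayTransportEncrypted(sender, server, recipient *party, msg []byte) ([]byte, []byte, error) {
	hop1 := seal(sender.sessionKey(server.pub()), msg)
	plain, err := open(server.sessionKey(sender.pub()), hop1) // server-side decrypt
	if err != nil {
		return nil, nil, err
	}
	hop2 := seal(server.sessionKey(recipient.pub()), plain)
	got, err := open(recipient.sessionKey(server.pub()), hop2)
	if err != nil {
		return nil, nil, err
	}
	return got, plain, nil
}

// relayEndToEnd models what the padlock label promises: the clients agree a key
// with each other, the server forwards only public keys and ciphertext. Returns
// what the recipient reads and whether any key the server holds opened the packet.
func relayEndToEnd(sender, server, recipient *party, msg []byte) ([]byte, bool, error) {
	packet := seal(sender.sessionKey(recipient.pub()), msg)
	serverCanRead := false
	for _, k := range [][]byte{server.sessionKey(sender.pub()), server.sessionKey(recipient.pub())} {
		if _, err := open(k, packet); err == nil {
			serverCanRead = true
		}
	}
	got, err := open(recipient.sessionKey(sender.pub()), packet)
	return got, serverCanRead, err
}

func main() {
	alice, relay, bob := newParty(), newParty(), newParty()
	msg := []byte("Q3 numbers: constructed sample message") // constructed sample input
	got, seen, err := relayTransportEncrypted(alice, relay, bob, msg)
	fmt.Printf("transport-encrypted: bob reads %q, server saw %q (err=%v)\n", got, seen, err)
	got, canRead, err := relayEndToEnd(alice, relay, bob, msg)
	fmt.Printf("end-to-end: bob reads %q, server could decrypt: %v (err=%v)\n", got, canRead, err)
}
```

The point of the example is key custody, not cipher choice: both models use the same AES-GCM, and the only difference is who the keys are agreed with. Run it and the transport-encrypted relay prints the plaintext it saw, while the end-to-end relay reports that none of its keys decrypt the packet.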
One Zoom feature actually is encrypted end-to-end: its text chat. But that’s not a standout feature. There are plenty of end-to-end encrypted messaging apps, and there’s been no surge in demand for those. But when privacy and security matter most, Zoom is misleading users about what it’s doing to protect them.
Update: Zoom has since put out two fairly detailed blog posts, the first one much more clearly explaining the encryption issue, and then a more important one explaining what the company is doing to respond to recent security concerns, including freezing all feature development to focus solely on “trust, safety, and privacy issues.” It remains to be seen how that plays out in practice, but it’s much better than the typical defensive response that most companies have.