Teleconferencing Company Zoom Pitching End-To-End Encryption That Really Isn't End-To-End

from the some-sort-of-magic-happens-at-both-ends-so-probably-good-enough dept

As Karl Bode wrote what feels like a decade ago on March 19, 2020, privacy and encryption will be more important than ever during this pandemic and the future that succeeds it. Plenty of governments have been sacrificing citizens' privacy for better virus tracking and plenty of governments were already throwing shade at encryption well before the pandemic became a pandemic. That includes our government, which has been agitating against encryption for several years now and fighting against our privacy in federal courts for decades.

An influx of remote workers makes encryption and privacy even more important, as there's plenty of sensitive company business being done over open networks with minimal protections. The beneficiaries of this new normal are responding quickly to the unexpected demand, but protection of work-at-home employees and their employers seems to have been forgotten.

The field is crowded with lots of telecommuting software providers. Standing out is key if you're going to take advantage of the current health crisis. Video conference software developer Zoom, however, is playing fast and loose with terminology in an attempt to scoop up more market share. As Micah Lee and Yael Grauer report for The Intercept, words don't seem to mean what they normally mean when they're being used by Zoom.

Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app.

Sounds comforting, but Zoom is apparently using a proprietary definition of "end-to-end encryption." Zoom has explained that the phrase means something else when it appears in the company's marketing materials, or in the pop-up users see when they hover over the green padlock on their session screens, which says "Zoom is using an end to end encrypted connection."

This is what "E2EE" means when Zoom says it:

[W]hen reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

Well, if it's not possible to do the thing people think you're doing when you say "end to end encryption," maybe you should stop saying you're using end-to-end encryption. All Zoom is doing is encrypting the connection between each endpoint and its own servers, much in the way sites using HTTPS do. This protects you from outsiders wishing to eavesdrop on your internet connection. But it doesn't mean Zoom can't access the content of teleconferencing sessions. And it means anyone who can find a way to access what Zoom can access is going to be able to access possibly sensitive communications.
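To make the distinction concrete, here is an added Go model that is not Zoom's code or part of the original post. It runs the same message through the two designs: "transport only", where each client shares a key with the server (the "key negotiated over a TLS connection" in Zoom's statement), so the server decrypts on one hop and re-encrypts on the next; and "end to end", where the two participants, Alice and Bob, derive their own key between themselves and the server can only strip its transport layer and relay ciphertext it cannot open. AES-256-GCM for the symmetric layer and X25519 for the participant-to-participant agreement are choices made for this example, not a description of Zoom's actual protocol; the names, keys and message are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics on any error; fine for a model, not for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal encrypts plaintext with AES-256-GCM under key, prefixing a fresh nonce.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; ok is false for a wrong key or tampered data (the GCM tag fails).
func open(key, data []byte) (pt []byte, ok bool) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, false
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(data) < gcm.NonceSize() {
		return nil, false
	}
	pt, err = gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
	return pt, err == nil
}

// mustOpen is used by parties decrypting with a key they legitimately hold.
func mustOpen(key, data []byte, who string) []byte {
	pt, ok := open(key, data)
	if !ok {
		panic(who + " could not decrypt with its own key")
	}
	return pt
}

// randomKey stands in for a per-client key negotiated with the server over TLS (constructed).
func randomKey() []byte {
	k := make([]byte, 32)
	must(rand.Read(k))
	return k
}

// Outcome records what the relay server and the receiving client could read.
type Outcome struct {
	ServerReads string // empty when the server could not decrypt the message
	BobReads    string
}

// transportOnly models what Zoom's spokesperson describes: each client shares a key
// with the server, so the server decrypts Alice's message and re-encrypts it for Bob.
func transportOnly(msg string) Outcome {
	aliceServerKey, bobServerKey := randomKey(), randomKey()
	onWire := seal(aliceServerKey, []byte(msg))      // Alice -> server
	pt := mustOpen(aliceServerKey, onWire, "server") // the server holds this key
	forwarded := seal(bobServerKey, pt)              // server -> Bob, a second hop
	return Outcome{ServerReads: string(pt), BobReads: string(mustOpen(bobServerKey, forwarded, "Bob"))}
}

// endToEnd keeps the same transport layer but adds an inner key that only Alice and Bob
// derive (X25519 between them); the server strips TLS and relays ciphertext it cannot open.
func endToEnd(msg string) Outcome {
	aliceServerKey, bobServerKey := randomKey(), randomKey()
	alice := must(ecdh.X25519().GenerateKey(rand.Reader))
	bob := must(ecdh.X25519().GenerateKey(rand.Reader))
	// Only public keys cross the server; both sides derive the same secret locally.
	aliceE2E := sha256.Sum256(must(alice.ECDH(bob.PublicKey())))
	bobE2E := sha256.Sum256(must(bob.ECDH(alice.PublicKey())))

	inner := seal(aliceE2E[:], []byte(msg))               // readable by Bob alone
	onWire := seal(aliceServerKey, inner)                 // wrapped in the Alice<->server layer
	relayed := mustOpen(aliceServerKey, onWire, "server") // server strips its own layer...
	serverView := ""
	for _, k := range [][]byte{aliceServerKey, bobServerKey} { // ...but none of its keys
		if pt, ok := open(k, relayed); ok {                    // opens the inner layer
			serverView = string(pt)
		}
	}
	forwarded := seal(bobServerKey, relayed) // the still-encrypted payload goes on to Bob
	bobInner := mustOpen(bobServerKey, forwarded, "Bob")
	return Outcome{ServerReads: serverView, BobReads: string(mustOpen(bobE2E[:], bobInner, "Bob"))}
}

func main() {
	fmt.Printf("transport only: %+v\n", transportOnly("merger terms"))
	fmt.Printf("end to end:     %+v\n", endToEnd("merger terms"))
}
```

Run it and `ServerReads` is populated in the first case and empty in the second, while `BobReads` is the same in both: the wire protection is identical, and the only thing that changes is who holds a key that opens the payload. That is the whole difference between "encrypted in transit" and "end-to-end encrypted", and it is why a server-side feature such as meeting recording cannot coexist with the latter.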

One offering is actually encrypted end-to-end: Zoom's text chat. But that's not a standout feature. There are plenty of encrypted messaging apps. There's been no increase in demand for those. But when privacy and security matter most, Zoom is misleading users about what it's doing to protect them.

Update: Zoom has since put out two fairly detailed blog posts, the first one much more clearly explaining the encryption issue, and then a more important one explaining what the company is doing to respond to recent security concerns, including freezing all feature development to focus solely on "trust, safety, and privacy issues." It remains to be seen how that plays out in practice, but it's much better than the typical defensive response that most companies have.


Filed Under: encryption, end-to-end, privacy, security, video conferencing
Companies: zoom


Reader Comments



  • Annonymouse, 2 Apr 2020 @ 4:11am

    So how long until either Zoom or such gets caught doing a little extra fund raising through either insider trading or just helping out prosecutors by listening in on lawyers' teleconferences?

  • That Anonymous Coward (profile), 2 Apr 2020 @ 4:30am

    Funny... now Zoom has stopped adding features & turned the tech team to securing the product.

    • Anonymous Coward, 2 Apr 2020 @ 6:30am

      Re:

      They've had what 3 or 4 security/privacy issues come up in the last week alone?

    • Anonymous Coward, 2 Apr 2020 @ 12:31pm

      Re:

      There is a hell of a lot more scrutiny right now, what with them going from 20m to 200m people using it daily.

      They did a lot of shady things in the past to make it easier for "things to just work" without people needing to know how to do difficult setups. True End-to-end would also break features they tout, like their server-side meeting recording... but yeah, you can't build something one way and then market it as something else and not expect to get caught at some point.

      All in all, Zoom could and should be doing a better job. I just saw a new build/update today that actually required authorization and went thru a standard app installer process... which is a step in the right direction.

  • Anonymous Coward, 2 Apr 2020 @ 5:33am

    I've seen people demand "end to end encryption" for cloud storage (like iCloud). I understand what they mean by it, but that's not what the term is used for. It's meant to be used when talking about transmission.

    • David, 2 Apr 2020 @ 5:48am

      Re:

      You can have end-to-end encryption with cloud storage if you define your transmission not to end there. Namely if the cloud server stores encrypted data it does not have the key for.

      You'll find yourself unpopular with "free" cloud server providers when doing that.

      • Anonymous Coward, 2 Apr 2020 @ 6:06am

        Re: Re:

        But that's not what end to end encryption means. You're doing exactly what Zoom is doing.

        • David, 2 Apr 2020 @ 9:30am

          Re: Re: Re:

          It does. It means that only the producer and consumer have access to the unencrypted data. The problem with Zoom is that the server/service provider also has the means to decrypt the data.

          • Anonymous Coward, 2 Apr 2020 @ 11:18am

            Re: Re: Re: Re:

            But you've redefined consumer. When you upload to a cloud server, that's the consumer. That's the end point. You've turned end to end encryption into a marketing term. Just like Zoom.

            • Anonymous Coward, 3 Apr 2020 @ 11:19am

              Re: Re: Re: Re: Re:

              "When you upload to a cloud server, that's the consumer."

              When you upload to a cloud server, the consumer is the next person, most probably you, who downloads. The server is not an endpoint in a data communication sense.

    • Bergman (profile), 2 Apr 2020 @ 12:18pm

      Re:

      And how, precisely, do you store something in the cloud or retrieve something from the cloud without transmitting it?

  • Ben (profile), 2 Apr 2020 @ 6:02am

    Where's the law when you need it?

    Do the states not have any form of trades descriptions legislation that makes misleading, inaccurate claims like this illegal?

    • Upstream (profile), 2 Apr 2020 @ 7:09am

      Re: Where's the law when you need it?

      I have said that many consider the Constitution to be a quaint anachronism. Same goes for the idea that false advertising is wrong or should be illegal.

      • David, 2 Apr 2020 @ 9:31am

        Re: Re: Where's the law when you need it?

        "false advertising" looks like a tautology.

