Teleconferencing Company Zoom Pitching End-To-End Encryption That Really Isn't End-To-End

from the some-sort-of-magic-happens-at-both-ends-so-probably-good-enough dept

As Karl Bode wrote what feels like a decade ago on March 19, 2020, privacy and encryption will be more important than ever during this pandemic and the future that succeeds it. Plenty of governments have been sacrificing citizens' privacy for better virus tracking and plenty of governments were already throwing shade at encryption well before the pandemic became a pandemic. That includes our government, which has been agitating against encryption for several years now and fighting against our privacy in federal courts for decades.

An influx of remote workers makes encryption and privacy even more important, as there's plenty of sensitive company business being done over open networks with minimal protections. The beneficiaries of this new normal are responding quickly to the unexpected demand, but protection of work-at-home employees and their employers seems to have been forgotten.

The field is crowded with lots of telecommuting software providers. Standing out is key if you're going to take advantage of the current health crisis. Video conference software developer Zoom, however, is playing fast and loose with terminology in an attempt to scoop up more market share. As Micah Lee and Yael Grauer report for The Intercept, words don't seem to mean what they normally mean when they're being used by Zoom.

Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app.

Sounds comforting, but Zoom is apparently using a proprietary definition of "end-to-end encryption." Zoom explained that phrase means something else when used in marketing materials or when users hover over the green padlock on their session screens that delivers a pop-up saying "Zoom is using an end to end encrypted connection."

This is what "E2EE" means when Zoom says it:

[W]hen reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

Well, if it's not possible to do the thing people think you're doing when you say "end to end encryption," maybe you should stop saying you're using end-to-end encryption. All Zoom is doing is encrypting the endpoints, much in the way sites using HTTPS do. This protects you from outsiders wishing to eavesdrop on your internet connection. But it doesn't mean Zoom can't access the content of teleconferencing sessions. And it means anyone that can find a way to access what Zoom can access is going to be able to do access possibly-sensitive communications.

One offering is actually encrypted end-to-end: Zoom's text chat. But that's not a standout feature. There are plenty of encrypted messaging apps. There's been no increase in demand for those. But when privacy and security matter most, Zoom is misleading users about what it's doing to protect them.

Update: Zoom has since put out two fairly detailed blog posts, the first one much more clearly explaining the encryption issue, and then a more important one explaining what the company is doing to respond to recent security concerns, including freezing all feature development to focus solely on "trust, safety, and privacy issues." It remains to be seen how that plays out in practice, but it's much better than the typical defensive response that most companies have.

Filed Under: encryption, end-to-end, privacy, security, video conferencing
Companies: zoom

Google Moves End-To-End Email Encryption Project To GitHub

from the good-to-see dept

Back in June we wrote about Google's "End-to-End" project to enable full (real) end-to-end encryption in email via a Chrome extension. For years now, we've been among those arguing that Google should actually offer end-to-end encryption by default (which would make the company unable to read your emails). This isn't going that far, but making it much easier for individuals to truly encrypt their own emails (without any backdoors for the email provider) is definitely a big step forward. So it's good to see that the company has now moved the project to GitHub, and that Yahoo's Chief Security Officer, Alex Stamos, has been contributing to the project as well. Having two of the biggest webmail providers working together on an open source system for better encrypting emails end-to-end is a huge win for privacy and security. The project is still in its early days, and Google warns that it's not yet ready to release the extension in the Chrome Web Store, but it's great that things are moving forward. Of course, for those of you who can't wait, there already some extensions like Mailvelope that are pretty easy to use (though, some worry are not quite as secure as other options).

Filed Under: email, encryption, end-to-end, open source
Companies: google, yahoo

The Paper On Network Neutrality That Any Policy Maker Needs To Read

from the read-it-now dept

As regular Techdirt readers are surely aware, Tim Lee has been writing a series of posts here about issues having to do with network neutrality. The five part series, was based on research he was doing for a position paper for the Cato Institute on network neutrality. If you haven't read the series of posts, you can find them here:

• Censoring The 'Net Is Hard
• Ownership Doesn't Always Mean Control
• Changing The Internet's Architecture Isn't So Easy
• Revolving Door Undermines FCC's Watchdog Role
• A History Lesson For Those Advocating Network Neutrality Laws

Whether or not you've read those posts, you should absolutely read the finished product, which has now been released by Cato. While the document is long, it should be required reading for anyone interested in the issues surrounding network neutrality. It's well-researched, well-written and quite thought-provoking -- challenging many of the claims made by supporters of "both sides" of the debate, highlighting the fact that reducing network neutrality to "two sides" has always been a mistake.

Specifically, Lee, rips apart the arguments made by those who believe that various service providers need to violate network neutrality "end-to-end" principles, pointing out how it's based on faulty logic. He also dismantles faulty arguments from those who claim that the internet is not or never was "neutral." He also details why the concept of neutrality has been quite important to the growth and success of the internet, and he cites much of the innovation that came about because of it.

However, rather than supporting the efforts of "network neutrality supporters" (which is common in the tech world), he points out why we probably do not need regulations to enforce network neutrality -- highlighting non-regulatory methods that have, and will continue to, keep network providers honest. Yes, there may be encroachments at the margins -- but, for the most part they turn out to be unsustainable both due to the backlash of users and the fact that they often end up making very little business sense.

Finally, he points out the risks of unintended consequences from any network neutrality legislation, pointing to similar situations in the past in other industries, that resulted in "regulatory capture," where the industries being regulated were able to abuse the regulatory process to their own benefit. He also takes a look at the most likely proposed legislation, highlighting just a few of the more obvious problems that would crop up if it were turned into law.

Anyone who is making policy or supporting a particular policy around network neutrality is doing themselves a tremendous disservice if they do not take the time to read this paper. Whether you're advocating for network neutrality laws, or claiming that service providers have to violate network neutrality to stay alive, you need to take the time to read this paper, and either come up with the evidence to refute Tim's points, or perhaps recognize that the way this issue has been painted in the press does not give the complete picture.

Filed Under: end-to-end, laws, net neutrality, regulations