‘Misleading marketing’: Zoom video meetings may not be as secure as you think
- Despite claims, Zoom’s video and audio meetings don’t support end-to-end encryption, according to a recent report from The Intercept.
- End-to-end encryption is an especially strong form of security that, in theory, scrambles online data so that it’s decipherable only to the sender and receiver.
- Zoom also faces a class-action lawsuit after a Motherboard report showed how the platform passed on user data to third parties.
The video conferencing platform Zoom has become wildly popular as millions of people have switched to remote work during the COVID-19 pandemic. The platform offers high-quality streaming, an easy-to-use interface, and, according to its marketing, end-to-end encryption (E2E), which scrambles data so that it’s decipherable only to the sender and receiver. In theory, end-to-end encryption would prevent the government, internet providers, and even Zoom itself from eavesdropping on users’ meetings.
But a new report from The Intercept shows that Zoom’s audio and video meetings don’t seem to actually support end-to-end encryption, at least as that term is commonly defined.
“Currently, it is not possible to enable E2E encryption for Zoom video meetings,” a Zoom spokesperson told The Intercept. “Zoom video meetings use a combination of TCP [Transmission Control Protocol] and UDP [User Datagram Protocol]. TCP connections are made using TLS [Transport Layer Security] and UDP connections are encrypted with AES [Advanced Encryption Standard] using a key negotiated over a TLS connection.”
In other words, Zoom does encrypt video meetings, but it does so through transport encryption, which protects data between each participant’s device and Zoom’s servers rather than between the participants themselves. Because the keys are negotiated with Zoom’s servers, Zoom has the ability to access users’ private meetings. One concern among privacy advocates is that the government could someday compel Zoom to hand over recordings of users’ meetings, which were advertised as being encrypted end to end.
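The difference between the two models, as an added example that is not from the article or from Zoom: in the transport model the server holds the AES key the clients use, while in the end-to-end model the clients derive the key between themselves. The GCM mode, X25519, HKDF, and every function name and message here are assumptions chosen for illustration.

```javascript
// Added illustration with constructed keys and messages; not Zoom's code.
const nodeCrypto = require('crypto');

// AES-256-GCM helpers (the article names AES; the GCM mode is an assumption).
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
// Returns the plaintext if `key` opens the packet, otherwise null.
function tryOpen(key, { iv, ct, tag }) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    d.setAuthTag(tag);
    return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
  } catch {
    return null; // authentication failed: wrong key
  }
}

// Transport model: the key is negotiated with the server (over TLS),
// so the server holds the same key the clients use.
function transportModel(message) {
  const serverIssuedKey = nodeCrypto.randomBytes(32);
  const packet = seal(serverIssuedKey, message);
  return {
    receiverReads: tryOpen(serverIssuedKey, packet),
    serverReads: tryOpen(serverIssuedKey, packet),
  };
}

// End-to-end model: the clients agree on a key between themselves; the
// server relays public keys and ciphertext but never learns the key.
function endToEndModel(message) {
  const alice = nodeCrypto.generateKeyPairSync('x25519');
  const bob = nodeCrypto.generateKeyPairSync('x25519');
  const derive = (priv, pub) => Buffer.from(nodeCrypto.hkdfSync('sha256',
    nodeCrypto.diffieHellman({ privateKey: priv, publicKey: pub }),
    Buffer.alloc(0), 'e2e-demo', 32));
  const packet = seal(derive(alice.privateKey, bob.publicKey), message);
  const serverKey = nodeCrypto.randomBytes(32); // a key the server holds itself
  return {
    receiverReads: tryOpen(derive(bob.privateKey, alice.publicKey), packet),
    serverReads: tryOpen(serverKey, packet),
  };
}
```

The end-to-end guarantee also depends on participants authenticating each other's public keys, since a relaying server could otherwise substitute its own.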
Speaking to The Intercept, a Zoom spokesperson described the platform’s definition of “end to end”:
“When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point… The content is not decrypted as it transfers across the Zoom cloud.”
Although Zoom might not decrypt data as it transfers across the platform’s cloud, it certainly has the ability to do so. “They’re a little bit fuzzy about what’s end-to-end encrypted,” Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, told The Intercept. “I think they’re doing this in a slightly dishonest way. It would be nice if they just came clean.”
In a recently published open letter, the human rights group Access Now called on Zoom to publish a transparency report that includes the following information:
- The number of government requests for user data you receive by country, with compliance rates, and your procedures for responding to these requests
- The circumstances when you provide user information to government authorities
- Policies on notice to potentially affected users when their information has been requested or provided to government authorities, or exposed by breach, misuse, or abuse
- Policies and practices affecting the security of data in transit and at rest, including on multi-factor authentication, encryption, and retention
- Policies and practices affecting freedom of expression, including terms of use and content guidelines for account holders and call participants, as well as statistics on enforcement
Other privacy concerns
Zoom is also facing criticism for passing user data on to third parties. Last week, Motherboard published a report showing that the Zoom iOS app was sharing user data with Facebook — even if Zoom users didn’t have a Facebook account. On Monday, a Zoom user filed a class-action lawsuit against the company, alleging:
“Upon installing or upon each opening of the Zoom App, Zoom collects the personal information of its users and discloses, without adequate notice or authorization, this personal information to third parties, including Facebook, Inc. (“Facebook”), invading the privacy of millions of users.”
Looking for a video-conferencing platform that does offer end-to-end encryption? Consider looking into Microsoft Teams, Signal, Clickmeeting, and Wire.