Just Encrypted or End to End Encrypted – How Secured Are Zoom Meetings Really?

Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties.

Zoom had falsely marketed one of its features as making meetings “end-to-end encrypted.” That would mean video call data is encrypted at all times in transit, such that not even Zoom could access it.

The company has since admitted that this is not the case, and now uses the word “encrypted” instead of “end-to-end encrypted” when meetings have the setting enabled.

Zoom can add comprehensive encryption only if everyone in a meeting is logged in through one of the company’s apps. If someone joins a Zoom meeting through a regular phone call, for example, Zoom can’t extend its encryption to the legacy telephony network.

The system does not meet the criteria of being end-to-end encrypted because of key management—the logistics of generating, using, and storing the keys that encrypt and decrypt data. The blog post says that Zoom currently manages and stores all of the keys involved in user data encryption in its own cloud infrastructure. By definition, this means that Zoom is not end-to-end encrypted, even if meetings remain encrypted on their whole route across the internet, because Zoom could use the keys it holds to decrypt the data during that journey.

The video meetings are not actually end-to-end encrypted because it is currently not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS, and UDP connections are encrypted with AES using a key negotiated over a TLS connection.

The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and this article (on https://privacypriority.org) is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company.
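The key-custody difference described above can be modelled in a few lines. This is an added example, not Zoom's code: the `Relay` class, the meeting ids and the sample frame are hypothetical, and a toy SHA-256 keystream with HMAC stands in for AES so the sketch runs with the Python standard library only.

```python
import hashlib, hmac, secrets

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC with a toy SHA-256 keystream (stand-in for AES)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Return the plaintext, or None if the key is wrong or data was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class Relay:
    """Hypothetical provider server that forwards media between clients."""
    def __init__(self):
        self.key_store = {}  # meeting id -> key the provider holds

    def issue_meeting_key(self, meeting_id):
        # Server-managed model: provider creates, stores and hands out the key.
        self.key_store[meeting_id] = secrets.token_bytes(32)
        return self.key_store[meeting_id]

    def try_read(self, meeting_id, blob):
        key = self.key_store.get(meeting_id)
        return unseal(key, blob) if key else None

def compare_models(frame=b"constructed audio frame"):
    relay = Relay()
    managed = seal(relay.issue_meeting_key("m1"), frame)
    e2e_key = secrets.token_bytes(32)  # exists only on participants' devices
    e2e = seal(e2e_key, frame)
    return {"relay_reads_managed": relay.try_read("m1", managed),
            "relay_reads_e2e": relay.try_read("m2", e2e),
            "peer_reads_e2e": unseal(e2e_key, e2e)}
```

In both models the relay forwards ciphertext; only in the server-managed model does `try_read` recover the frame, because the provider holds the key.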

Without end-to-end encryption, Zoom has the technical ability to spy on private video meetings and could be compelled to hand over recordings of meetings to governments or law enforcement in response to legal requests.
