Zoom, the video meeting service, has seen a spike in its usage ever since the coronavirus pandemic led to a work from home policy in many parts of the world. But it would appear that some of the claims that Zoom has made about being end-to-end encrypted as a service are simply not true. The issue was first highlighted in a report by The Intercept, and Zoom has since responded, admitting that end-to-end encryption (E2E) is currently not possible on its video calls.
The report comes after the company was recently sued by a user in the US, who claimed the company was illegally disclosing personal information to third parties, including Facebook. The lawsuit was filed in San Jose, California.
So what is the issue with Zoom’s end-to-end encryption?
According to the Intercept report, Zoom’s security white paper uses the term end-to-end encryption, but it appears to be false advertising. The paper, which is available on the Zoom website, notes, “Zoom E2E chat encryption allows for a secured communication where only the intended recipient can read the secured message. Zoom uses a public and private key to encrypt the chat session with Advanced Encryption Standard (AES-256). Session keys are generated with a device-unique hardware ID to avoid data being read from other devices. This ensures that the session can not be eavesdropped on or tampered with.”
However, as the report shows, this is not the case. Zoom’s service does not support end-to-end encryption for video and audio content, at least if one were to go by the definition applied by other players such as Apple, WhatsApp, Signal, etc.
When Zoom talks about end-to-end encryption, it is referring to its use of the TLS protocol, the same protocol used to secure HTTPS websites, and as the report notes, this only offers “transport encryption.” The big difference to understand here is that while a third party might not be able to access a Zoom call, Zoom itself can access the video and audio content. In a true end-to-end encrypted call, neither Zoom nor anyone else should be able to access the content other than the intended recipient.
What has Zoom said in response?
Zoom has admitted that it is not possible to enable E2E encryption on calls. “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection,” is what a company spokesperson told The Intercept.
What does the Zoom security paper claim?
The Zoom white paper does mention E2E chat encryption. The part notes, “End-to-End Chat Encryption allows for a secured communication where only the intended recipient can read the secured message.” Do note that it does not specifically mention that Zoom cannot read the secured message.
It also goes on to say, “Zoom uses both asymmetric and symmetric algorithms to encrypt the chat session. Session keys are generated with a device-unique hardware ID to avoid data being read from other devices. This ensures that the session can not be eavesdropped on or tampered with.”
Further, the white paper also says that recordings of a Zoom session can be stored on the host’s device or “Zoom’s cloud with the Cloud Recording option”, though this is only available to paying customers.
So what does this mean? Why does end-to-end encryption matter?
Well, given that more and more companies are using Zoom for their daily work and discussing key work-related matters on these calls, the lack of end-to-end encryption will certainly cause problems, especially given the service makes an entirely different claim in its white paper.
E2E encryption ensures that no one can read or tamper with a video call or access it, and this would include the service or the platform providing it. For instance, on Apple’s FaceTime all video calls are E2E encrypted, which means even Apple cannot access the data. The decryption key lies with the user’s device and is known as the private key. Only this can decrypt the message. FaceTime merely facilitates the message or the call to take place and Apple cannot access the call.
The same goes for WhatsApp’s Group video calls or calls made by apps like Signal and Wire, which have E2E encryption enabled by default. WhatsApp, Signal or Wire cannot access or decrypt the messages or calls being shared, nor can any third party.
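An added example, not part of the original article and not Zoom's or any vendor's code: a small Python model of the difference described above, in which the only thing that changes between the two calls is who holds the key. The SHA-256 keystream is a stand-in for AES, the Diffie-Hellman parameters are toy values, and `RelayServer`, `MARKER` and the frame format are constructed for illustration; it assumes the TLS connection terminates at the service's server.

```python
import hashlib
import secrets

P, G = 2**255 - 19, 2   # toy Diffie-Hellman group, for illustration only
MARKER = b"MEDIA:"      # constructed frame header so a correct decryption is recognisable

def keystream_xor(key, nonce, data):
    """Toy stand-in for AES: XOR with a SHA-256 counter keystream (same call decrypts)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class RelayServer:
    """The service's server: forwards packets and keeps any key it helped negotiate."""
    def __init__(self):
        self.known_keys = []

    def negotiate_key(self):
        # Transport model: the key is agreed over TLS with the server, so the server has it.
        key = secrets.token_bytes(32)
        self.known_keys.append(key)
        return key

    def try_read(self, nonce, ciphertext):
        for key in self.known_keys:
            plain = keystream_xor(key, nonce, ciphertext)
            if plain.startswith(MARKER):
                return plain
        return None

def transport_encrypted_call(frame):
    server = RelayServer()
    key = server.negotiate_key()              # sender and receiver both get this key
    nonce = secrets.token_bytes(12)
    packet = keystream_xor(key, nonce, frame)
    return keystream_xor(key, nonce, packet), server.try_read(nonce, packet)

def end_to_end_call(frame):
    server = RelayServer()                    # relays public values and packets only
    a, b = (secrets.randbelow(P - 3) + 2 for _ in range(2))   # private keys stay on devices
    a_pub, b_pub = pow(G, a, P), pow(G, b, P)
    key_a = hashlib.sha256(pow(b_pub, a, P).to_bytes(32, "big")).digest()
    key_b = hashlib.sha256(pow(a_pub, b, P).to_bytes(32, "big")).digest()
    nonce = secrets.token_bytes(12)
    packet = keystream_xor(key_a, nonce, frame)
    return keystream_xor(key_b, nonce, packet), server.try_read(nonce, packet)
```

Each function returns a pair: what the recipient decrypts, and what the server was able to read from the same packet. Real end-to-end systems also authenticate the exchanged public keys, which this model leaves out.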
The lack of E2E encryption on Zoom raises concerns given the app has suddenly become so popular and many companies have no choice but to use it to conduct their team meetings and calls.