What do you do when your product isn’t encrypted? Change how encryption to is commonly understood.
End-to-end encryption on Zoom is what the world is criticising Zoom for. After all, your top concern for online meetings is that no one spies your meeting, right?
You may be more concerned if you’re doing a confidential company or government discussion on a Zoom meeting, which I’d recommend you to not do.
Nevertheless, your privacy is more valuable today than it was a few decades ago. And Zoom was never designed to be privacy-focused. Their aim was user-friendliness and feature richness. And in both categories, they are what they say “Industry leaders”. Well, not always are they what they say. Because Zoom isn’t “end-to-end encrypted” at least in the sense these terms are commonly used.
Before we dive into why Zoom isn’t encrypted, why do we need Zoom to be encrypted in the first place, and why most of us can still use Zoom even if it isn’t encrypted among other questions, there are two things you need to understand.
Let’s take the case of a WhatsApp message. Assume you send a message to someone, say X.
The message, you sent, is encrypted and uploaded to a data centre. We’ll talk encryption a bit later.
X’s device, if online, checks for any new messages continuously. When it sees the message you sent, it shows it the X. This is all happens in a blink.
Let some illustrations help you understand.
Illustration by Kunal Mishra
If you’re curious why the message isn’t sent to the recipient’s device directly, it’s because in case X’s device is offline, the message would not reach.
Why the message is sent to a server and not directly to the receiver’s phone. // Illustration by Kunal Mishra.
As to sum up, you need to understand the data that that is sent from your phone goes to a server before being received at the destination device.
Encryption means encoding data while in transmission from one device to another. This ensures that if someone accesses the data while it’s travelling, he can not use it.
Let’s understand it with an example of cash and credit card.
Your cash is un-encrypted. That means anybody who holds it can use it — be it you or a burglar who stole it.Your card, on the other hand, is encrypted. Meaning not everyone can use it unless he knows the PIN, which can be any of 10,000 unique PINs.
That’s how encryption works.
In WhatsApp, you might have noticed a yellow box that tells you your chats are end-to-end encrypted. That means only you and the person who the message was sent to can read it.
WhatsApp’s encryption message
No one in between, even if he gets access to the message, can read it. Not even WhatsApp staff.
Illustration by Kunal Mishra
Think of it like changing your texts to another language which only your phone and the receiver’s one can understand. So for anyone who steals your message while it’s travelling to the receiver, it’d be useless for him.
This is End-to-end Encryption, the standard encryption for any widely used digital product.
Zoom’s marketing claims say the product is “end-to-end encrypted”. This can be seen from various places within Zoom’s interfaces.
The top-left icon in Zoom’s desktop app.
Zoom’s “end-to-end encryption capabilities” should mean no one other than the participants of the meeting can spy the meeting.
But rather it means no one, who steals the data while being transported between your phone and Zoom’s data centres, can eavesdrop your meetings because they’re encrypted. Though, Zoom itself or government of the country the servers are located in can have access to your meetings. This denies the right to privacy.
The keys, used to decrypt the data, are also stored in Zoom’s data centres. Most of which are located in China, where governmental authorities can ask Zoom to give them access to the data, unencrypted. And Chinese laws make Zoom undeniable.
This creates a problem if you do a highly confidential discussion over a Zoom meeting. The Chinese might be spying on you.
An example is when a photo showed the Indian defence minister using Zoom to communicate with chiefs of the army.
Indian Defence Minister Rajnath Singh using Zoom for meeting with the chiefs of Army, Navy and Air Force. // Twitter/@Vijaita
While writing this article, Zoom pushed out a new update letting paid users choose which data centre they want the data to go through. Free users are given no such option.
Zoom’s chief product officer Oded Gal wrote:
“Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
‘They don’t’ doesn’t mean ‘they can’t’.
Zoom spokesperson said, “We encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.”
This sounds like end-to-end encryption, right? But they say “they don’t decrypt” not “they can’t decrypt”.
For a fully end-to-end encrypted Zoom meeting,
This is what end-to-end encryption actually means.
Mathew Green, a cryptographer points out on The Intercept that video conferencing is hard to encrypt.
That’s because Zoom needs to figure out which participant is talking so as to act as a switchboard, allowing high-quality audio only from the person speaking at the moment. While rest all’s audio quality will be decreased a bit to optimize the data usage.
This optimization helps Zoom consume less battery and data, enhancing the overall quality of the meeting. This is easier when Zoom’s systems can see the data — to see who’s talking — in unencrypted form.
“If it’s all end-to-end encrypted, you need to add some extra mechanisms to make sure you can do that kind of ‘who’s talking’ switch, and you can do it in a way that doesn’t leak a lot of information. You have to push that logic out to the endpoints,” he told The Intercept. This isn’t impossible, though, Green said, as demonstrated by Apple’s FaceTime, which allows group video conferencing that’s end-to-end encrypted.
Though, it’s worth noting that it took Apple years to get end-to-end encryption to work with 32 participants on FaceTime while meetings on Zoom have 100–1000 participants.
Companies like Microsoft, Google and Facebook have transparency reports that describe how many government requests for user data they receive from which countries (governments) and how many of those they comply with. Zoom doesn’t have any.
Isedua Oribhabor, U.S. policy analyst at Access Now, pointed out that Zoom could be compelled to hand over data to governments that want to monitor online assembly or control the spread of information as activists move protests online. The lack of a transparency report makes it difficult to determine whether there’s been an increase in requests and unclear how Zoom would respond.
Independent technologist Ashkan Soltani, who formerly served as the FTC’s chief technologist, said, “If Zoom claimed they have end-to-end encryption, but didn’t actually invest the resources to implement it, and Google Hangouts didn’t make that claim and you chose Zoom, not only are you being harmed as a consumer but in fact, Hangouts is being harmed because Zoom is making claims about its product that are not true”
Zoom is deceptive when it says it is End-to-end encrypted. But not when it says its the industry leader. We talked about how misleading Zoom is. But you need to see both sides of the coin.
Let’s admit it: Zoom has a lot to dislike. But the likeable things can’t be ignored as well. We can’t judge Zoom on just one ground, can we?
Zoom even made it free for educational purposes.User-friendliness. Despite advanced features and aggressive pricing, you don’t need to be a tech geek to configure Zoom.
But I agree with a post on WIRED that says, “It’s absolutely fair to put public pressure on Zoom to make things safer for regular users.”