paint-brush
Are Zoom's Encryption Claims Deceptive? by@kunal

Are Zoom's Encryption Claims Deceptive?

by Kunal MishraMay 28th, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

What do you do when your product isn’t encrypted? Change how encryption to is commonly understood.

People Mentioned

Mention Thumbnail

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Are Zoom's Encryption Claims Deceptive?
Kunal Mishra HackerNoon profile picture

What do you do when your product isn’t encrypted? Change how encryption to is commonly understood.

End-to-end encryption on Zoom is what the world is criticising Zoom for. After all, your top concern for online meetings is that no one spies your meeting, right?

You may be more concerned if you’re doing a confidential company or government discussion on a Zoom meeting, which I’d recommend you to not do.

Nevertheless, your privacy is more valuable today than it was a few decades ago. And Zoom was never designed to be privacy-focused. Their aim was user-friendliness and feature richness. And in both categories, they are what they say “Industry leaders”. Well, not always are they what they say. Because Zoom isn’t “end-to-end encrypted” at least in the sense these terms are commonly used.

Before we dive into why Zoom isn’t encrypted, why do we need Zoom to be encrypted in the first place, and why most of us can still use Zoom even if it isn’t encrypted among other questions, there are two things you need to understand.

1. How Your Data Travels To The Ones You Send It To?

Let’s take the case of a WhatsApp message. Assume you send a message to someone, say X.

The message, you sent, is encrypted and uploaded to a data centre. We’ll talk encryption a bit later.

X’s device, if online, checks for any new messages continuously. When it sees the message you sent, it shows it the X. This is all happens in a blink.

Let some illustrations help you understand.

Illustration by Kunal Mishra

If you’re curious why the message isn’t sent to the recipient’s device directly, it’s because in case X’s device is offline, the message would not reach.

Why the message is sent to a server and not directly to the receiver’s phone. // Illustration by Kunal Mishra.

As to sum up, you need to understand the data that that is sent from your phone goes to a server before being received at the destination device.

2. What Is Encryption?

Encryption means encoding data while in transmission from one device to another. This ensures that if someone accesses the data while it’s travelling, he can not use it.

Let’s understand it with an example of cash and credit card.

Your cash is un-encrypted. That means anybody who holds it can use it — be it you or a burglar who stole it.Your card, on the other hand, is encrypted. Meaning not everyone can use it unless he knows the PIN, which can be any of 10,000 unique PINs.

That’s how encryption works.

In WhatsApp, you might have noticed a yellow box that tells you your chats are end-to-end encrypted. That means only you and the person who the message was sent to can read it.

WhatsApp’s encryption message

No one in between, even if he gets access to the message, can read it. Not even WhatsApp staff.

Illustration by Kunal Mishra

Think of it like changing your texts to another language which only your phone and the receiver’s one can understand. So for anyone who steals your message while it’s travelling to the receiver, it’d be useless for him.

This is End-to-end Encryption, the standard encryption for any widely used digital product.

Encryption On Zoom

Zoom’s marketing claims say the product is “end-to-end encrypted”. This can be seen from various places within Zoom’s interfaces.

The top-left icon in Zoom’s desktop app.
  • When you hover over the green lock in the top left of the Zoom desktop app, it says, “Zoom is using an end to end encrypted connection”. [This has been corrected in recent updates.]
  • In the white paper, it lists “Secure a meeting with E2E encryption” as an “in-meeting security capability” that’s available to meeting hosts

Zoom is deceptive when it says it is End-to-end encrypted.

Zoom’s “end-to-end encryption capabilities” should mean no one other than the participants of the meeting can spy the meeting.

But rather it means no one, who steals the data while being transported between your phone and Zoom’s data centres, can eavesdrop your meetings because they’re encrypted. Though, Zoom itself or government of the country the servers are located in can have access to your meetings. This denies the right to privacy.

The keys, used to decrypt the data, are also stored in Zoom’s data centres. Most of which are located in China, where governmental authorities can ask Zoom to give them access to the data, unencrypted. And Chinese laws make Zoom undeniable.

This creates a problem if you do a highly confidential discussion over a Zoom meeting. The Chinese might be spying on you.

An example is when a photo showed the Indian defence minister using Zoom to communicate with chiefs of the army.

Indian Defence Minister Rajnath Singh using Zoom for meeting with the chiefs of Army, Navy and Air Force. // Twitter/@Vijaita

While writing this article, Zoom pushed out a new update letting paid users choose which data centre they want the data to go through. Free users are given no such option. 

  • If you’re a paid user, route your Zoom meetings via a data centres in Mumbai, India.
  • If you are using Zoom for free, your data will be routed through data centres in the US.

Zoom’s chief product officer Oded Gal wrote:

“Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”

‘They don’t’ doesn’t mean ‘they can’t’.

Zoom spokesperson said, “We encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.

This sounds like end-to-end encryption, right? But they say “they don’t decrypt” not “they can’t decrypt”.

How Can Zoom meetings be really end-to-end encrypted?

For a fully end-to-end encrypted Zoom meeting,

  • The audio, video, screen sharing, chats and other meeting data should be encrypted in such a way that only participants of the meeting can decrypt it.
  • The Zoom data centres should still have all these meetings data but encrypted. Meaning they shouldn’t have the technical ability to eavesdrop your meetings.

This is what end-to-end encryption actually means.

Why Zoom is not end-to-end encrypted

Mathew Green, a cryptographer points out on The Intercept that video conferencing is hard to encrypt.

That’s because Zoom needs to figure out which participant is talking so as to act as a switchboard, allowing high-quality audio only from the person speaking at the moment. While rest all’s audio quality will be decreased a bit to optimize the data usage.

This optimization helps Zoom consume less battery and data, enhancing the overall quality of the meeting. This is easier when Zoom’s systems can see the data — to see who’s talking — in unencrypted form.

But it’s not impossible, too.

“If it’s all end-to-end encrypted, you need to add some extra mechanisms to make sure you can do that kind of ‘who’s talking’ switch, and you can do it in a way that doesn’t leak a lot of information. You have to push that logic out to the endpoints,” he told The Intercept. This isn’t impossible, though, Green said, as demonstrated by Apple’s FaceTime, which allows group video conferencing that’s end-to-end encrypted.

Though, it’s worth noting that it took Apple years to get end-to-end encryption to work with 32 participants on FaceTime while meetings on Zoom have 100–1000 participants.

Tech Giants are transparent, Zoom isn’t.

Companies like MicrosoftGoogle and Facebook have transparency reports that describe how many government requests for user data they receive from which countries (governments) and how many of those they comply with. Zoom doesn’t have any.

Isedua Oribhabor, U.S. policy analyst at Access Now, pointed out that Zoom could be compelled to hand over data to governments that want to monitor online assembly or control the spread of information as activists move protests online. The lack of a transparency report makes it difficult to determine whether there’s been an increase in requests and unclear how Zoom would respond.

How Zoom’s False Claims Affects The Competition?

Independent technologist Ashkan Soltani, who formerly served as the FTC’s chief technologist, said, “If Zoom claimed they have end-to-end encryption, but didn’t actually invest the resources to implement it, and Google Hangouts didn’t make that claim and you chose Zoom, not only are you being harmed as a consumer but in fact, Hangouts is being harmed because Zoom is making claims about its product that are not true”

The Good About Zoom

Zoom is deceptive when it says it is End-to-end encrypted. But not when it says its the industry leader. We talked about how misleading Zoom is. But you need to see both sides of the coin.

Let’s admit it: Zoom has a lot to dislike. But the likeable things can’t be ignored as well. We can’t judge Zoom on just one ground, can we?

  • Zoom’s free version supports meetings with up to 100 participants. The Enterprise Plus tier users can make a meeting with up to 1000 participants. Skype supports only 50 for free. Google’s Hangouts Meet supports no more than 250. Apple’s encrypted FaceTime supports only 32.
  • The meeting quality is better than Google’s Hangouts Meet and some other competitors, especially for low-end devices and networks.
  • It gives the host more control over the meeting, like muting anyone, removing, configuring chat etc.
  • It has some brilliant features to stop abuse like Zoombombing like a virtual waiting roomlocking meetings etc that most meetings app don’t have.

Zoom even made it free for educational purposes.User-friendliness. Despite advanced features and aggressive pricing, you don’t need to be a tech geek to configure Zoom.

But I agree with a post on WIRED that says, “It’s absolutely fair to put public pressure on Zoom to make things safer for regular users.”

First Published On Theciva