Zoom Meetings: No End-to-End Encryption

Zoom went from having 10 million daily users in December 2019 to having 200 million daily users in March 2020. While several sectors suffer from the COVID-19 (coronavirus) pandemic, Zoom is one of the companies that is reaping huge benefits. Zoom gained over 1,900% in usage for claiming to offer end-to-end encryption and protecting the privacy of its users.

However, recent reports claim that Zoom is not doing any of that — no end-to-end encryption and no privacy protection for users.

On Zoom’s website, there’s a white-paper detailing the services and features offered by Zoom. Reading through it, you will see that Zoom mentioned “end-to-end encryption”. Also, in a Zoom meeting, there’s a green key at the top of your screen, when you hover over it, a popup will show “end-to-end encryption”. So that should mean that no one except users should be able to access user data and the user will have to decrypt their data first. However, ‘Vice’ demonstrated in a recent post that Zoom was sending user data to Facebook without getting users’ permission. In fact, users didn’t even need to have Facebook installed on their phone.

Looking at Zoom’s encryption for meetings, the company uses the same encryption that is used to secure the connection between two networks. The same encryption used for HTTPS sites. This encryption is known as transport encryption and it is different from end-to-end encryption. Transport encryption only protects networks from unsecured connections. Hackers or cybercriminals may not be able to spy on your wifi to steal your audio and video content when using Zoom. However, Zoom can access the connection and can collect user data.

To confirm this, ‘The Intercept’ reached out to a Zoom spokesperson to find out whether the app offers end-to-end encryption. The spokesperson in a statement to ‘The Intercept’ said :

Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

So, it is clear that Zoom is using false advertising to deceive users into believing that it offers end-to-end encryption. Zoom has also claimed that it does not mine or sell user data, but that has been proven wrong with the Facebook incident mentioned above. Although, they might have stopped after that, there are no guaranteed ways to know for sure.

A Zoom spokesperson reported in an email: “Zoom complies with our legal obligations or the legal obligations of our customers. This includes responding to valid legal process, or as reasonably necessary to preserve Zoom’s legal rights. Zoom is legally required to work with law enforcement when there is a violation of Zoom’s Online Terms of Service,”.

Zoom does not publish transparency reports like Microsoft and Google. A transparency report should discuss which governments and which countries are trying to acquire user data. It should also include the company’s decision, whether they send user data to governments and corporations, or if they reject third-party requests for user data.

We may be seeing a change in Zoom’s policy as ‘Access Now’ has asked for a transparency report from Zoom, and it appears that Zoom is heeding the request.

Andrei – stock.adobe.com