Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.
With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention on the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.
Still, Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption, explained further below.
In Zoom’s white paper, there is a list of “pre-meeting security capabilities” that are available to the meeting host that starts with “Enable an end-to-end (E2E) encrypted meeting.” Later in the white paper, it lists “Secure a meeting with E2E encryption” as an “in-meeting security capability” that’s available to meeting hosts. When a host starts a meeting with the “Require Encryption for 3rd Party Endpoints” setting enabled, participants see a green padlock that says, “Zoom is using an end to end encrypted connection” when they mouse over it.
But when reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”
The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and this article (on https://theintercept.com) is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company. (In a statement, Zoom said it does not directly access, mine, or sell user data; more below.)
For a Zoom meeting to be end-to-end encrypted, the video and audio content would need to be encrypted in such a way that only the participants in the meeting have the ability to decrypt it. The Zoom service itself might have access to encrypted meeting content, but wouldn’t have the encryption keys required to decrypt it (only meeting participants would have these keys) and therefore, would not have the technical ability to listen in on your private meetings. This is how end-to-end encryption in messaging apps like Signal work: The Signal service facilitates sending encrypted messages between users, but doesn’t have the encryption keys required to decrypt those messages and therefore, can’t access their unencrypted content.
“When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” the Zoom spokesperson wrote, apparently referring to Zoom servers as “end points” even though they sit between Zoom clients. “The content is not decrypted as it transfers across the Zoom cloud” through the networking between these machines.
Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, points out that group video conferencing is difficult to encrypt end to end. That’s because the service provider needs to detect who is talking to act like a switchboard, which allows it to only send a high-resolution videostream from the person who is talking at the moment, or who a user selects to the rest of the group, and to send low-resolution videostreams of other participants. This type of optimization is much easier if the service provider can see everything because it’s unencrypted.
“If it’s all end-to-end encrypted, you need to add some extra mechanisms to make sure you can do that kind of ‘who’s talking’ switch, and you can do it in a way that doesn’t leak a lot of information. You have to push that logic out to the endpoints,” he told The Intercept. This isn’t impossible, though, Green said, as demonstrated by Apple’s FaceTime, which allows group video conferencing that’s end-to-end encrypted. “It’s doable. It’s just not easy.”
“They’re a little bit fuzzy about what’s end-to-end encrypted,” Green said of Zoom. “I think they’re doing this in a slightly dishonest way. It would be nice if they just came clean.”
The only feature of Zoom that does appear to be end-to-end encrypted is in-meeting text chat. “Zoom E2E chat encryption allows for a secured communication where only the intended recipient can read the secured message,” the white paper states. “Zoom uses public and private key to encrypt the chat session with Advanced Encryption Standard (AES-256). Session keys are generated with a device-unique hardware ID to avoid data being read from other devices.” A Zoom spokesperson wrote, “When end-to-end encryption for chat is enabled, the keys are stored on the local devices and Zoom does not have access to the keys to decrypt the data.”
“I think they’re doing this in a slightly dishonest way.”
Without end-to-end encryption, Zoom has the technical ability to spy on private video meetings and could be compelled to hand over recordings of meetings to governments or law enforcement in response to legal requests. While other companies like Google, Facebook, and Microsoft publish transparency reports that describe exactly how many government requests for user data they receive from which countries and how many of those they comply with, Zoom does not publish a transparency report. On March 18, human rights group Access Now published an open letter calling on Zoom to release a transparency report to help users understand what the company is doing to protect their data.
“Transparency reports are one of the strongest ways for companies to disclose threats to user privacy and free expression. They help us understand surveillance laws in different jurisdictions, provide useful information on network shutdowns and disruptions, and they show us which companies are pushing back against improper requests for user information,” said Isedua Oribhabor, U.S. policy analyst at Access Now. Access Now’s Transparency Reporting Index shows a downward trend in consistent transparency reporting, which Oribhabor said removes an essential tool for users and civil society to hold governments and companies accountable.
Oribhabor pointed out that Zoom could be compelled to hand over data to governments that want to monitor online assembly or control the spread of information as activists move protests online. The lack of a transparency report makes it difficult to determine whether there’s been an increase in requests and unclear how Zoom would respond.
“Companies have a responsibility to be transparent about these kinds of requests, to help users and civil society see where government abuse is occurring and how the company is pushing back,” Oribhabor said.
“Zoom complies with our legal obligations or the legal obligations of our customers. This includes responding to valid legal process, or as reasonably necessary to preserve Zoom’s legal rights. Zoom is legally required to work with law enforcement when there is a violation of Zoom’s Online Terms of Service,” a Zoom spokesperson said in an email.
Zoom has the technical ability to spy on private video meetings.
It’s possible that Zoom’s marketing could be considered an unfair or deceptive trade practice that would run afoul of the Federal Trade Commission. In 2014, both Fandango and Credit Karma settled charges with the FTC after failing to properly implement SSL encryption for processing credit card information, despite their security promises. This left customer’s personal data vulnerable to man-in-the-middle attacks.
Independent technologist Ashkan Soltani, who formerly served as the FTC’s chief technologist, said it’s unclear to him whether Zoom is actually implementing end-to-end encryption; he was unaware that it claimed to do so prior to speaking with The Intercept. But he said that if a reasonable consumer makes a decision to use Zoom with the understanding that it has end-to-end encryption for video chat when, in fact, it did not, and if Zoom’s representation is deceptive, it could be a deceptive trade practice.
This kind of marketing could impact not just consumers, but also other businesses.
“If Zoom claimed they have end-to-end encryption, but didn’t actually invest the resources to implement it, and Google Hangouts didn’t make that claim and you chose Zoom, not only are you being harmed as consumer, but in fact, Hangouts is being harmed because Zoom is making claims about its product that are not true,” he said. “So it’s actually benefiting from false claims, and people are essentially receiving more market share because of those false claims.”
Zoom business customers with a minimum of 10 hosts have the option of using an on-premises Meeting Connector, which allows companies to essentially host a Zoom server on their internal corporate network. With this setup, meeting metadata, like the names and times of meetings and which participants join them, goes through Zoom’s servers, but “the meeting itself is hosted in customer’s internal network,” according to the white paper. “All real-time meeting traffic including audio, video, and data sharing go through the company’s internal network. This leverages your existing network security setup to protect your meeting traffic.” Even though Zoom meetings are not end-to-end encrypted, the company should not have access to the video and audio of meetings that go through a customer’s Meeting Connector server; only the customer should have access to that.
Zoom provided the following statement to The Intercept: “Zoom takes its users’ privacy extremely seriously. Zoom only collects data from individuals using the Zoom platform as needed to provide the service and ensure it is delivered as effectively as possible. Zoom must collect basic technical information like users’ IP address, OS details and device details in order for the service to function properly. Zoom has layered safeguards in place to protect our users’ privacy, which includes preventing anyone, including Zoom employees, from directly accessing any data that users share during meetings, including — but not limited to — the video, audio and chat content of those meetings. Importantly, Zoom does not mine user data or sell user data of any kind to anyone.”