What you need to know
- Zoom's video conferencing calls aren't actually end-to-end encrypted.
- That's because Zoom itself is able to access unencrypted video and audio from meetings.
- The revelation could severely undermine Zoom's claims about privacy.
A report claims that video-conferencing service Zoom does not actually use end-to-end encryption as it's normally defined because Zoom is still able to access unencrypted audio and video.
According to The Intercept:
Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.
As the report notes, the standard definition of E2E encryption means that no outside party is able to access a conversation. According to the report, whilst Zoom claims to use E2E encryption, its security is more accurately described as "transport encryption":
As long as you make sure everyone in a Zoom meeting connects using "computer audio" instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom's website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption, explained further below.
In several instances within Zoom's security white paper, it mentions E2E encryption, and when you enable E2E, you can hover over the green padlock in the top left corner of a meeting and see the popup "Zoom is using an end to end encrypted connection." However, The Intercept claims that when it reached out to Zoom for comment a spokesperson stated:
"Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection."
This means that whilst your call is protected by security measures, "the Zoom service itself can access the unencrypted video and audio content of Zoom meetings". So whilst no one trying to snoop on you can access the meeting data, Zoom itself can see all of it. As the report notes, true end-to-end encryption would mean that only the participants of a Zoom call would have access to the video and audio content of the meeting, and have the ability to decrypt it. If Zoom could access encrypted content without decrypting it, that would still be E2E encryption. But that's not what's going on here. In response Zoom stated:
"When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point," the Zoom spokesperson wrote, apparently referring to Zoom servers as "end points" even though they sit between Zoom clients. "The content is not decrypted as it transfers across the Zoom cloud" through the networking between these machines.
Zoom fell foul of privacy concerns last week after it emerged user data was being sent to Facebook even if the user did not have a Facebook account, an issue that has since been rectified.
Regarding this latest revelation the report notes:
Without end-to-end encryption, Zoom has the technical ability to spy on private video meetings and could be compelled to hand over recordings of meetings to governments or law enforcement in response to legal requests. While other companies like Google, Facebook, and Microsoft publish transparency reports that describe exactly how many government requests for user data they receive from which countries and how many of those they comply with, Zoom does not publish a transparency report.
