In the last few months, we have seen work collaboration apps like Slack and Teams take off, along with the Zoom video conferencing app. Demand for these apps increased after companies started asking employees to work from home due to the ongoing health crisis. However, Zoom has been in the news for all the wrong reasons after researchers spotted that the app had been sending data to Facebook without explicit user permission. The company later patched the issue and confirmed that user data is safe and secure.
However, it looks like the company might have missed the mark again. According to a report published by The Intercept, Zoom meetings are not end-to-end encrypted, contrary to what the company has been advertising. The Intercept noted that Zoom uses TLS, the same protocol behind HTTPS while browsing the web. This means that your connection to Zoom's server is secure against anyone on the network path, but Zoom itself, which terminates that connection, can still decrypt the call and eavesdrop if it wanted to do so.
The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and this article (on https://theintercept.com) is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company.
– The Intercept
For a meeting to be end-to-end encrypted, the video and audio must be encrypted in such a way that only the participants of the call can decrypt it. This is achieved by keeping the encryption keys on the endpoints themselves, where the media is encrypted before it leaves a participant's device and decrypted only on the other participants' devices. In such a system, Zoom or a third party would still relay the meeting traffic, but it could not snoop, since it would not hold the keys needed to decrypt the content of the meeting.
Matthew Green, a cryptographer and computer science professor at Johns Hopkins University explained to The Intercept why it’s hard to encrypt group video calls. He noted that the “service provider needs to detect who is talking to act like a switchboard, which allows it to only send a high-resolution videostream from the person who is talking at the moment, or who a user selects to the rest of the group, and to send low-resolution videostreams of other participants. This type of optimization is much easier if the service provider can see everything because it’s unencrypted.”
If it’s all end-to-end encrypted, you need to add some extra mechanisms to make sure you can do that kind of ‘who’s talking’ switch, and you can do it in a way that doesn’t leak a lot of information. You have to push that logic out to the endpoints. It’s doable. It’s just not easy.
They’re a little bit fuzzy about what’s end-to-end encrypted. I think they’re doing this in a slightly dishonest way. It would be nice if they just came clean.
– Matthew Green
Currently, Apple offers one of the more popular video conferencing services that employs end-to-end encryption, supporting up to 32 participants. While 32 may not be a huge number, it still ensures that customer data stays secure and that no one can snoop on your private meetings.
In response to The Intercept’s report, Zoom has given the following statement:
Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.
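As an added illustration, not code from The Intercept, Zoom or this article, the following Python model contrasts the two designs discussed above: a relay that negotiated each client's transport key (the TLS-plus-AES arrangement in Zoom's statement) against one where the participants additionally hold a meeting key the server never receives. The cipher is a toy HMAC-based stand-in for AES, and the participant names and frame contents are constructed.

```python
import hashlib
import hmac
import os

# Toy stand-in for AES: HMAC-SHA256 as a counter-mode keystream plus an
# encrypt-then-MAC tag. Not for real use; it only makes the key flow visible.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class Relay:
    """The meeting server. It negotiates a transport key with every client
    (per Zoom's statement: AES keys agreed over TLS), so it can always peel that
    layer. Whether it then sees audio or just more ciphertext is the E2E question."""
    def __init__(self):
        self.session_keys = {}  # per-client transport keys the server helped negotiate
        self.seen = []          # what the server holds after removing transport encryption

    def forward(self, sender, receiver, blob):
        inner = decrypt(self.session_keys[sender], blob)   # strip sender's transport layer
        self.seen.append(inner)                             # server-side view of the frame
        return encrypt(self.session_keys[receiver], inner)  # re-wrap for the receiver

def run(mode):
    """Send one constructed audio frame Alice -> Bob through the relay.
    Returns (bob_got_the_frame, server_could_read_it)."""
    frame = b"constructed audio frame: the quarterly numbers are ..."
    relay = Relay()
    relay.session_keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    meeting_key = os.urandom(32)  # E2E only: shared by participants, never given to the relay
    payload = encrypt(meeting_key, frame) if mode == "e2e" else frame
    wire = relay.forward("alice", "bob", encrypt(relay.session_keys["alice"], payload))
    received = decrypt(relay.session_keys["bob"], wire)
    if mode == "e2e":
        received = decrypt(meeting_key, received)
    return received == frame, frame in relay.seen
```

In both modes Bob receives the frame intact; only in the end-to-end mode does the relay's `seen` list contain ciphertext it cannot open rather than the audio itself.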