The COVID-19 outbreak hit economies and businesses left, right, and center as pretty much the entire world went into lockdown mode. But while sectors like tourism, aviation, retail, entertainment, and sports took the heaviest blows, other companies witnessed a meteoric rise during the pandemic. One of those companies was Zoom, the video-conferencing app that nearly every student and employee used to study and carry out work from home.
But the company faced increasing scrutiny over conflicting (and confusing) encryption claims. On its website, Zoom said that one of its features makes video calls “end-to-end” encrypted, which means data stays encrypted at all times and even the service itself cannot access it. However, that wasn’t the case. Instead of end-to-end (E2E) encryption, Zoom offers transport (TLS) encryption, the same cryptographic protocol that web browsers like Chrome and Firefox use to secure HTTPS websites. These revelations were made in a report by The Intercept.
Since then, the company has sought to clarify this whole issue, admitting in a blog post that E2E is still not in use. “Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption,” Chief Product Officer Oded Gal said. “While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it,” he added.
But then, Gal added to the previous confusion by saying that Zoom encrypts all data while in transit, which sounds a lot like E2E. Cryptographers were having none of it. Based on the blog post, Teserakt founder Jean-Philippe Aumasson pointed out that Zoom’s encryption does not meet end-to-end criteria. That’s because the company stores and manages all encryption and decryption keys in its own cloud infrastructure, which allows it to intercept and decrypt communications. And despite Gal’s assurances that Zoom has strict internal policies to prevent anyone from accessing user data, experts in the field were not impressed.
“Saying they don’t decrypt it at any point does not mean that they cannot decrypt it at any point,” said Seny Kamara, Brown University cryptographer.
Zoom Announces End-to-End Encryption Plans
Following the whole encryption debacle, Zoom finally announced in April that it would roll out full end-to-end encryption for video and audio calls. But come May, the company was yet again at the center of another controversy after saying that only paying subscribers would benefit from E2E. This prompted the service to reverse its decision and make the feature available for all customers. The news came in a blog post on Wednesday, with Zoom saying that a beta version of its end-to-end encryption would kick off in July.
The feature will be disabled by default, as the technology isn’t compatible with all conferencing devices and equipment or participants using regular phones. Those who want E2E protection will have to enable it before creating a meeting. Furthermore, free users will have to enter and verify some sort of identifying information, like a phone number. As for paying customers, they will already provide such details in the sign-up process.
Zoom insisted on adding identifiers because it wants to cooperate with the authorities in case someone misuses the app.