This article was published on April 1, 2020

Don’t believe Zoom: Its video calls are not encrypted end-to-end


Don’t believe Zoom: Its video calls are not encrypted end-to-end

It’s a brand new day with a brand new privacy issue for popular video calling app Zoom. Last night, The Intercept published a report highlighting that Zoom’s claim of having end-to-end encryption for its meetings is not true.

The video conferencing company boasts about end-to-end encryption on its website, and in a separate security-related white paper. However, The Intercept’s report found that the service uses transport encryption instead.

[Read: This tool erases web page text to reveal hidden poetry]

Transport encryption is a Transport Layer Security (TLS) protocol, that secures the connection between you and the server you’re connected to. That’s the same encryption used in a secure connection between you and any website with HTTPS protocol. The key difference between transport encryption and end-to-end encryption is that Zoom (or the server you’re connected to) will be able to see your data.

Zoom's security white paper noting that the app has end-to-end encryption
Zoom’s security white paper noting that the app has end-to-end encryption

In a comment provided to The Intercept, Zoom confirmed that the service doesn’t provide end-to-end encryption at the moment:

Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.

The company clarified that “end-to-end” mention in the literature refers to Zoom endpoints aka Zoom server, which sits between clients. So, it can technically look at your data. While the firm denies that it can access or sells user data to third-parties, it would’ve been better to clearly state the encryption standards it uses.

This isn’t the first time Zoom’s shady policies have come to light. A report by Bleeping Computer published today notes that it’s possible for hackers to steal passwords through Zoom’s Windows client.

Last week, the service’s iOS app was found to be sending data to Facebook without explicit user consent. The company removed the code that was sending data to the social network later. Last month, the digital rights non-profit Electronic Frontier Foundation (EFF) noted that using Zoom’s products can have some serious implications on your privacy

Yesterday, Privacy-focused browser Tor suggested that you should ditch Zoom and use an open-source solution called Jitsi Meet.

However, if you absolutely have use Zoom, you can use web links for browsers through a handy Chrome extension developed by Arkadiy Tetelman. 

To that end, the ball is in the video conferencing app’s court to repair its reputation, and implement strong and transparent privacy practices. Otherwise, people will soon turn to freely available and more secure alternatives.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with