Dive Brief:
- Zoom lacks end-to-end (E2E) encryption and instead defaults to its own interpretation of transport encryption, The Intercept reported Tuesday. Transport encryption is a method used to authenticate two systems for communication over networks.
- A Zoom spokesperson told The Intercept that E2E encryption is not enabled for video meetings, despite the company's security white paper saying otherwise. Instead, the company encrypts meetings using, in part, transport layer security (TLS), which is one form of transport encryption. Because meetings are not encrypted E2E in the traditional sense, Zoom can access users' unencrypted video conferences or transcripts.
- Researchers from Hacker House found that a Windows network location sent as text in a Zoom chat window becomes a clickable link, Ars Technica reported. Clicking it could jeopardize the user's username and Windows NTLM credentials. From there, hackers can leverage those credentials to access other network-connected solutions.
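As an added, defensive illustration (not Zoom's code and not from the Ars Technica report), the Go program below shows the rendering-side control that closes this class of problem: a chat renderer that makes only http and https URLs clickable, renders anything shaped like a Windows network path as inert text, and returns the refused tokens so they can be logged. The function names, the path pattern, and the sample message are this example's own assumptions.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// Policy assumed for this example (not Zoom's): only http and https links are
// made clickable; a token shaped like a Windows network path (\\host\share\...)
// is rendered as escaped plain text and reported for logging.
var networkPath = regexp.MustCompile(`^\\\\[^\\\s]+(?:\\[^\\\s]*)*$`)

// RenderResult is the escaped message plus the tokens refused as links.
type RenderResult struct {
	HTML    string
	Flagged []string
}

// isSafeLink allowlists the scheme and requires a host, so "javascript:" and
// scheme-less tokens never become anchors.
func isSafeLink(tok string) bool {
	u, err := url.Parse(tok)
	if err != nil || u.Host == "" {
		return false
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
		return true
	}
	return false
}

// isNetworkPath reports whether a token looks like a Windows network path.
func isNetworkPath(tok string) bool {
	return networkPath.MatchString(tok)
}

// renderChatMessage splits a message on whitespace, anchors only allowlisted
// links, escapes everything for HTML, and collects refused network paths.
func renderChatMessage(msg string) RenderResult {
	var out, flagged []string
	for _, tok := range strings.Fields(msg) {
		esc := html.EscapeString(tok)
		switch {
		case isNetworkPath(tok):
			flagged = append(flagged, tok)
			out = append(out, esc) // inert text, never clickable
		case isSafeLink(tok):
			out = append(out, fmt.Sprintf(`<a href="%s" rel="noopener noreferrer">%s</a>`, esc, esc))
		default:
			out = append(out, esc)
		}
	}
	return RenderResult{HTML: strings.Join(out, " "), Flagged: flagged}
}

func main() {
	// Constructed sample message; the host and share names are made up.
	r := renderChatMessage(`slides at \\fileserver\share\q1.pptx and https://example.com/agenda`)
	fmt.Println(r.HTML)
	fmt.Println("refused as links:", r.Flagged)
}
```

The renderer is the single choke point: whatever a sender types, the client decides what becomes clickable, so an allowlist here is more robust than trying to blocklist every path spelling. The Flagged list gives the operator something to count or alert on when such tokens start appearing in chat.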
Dive Insight:
Zoom and other collaboration platforms are invaluable tools during the coronavirus outbreak.
In December, Zoom averaged 10 million daily meeting participants; by March that number exceeded 200 million, according to a blog post from CEO Eric Yuan Wednesday.
"We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home," said Yuan.
The rapid adoption of Zoom put the company's security and privacy flaws under a microscope, including its claim of E2E encryption.
If the company had true E2E encryption, "even Zoom itself would be unable to view and transcribe voice and video content," Paul Bischoff, privacy advocate with Comparitech, told CIO Dive. "The only consumer [voice over internet protocol] app I know of that does this is FaceTime."
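To make the distinction drawn in the Brief and in Bischoff's remark concrete, here is an added Go example (not Zoom's code and not from the article) that models both designs with AES-256-GCM. A pre-shared key between each party and the server stands in for a TLS session key: in the transport-only relay the server must decrypt to forward, so it holds the plaintext in between; in the end-to-end relay the two participants share a key the server never receives, and the server's own key cannot open the blob. The function names, key names and sample message are the example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a fresh random 256-bit AES key (panics only if the CSPRNG fails).
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

// seal encrypts with AES-256-GCM; the random nonce is prepended to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or on any tampering with the blob.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// relayTransportOnly models hop-by-hop transport encryption: Alice shares keyAS
// with the server and Bob shares keyBS. The server decrypts Alice's hop and
// re-encrypts for Bob's hop, so it sees the plaintext (and could transcribe it).
func relayTransportOnly(keyAS, keyBS, msg []byte) (serverSaw, bobGot []byte, err error) {
	fromAlice, err := seal(keyAS, msg)
	if err != nil {
		return nil, nil, err
	}
	if serverSaw, err = open(keyAS, fromAlice); err != nil { // server-side decrypt
		return nil, nil, err
	}
	toBob, err := seal(keyBS, serverSaw) // server-side re-encrypt
	if err != nil {
		return nil, nil, err
	}
	bobGot, err = open(keyBS, toBob)
	return serverSaw, bobGot, err
}

// relayEndToEnd models E2E encryption: Alice and Bob share keyAB, which the
// server never holds. The server forwards the blob unchanged; its attempt to
// open it with a key it does have (keyServer) fails.
func relayEndToEnd(keyAB, keyServer, msg []byte) (serverCouldRead bool, bobGot []byte, err error) {
	blob, err := seal(keyAB, msg)
	if err != nil {
		return false, nil, err
	}
	_, srvErr := open(keyServer, blob)
	serverCouldRead = srvErr == nil
	bobGot, err = open(keyAB, blob) // Bob receives the blob exactly as sent
	return serverCouldRead, bobGot, err
}

func main() {
	keyAS, keyBS, keyAB := newKey(), newKey(), newKey()
	msg := []byte("constructed sample: draft earnings discussion")
	saw, got, err := relayTransportOnly(keyAS, keyBS, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("transport-only: server saw plaintext=%v, Bob got original=%v\n", bytes.Equal(saw, msg), bytes.Equal(got, msg))
	couldRead, got, err := relayEndToEnd(keyAB, keyAS, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("end-to-end: server could read=%v, Bob got original=%v\n", couldRead, bytes.Equal(got, msg))
}
```

The point the model makes is that the transport-only design protects the wire but not the operator: whoever runs the relay sees the content, and so can anyone who compels or compromises the operator. Real E2E systems still have to solve how Alice and Bob agree on keyAB without the server learning it, which is the hard part for multi-party video.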
Cisco Webex also uses TLS protocols, according to its security white paper, though the company says an E2E encryption option exists for Webex Meetings and Support. Microsoft similarly offers E2E encryption as an option for calls, but not by default. Skype for Business uses the secure real-time transport protocol (SRTP) for audio and video. Google Hangouts also does not provide E2E encryption for video chats, though it's secure.
While E2E encryption is difficult to implement in video conferencing, Zoom's privacy policies have caught the eye of law enforcement.
New York Attorney General Letitia James is looking into the video conferencing company's privacy policies, according to a letter obtained by the New York Times Monday. James highlighted Zoom's slow response to security concerns and questioned whether the company's existing security measures are "sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network," according to the letter.
The Federal Bureau of Investigation is also scrutinizing Zoom's security, largely pertaining to "Zoom-bombing," according to an announcement from the federal agency Monday. The company had already responded to Zoom-bombing, or gate-crashing, tactics by offering users tips for avoiding unsolicited mayhem.
The company released an updated privacy policy on Sunday, after privacy concerns regarding data sharing and ad targeting arose. "Zoom collects only the user data that is required to provide you Zoom services," including technical support, according to the update.
But user security controls can only go so far, especially when it comes to data protection.
Effective immediately, Zoom is launching a "feature freeze" to "focus on our biggest trust, safety, and privacy issues," said Yuan. The company is also preparing a transparency report to outline requests for data, records or content. Yuan is also beginning weekly webinars for privacy updates starting April 8.