Zoom is incredibly popular these days. This video chat and video conferencing app has caught the attention of pretty much everyone working from home and has shot up the popularity charts on the Google Play Store for Android phones as well as the Apple App Store for iPhones and iPads. Those cool virtual backgrounds of the beach, the Coronavirus and something straight out of Star Trek, to name a few, may have something to do with it. However, privacy isn’t its strongest suit. Now there is confirmation that video chats on Zoom are not end-to-end encrypted. In fact, it seems Zoom has been lying about it all this while, or at least been economical with the truth.
On its website for the Zoom video chat app, the security whitepaper and the security guide, the developers say that Zoom offers end-to-end encryption. However, the good folks over at The Intercept have probed this further and it turns out that the encryption which Zoom offers isn’t exactly that. “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection,” a Zoom spokesperson told The Intercept when pressed about the encryption standards. Let us now look at what they have been specifically saying about encryption all this while and why this difference matters.
In the security whitepaper, Zoom says, “We take security seriously and we are proud to exceed industry standards when it comes to your organization’s communications” and adds, “Secure a meeting with end-to-end encryption” as one of the bullet points establishing how your meetings are secure. In its security guide, Zoom says, “Zoom E2E chat encryption allows for a secured communication where only the intended recipient can read the secured message. Zoom uses public and private key to encrypt the chat session with Advanced Encryption Standard (AES-256). Session keys are generated with a device-unique hardware ID to avoid data being read from other devices. This ensures that the session can not be eavesdropped on or tampered with.” Betting that most people will not dig this deep, the product page which urges you to download and start using Zoom reads, “End-to-end encryption for all meetings, role-based user security, password protection, waiting rooms, and place attendee on hold” as part of the ‘Built for modern teams’ pitch.
According to the Zoom spokesperson, what Zoom actually uses is transport encryption: TLS, or Transport Layer Security, the same technology that secures HTTPS websites, for its TCP connections, and AES for the UDP media streams, with the AES key handed out over that TLS connection.
This means that the connection between the Zoom app on your phone or desktop and Zoom’s servers is protected in the same way as the connection between your browser and an HTTPS website. That is transport encryption, not end-to-end encryption. What does this mean in practice? We do not allege that they do, but in principle Zoom itself can access the contents of any video or audio session on its platform. It is possible because Zoom’s servers sit at the far end of every one of those encrypted connections: the audio and video are encrypted only between your device and Zoom’s servers, and since those servers negotiated the keys, they are able to decrypt the stream before passing it on to the other participants.
The way end-to-end encryption works is that only the participants in the meeting hold the uniquely generated key, so only they can decrypt the audio and video; the servers in between carry nothing but ciphertext. That is how WhatsApp encrypts our chats, for instance, and how Apple FaceTime encrypts video and voice calls. Anyone trying to eavesdrop, the service operator included, does not have the key and stays shut out.
“When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point. The content is not decrypted as it transfers across the Zoom cloud,” the Zoom spokesperson adds. What they mean is that in a two-person call, the link from the first person’s computer to the Zoom server and the link from the second person’s computer to the Zoom server are each encrypted. But the Zoom server is the ‘Zoom end point’ on the far side of both links: it is the party that negotiated each key, so it is in a position to decrypt what arrives on one link before re-encrypting it for the other. Whether or not Zoom ever does so, that is exactly the capability end-to-end encryption, in the sense the rest of the industry uses the term, is meant to rule out.
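To make the distinction in the preceding paragraphs concrete, here is an added, stand-alone Python model. It is not Zoom’s code or The Intercept’s; the cipher (an HMAC-SHA256 keystream with an HMAC tag) and the Diffie-Hellman group are deliberately simplified stand-ins for AES-GCM and a real key exchange, and the relay, client names and sample media frame are constructed for the illustration. A relay server terminates each client’s ‘TLS’ link; the first call encrypts media only to that server, the second adds a layer keyed by a secret that only the two participants can derive.

```python
"""Toy model of transport encryption versus end-to-end encryption through a relay.

Added illustration, not Zoom's code. Standard library only: the cipher is a stand-in for
AES-GCM (HMAC-SHA256 keystream plus HMAC tag) and the Diffie-Hellman group is a toy group
chosen to keep numbers small. Neither is fit for real use.
"""
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def aead_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

# Toy Diffie-Hellman parameters: a Mersenne prime whose group order is smooth, so this is
# demonstration-only. Real protocols use vetted groups or X25519.
P = 2 ** 127 - 1
G = 5

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared_key(priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

class RelayServer:
    """A Zoom-style relay: it is the far end of every client's TLS connection and so holds
    one transport key per client (the key 'negotiated over a TLS connection')."""

    def __init__(self):
        self.transport_keys = {}
        self.seen = []  # everything the server could read after stripping the TLS layer

    def connect(self, client: str) -> bytes:
        key = secrets.token_bytes(32)  # stands in for the TLS-negotiated session key
        self.transport_keys[client] = key
        return key

    def relay(self, src: str, dst: str, blob: bytes) -> bytes:
        inner = aead_decrypt(self.transport_keys[src], blob)
        assert inner is not None, "transport layer must verify at the relay"
        self.seen.append(inner)
        return aead_encrypt(self.transport_keys[dst], inner)

    def view_of(self, media: bytes) -> str:
        """What someone with access to the server gets for the last relayed frame."""
        seen = self.seen[-1]
        if seen == media:
            return "plaintext"
        if any(aead_decrypt(k, seen) is not None for k in self.transport_keys.values()):
            return "decryptable"
        return "ciphertext"

def transport_only_call(media: bytes):
    """The article's description of Zoom: each client encrypts only to Zoom's server."""
    server = RelayServer()
    k_alice, k_bob = server.connect("alice"), server.connect("bob")
    blob = server.relay("alice", "bob", aead_encrypt(k_alice, media))
    return aead_decrypt(k_bob, blob), server.view_of(media)

def e2e_call(media: bytes):
    """End-to-end: a key only Alice and Bob can derive, layered inside the transport encryption."""
    server = RelayServer()
    k_alice, k_bob = server.connect("alice"), server.connect("bob")
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Public values cross the relay in the clear; private values never leave each client.
    k_ab_alice, k_ab_bob = dh_shared_key(a_priv, b_pub), dh_shared_key(b_priv, a_pub)
    blob = server.relay("alice", "bob", aead_encrypt(k_alice, aead_encrypt(k_ab_alice, media)))
    inner = aead_decrypt(k_bob, blob)  # Bob strips the TLS layer...
    return aead_decrypt(k_ab_bob, inner), server.view_of(media)  # ...then the end-to-end one

if __name__ == "__main__":
    frame = b"constructed sample media frame"  # stands in for an audio/video packet
    print("transport only:", transport_only_call(frame)[1])  # plaintext
    print("end-to-end:    ", e2e_call(frame)[1])             # ciphertext
```

In both runs Bob recovers the frame, so the user experience is identical; the difference is only in `view_of`, which is what a party with access to the relay (the operator, an insider, or someone with a court order served on it) could read. Note that the end-to-end layer still rides inside the transport layer: end-to-end encryption is added on top of TLS, not instead of it.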
At this time, if you are an Apple iPhone, iPad or Mac user, we would recommend Apple FaceTime for audio and video calls with colleagues. Your other option is Signal, which encrypts all calls and messages end-to-end and is available for Android devices, Apple iPhone, Apple Mac and Microsoft Windows.