The now very popular video meeting app Zoom didn’t exactly have the best of times when the COVID pandemic showed up with overpowering strength last year. At a time when millions shifted to working from home and video meeting apps were suddenly seeing a spike in popularity, Zoom wasn’t exactly forthcoming about certain things. First, the company lied about end-to-end encryption, which wasn’t enabled for users’ conversations in the truest sense, and it also shared user data with Facebook and Google without taking anyone’s consent. Nine months later, Zoom has agreed to pay $85 million to settle claims. Put into perspective, Zoom, as per numbers shared in June this year, has clocked $956.2 million in revenue in Q1 2022. That is up 191% from the same quarter last year. Make of the numbers what you will.
What Is End To End Encryption And What Isn’t?
The settlement agreement has been filed at the US District Court for the Northern District of California. For a long time, Zoom claimed, including on the app interface, that Zoom calls were using an end-to-end encrypted connection. That was not true. It later turned out that only connections with the Zoom servers were encrypted whereas the calls were not, leaving them vulnerable to snooping. Some of Zoom’s servers are located in China, and these servers maintained the cryptographic keys that would allow Zoom to access the content of users’ Zoom meetings. End-to-end encryption in the truest sense would have meant that only the users on the call would have had the keys to decrypt the contents of the calls and meetings. That is how Apple FaceTime and WhatsApp calls work, for example.
Is It An Apology? Or Is It?
Zoom has promised to be better in the future, and says that it will continue to improve the security of the Zoom app. “The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us. We are proud of the advancements we have made to our platform, and look forward to continuing to innovate with privacy and security at the forefront,” says the company in a statement shared with the media. That may not exactly mean much to users who had their meetings and calls Zoombombed (yes, the phenomenon was dubbed “Zoombombing” by the learned folks on social media) by hackers, making a mockery of privacy.
Corrective Measures For Sure:
The first step towards solving a problem is accepting it exists. To be fair, Zoom had started working on genuine end-to-end encryption soon after, and in October last year, they rolled out true end-to-end encryption for all calls and meetings on the platform. They are using the 256-bit AES-GCM end-to-end encryption standard.
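The difference between a server-held meeting key and a key only the participants hold, both using the 256-bit AES-GCM cipher named above, can be shown in a short added example (illustrative code, not Zoom's implementation). The function names, the X25519 key agreement, the HKDF label and the sample message are assumptions chosen for the demonstration.

```javascript
// Added example (not Zoom's code): server-held key vs. end-to-end key, both AES-256-GCM.
const { generateKeyPairSync, diffieHellman, hkdfSync, randomBytes,
        createCipheriv, createDecipheriv } = require('node:crypto');

// Encrypt with AES-256-GCM; returns the nonce, ciphertext and authentication tag.
function seal(key, plaintext) {
  const iv = randomBytes(12); // fresh 96-bit nonce per message
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt and verify the tag; returns null when the key does not authenticate the message.
function tryOpen(key, { iv, ct, tag }) {
  try {
    const decipher = createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Model 1: the provider's server generates and keeps the meeting key,
// so the relayed call content is readable on the server.
function serverKeyedMeeting(text) {
  const serverKey = randomBytes(32);
  const msg = seal(serverKey, text);
  return { serverCanRead: tryOpen(serverKey, msg) };
}

// Model 2: the two endpoints derive the key themselves (X25519 + HKDF, an assumed
// construction). The server relays only public keys and ciphertext.
function endToEndMeeting(text) {
  const alice = generateKeyPairSync('x25519');
  const bob = generateKeyPairSync('x25519');
  const derive = (privateKey, publicKey) => Buffer.from(hkdfSync('sha256',
    diffieHellman({ privateKey, publicKey }), Buffer.alloc(0), 'demo-meeting-key', 32));
  const aliceKey = derive(alice.privateKey, bob.publicKey);
  const bobKey = derive(bob.privateKey, alice.publicKey);
  const msg = seal(aliceKey, text);
  const serverKey = randomBytes(32); // the server holds no private key; any key it has fails
  return { bobReads: tryOpen(bobKey, msg), serverCanRead: tryOpen(serverKey, msg) };
}

const SAMPLE = 'constructed sample: quarterly numbers';
console.log(serverKeyedMeeting(SAMPLE), endToEndMeeting(SAMPLE));
```

The key agreement in this sketch is unauthenticated, so a relaying server could still substitute its own public keys; real end-to-end designs also let participants verify each other's keys.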
Where There Is A Sniff Of Data, There Is Facebook:
While the end-to-end encryption lie and the lawsuit that followed were a reality, there were also concerns about Zoom sharing user data with Facebook. Zoom claimed all this while that this was because the app gave users the option of logging in via Facebook, using the Facebook Software Development Kit. That SDK was later removed, though the option of using Facebook to sign in, using the web browser, remained. Zoom has always maintained that they never sold any user’s data. The data that was shared with Facebook included the user’s account information, what device they were using and that device’s unique advertising identifier.