With the COVID-19 Pandemic (remember the COVID-19 Pandemic?) workers were forced to find other means of communicating — including Zoom meetings. While there were a spate of high-profile security issues with respect to Zoom, including open and shared meetings, Zoombombing, sharing data with Facebook, and deliberately routing communications through China and the like, the principal problem with Zoom, like many communications media, is that it gives you the illusion of security.
So is Zoom secure? Hard to say.
If you look at Zoom’s Terms of Service — essentially its contract — it says “Zoom will maintain reasonable physical and technical safeguards to prevent unauthorized disclosure of or access to Content, in accordance with industry standards.”
That doesn’t mean a lot. It’s not much of an enforceable promise.
In the wake of controversy over whether or not Zoom offered “point to point” or “end to end” encryption, Zoom issued a statement on its website noting that “Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.” Zoom went on to note that, if all participants in a Zoom call were using the native Zoom application, the contents are encrypted from end to end and “no user content is available to Zoom’s servers or employees at any point during the transmission process.” Only if there was a translation from a non-native Zoom app to Zoom using what they called “Zoom Connectors” was there a possibility that Zoom would have a key, and even then, “Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”
OK.. so native Zoom meetings are encrypted end to end, Zoom has no key, and can’t decrypt. For Zoom Connectors, Zoom may have a key but cannot decrypt the meeting even for lawful interception purposes. So, secure, right?
Maybe not.
A recent report by Bloomberg News, quoting Zoom’s CEO Eric Yuan’s most recent earnings call indicating that, with Zoom’s acquisition of encryption platform Keybase Zoom will have the ability to provide more secure messaging and noting that “[c]orporate clients will get access to Zoom’s end-to-end encryption service now being developed, but Yuan said free users won’t enjoy that level of privacy, which makes it impossible for third parties to decipher communications.” The Bloomberg report went on to note that Yuan stated, “Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,”
What gives? Is Zoom currently encrypted end to end, with no ability by Zoom to give law enforcement the keys as they have stated, or is this only the case for corporate clients who pay? Does Zoom share encryption keys with the cops (and does it have such keys to share) or does it not? Does it use “end to end” encryption, or not? Yuan seems to suggest that, for the average Zoom user, security is a myth. Maybe we should have a conference call about that.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.