More Zoom Privacy Concerns: Report Suggests Lax Data Encryption 

Zoom’s video chat platform doesn’t offer end-to-end encryption, which allows the company easy access to user data.

The Quint
Your Zoom video call may not be as private as you think.
(Photo: The Quint/Aroop Mishra)


Business is booming for Zoom, the video conferencing app. Only recently we learned that it is one of the most downloaded video chat apps around the world, since the global lockdown due to coronavirus has forced a lot of people to take their official meetings and interactions online.

It turns out there are a lot of complications with the video chat app: according to a report by The Intercept, the Zoom app doesn’t offer end-to-end encryption (E2EE), which allows Zoom access to the video and audio of the users on its platform.

Apparently, Zoom is using its own definition of end-to-end encryption and misrepresenting its privacy policies.

What Is Zoom’s Version of E2EE?

A section of Zoom’s privacy policy, which was last updated on 18 March, says that it “does use certain standard advertising tools which require Personal Data.”

In-meeting security features of the Zoom app. Photo: The Quint

This means that Zoom is in the advertising business and runs operations by harvesting users' personal data to sell ads. The bigger problem is that this fact has been kept shrouded from Zoom’s user base.

According to Zoom’s policies, as long as you are using the app’s video and audio platform, your conversations are E2EE. When you connect to another user on a video chat, you even get to see a green padlock and a notification in the top-left corner that reads “Zoom is using an end-to-end encrypted connection.”

The top-left corner shows the encryption notification. Photo: The Quint

However, the report by The Intercept suggests that Zoom uses a technology called transport encryption, which is not end-to-end encryption.

Reporters at The Intercept reached out to Zoom for a comment on their encryption technology.

“Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”
Zoom spokesperson to The Intercept (https://theintercept.com/2020/03/31/zoom-meeting-encryption/)

Okay, the above language is a bit complicated to understand so let me simplify it for you.

The Zoom video app uses TLS (Transport Layer Security) to secure its meetings, which is the same type of security used to protect HTTPS websites. This is not the same as E2EE.

With TLS, the connection between the Zoom user and the Zoom server is secured so that a third party cannot spy on the two. However, the Zoom server has access to the users’ data and can access the unencrypted video or audio from meetings.

If a Zoom meeting were end-to-end encrypted, the audio and the video would be secured in such a way that only the participants could decrypt the data. The Zoom server might have access to the encrypted data but wouldn’t have the key to decrypt it, which makes sure it cannot extract any data from the meetings.
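The two models side by side, as an added illustration that is not code from The Quint, The Intercept or Zoom. An X25519 key agreement stands in for "a key negotiated over a TLS connection", and all function and variable names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Derive an AES-256 key from an X25519 exchange (simplified KDF: SHA-256 of the shared secret).
function sharedKey(myPrivate, theirPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return crypto.createHash('sha256').update(secret).digest();
}

function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

function open(key, { iv, body, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(body), d.final()]).toString('utf8');
}

const newParty = () => crypto.generateKeyPairSync('x25519');

// Transport encryption: each client shares a key with the SERVER,
// which decrypts every frame before re-encrypting it for the next hop.
function transportModel(frame) {
  const alice = newParty(), bob = newParty(), server = newParty();
  const aliceToServer = seal(sharedKey(alice.privateKey, server.publicKey), frame);
  const seenByServer = open(sharedKey(server.privateKey, alice.publicKey), aliceToServer);
  const serverToBob = seal(sharedKey(server.privateKey, bob.publicKey), seenByServer);
  const seenByBob = open(sharedKey(bob.privateKey, server.publicKey), serverToBob);
  return { seenByServer, seenByBob };
}

// End-to-end encryption: clients share a key with EACH OTHER;
// the server relays ciphertext and its own key cannot open it.
function endToEndModel(frame) {
  const alice = newParty(), bob = newParty(), server = newParty();
  const relayed = seal(sharedKey(alice.privateKey, bob.publicKey), frame);
  let seenByServer = null;
  try {
    seenByServer = open(sharedKey(server.privateKey, alice.publicKey), relayed);
  } catch (err) {
    seenByServer = null; // GCM authentication fails: the server holds no usable key
  }
  const seenByBob = open(sharedKey(bob.privateKey, alice.publicKey), relayed);
  return { seenByServer, seenByBob };
}
```

The end-to-end result only holds if participants verify each other's public keys out of band; a relay that hands out the keys unverified could substitute its own and fall back to the first model.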

What All Is Really Encrypted

It turns out that there is actual E2EE in Zoom’s text messaging service. The company spokesperson confirmed the same in the report.

It’s not that E2EE is not possible with video chat apps. Apple’s FaceTime uses E2EE for all of its video group meetings. Even text messaging apps like Telegram, WhatsApp and Signal use E2EE in their text messaging platforms.

Without transparency in its services, Zoom is obliged to present a transparency report of meetings with governments or law enforcement in response to legal requests, as they might ask for users’ data.

Companies like Google, Facebook and Microsoft follow this protocol.

Privacy is Paramount

Many apps and services function on the user’s data and need it to sell advertisements for revenue. This is undertaken with the user’s consent but there are times when the user is unaware that their data is being used. The Zoom app’s predicament is one of those cases.

Recently, a bug was found in the iOS version of the Zoom app which was sending data to Facebook. The issue was resolved later only after it was brought into the limelight.

According to a Vice story, a user has filed a class-action lawsuit against Zoom for sending data to Facebook. The app has also been found leaking email addresses and photos of users to strangers on the platform.

Choose The Lesser Evil

Video chat apps have been a blessing in these testing times. They have helped the world stay connected and also helped by keeping the digital infrastructure and businesses functioning online. But, at what cost?

Zoom needs to clean up its act and be more transparent about its privacy policies and the purposes for which it accesses users’ data. Since it offers a particular feature set that other group chat apps are not able to provide, there aren’t many other options to choose from.

Google Duo recently updated its platform to support 12 users at a time while Skype offers group connectivity on a video call for up to 50 members.

I am not saying that these video chat apps are 100 percent secure but if you have to choose a lesser evil you should have options. Right?
