Zoom Meetings Might Not Be As Encrypted As You Think, Here’s Why

As its popularity continues to grow, Zoom is beginning to draw questions about how well its new users’ conversations will be encrypted. Online vigilance is important, so it’s always smart to take a closer look at the details when a platform sees a sudden burst of attention. In this case, the skepticism may be proven accurate.

Encryption takes many complicated-sounding forms, but the core definition is easy to understand. It’s the process of using code to make a message indecipherable to users without proper authorization. Encryption is also automated on both ends: the contents of the message are encrypted through an algorithm, and the keys given to authorized parties to access said content are also automatically created. Obviously, the keys aren’t given to us as people (that would mean thousands of lengthy, alphanumeric sequences for every online exchange) but are instead sent to our connected devices. Encryption exists in virtually all forms of digital communication, ensuring our emails, text messages, and everything else are kept private between the sender and the receiver… ideally.

When a user accesses a web page, most websites use TLS encryption to keep any information shared between that site’s server and that user’s web browser private. The site and the user have equal access to the data being exchanged, and this process is called transport encryption. A messaging app, by contrast, would ideally use some form of end-to-end (E2E) encryption, meaning only the sender and receiver can see the contents of a conversation; the site’s server doesn’t have a key either. Zoom, which handles sensitive, private conversations between an increasing number of people who suddenly find themselves working from home, says it uses end-to-end encryption. A report from The Intercept suggests that is not entirely true.

How Zoom Handles Encryption

With E2E encryption, the service itself should be able to access conversations between users for transport reasons, but should not be able to decipher them. Think of it like the postal service carrying sealed packages. According to a Zoom spokesperson, however, the “ends” in their end-to-end are on their servers, not on the users’ machines. That means Zoom is capable of seeing and interpreting the content of video meetings. Text chat during a meeting can be properly E2E encrypted, but video chat is not.

A lack of E2E encryption isn’t an immediate threat by itself, but it can be a problem when combined with other factors. Zoom server operators spying on conversations for some nefarious purpose is unlikely, but because Zoom has access to chats, it could leak that information unintentionally, in an entirely decipherable form. It also means Zoom could be forced by government agencies or law enforcement to provide entire conversations. The article explains that other platforms like Facebook and Google publish transparency reports to reveal any requests made, by governments or other organizations, for access to user data. As of this writing, Zoom does not.

In its defense, Zoom is on the record saying it doesn’t publish or sell any user data. Its lack of true E2E encryption seems to simply be a result of part of the chat feature set, which makes it easier on the back end to offer users more bells and whistles. Currently, Zoom doesn’t stand to benefit in any way from accessing user chat data. Furthermore, larger meetings can use Zoom’s Meeting Connector feature to host meetings on an internal network, which further encrypts the message and protects it from leaks (from Zoom’s side). However, the company’s blatant dishonesty – saying it uses E2E encryption but using its own definition of that – is troublesome, especially now that so many businesses depend on Zoom.