When you’re on a Zoom video conference call, your data isn’t end-to-end (e2e) encrypted. While Zoom does encrypt the calls, it does so using the same technology as your browser, and the company can decrypt your call at will. Zoom previously promised to move to e2e encryption, but now the company says it will only do so for paying users.
The difference between e2e encryption and Zoom’s current encryption is pretty stark. With e2e encryption, the company facilitating the call doesn’t have access to your data. Instead, that protection runs from user to user. But Zoom’s use of TLS encryption is similar to what you get with a protected site like Gmail or Twitter, and the company has full access to your data.
When The Intercept first pointed this out, the news spread like wildfire, and Zoom quickly promised to shift to e2e encryption. But now, on an earnings call, Zoom’s CEO, Eric Yuan, told analysts that only paid users would enjoy that protection. As reported by Bloomberg technology reporter Nico Grant in a tweet, the CEO stated:
Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose.
The implication is that bad actors could use Zoom for terrible or illegal purposes, and by withholding e2e encryption from free users, Zoom can partner with the FBI to track them down. However, Yuan didn’t address the fact that nothing stops those bad actors from merely paying for the service and gaining access to e2e encryption.
Alex Stamos, a security consultant for Zoom, tried to clarify the company’s position in a Twitter thread, along with a defense of the company’s use of AES encryption for free users.
All users (free and paid) have their meeting content encrypted using a per-meeting AES256 key. Content is encrypted by the sending client and decrypted by receiving clients or by Zoom's connector servers to bridge into the PSTN network and other services.
— Alex Stamos (@alexstamos) June 3, 2020
But it didn’t take long for security researchers to come out in force against Stamos’s reasoning, and understandably so, since Stamos didn’t address several concerns with Zoom’s choice.
Stamos is replying to people calling out Zoom's lack of e2e encryption for free tier by calling their takes "misleading", insisting that AES encryption, which can be bypassed by Zoom Inc. at will, qualifies as real encryption. Which, of course, is what's truly misleading here. pic.twitter.com/WH67gKwAit
— Nadim Kobeissi (@kaepora) June 3, 2020
In comparison, Facebook protects its Messenger program with e2e encryption yet still incorporates a built-in abuse report mechanism. Given that fact, it seems Zoom could do more to protect its free users while also preventing its video chat software from being used for malicious means.
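The two trust models discussed above (a per-meeting key that the service’s servers also hold, which lets them bridge into the PSTN, versus a key that only the participants hold) as an added Python simulation; this is not code from Zoom or from this article. The HMAC-based cipher is a constructed stand-in for AES-256 because the standard library has no AES, and the PSTN bridge key and the out-of-band key agreement between clients are assumptions.

```python
import hmac
import hashlib
import secrets

# Toy authenticated stream cipher built from HMAC-SHA256 (constructed stand-in for
# AES-256; the lesson here is about key custody, not the cipher itself).
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, i = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unseal(key: bytes, frame: bytes):
    nonce, ct, tag = frame[:12], frame[12:-16], frame[-16:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        return None  # wrong key or tampered frame: nothing is revealed
    return bytes(c ^ k for c, k in zip(ct, _stream(key, nonce, len(ct))))

class Relay:
    """Meeting server between clients. Holds the meeting key only in the
    server-held model; in the e2e model it forwards opaque frames only."""
    def __init__(self, meeting_key=None):
        self.meeting_key = meeting_key
        self.pstn_key = secrets.token_bytes(32)  # assumed key for the phone bridge

    def bridge_to_pstn(self, frame: bytes):
        # Re-encrypting for the PSTN leg needs the plaintext, hence the meeting key.
        if self.meeting_key is None:
            return None
        pt = unseal(self.meeting_key, frame)
        return None if pt is None else seal(self.pstn_key, pt)

def simulate(model: str) -> dict:
    key = secrets.token_bytes(32)  # per-meeting key; in e2e, agreed client-to-client (assumed)
    relay = Relay(key if model == "server-held" else None)
    frame = seal(key, b"board meeting audio")  # sending client encrypts
    bridged = relay.bridge_to_pstn(frame)       # what the server can do with it
    return {
        "receiver_reads": unseal(key, frame) == b"board meeting audio",
        "server_can_read": relay.meeting_key is not None and unseal(relay.meeting_key, frame) is not None,
        "pstn_bridge_works": bridged is not None and unseal(relay.pstn_key, bridged) == b"board meeting audio",
    }
```

Running `simulate("server-held")` and `simulate("e2e")` shows the trade-off directly: the server-held key enables the bridge but also lets the server read every frame, while the e2e key leaves the server with ciphertext it can neither read nor bridge.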