Web Conferencing and End-to-End Encryption
The web conferencing service known as Zoom skyrocketed in popularity during the COVID-19 pandemic. Chances are you were one of the millions who used Zoom for teleworking as a result of the global lockdown. However, along with the rise in usage, Zoom has also experienced a rise in controversy. Last week, Peter Blumberg of Bloomberg reported that Zoom was sued over privacy and security issues in its software. Joseph Cox of Vice reported that the iOS version of Zoom shared user analytics data with Facebook so that users could be targeted with advertisements, even if users didn’t have Facebook accounts. Furthermore, there is the issue of “Zoombombs,” which David Nield of Wired describes as interruptions to private meetings accomplished by guessing or finding nine-digit codes. However, the most significant controversy is Zoom’s misuse of the term “end-to-end encryption.” According to Micah Lee and Yael Grauer of The Intercept, what Zoom called “end-to-end encryption” differed from real end-to-end encryption, which is used to ensure the privacy of conversations.
End-to-end encryption is encryption in which only the recipient (the second “end”) of a message has the means to decrypt an encrypted message created by the sender (the first “end”). End-to-end encryption relies on public key encryption, which was explored in a previous blog post. According to Micah Lee and Yael Grauer, Zoom advertised that its web conferencing product used “end-to-end encryption” to protect video communications, but the company could actually decrypt the video and audio data sent between meeting participants. The ability of any party other than the meeting participants to watch or listen to a private meeting undermines the goal of end-to-end encryption. Even if Zoom didn’t actively spy on private meetings, the confidentiality of video data couldn’t be guaranteed. If bad actors obtained Zoom’s means of decrypting video conferences, they could learn secrets from businesses forced to telework during the pandemic.
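The distinction above comes down to who holds a working decryption key, which this added example (not code from Zoom or from the cited reporting) shows by running the same message through a provider-issued key and through a key the two participants agree on themselves. The function names, the toy Diffie-Hellman parameters and the hash-based cipher are assumptions made for illustration and are not suitable for real use. The provider is assumed to relay honestly: a real end-to-end design must also authenticate the public keys so the relay cannot substitute its own.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman parameters, assumed for illustration; not for real use.
P, G = 2**255 - 19, 2

def _stream(key, nonce, data):
    """XOR data with a SHA-256 counter keystream (toy cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt then authenticate: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = _stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None if the key is wrong or data was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return _stream(key, nonce, ct) if hmac.compare_digest(tag, good) else None

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def provider_held_key(message):
    """The provider issues the meeting key, so it keeps a working copy."""
    meeting_key = secrets.token_bytes(32)
    relayed = seal(meeting_key, message)
    return {"recipient": unseal(meeting_key, relayed),
            "provider": unseal(meeting_key, relayed)}

def end_to_end(message):
    """The provider relays public values and ciphertext, never a private key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    relayed = seal(shared_key(a_priv, b_pub), message)
    # All the provider saw: a_pub, b_pub, relayed. A key built from those fails.
    seen = hashlib.sha256(a_pub.to_bytes(32, "big") + b_pub.to_bytes(32, "big")).digest()
    return {"recipient": unseal(shared_key(b_priv, a_pub), relayed),
            "provider": unseal(seen, relayed)}
```

In the first model the provider recovers the plaintext exactly as the recipient does; in the second it holds only public values and ciphertext, so its attempt to open the message returns nothing.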
Fortunately, there are methods of mitigating threats to privacy when using services like Zoom. Micah Lee and Yael Grauer note that Zoom’s in-meeting chat, as opposed to video and audio content, seems to use real end-to-end encryption; thus, it may be better to type some information rather than to say it. Recently, Zoom has introduced various security-related updates. Deepthi Jayarajan of Zoom announced that passwords and waiting rooms are now enabled by default for some accounts; David Nield listed these two options as means of protecting private meetings from “Zoombombs.” Additionally, there are various alternatives to Zoom that one could choose from, such as Cisco Webex, Microsoft Teams, Google Hangouts, and Slack. Software vendors should be honest about how consumer data is used and protected, while consumers should investigate the security and privacy of software they may use for teleworking; this way, they could push for security-related changes or search for alternatives.