The COVID-19 pandemic has led to a rise in the usage of video calling apps. Zoom has been the most popular choice among consumers and enterprises alike, but as the service grows more popular, it is coming under closer scrutiny, and that scrutiny is revealing some startling things. A new report claims that, contrary to what Zoom says, it is not using end-to-end encryption for video and audio calls.
In an end-to-end encrypted call, only the parties at both ends are able to view the feed. However, Zoom itself is able to access unencrypted video and audio from meetings. This is because, despite claiming that it is using end-to-end encryption, Zoom is using transport encryption. Below is how The Intercept explains transport encryption:
The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and this article is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company.
What this means is that Zoom can access the video feed of your meetings. The company did confirm that it does not “directly access, mine, or sell user data.”
Zoom offers an option where a meeting can only be hosted with mandatory encryption for third-party endpoints. However, when contacted, the company clarified that it is currently not possible to hold E2E video meetings using Zoom.
“Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”
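The difference between the two models described above can be seen in a small simulation. This is an added example, not code from Zoom or The Intercept: the names `RelayServer`, `alice` and `bob` are hypothetical, the frame is constructed sample data, the HMAC-based cipher is a toy stand-in for TLS and AES, and keys are generated directly instead of being negotiated.

```python
import hashlib
import hmac
import secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC stand-in for TLS/AES (assumption; illustration only)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

class RelayServer:
    """Hypothetical meeting server: holds every transport key, logs what it can read."""
    def __init__(self, leg_keys: dict):
        self.leg_keys = leg_keys  # one transport key per client, known to the server
        self.seen = []

    def forward(self, sender: str, receiver: str, blob: bytes) -> bytes:
        payload = unseal(self.leg_keys[sender], blob)  # transport encryption ends here
        self.seen.append(payload)
        return seal(self.leg_keys[receiver], payload)  # re-encrypted for the next leg

def run_call(frame: bytes, end_to_end: bool):
    """Send one frame alice -> server -> bob; return (what the server saw, what bob got)."""
    legs = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    server = RelayServer(legs)
    e2e_key = secrets.token_bytes(32)  # assumed known to alice and bob only
    payload = seal(e2e_key, frame) if end_to_end else frame
    wire = server.forward("alice", "bob", seal(legs["alice"], payload))
    delivered = unseal(legs["bob"], wire)
    received = unseal(e2e_key, delivered) if end_to_end else delivered
    return server.seen[0], received
```

With `end_to_end=False` the server's log holds the frame itself; with `end_to_end=True` both transport legs still work, but the server only ever holds ciphertext it has no key for.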
The only aspect of Zoom that is end-to-end encrypted is in-meeting text chat. This revelation is obviously going to raise a lot of eyebrows. Many enterprises are relying on the service for holding video meetings, and the lack of proper end-to-end encryption is definitely going to be a cause for concern for them. This is not the first time that Zoom has been found flouting user privacy. Just last week, it was discovered that Zoom’s mobile app was sending data to Facebook even if a user did not have a Facebook account.
[Via The Intercept]