Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.

With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention to the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.

Still, Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption, explained further below.



When mousing over the green lock in the top left of the Zoom desktop app, it says, “Zoom is using an end to end encrypted connection” Screenshot: The Intercept

In Zoom’s white paper, there is a list of “pre-meeting security capabilities” that are available to the meeting host that starts with “Enable an end-to-end (E2E) encrypted meeting.” Later in the white paper, it lists “Secure a meeting with E2E encryption” as an “in-meeting security capability” that’s available to meeting hosts. When a host starts a meeting with the “Require Encryption for 3rd Party Endpoints” setting enabled, participants see a green padlock that says, “Zoom is using an end to end encrypted connection” when they mouse over it.

But when reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and this article (on https://theintercept.com) is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company. (In a statement, Zoom said it does not directly access, mine, or sell user data; more below.)

For a Zoom meeting to be end-to-end encrypted, the video and audio content would need to be encrypted in such a way that only the participants in the meeting have the ability to decrypt it. The Zoom service itself might have access to encrypted meeting content, but wouldn’t have the encryption keys required to decrypt it (only meeting participants would have these keys) and therefore, would not have the technical ability to listen in on your private meetings. This is how end-to-end encryption in messaging apps like Signal works: The Signal service facilitates sending encrypted messages between users, but doesn’t have the encryption keys required to decrypt those messages and therefore, can’t access their unencrypted content.

“When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” the Zoom spokesperson wrote, apparently referring to Zoom servers as “end points” even though they sit between Zoom clients. “The content is not decrypted as it transfers across the Zoom cloud” through the networking between these machines.

Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, points out that group video conferencing is difficult to encrypt end to end. That’s because the service provider needs to detect who is talking to act like a switchboard, which allows it to send a high-resolution video stream only from the person who is talking at the moment, or from whomever a user selects, to the rest of the group, and to send low-resolution video streams of other participants. This type of optimization is much easier if the service provider can see everything because it’s unencrypted.
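An added example, not part of the original article and not Zoom's code: a constructed Node.js relay that contrasts the two models described above. With transport encryption alone, the relay holds each hop's key and recovers the frame; when participants add a key only they hold, the relay recovers ciphertext. The `Relay` class, packet layout and participant names are assumptions of this sketch.

```javascript
const crypto = require('node:crypto');
// AES-256-GCM; the packet layout iv | tag | ciphertext is an assumption of this sketch.
function seal(key, data) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(data), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function open(key, packet) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, packet.subarray(0, 12));
  d.setAuthTag(packet.subarray(12, 28));
  return Buffer.concat([d.update(packet.subarray(28)), d.final()]);
}

// Hypothetical relay that shares one transport key with each connected client.
class Relay {
  constructor() { this.hopKeys = new Map(); this.seen = []; }
  connect(name) { // stands in for the TLS handshake between client and server
    const key = crypto.randomBytes(32);
    this.hopKeys.set(name, key);
    return key;
  }
  forward(from, to, packet) {
    const payload = open(this.hopKeys.get(from), packet); // sender's hop layer removed
    this.seen.push(payload); // everything in here is readable by the operator
    return seal(this.hopKeys.get(to), payload); // re-protected for the receiver's hop
  }
}
const relayRead = (relay, frame) => relay.seen.some((p) => p.includes(frame));

function transportOnly(frame) {
  const relay = new Relay();
  const a = relay.connect('alice'), b = relay.connect('bob');
  const out = open(b, relay.forward('alice', 'bob', seal(a, frame)));
  return { delivered: out.toString(), relayReadsFrame: relayRead(relay, frame) };
}

function endToEnd(frame) {
  const relay = new Relay();
  const a = relay.connect('alice'), b = relay.connect('bob');
  // Media key agreed between participants (X25519 + HKDF); the relay carries only public
  // keys, which each side must verify out of band or the relay could swap them.
  const alice = crypto.generateKeyPairSync('x25519'), bob = crypto.generateKeyPairSync('x25519');
  const mediaKey = (priv, pub) => Buffer.from(crypto.hkdfSync('sha256',
    crypto.diffieHellman({ privateKey: priv, publicKey: pub }), 'constructed-salt', 'media', 32));
  const inner = seal(mediaKey(alice.privateKey, bob.publicKey), frame);
  const arrived = open(b, relay.forward('alice', 'bob', seal(a, inner)));
  const out = open(mediaKey(bob.privateKey, alice.publicKey), arrived);
  return { delivered: out.toString(), relayReadsFrame: relayRead(relay, frame) };
}
```

Both functions deliver the same frame to the receiver; only `relayReadsFrame` differs, which is the property the green padlock cannot show a user.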




“If it’s all end-to-end encrypted, you need to add some extra mechanisms to make sure you can do that kind of ‘who’s talking’ switch, and you can do it in a way that doesn’t leak a lot of information. You have to push that logic out to the endpoints,” he told The Intercept. This isn’t impossible, though, Green said, as demonstrated by Apple’s FaceTime, which allows group video conferencing that’s end-to-end encrypted. “It’s doable. It’s just not easy.”

“They’re a little bit fuzzy about what’s end-to-end encrypted,” Green said of Zoom. “I think they’re doing this in a slightly dishonest way. It would be nice if they just came clean.”

The only feature of Zoom that does appear to be end-to-end encrypted is in-meeting text chat. “Zoom E2E chat encryption allows for a secured communication where only the intended recipient can read the secured message,” the white paper states. “Zoom uses public and private key to encrypt the chat session with Advanced Encryption Standard (AES-256). Session keys are generated with a device-unique hardware ID to avoid data being read from other devices.” A Zoom spokesperson wrote, “When end-to-end encryption for chat is enabled, the keys are stored on the local devices and Zoom does not have access to the keys to decrypt the data.”


Without end-to-end encryption, Zoom has the technical ability to spy on private video meetings and could be compelled to hand over recordings of meetings to governments or law enforcement in response to legal requests. While other companies like Google, Facebook, and Microsoft publish transparency reports that describe exactly how many government requests for user data they receive from which countries and how many of those they comply with, Zoom does not publish a transparency report. On March 18, human rights group Access Now published an open letter calling on Zoom to release a transparency report to help users understand what the company is doing to protect their data.

“Transparency reports are one of the strongest ways for companies to disclose threats to user privacy and free expression. They help us understand surveillance laws in different jurisdictions, provide useful information on network shutdowns and disruptions, and they show us which companies are pushing back against improper requests for user information,” said Isedua Oribhabor, U.S. policy analyst at Access Now.

Access Now’s Transparency Reporting Index shows a downward trend in consistent transparency reporting, which Oribhabor said removes an essential tool for users and civil society to hold governments and companies accountable.

Oribhabor pointed out that Zoom could be compelled to hand over data to governments that want to monitor online assembly or control the spread of information as activists move protests online. The lack of a transparency report makes it difficult to determine whether there’s been an increase in requests and unclear how Zoom would respond. “Companies have a responsibility to be transparent about these kinds of requests, to help users and civil society see where government abuse is occurring and how the company is pushing back,” Oribhabor said.

“Zoom complies with our legal obligations or the legal obligations of our customers. This includes responding to valid legal process, or as reasonably necessary to preserve Zoom’s legal rights. Zoom is legally required to work with law enforcement when there is a violation of Zoom’s Online Terms of Service,” a Zoom spokesperson said in an email.
