The video conferencing app has boomed in popularity recently, as people switch to working from home. But a new investigation from The Intercept has revealed that the app isn’t running watertight end-to-end encryption, at least as the term is commonly understood.
Instead, it looks like Zoom relies on Transport Layer Security (TLS) for encryption, which is actually the bog standard encryption used by most websites. This means that there is a secure encryption, but it’s running between your app and the Zoom servers.
Put simply, it means that Zoom has the ability access both the video and audio in your meeting.
Related: The best ways to video chat
End-to-end encryption is commonly understood to mean that encrypted messages can only be decrypted by the people at the end points of a connection. In relation to video conference software, people may well think these end points are represented by the meeting participants.
But Zoom has admitted that this isn’t what the company means when it mentions end-to-end encryption, and has instead come up with a new definition that identifies itself as an end point.
Speaking with The Intercept, a spokesperson said: “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point.”
Zoom also went on to say that it doesn’t access any video or audio content, but only collects data that is necessary for service provision.
In addition, the company said it “has layered safeguards in place to protect our users’ privacy, which includes preventing anyone, including Zoom employees, from directly accessing any data that users share during meetings.”
While this might appease some, others might not be too happy. As Zoom technically has access to that video and audio content, the company could be forced to hand over meeting data if this is requested by authorities – and Zoom’s definition of end-to-end encryption still feels like a shady manoeuvre.
The news comes just after the company sheepishly apologised for accidentally sending user data to Facebook, and amidst reports that Zoom users have experienced other people crashing their meetings.
Related: How to delete a Zoom account
In other Zoom-related security stories, it appears that despite the Ministry of Defence banning the use of Zoom, the Prime Minister is still holding virtual meetings on the software – and accidentally publishing the meeting ID in the top left corner to boot.
This morning I chaired the first ever digital Cabinet.
Our message to the public is: stay at home, protect the NHS, save lives. #StayHomeSaveLives pic.twitter.com/pgeRc3FHIp
— Boris Johnson #StayHomeSaveLives (@BorisJohnson) March 31, 2020
We’ve reached out to Zoom for comment on the latest security concerns and will update this story with the response.
Editorial independence
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
Professional conduct
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.
Editorial independence
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
Professional conduct
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.
