Yeah. The problem here is that Zoom lied about it.
And, like, why? Sure, if no one ever caught them, e2e could be a reason to choose Zoom—but it's like lying on a resumé. Which, I guess is also a thing that happens sometimes, but it's generally understood to be a bad idea.
Zoom isn't learning from mistakes and making improvements that the market demands. It's providing a feature it said it already had.
Zoom knew E2EE was something the market demanded, so it lied about having E2EE. This was a blatant lie to get more people to use its platform. Then Zoom got caught. Now it's actually trying to provide what it said it provided in the first place.
1) false claims are indeed problematic because they erode trust in Zoom
2) having no E2E is more dangerous in Zoom than with other software
For example, there is no E2E in Teams, but we have it running on servers in the same country with no direct US/CN connection.
Or even better: run it on your own servers in a DMZ. Then, E2E is not so crucial any more.
Apparently it's okay for Zoom to shunt this responsibility for its paid users? Even if I were to accept your premise that omitting E2EE is a legitimate trade-off to detect abuse, Zoom's choice to selectively apply this standard for its free users suggests that this is NOT why Zoom chose to do this.
Zoom is a closed-source application. Even if it implements perfect E2EE, you still need to trust the Zoom client itself. I don't see any reason why someone would trust the closed-source Zoom client, which means that E2EE basically means we're back to square one.
This wasn't the only problem with Zoom, and it was an egregious problem. Zoom has lost all presumption of good faith, and in fact earned the presumption of bad faith as far as I'm concerned.
You forgot "5. Zoom gets praised for developing features in response to criticism that already existed in other products that work better."
Jokes aside, with Zoom's track record, it's not worth using anymore regardless of what features they implement. Not having E2E encryption is nowhere near as much of a red flag as lying about it is to me.
There was a big controversy around Zoom calling it E2E with their server being one of the ends. Not sure what their new narrative is but I do not trust Zoom to do the right thing regardless.
Now, I don't think Zoom should have been advertising E2EE when it isn't.
But I think some people are still missing the general point that E2EE is fundamentally incompatible with general-purpose business/educational videoconferencing.
It works for Facetime which is designed for small groups exclusively using a Facetime app.
But the second you allow phone dial-in (virtually always a hard requirement), the second you allow cloud recording (which the article acknowledges), E2EE becomes meaningless, because the server itself necessarily becomes another endpoint.
For >99.9% of people this is fine.
For the <0.1% who might be the hand-selected targets of government spying, industrial espionage, or crime enforcement, then no, you shouldn't be using Zoom. But if that's a top priority for you, you weren't already using Zoom anyways -- I assume you'd be using auditable open-source encryption. You wouldn't have trusted Zoom marketing terms in the first place.
Therapists, lawyers, courts including closed-door courts, confidential internal meetings for publicly traded companies, doctors' appointments, exchanging passwords/etc. Even my mom just telling me about a medical situation she's having.
All of those have legal requirements for privacy, and many of them used Zoom because it was supposed to meet those requirements. Zoom lied and failed to meet those requirements. There are other ways to meet those requirements (instead of E2E encryption you can have other kinds of controls) but since Zoom claimed to have E2E, they didn't bother with those other ways of meeting the requirements.
This wasn't an accident or a discrepancy. Zoom didn't accidentally have some kind of fancy attack that could be pulled off. They literally, knowingly and plainly misrepresented their product, to get sales they shouldn't have. There are words for that like "Fraud".
Honestly, I know they hired a good team to do it and stand to lose everything if they didn't implement it properly... but they lied about it once and that was so brazen that I won't believe it until it's confirmed by at least a few independent experts. Zoom, in my mind, is synonymous with invaded privacy, poor security and lies.
I do not think Zoom are being honest about this matter. What they are is “encrypted in transit.” I appreciate that there may be %REASONS% that E2E is unachievable given the feature set they wish to provide, but to me, that just means they should be up front.
“All Zoom communications are encrypted-in-transit. We do process them on our servers to provide features like X, Y, or Z.”