Yeah. The problem here is that Zoom lied about it.
And, like, why? Sure, if no one ever caught them, e2e could be a reason to choose Zoom—but it's like lying on a resumé. Which, I guess is also a thing that happens sometimes, but it's generally understood to be a bad idea.
>You can't know, because it wasn't actually e2ee, eh
You can know that nobody external to Zoom spied on those streams as they were encrypted between client and Zoom servers. The fact that Zoom had access to your stream, in principle, is par for course.
>These are hard to quantify but they're not nothing.
And they got in trouble. There is the FTC slap and the PR cost associated with the negative publicity. That feels about right for the level of infraction. But when these kinds of articles come out, people are calling for regulatory bodies to 'make examples' of the companies in question. That's not how it works. That's not how it should work.
1) false claims are a indeed problematic because they erode trust in Zoom
2) having no E2E is more dangerous in Zoom than with other software
For example, there is no E2E in Teams, but we have it running on servers in the same country with no direct US/CN connection.
Or even better: run it on your own servers in a DMZ. Then, E2E is not so crucial any more.
> what is the maximum possible harm zoom could have caused?
+ HIPAA violation
+ Violation of jury secrecy
+ FERPA violation
+ False advertising and fraud
That's US specific. I'm sure foreign governments will have their own opinions.
You're right, you can be HIPAA compliant and not be E2E encrypted - if you have the right paperwork and auditing process. Zoom didn't because they claimed to be E2E encrypted.
There are some things you can lie about and it's crappy but not a big deal. "Lag free video streaming!" - Sure, whatever. "The best quality!" Again, don't care. When it comes to information security claims though, lying has very serious penalties because the damage you cause is extremely serious. This wasn't them telling a white lie about how awesome they are, this is them intentionally and knowingly engaging in fraudulant behavior to make profit at the expense and security of users - and we should absolutely punish the hell out of people who do that to line their own pockets with a few extra dollars.
Apparently it's okay for Zoom to shunt this responsibility for its paid users? Even if I were to accept your premise that omitting E2EE is a legitimate trade-off to detect abuse, Zoom's choice to selectively apply this standard for its free users suggests that this is NOT why Zoom chose to do this.
You forgot "5. Zoom gets praised for developing features in response to criticism that already existed in other products that work better."
Jokes aside, with Zoom's track record, it's not worth using anymore regardless of what features they implement. Not having E2E encryption is no where near as much of a red flag as lying about it is to me.
Zoom isn't learning from mistakes and making improvements that the market demands. It's providing a feature it said it already had.
Zoom knew E2EE was something the market demanded, so it lied about having E2EE. This was a blatant lie to get more people to use its platform. Then Zoom got caught. Now it's actually trying to provide what it said it provided in the first place.
Only in the sense that Zoom got lambasted for calling their original setup E2EE. "Well technically our servers that log everything are a end of the communication".
At least in the states they faced legal penalties for such a claim (albeit a slap on the wrist).
I guess you don't have experience working in a company with a marketing team that feel they can buzzword things in without checking with IT teams then.
I'm in no way saying it's impossible that Zoom did say E2E encryption while knowing that's not true, but I could imagine a scenario where a security person says "Yeah, we're encrypting connections to our backend" and a marketing person researching E2E and then saying to themselves "Yeah, sounds like we're doing E2E, let's write that", because this stuff happens all the time in the industry.
> Their intention was to deceive users
You sound so sure about their intentions, do you have any actual proof of this that others are missing? Again, I'm not saying it's impossible that their intention was to deceive users, but as an engineer, I always favor proof over guessing.
"While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it."
Because "thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment" and they didnt "design the product" for these "new, mostly consumer use cases", it means that up until now they couldnt have forseen that lying about e2e encryption to sell enterprise subscriptions was an issue.
Bingo, they straight up lied about E2E, bypassed security features, sold user info and hacked their way into self installing.
Plus blaming all the issues on consumer use cases is hilarious. That might work for like a company that makes fiber lines for commercial deployments or something However, it's like they forgot that their core video might be B2B, but the client is almost always B2C and always has been. The fact that you are forced to use the Zoom client/plugins to attend a Zoom meeting may make the business case enterprise, but they have always been taking these horrible stances on the client and harming normal people who can't choose to use something else.
Therapists, lawyers, courts including closed door courts, confidential internal meetings for publically traded companies, doctors appointments, exchanging passwords/etc. Even my mom just telling me about a medical situation she's having.
All of those have legal requirements for privacy, and many of them used Zoom because it was supposed to meet those requirements. Zoom lied and failed to meet those requirements. There are other ways to meet those requirements (instead of E2E encryption you can have other kinds of controls) but since Zoom claimed to have E2E, they didn't bother with those other ways of meeting the requirements.
This wasn't an accident or a discrepency. Zoom didn't accidentally have some kind of fancy attack that could be pulled off. They literally, knowingly and plainly misrepresented their product, to get sales they shouldn't have. There are words for that like "Fraud".
I do not think Zoom are being honest about this matter. What they are is “encrypted in transit.” I appreciate that there may be %REASONS% that E2E is unachievable given the feature set they wish to provide, but to me, that juts means they should be up front.
“All Zoom communications are encrypted-in-transit. We do process them on our servers to provide features like X, Y, or Z.”
It’s quite simple: Zoom are lying. They’ve doubled down on their lies.
End to end encryption means something. Zoom isn’t that. Zoom is claiming to be that.
There’s not much to it.
They set the stage for it previously, too: they’ve done all sorts of shady things with computers onto which their client is installed. Zoom singled themselves out of the pack by being some of the only name-and-address provided software to use these techniques; everything else that does so is criminal malware.
Apple even pushed an OS malware detection update to remove Zoom’s backdoor.
Also, think of the competitors of zoom who lost customers to them due to their lying, that's a harm too, eh?
These are hard to quantify but they're not nothing.
reply