Over the past decade I've had to deal with a lot of executives and security people who don't actually understand security all that well. Or at all. (Not that I'm a security expert, but that hardly makes it better when even I can see that something is nonsense).<p>Right now I know of at least half a dozen products that are marketed as having E2E encryption but do not actually implement this (no, I'm not going to out them. See second to last paragraph as to when to be wary). In part because executives, marketers and salespeople don't know what it means. And in part because when explained what it means they will insist on their own definition/interpretation and demand the product is marketed as E2E.<p>It is also important to note that quite often you are not dealing only with the company that makes a product, but the regulatory bodies that can pressure companies into complying with their wishes.<p>As for Zoom, I don't understand why people trust them or still use their product if they are at all concerned about security. It makes very little sense.
> Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base<p>What a slap on the wrist. "You blatantly lied to your customers for years. How about you just continue to implement the thing that you were working on anyways."<p>I don't think punishment is always the best solution but it seems that you should at least set some sort of example.
All they had to do was say "encrypted" instead of explicitly saying "end-to-end encrypted" when it very clearly wasn't end-to-end.<p>The former still could've been a bit weaselly and misleading (many non-technical users would probably have assumed "encrypted" implied total confidentiality), but what they actually did was so much worse. I hope they get hit hard on that.
I think the assumed implication with E2EE is that no one other than the participants can get at the content of your communications. To do that you need:<p>1. All cryptographic keys controlled by the users.<p>2. Some way to confirm you are actually connected to who you think you are connected to.<p>3. A way to confirm that the code you are running is not leaking keys/content.<p>So Zoom failed on all 3 points. There are lots of things out there claiming E2EE that fail on one or more of these points. Almost all fail on point 2 unless the user does things that they almost never do. Is the FTC going to come up with an E2EE definition for trade and start prosecuting those that don't meet that definition? Otherwise it would seem unfair that they only went after the entity that ended up in the general media.
"[S]ince at least 2016, Zoom misled users by touting that it offered 'end-to-end, 256-bit encryption' to secure users' communications, when in fact it provided a lower level of security," the FTC said today in the announcement of its complaint against Zoom and the tentative settlement. Despite promising end-to-end encryption, the FTC said that "Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers' meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised."<p>That's the concept of E2Z2EE (End2Zoom2End Encryption)
A deeper issue is how hard it is to "know" if companies hawking products with security implications (which is nearly everything, today) are lying.<p>I'm not even talking about the gradient ranging from innocent bugs to incompetent coders and how that gets papered over. When you buy shoddy physical goods, there are typically characteristics you can't hide, like cheap materials. But with software like this of course the only function your average person can verify is that the transmission happens, not how it is encoded. Neither Grandma nor your manager is likely to break out tcpdump to check.<p>And of course the DMCA complicates this in the US, and things are even worse for researchers elsewhere.<p>Third party audit and reputation are the only fixes I see. And the second one requires a commercial environment that rewards it. The current one doesn't; it rewards novelty and lies, so that's what we get.
So will they get fined more than Snapchat for lying about ephemeral messaging or will this be the usual American "slap on the wrist" thing we usually see to protect the investors?
If Zoom made clear to users that connections were not secured to the same standards as competitors, and that potentially hundreds of employees could be silently listening in on any call, I think that would have prevented them becoming a leader in video conference tech.<p>So the right fine here is their entire market cap. That would put them back at square one, which is where an honest competitor would be right now.
Don't forget the hidden web server fiasco <a href="https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5" rel="nofollow">https://medium.com/bugbountywriteup/zoom-zero-day-4-million-...</a>
It's situations like this that make me wonder whether there should be more effort put into education and awareness regarding ethics in software engineering. We teach ethics to other STEM disciplines such as biotechnology and aeronautics, why is it left out of software engineering?
Zoom is also in the habit of censoring content it doesn't approve of politically:
<a href="https://www.insidehighered.com/quicktakes/2020/10/27/zoom-faces-more-allegations-censorship" rel="nofollow">https://www.insidehighered.com/quicktakes/2020/10/27/zoom-fa...</a><p>so, drop Zoom, use a Free and Open-Source alternative. Example: Jitsi (jitsi.org). It has more rough edges, but it works.
This is like suing Hillshire Farms because their bacon wasn't as maple-honey-bourbon-flavored as they claimed. Nobody is buying bacon just for flavoring. People use Zoom because it's a free digital telephone with screen sharing. Not because it's super duper secure.<p>Telephones (VoIP, PSTN, SMS, etc) do not have end-to-end encryption - or <i>any</i> encryption - and we've been using them for conferences since <i>always</i>. Hell, <i>we use them for Zoom calls!</i><p>This is some kind of government vendetta, probably pushed by Zoom's competitors who make a bundle in government contracts. Because they're currently the biggest provider, they're the biggest target. But this standard has not been (and will not be) held up to any of its competitors who make similar claims. The political party that is sabre-rattling in this article is just making themselves look good to their constituents.
A few years ago I noticed BBM Enterprise touts end-to-end encryption pretty strongly in their marketing, without mentioning an up-front caveat.<p><a href="https://www.blackberry.com/us/en/products/bbm-enterprise" rel="nofollow">https://www.blackberry.com/us/en/products/bbm-enterprise</a><p>Turns out that by default, BBME is not end-to-end. The initial handshake is transparent to Blackberry, and they could use that to decrypt future messages without your knowledge.<p>To enable true end-to-end, you have to opt in to an out-of-band handshake to start each new conversation, an option you can turn on in their admin console.<p>How many people are actually going to opt in to dealing with a confirmation SMS for every new thread?<p>I reached out to Blackberry at the time to update their literature as it was misleading, but no action was taken by them.
So the takeaway here is that there isn't any real, significant consequence for this kind of stuff. Can I just create a startup and store passwords in plaintext and lie about it so that I can focus on the core user-facing features of the product? Once we get big enough I'll just hire some security engineers to do things right.<p>I'm exaggerating a bit with the above example, but how many corners can someone cut and how many lies can they get away with when it comes to security? Because finding the right balance seems like a serious competitive advantage in the startup space.
Will they pay a dime in penalties or backlash for their fraud against consumers?<p>No. Because we nerds aren't holding organizational leaders accountable for their IT staffer's choices and diligence owed to purchases.
Pretty scandalous stuff. But to be fair it seems pretty likely that any or all of the major players (Apple, Google, MS, Facebook, AWS, etc) are maintaining some sort of back-door access to the channels they control for spying purposes.<p>I suppose the risk with Zoom is leaks due to incompetence rather than leaks due to government intervention.
I'm not in the least surprised.<p>Think of other popular messaging systems that claim to offer some kind of E2EE, but are proprietary software: WhatsApp, Skype, FB Messenger, Viber, Threema, Line…<p>Distrust by default!<p>I am always amazed when folks even <i>consider</i> the alleged support for strong E2E encryption in those apps… the value of those claims is exactly zero.
There are (at least) two points, I think:<p>- Open protocols would be helpful. Then you can implement it by yourself and you can see if it is encrypted (and implement whatever other features you may need, including saving energy).<p>- If they lied to users about end-to-end encryption, then it is false advertising. It is important to avoid false advertising.
> <i>Amid controversy in July 2019, Zoom issued an update to completely remove the Web server from its Mac application, as we reported at the time.</i><p>Surprised to see them mention the web server thing and not mention that it was so bad that Apple actually updated its antivirus software to remove the Zoom web server.
It's kind of funny to put this article in parallel with this one:<p><a href="https://news.ycombinator.com/item?id=25028411" rel="nofollow">https://news.ycombinator.com/item?id=25028411</a><p>Where the EU is planning to add backdoors to E2E services.
I was never confused, but am more technical. I mean, how do you terminate to POTS, do the mix-ins etc without zoom decrypting on their end? If it's E2E encrypted and I have a dial in number - it's not E2E in that sense.
I guess "fake it till you make it" is the name of the game these days. But if that is really the case, why did we vilify companies like Theranos or Edison?<p>I have often wondered if I should do it at work as well.
What other popular group video meeting tools are e2e? I know of none.<p>I remember reading a while back that Zoom claimed a few times they were e2e-encrypted, but what they meant was transport encryption.
Why would any company with valuable IP use Zoom after this security blunder, along with the fact they "accidentally" routed domestic US calls via China? Zoom is software developed almost entirely in China, meaning it is subject to Chinese law and the very strong influence of the CCP.<p>It is a fact that Zoom could be compelled by the CCP to plant backdoors in software to siphon valuable IP for use by Chinese companies, as is usually the case with CCP-aligned companies like Huawei (Huawei had a cash incentive program for employees who delivered stolen IP to them).
Companies that mine data from users will often mislead users when it comes to privacy.<p>e.g.: "You have control over your data"... no, you don't.
Oh you know that private video chat that literally everyone uses, it's not private.<p>How is this getting almost no attention from the mainstream media?
Pretty ridiculous for the US to be enforcing this while they try to ban and reduce availability of E2EE worldwide. Zoom et al. are doing them a great service by spreading FUD and confusion about what E2EE even is. Once it's reduced to "complex math thing" in people's minds no one will know or care when they ban it.
If security is that important to you or your company, maybe you or your company should build a communication platform for yourselves, right!?<p>You, people, should believe or trust no one! That's the number one rule for [E2E, or otherwise] security, I think.
No! Corporations lie?!<p>At least their feet will be held to the fire!<p>/s<p>Tbh though, they will only be held to account if another big player wants to cripple them and take their market.
I don't understand how the FTC arrived at the conclusion they're not E2E? Or have I missed something?<p>>Despite promising end-to-end encryption, the FTC said that "Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers' meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised."<p>Not wonderful, but that still, technically, is an E2E encryption scheme. Is it not? Or do they mean one end terminates in Zoom's servers and it's not E2E through the whole pipe, but rather two pipes stitched together?<p>Agreed it's not as secure as they marketed, but this seems to suggest that if you want to offer E2E you need a specific kind of key storage to meet this new precedent. Good in practice, but maybe the FTC are not the right people to be placing such a hurdle down?<p>I'm sure I've missed something though.