Zoom won't encrypt calls so they can sell you out to the cops

Direct from CEO Eric Yuan. Today. He said this today.

Corporate clients will get access to Zoom's end-to-end encryption service now being developed, but Yuan said free users won't enjoy that level of privacy, which makes it impossible for third parties to decipher communications.

"Free users for sure we don't want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose," Yuan said on the call.

Based on their track record, it's not like they could ensure the privacy of your calls even if they wanted to. But it's good to know up front that they absolutely do not want to.



9 Responses:

  1. Bill Bob says:

    The solution is to always talk in Pig Latin, then nobody can decipher your conversations.

    • Use Cvt Yngva, they'll never figure it out!

      • ssl-3 says:

        Pna fbzrbar gryy zr jul Mbbz orpnzr gur tb-gb sbe rirelguvat eryngrq gb ivqrbpbasrerapvat vafgrnq bs nalguvat ryfr?

        • Carlos says:

          Mbbz jnf jvqryl ninvynoyr naq unq n serr gvre. Tbbtyr Zrrg ng gur gvzr erdhverq lbh gb unir na betnavmngvba nppbhag, juvpu nqqrq sevpgvba. Fxlcr naq bgure ZF gbbyf unq fbzr bgure sevpgvba naq Fxlcr va cnegvphyne unf fbzr vzntr ceboyrzf gung znl be znl abg or onfrq va ernyvgl.

          • ssl-3 says:

            Gunax lbh sbe gur rkcynangvba. V'z sbeghangr gb unir ernpurq zvqqyr-ntrqarff jvgu irel srj tebhc zrrgvatf bs nal glcr, bayl n unaqshy bs juvpu jrer ryrpgebavp, fb V'z xvaq bs bhg bs gur ybbc (qrfcvgr nyyrtrqyl orvat va n srj qvssrerag pbearef bs "gur grpu vaqhfgel").

            Fb vf gur serr Tbbtyr guvat vf frpher-vfu?

            • Carlos says:

              Google Meet gratis version doesn't feature end-to-end encryption at all as I understand it. It's one of the peculiar things about this controversy; I don't think any of the major players offer it to free users, and some don't offer it at all. In that respect, Zoom seems to be getting singled out without cause here.

              But in other respects, it seems reasonably secure. It's purely browser-based, so it's not adding a large attack surface (unlike the Zoom desktop/mobile apps, which should be avoided - their service can also work in a browser, but they make that unnecessarily difficult).

              C.

              • Nick Lamb says:

                Nobody is doing end-to-end encryption for multi-party video conferencing. It is hard, and in the general case it's also expensive and cuts out a bunch of features some people are 100% sure they want. Some people have expressed interest in doing it in the future, (e.g. Jitsi) and some people have lied about doing it (e.g. Zoom) but I've found no sign anybody actually offers it as a normal consumer product today.

                Person-to-person? Yes. Signal and several others can do end-to-end encrypted video chat today. But that's not a video conference.

                Zoom was singled out for what their current major version did at the time of the controversy versus what it claimed. What they claimed was 256-bit AES GCM end-to-end encryption.

                But what they were actually shipping was hand-rolled 128-bit AES-ECB of just some RTP data to and from Zoom's servers, with a single key per call chosen by those servers.

                If you had that key, which (all?) Zoom servers do, and which every participant at any point during a call has, you can decrypt everything from the entire call.

                Because they used RTP, an adversary is presented with full metadata, unencrypted. Only the data (e.g. exactly what is said or visible) is encrypted. And because they used ECB, the encryption reveals any blocks (16 bytes) that reoccur in the video or audio data too, which is likely enough to gradually get insights into the data too.

                It also looks like they used VBR SILK for audio. Academics have built AI models that can guess much better than average just by looking at the metadata (size of each VBR chunk) whether certain key words were or were not said on a stream.

                Zoom fixed the crypto nerd speak, shipping (at least by their own claim) AES-256-GCM instead of AES-128-ECB - but that's stuff their competitors already did, the problem is they claimed to offer end-to-end and of course that was just a lie.

  2. Pinback says:

    Time to write some bots that make dangerous sounding calls to each other?

  3. sneak says:

    The last time I used words similar to "sell you out to the cops" in a popular blog post, I got a bunch of white khaki-wearing do-gooders saying "well who wants criminals in their group anyway?", obviously unfamiliar with, well, the entirety of history, or the fact that pigs frequently target the innocent, or even the difference between their asshole and their elbow.

    If you are in any way whatsoever writing for square people, note that hearing the term "rat" implies to them "actual crime". I did not know this until I saw it myself, but it turns out that the world has a lot of dipshits in it.
