If you've waded into Twitter timelines for security and privacy advocates over the past five days, you've no doubt seen Zoom excoriated for its plans to enable end-to-end encrypted video conferencing solely for paying customers. Zoom's millions of non-paying users won't receive the protection so that the company can monitor meetings for child-abuse activity and other types of illegal and disturbing content, executives said.
“Oh, fuck off, @zoom_us. You don't care about anything except money,” one critic wrote on Twitter Tuesday, five days after Reuters reported the plans. “You certainly don't care about protecting people from the abusive overreach of police. After all, didn't you just say non-paying customers won't benefit from encryption b/c you want to work with law enforcement?”
The move is certainly a departure from some platforms that already offer end-to-end encryption. Signal, Facebook Messenger, and WhatsApp all offer the protection to all users, though few if any pay for the services. Few video conferencing services offer end-to-end encryption. Like Zoom, its competitors that do offer end-to-end crypto generally do so only for select users.
Impossible to unscramble
End-to-end encryption is vastly different from simply encrypting data in transit. Instead, it provides each user with keys that reside solely on their devices, where communications are encrypted and later decrypted (the encrypted data is usually encrypted a second time as it travels over the wire). With the provider having no access to the keys that decrypt the data, it's impossible for law enforcement or malicious insiders to access the human-readable content.
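The difference described above, as an added example that is not from the article and not Zoom's design: a provider that terminates transport encryption can read the content, but sees only ciphertext once an end-to-end layer is wrapped inside it. The names (`alice`, `bob`, `providerView`), the sample frame, and the choice of X25519, HKDF and AES-256-GCM are assumptions for illustration.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helpers; a sealed message travels as a JSON string.
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return JSON.stringify([iv, body, c.getAuthTag()].map((b) => b.toString('base64')));
}
function open(key, sealed) {
  const [iv, body, tag] = JSON.parse(sealed).map((s) => Buffer.from(s, 'base64'));
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  // final() throws if the key is wrong or the message was altered.
  return Buffer.concat([d.update(body), d.final()]).toString('utf8');
}

// End-to-end key: X25519 agreement between the two devices, then HKDF.
function e2eKey(myPrivate, peerPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'e2ee-demo', 32));
}

// The provider terminates the transport layer and can inspect what is inside it.
function providerView(transportKey, wireMessage) {
  return open(transportKey, wireMessage);
}

function demo() {
  const alice = crypto.generateKeyPairSync('x25519');
  const bob = crypto.generateKeyPairSync('x25519');
  const aliceToServer = crypto.randomBytes(32); // stands in for a TLS session key
  const frame = 'constructed sample frame';

  // Transport encryption only: the provider sees the content.
  const seenPlain = providerView(aliceToServer, seal(aliceToServer, frame));

  // E2EE inside transport encryption: the provider sees only the inner ciphertext.
  const inner = seal(e2eKey(alice.privateKey, bob.publicKey), frame);
  const seenE2ee = providerView(aliceToServer, seal(aliceToServer, inner));

  // Bob's device derives the same key and decrypts; the provider's key cannot.
  const bobReads = open(e2eKey(bob.privateKey, alice.publicKey), seenE2ee);
  let providerReads = null;
  try { providerReads = open(aliceToServer, seenE2ee); } catch (e) { providerReads = null; }
  return { seenPlain, seenE2ee, bobReads, providerReads };
}
```

The sketch leaves out authentication of the public keys; if the provider distributes those keys unverified, it can substitute its own and the end-to-end guarantee no longer holds.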
Security and privacy advocates say that this kind of protection is crucial as more and more sensitive information is transmitted over the Internet. Groups such as the Electronic Frontier Foundation argue that end-to-end encryption should be made available to all users, whether they pay or not. Zoom has not yet implemented end-to-end encryption, but representatives have said that company engineers are in the process of designing and implementing it.
This article isn't arguing that Zoom's plans as articulated so far are fine. Rather, it provides a counterpoint to criticism that the plans are motivated by greed or a desire to cozy up to law enforcement. No doubt, some Zoom critics are likely to claim this counterpoint smacks of the same “think-of-the-children” tripe that foes of strong encryption raise all the time.
Others argue that unique attributes of video conferencing and other real-time video platforms warrant people weighing, and ultimately balancing, the pros and cons of end-to-end encryption for all users.
One aspect of video conferencing is that it's a platform for live child sex shows and other highly disturbing activities. An example of the role video conferencing sometimes plays in this type of crime is found in a criminal case federal prosecutors brought in 2016. It charged a man with distribution of child pornography for allegedly participating in video meetings on Yahoo's video platform.
In all, prosecutors said, hundreds of Yahoo users were involved in a scheme that broadcast horrific child abuse in real time. Under established case law, prosecutors couldn't have filed charges unless a Yahoo employee was able to monitor feeds, witness the abuse personally, and describe it in sworn testimony.
A person familiar with Zoom's plans said these types of live sex shows involving children are more common on video services than most people realize. Almost all of the participants use free accounts that are registered in ways that make their identities harder, if not impossible, to track. Few if any paying users engage in illegal activities.
Currently, when Zoom gets word of illegal activity, it can access the alleged participants' accounts and monitor any of their feeds to verify the abuse reports. If the company implements end-to-end encryption correctly, this type of monitoring will be impossible.
Since almost all of the abuse is broadcast in meetings of unregistered users with free accounts, Zoom decided that the reasonable balance of security and safety was to implement end-to-end encryption only for paying customers. Zoom says it turns over customer data only when presented with a legally binding court order.
Like the Twitter user quoted earlier in this post, critics say Zoom is giving in to law enforcement's exaggerated complaints of “going dark,” meaning providing no way to gain intelligence about real crimes because of encryption. The counterpoint can be found in a Wednesday Twitter thread from Alex Stamos, a security consultant to Zoom who has a history of defending strong encryption against authorities and resisting unwarranted searches of user data. He cited both technical limitations when meeting participants connect by phone or H.323 and SIP gear and the balancing of privacy and safety of others for Zoom not making end-to-end encryption available for all.
“There are legitimate product reasons for making E2EE an opt-in feature,” he wrote. “Such reasons existed for Facebook Messenger (which FB is working on) and exist now for Zoom. In both cases, I think optional E2EE on top of transport encryption is better than no E2EE option at all. But the other issue we have to grapple with is how products can cause harm outside of surveillance.”
But the other issue we have to grapple with is how products can cause harm outside of surveillance. As you can see from the class schedule above, there are a lot of other harms. Zoom is dealing with a couple of these intensely right now.
— Alex Stamos