Popular video conferencing app Zoom used by millions working from home during the coronavirus pandemic is misleading users about its security, a report claims.
According to tech-orientated investigative news site The Intercept, Zoom claims to secure calls with end-to-end encryption, the industry gold standard for privacy.
This feature is used by secure messaging platforms to ensure only participants can see the chats, excluding even the company itself.
However, it has been revealed that Zoom employs a lesser form of security called TLS, the same technology that HTTPS uses to secure websites.
Zoom calls its lesser feature ‘end-to-end encryption’, a different definition to what is used by the rest of the industry.
With Zoom’s form of cybersecurity, a chat is encrypted on its way to and from Zoom’s servers but, if Zoom and its staff wanted to, they could unlock the chat and view its contents.
WHAT IS END-TO-END ENCRYPTION?
End-to-end encryption ensures only the two participants of a chat can read messages, and no one in between – not even the company that owns the service.
End-to-end encryption is intended to prevent data being read or secretly modified when it is in transit between the two parties.
The cryptographic keys needed to access the service are automatically provided only to the two people in each conversation.
In decrypted form, messages are accessible by a third party – which makes them interceptable by governments for law enforcement reasons.
Facebook-owned WhatsApp is already encrypted, and now Mark Zuckerberg is looking to do the same with Facebook Messenger and Instagram Direct.
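The difference described above, between encryption that stops at the provider's server and end-to-end encryption, modelled as an added example (not Zoom's code or protocol, and not part of the original article). The `Relay` class, the user names and the HMAC-based `seal`/`unseal` helpers are constructed stand-ins for a real server, TLS and an AEAD cipher, and the end-to-end key is assumed to be agreed by the two endpoints without the server's involvement.

```python
import hashlib, hmac, secrets

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream (constructed stand-in for a real AEAD)
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    """Verify the tag, then decrypt; raises ValueError on tampering or wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication failed")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class Relay:
    """Hypothetical conferencing server that terminates each user's transport link."""
    def __init__(self):
        self.link_keys, self.seen = {}, []
    def connect(self, user):
        self.link_keys[user] = secrets.token_bytes(32)  # models a TLS session key
        return self.link_keys[user]
    def forward(self, sender, recipient, blob):
        inner = unseal(self.link_keys[sender], blob)    # transport protection ends here
        self.seen.append(inner)                         # everything the operator can read
        return seal(self.link_keys[recipient], inner)

def transport_only(message):
    relay = Relay()
    ka, kb = relay.connect("alice"), relay.connect("bob")
    delivered = unseal(kb, relay.forward("alice", "bob", seal(ka, message)))
    return delivered, relay.seen[0]

def end_to_end(message):
    relay = Relay()
    ka, kb = relay.connect("alice"), relay.connect("bob")
    e2e_key = secrets.token_bytes(32)  # assumption: held by the two endpoints only
    wire = seal(ka, seal(e2e_key, message))
    delivered = unseal(e2e_key, unseal(kb, relay.forward("alice", "bob", wire)))
    return delivered, relay.seen[0]
```

Both functions return the message as delivered and what the relay was able to read: in the transport-only case that is the plaintext itself, in the end-to-end case only an authenticated ciphertext the relay has no key for.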
Zoom has rapidly become one of the most essential apps as people adapt to a remote working lifestyle.
In the first few months of 2020 it has acquired more than two million new users – more than its total for the entirety of 2019.
However, the app’s surge in popularity has been outstripped by a string of publicity disasters and various privacy scandals.
In the US, it was reported yesterday, the FBI received complaints from Zoom users that private chats were being disturbed by pornography.
New York Attorney General Letitia James sent a letter to the company ‘with a number of questions to ensure the company is taking appropriate steps to ensure users’ privacy and security,’ a spokesman said.
On Monday, the FBI’s Boston office also warned it had ‘received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language.’
A group conversation for recovering alcoholics in New York was also hacked.
Users hosting the Alcoholics Anonymous (AA) meeting said members suddenly heard a man’s voice interject and shout anti-Semitic slurs and insensitive references to drinking.
In the UK, Prime Minister Boris Johnson was relentlessly mocked after sharing a screenshot of the cabinet’s virtual meeting and leaving on the Zoom ID, leaving the chat open for anyone to join.
The latest reports that Zoom is not fully securing users’ data may be down to the complex technical issues this poses for a video conferencing app.
Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, told The Intercept the app needs to detect who is talking in real time to prioritise their video stream.
This, he says, is much easier to do if the service provider can see everything that is going on in the chat, something that would be impossible with end-to-end encryption.
What security measures does Zoom have?
Users of the Zoom video-conferencing app are given a code to enter the meeting ‘room’. This number of between nine and 11 digits can then be shared with those the meeting host wishes to join them.
But things can get out of hand if people share these codes online on social media, allowing something called ‘zoombombing’, where mass groups of people can join a meeting as a joke or to disrupt it if they receive the code.
However, there are additional steps that can be taken to block this.
Private groups can also be set up so that they require an additional password to join.
This means that even if the room code is shared accidentally, as in today’s case, it is not possible to join the room.
Additionally, a meeting can be set up so that no-one can enter before the organiser or chair.
This means pranksters cannot ‘sit’ in a room waiting for others to log in.
The chair of the meeting has the power to kick uninvited guests out of the room once they are in it.
The technological advancements it would take to allow the app to automatically switch to highlight who is talking while fully encrypting the information are difficult, but not impossible.
For example, Apple has successfully managed to do it with a very similar feature on FaceTime.
‘They’re a little bit fuzzy about what’s end-to-end encrypted,’ Mr Green said, referring to Zoom.
‘I think they’re doing this in a slightly dishonest way. It would be nice if they just came clean.’
Zoom told The Intercept it does not directly access, mine or sell user data, despite having access to it.
MailOnline has approached Zoom for comment.
Jake Moore, Cybersecurity Specialist at ESET, told MailOnline that it is unsurprising a free app such as Zoom is experiencing significant privacy issues now it is being used on a mass scale.
‘As video calls increase, we really need to take a moment away from this new normal and look into the privacy conundrum that goes in parallel with free apps,’ he says.
‘End-to-end encrypted video platforms exist and offer more privacy-based communications, but I tend to find that the majority of people don’t initially think about their personal security or privacy when it comes to conference calling.
‘This is even a first for many people too.
‘For social and light business meetings Zoom is fine, as long as users realise what data is being shared to third parties, and that they could potentially be intercepted by “zoombombers” or more illegitimate parties.
‘I certainly wouldn’t recommend using free software for sensitive or private meetings.’