When you participate in a Zoom video conference, your data is not end-to-end (e2e) encrypted. Zoom does encrypt calls, but with the same transport-layer technology (TLS) that your browser uses, which means the company itself can decrypt your call at will. Zoom had previously promised to move to e2e encryption, but the company now says this will be available only to paying users.
The difference between e2e encryption and Zoom's current encryption is large. With e2e encryption, the company that carries the call has no access to your content: the keys exist only on the participants' devices, and the protection runs from user to user. Zoom's TLS encryption, by contrast, is like using a protected website such as Gmail or Twitter. The connection to the server is encrypted, but the company terminates that encryption on its own servers and has full access to your data.
When The Intercept pointed this out, the news spread like wildfire and Zoom quickly promised to switch to e2e encryption. But on Zoom's earnings call, CEO Eric Yuan told analysts that only paid users would get this protection. As reported by Bloomberg technology reporter Nico Grant in a tweet, the CEO said:
Free users, for sure we don't want to give that, because we also want to work with the FBI, with local law enforcement, in case some people use Zoom for a bad cause.
The concern is that bad actors could use Zoom for horrific or illegal purposes. If free users' meetings are not end-to-end encrypted, Zoom can decrypt them and work with the FBI to track those actors down. What Yuan did not address is that nothing prevents these bad actors from simply paying for the service and gaining access to e2e encryption.
Alex Stamos, a security advisor to Zoom, attempted to clarify the company's position in a Twitter thread, along with a defense of the company's use of AES encryption for free users.
All users (free and paid) have their meeting content encrypted with one AES256 key per meeting. The content is encrypted by the sending client and decrypted by the receiving client or by Zoom's Connector servers to connect to the PSTN network and other services.
– Alex Stamos (@alexstamos) June 3, 2020
That did not settle the matter. It did not take long for security researchers to push back on Stamos' reasoning, understandably so, because his defense of Zoom's choice did not address several concerns.
Stamos is responding to people who call out Zoom's lack of e2e encryption for the free tier by describing their takes as "misleading" and insisting that AES encryption which can be circumvented by Zoom Inc. at will is considered real encryption. Which of course is what's really misleading here. pic.twitter.com/WH67gKwAit
– Nadim Kobeissi (@kaepora) June 3, 2020
In comparison, Facebook offers e2e encryption in its Messenger app and still builds an abuse-reporting mechanism into it. Given this, it seems Zoom could do more to protect its free users while still preventing its video chat software from being used for malicious purposes.
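To make concrete what separates the two architectures described above (the TLS model where the service holds the key, the per-meeting AES key that Stamos describes being decryptable by Zoom's connector servers, and the Messenger-style point that e2e does not rule out abuse reporting), here is an added example. It is not Zoom's, Facebook's or Alex Stamos' code. It models the two designs with a toy HMAC-based stream cipher standing in for AES-256 and a toy-sized Diffie-Hellman group standing in for real key agreement; those substitutions, the participant names and the message are all assumptions made for the illustration, and the example runs on the Python standard library alone.

```python
"""Who holds the meeting key: service-side encryption versus end-to-end.

Added example, not Zoom's code. Cipher and DH group are toys chosen so the
example runs on the standard library; only key custody is being shown.
"""
import hashlib
import hmac
import os


# Toy cipher: HMAC-SHA256 keystream in place of AES-256 (assumption: the
# cipher is irrelevant to the argument; what matters is who has the key).
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:12], blob[12:])


# Model 1: the service mints one key per meeting and keeps a copy. Clients
# receive it over TLS and encrypt with it, but the operator can decrypt the
# relayed traffic whenever it wants (and needs to, for PSTN/connector feeds).
class ServerKeyedMeeting:
    def __init__(self):
        self.meeting_key = os.urandom(32)   # 256-bit, like AES-256
        self.transcript = []                # ciphertext blobs as relayed

    def join(self) -> bytes:
        return self.meeting_key             # handed to every joining client

    def relay(self, blob: bytes) -> None:
        self.transcript.append(blob)

    def operator_read(self) -> list:
        return [decrypt(self.meeting_key, b) for b in self.transcript]


# Model 2: the clients agree the key between themselves; the service only
# forwards public values and ciphertext and never holds anything that decrypts.
P = 2**127 - 1   # Mersenne prime: toy-sized group, NOT a real DH parameter
G = 3


class Client:
    def __init__(self, name: str):
        self.name = name
        self._priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
        self.pub = pow(G, self._priv, P)    # the only value the relay sees
        self.key = None

    def derive_key(self, peer_pub: int) -> None:
        shared = pow(peer_pub, self._priv, P)
        self.key = hashlib.sha256(shared.to_bytes(16, "big")).digest()

    def report_abuse(self, blob: bytes) -> bytes:
        # Abuse reporting survives e2e: the endpoint has plaintext and can
        # forward it to the operator, which is how Messenger-style reporting works.
        return decrypt(self.key, blob)


class RelayOnlyServer:
    def __init__(self):
        self.seen_pubs = {}
        self.transcript = []
        self.reports = []

    def exchange(self, a: Client, b: Client) -> None:
        self.seen_pubs[a.name], self.seen_pubs[b.name] = a.pub, b.pub
        a.derive_key(b.pub)
        b.derive_key(a.pub)

    def relay(self, blob: bytes) -> None:
        self.transcript.append(blob)

    def operator_read(self) -> list:
        return list(self.transcript)        # public values + ciphertext only

    def receive_report(self, plaintext: bytes) -> None:
        self.reports.append(plaintext)


def demo(message: bytes = b"board call: acquisition target is ACME") -> dict:
    # Constructed sample message; names and content are illustrative.
    svc = ServerKeyedMeeting()
    k_alice, k_bob = svc.join(), svc.join()
    svc.relay(encrypt(k_alice, message))
    model1 = {"bob": decrypt(k_bob, svc.transcript[0]),
              "operator": svc.operator_read()[0]}

    relay = RelayOnlyServer()
    alice, bob = Client("alice"), Client("bob")
    relay.exchange(alice, bob)
    relay.relay(encrypt(alice.key, message))
    relay.receive_report(bob.report_abuse(relay.transcript[0]))
    model2 = {"bob": decrypt(bob.key, relay.transcript[0]),
              "operator": relay.operator_read()[0],
              "keys_match": alice.key == bob.key,
              "reported": relay.reports[0]}
    return {"plaintext": message, "server_keyed": model1, "e2e": model2}


if __name__ == "__main__":
    r = demo()
    print("service-side: operator reads", r["server_keyed"]["operator"])
    print("e2e:          operator reads ciphertext", r["e2e"]["operator"][:12].hex(), "...")
```

In the first model both Bob and the operator recover the plaintext, because the operator minted and kept the key; in the second, Bob recovers it but the operator holds only public values and ciphertext, and the only plaintext that reaches it is what a participant chose to report.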