If you’ve waded into Twitter timelines for security and privacy advocates over the past five days, you’ve no doubt seen Zoom excoriated for its plans to enable end-to-end encrypted video conferencing solely for paying customers. Zoom’s millions of non-paying users won’t receive the protection so that the company can monitor meetings for child-abuse activity and other types of illegal and disturbing content, executives said.
“Oh, fuck off, @zoom_us. You don’t care about anything except money,” one critic wrote on Twitter Tuesday, five days after Reuters reported the plans. “You certainly don’t care about protecting people from the abusive overreach of police. After all, didn’t you just say non-paying customers won’t benefit from encryption b/c you want to work with law enforcement?”
The move is certainly a departure from some platforms that already offer end-to-end encryption. Signal, Facebook Messenger, and WhatsApp all offer the protection to all users, though few if any pay for the services. Few video conferencing services offer end-to-end encryption. Like Zoom, its competitors that do offer end-to-end crypto generally do so only for select users.
Impossible to unscramble
End-to-end encryption is vastly different from simply encrypting data in transit. Instead, it provides each user with keys that reside solely on their devices, where communications are encrypted and later decrypted (the encrypted data is usually encrypted a second time as it travels over the wire). With the provider having no access to the keys that decrypt the data, it’s impossible for law enforcement or malicious insiders to access the human-readable content.
Security and privacy advocates say that this kind of protection is crucial as more and more sensitive information is transmitted over the Internet. Groups such as the Electronic Frontier Foundation argue that end-to-end encryption should be made available to all users, whether they pay or not. Zoom has not yet implemented end-to-end encryption, but representatives have said that company engineers are in the process of designing and implementing it.
This article isn’t arguing that Zoom’s plans as articulated so far are fine. Rather, it provides a counterpoint to criticism that the plans are motivated by greed or a desire to cozy up to law enforcement. No doubt, some Zoom critics are likely to claim this counterpoint smacks of the same “think-of-the-children” tripe that foes of strong encryption raise all the time.
Others argue that unique attributes of video conferencing and other real-time video platforms warrant people weighing, and ultimately balancing, the pros and cons of end-to-end encryption for all users.
One aspect of video conferencing is that it’s a platform for live child sex shows and other highly disturbing activities. An example of the role video conferencing sometimes plays in this type of crime is found in a criminal case federal prosecutors brought in 2016. It charged a man with distribution of child pornography for allegedly participating in video meetings on Yahoo’s video platform.
In all, prosecutors said, hundreds of Yahoo users were involved in a scheme that broadcast horrific child abuse in real time. Under established case law, prosecutors couldn’t have filed charges unless a Yahoo employee was able to monitor feeds, witness the abuse personally, and describe it in sworn testimony.
A person familiar with Zoom’s plans said these types of live sex shows involving children are more common on video services than most people realize. Almost all of the participants use free accounts that are registered in ways that make their identities harder, if not impossible, to track. Few if any paying users engage in illegal activities.
Currently, when Zoom gets word of illegal activity, it can access the alleged participants’ accounts and monitor any of their feeds to verify the abuse reports. If the company implements end-to-end encryption correctly, this type of monitoring will be impossible.
Since almost all of the abuse is broadcast in meetings of unregistered users with free accounts, Zoom decided that the reasonable balance of security and safety was to implement end-to-end encryption only for paying customers. Zoom says it turns over customer data only when presented with a legally binding court order.
Like the Twitter user quoted earlier in this post, critics say Zoom is giving in to law enforcement’s exaggerated complaints of “going dark,” meaning that encryption leaves authorities no way to gain intelligence about real crimes. The counterpoint can be found in a Wednesday Twitter thread from Alex Stamos, a security consultant to Zoom who has a history of defending strong encryption against authorities and resisting unwarranted searches of user data. He cited two reasons for Zoom not making end-to-end encryption available to all: technical limitations when meeting participants connect by phone or by H.323 and SIP gear, and the need to balance privacy against the safety of others.
“There are legitimate product reasons for making E2EE an opt-in feature,” he wrote. “Such reasons existed for Facebook Messenger (which FB is working on) and exist now for Zoom. In both cases, I think optional E2EE on top of transport encryption is better than no E2EE option at all. But the other issue we have to grapple with is how products can cause harm outside of surveillance.”
“But the other issue we have to grapple with is how products can cause harm outside of surveillance. As you can see from the class schedule above, there are a lot of other harms. Zoom is dealing with a couple of these intensely right now.”
— Alex Stamos (@alexstamos) June 3, 2020
Another Zoom defender is Nicholas Weaver, a researcher at UC Berkeley’s International Computer Science Institute and a lecturer at the university. On Thursday, he challenged a critic on Twitter by saying the video conferencing service rightly needed a way to authenticate users (currently, free users need no account). Without it, he argued, end-to-end encryption would provide little meaningful protection because there would be no way to know if the user on the other end was really the person she was claiming to be.
“Billing records matter,” he wrote. “$15/month is establishing a paper trail and friction. I’m very comfortable with this decision, esp since proper end-to-end requires significant authentication infrastructure that isn’t needed in the current security model.
“In this world financial access is probably the most reliable device-independent one available,” he added. “You CAN have throwaway credit cards (gift cards) but those should be distinguishable based on a prefix list.”
Jon Callas, cryptography expert and senior technology fellow at the ACLU, has also described Zoom’s plans as a reasonable compromise.
Right now, few video conference platforms offer true end-to-end encryption, and those that do offer it do so only for select groups of users. (Google Duo is an exception, but it limits group calls to 32 participants, well below what Zoom allows.) What’s more, Gmail, Facebook services other than WhatsApp and Messenger, and hundreds of other widely used online services also don’t provide end-to-end encryption for their non-video services. It’s not clear why Zoom is being singled out for an industry-wide practice.
No doubt, the company has work to do. Zoom still hasn’t followed the example of Google, Facebook, and other companies in publishing transparency reports that detail the law enforcement orders they receive for user data. Until it does, users have a strong reason for caution. There might be other ways to balance privacy and security besides denying end-to-end crypto to all non-paying customers. But if Zoom implements its end-to-end protection properly, it will be one of the few conferencing services that does so for any of its users. Restricting its use to some users is a vastly better way to accommodate safety than building the kinds of backdoors authorities demand.