Zoom faces criticism for denying free users e2e encryption

In this photo illustration a Zoom App logo is displayed on a smartphone on March 30, 2020 in Arlington, Virginia. - The Zoom video meeting and chat app has become the wildly popular host to millions of people working and studying from home during the coronavirus outbreak. (Photo by Olivier DOULIERY / AFP) (Photo by OLIVIER DOULIERY/AFP via Getty Images)
In this photo illustration a Zoom App logo is displayed on a smartphone on March 30, 2020 in Arlington, Virginia. - The Zoom video meeting and chat app has become the wildly popular host to millions of people working and studying from home during the coronavirus outbreak. (Photo by Olivier DOULIERY / AFP) (Photo by OLIVIER DOULIERY/AFP via Getty Images)
Natasha Lomas

What price privacy? Zoom is facing a fresh security storm after CEO Eric Yuan confirmed that a plan to reboot its battered security cred by (actually) implementing end-to-end encryption does not in fact extend to providing this level of security to non-paying users.

This Zoom 'premium on privacy' is necessary so it can provide law enforcement with access to call content, per Bloomberg, which reported on security-related remarks made by Yuan during an earnings call yesterday, when the company reported big gains thanks to the coronavirus pandemic accelerating uptake of remote working tools.

“Free users for sure we don’t want to give [e2e encryption] because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Yuan said on the call.

Security experts took swiftly to Twitter to condemn Zoom's 'pay us or no e2e' policy.




EFF associate research director, Gennie Gebhart, also critically discussed Zoom's decision to withhold e2e encryption for free users in a Twitter thread late last month, following a feedback call with the company -- criticizing it for spinning what she characterized as pure upsell as a safety consideration.

It's a nuance-free cop-out to blanket-argue that 'bad things happen on free accounts', she suggested.


Fast forward to today and a tweet about the report of Yuan's comments written by Bloomberg technology reporter, Nico Grant, triggered an intervention by none other than Alex Stamos -- the former Facebook and Yahoo! security executive who signed up by as a consultant on Zoom's security strategy back in April days after the company had been served with a class action lawsuit from shareholders for overstating security claims.

Stamos -- who was CSO at Yahoo! during a period when the NSA was using a backdoor to scan user email and also headed up security at Facebook at a time when Russia implemented a massive disinformation campaign targeting the 2016 US presidential election -- weighed in via Twitter to claim there's a "difficult balancing act between different kinds of harms" which he said justifies Zoom's decision to deny e2e encryption for all users.


Curiously, Stamos was also CSO at Facebook when the tech giant completed the roll out of e2e encryption on WhatsApp -- providing this level of security to the then billion+ users of its free-to-use mobile messaging and video chat app.

Which might suggest Stamos' conception of online "harms" has evolved considerably since 2016 -- after all, he's since landed at Stanford as an adjunct professor (where he researches "safe tech"). Although, in the same year (2016), he defended his employer's decision not to make e2e encryption the default on Facebook Messenger. So Stamos' unifying thread appears to be being paid to defend corporate decision-making while applying a gloss of 'security expertise'.

His latest Twit(n)ter-vention runs to type, with the security consultant now defending Zoom's management's decision not to extend e2e encryption to free users of the product.

But his tweeted defence of AES encryption as a valid alternative to e2e encryption has attracted some pointed criticism from the crypto community -- as an attack on established standards.


Nadim Kobeissi, a Paris-based applied cryptography researcher -- who told us that his protocol modelling and analysis software was used by the Zoom team during development of its proposed e2e encrypted system for (paid product) meetings -- called out Stamos for "insisting that AES encryption, which can be bypassed by Zoom Inc. at will, qualifies as real encryption".

That's "what's truly misleading here", Kobeissi tweeted.


In a phone call with TechCrunch, Kobeissi fleshed out his critique, saying he's concerned, more broadly, that a current and (he said) much needed "Internet zeitgeist" focus on online safety is being hijacked by certain vested interests to push their own agenda in a way that could roll back major online security gains -- such as the expansion of e2e encryption to free messaging apps like WhatsApp and Signal -- and lead to a general deterioration of security ideals and standards.

Kobeissi pointed out that AES encryption -- which Stamos defended -- does not prevent server intercepts and snooping on calls. Nor does it offer a way for Zoom users to detect such an attack, with the crypto expert emphasizing it's "fundamentally different from snooping-resistant encryption".

Hence he characterized Stamos' defence of AES as "misleading and manipulative" -- saying it blurs a clearly established dividing line between e2e encryption and non-e2e.

"There are two problems [with the Zoom situation]: 1) There's no e2e encryption for free users; and 2) there's intentional deception," Kobeissi told TechCrunch.

He also questioned why Stamos has not publicly pushed for Zoom to find ways to safely implement e2e encryption for free users -- pointing, by way of example, to the franking 'abuse report' mechanism that Facebook recently applied to e2e encrypted "Secret Conversations" on Messenger.

"Why not improve on Facebook Messenger franking," he suggested, calling for Zoom to use its acquisition of Keybase's security team to invest and do research that would raise security standards for all users.

Such a mechanism could "absolutely" be applied to video and voice calls, he argued.

"I think [Stamos] has a deleterious effect on the kind of truth that ends up being communicated about these services," Kobeissi added in further critical remarks about the former Facebook CSO -- who he said comes across as akin to a "fixer" who gets called in "to render a company as acceptable as possible to the security community while letting it do what it wants".

We've reached out to Zoom and Stamos for comment. Update: Stamos has now sent this response to Kobeissi's criticism of his defence of AES, writing: "The free tier is encrypted on the wire, just like WebEx, Meet, Teams and other competitors. Just as with those companies, servers have access to the encryption keys to allow for things like phone bridges, room services and in-cloud transcription. The tweet thread and the paper I linked to make this all perfect clear and are accurate."

"[Facebook] Messenger's franking system addresses an important issue, allowing for hosts to report bad activity in a cryptographically secure way. We are looking at the Messenger design as we build host reporting. This is important to deal with 'Zoombombings', especially when the disruptors do something really harmful," Stamos added when asked about the possibility of implementing a similar mechanism on Zoom's platform.

"But that doesn't address a whole other safety issue, which is the creation of short lived self-service accounts that then host really harmful meetings for strangers, the worst being the live abuse of children. Right now, Zoom's T&S team can enter a small number of meetings that are very high risk but a proper E2E design (like we have proposed) would stop that."

Zoom consultant Alex Stamos weighs in on Keybase acquisition


More From

  • How Have I Been Pwned became the keeper of the internet's biggest data breaches

    When Troy Hunt launched Have I Been Pwned in late 2013, he wanted it to answer a simple question: Have you fallen victim to a data breach? Seven years later, the data-breach notification service processes thousands of requests each day from users who check to see if their data was compromised — or pwned with a hard 'p' — by the hundreds of data breaches in its database, including some of the largest breaches in history. As it's grown, now sitting just below the 10 billion breached-records mark, the answer to Hunt's original question is more clear.

  • The UK government to acquire satellite company OneWeb in deal funded in part by India's Bharti Global

    Distressed satellite constellation operator OneWeb, which had entered bankruptcy protection proceedings at the end of March, has completed a sale process, with a consortium led by the UK Government as the winner. The group, which includes funding from India's Bharti Global – part of business magnate Sunil Mittal's Bharti Enterprises – plan to pursue OneWeb's plans of building out a broadband internets satellite network, while the UK would also like to potentially use the constellation for Positioning, Navigation and Timing (PNT) services in order to replace the EU's sat-nav resource, which the UK lost access to in January as a result of Brexit.

  • Lime puts Jump bikes back on London streets

    Jump bikes are returning to London — this time through its new owner Lime . London is the first city in Europe to see Jump bikes return since Uber offloaded the company to Lime in a complex deal that unfolded in May. Lime raised $170 million in a funding round led by Uber, along with other existing investors Alphabet, Bain Capital Ventures and GV. As part of the deal, Lime acquired Jump, the electric bike and scooter division that Uber acquired in 2018 for around $200 million.

  • Intel to invest $253.5 million in India's Reliance Jio Platforms

    Intel said on Friday it will invest $253.5 million in Jio Platforms, joining a roster of high-profile investors including Facebook, General Atlantic, and Silver Lake that have backed India’s top telecom operator in recent months. The American chipmaker's investment arm said it is acquiring a 0.39% stake in Jio Platforms, giving the Indian firm a valuation of $65 billion. Intel Capital is the 12th investor to buy a stake in Jio Platforms, which has raised more than $15.5 billion by selling a 25% stake since April this year.