While I understand the tradeoff they took, it also means there’s no end to end encryption if any of the party is not paying.
Imagine being in a call with 4 people, 3 of you are paying customers and you’ll need to ask the fourth to also pay Zoom to get encryption. It’s a bad deal for the paying users as well.
I think civil unrest will set back privacy efforts. Basically, when people are scared, they want the government to protect them and theirs, and privacy concerns are pushed to the back burner.
Can they encrypt the calls at all if they allow people to call in? They would be the ones receiving the phone call, so they would need to be able to decrypt the zoom call in order to send it over the phone. I guess they could encrypt calls only if you disable dialing in or something.
Seems like E2E will be unavailable for meetings where there is a dial in participant. There's several other features which would need to be disabled as well to opt into E2E.
The reality is that this is being made out to be way more insidious than it is. Platforms should work with authorities so that bad actors like known terrorists can’t use a free platform to organize.
To the crowd who says “well you can do bad stuff if you pay” - If terrorists are paying for Zoom, they’re leaving a paper trail for the FBI. Free platforms are ripe for abuse because they’re free.
People doing high-profile illegal activities will always be able to use simple open-source software, that cannot be stopped.
Terrorism is not a valid reason - well, perhaps unless you're going to take the jump to including a Chinese national that says 'Tiananmen Square' to their wife in a random call, as some 'Law Enforcement' will.
My French language classes, typically held in person after work, moved to online and over Zoom. Initially, we tried Google Meet and found it laggy and that we would often drop out. Then we moved to Zoom and it has been a much better experience. The interface is more intuitive, has a few more features and somehow the quality has improved and the connection is much smoother. I care deeply about my privacy, but I'm lucky that we don't discuss anything sensitive in our classes such that the security issues and the lack of encryption would become a big deal.
We're a Gsuite shop, so we've been using Meet since before WFH.
It's fine, not great, but the connection seems stable and we have not experienced issues with conferences. Zoom is all that plus much more intuitive and easier to use. The entire Zoom experience is great from start to finish, built in background replacement is a really big draw along with the full tile layout (Meet got tiles two weeks ago).
I would also say that Discord video has been great too. It's only downside is that you can only be in a session on one device. That is an extremely annoying limitation as I prefer to be mobile on my phone headset and present or stream on the computer.
Exactly what we've found with our GSuite and Google Meet. Works fine with 8-12 people on a call. Useable by technically adept people, but we've had to talk clients through the interface sometimes. (From today- client: "How do I share my screen" me: "click the [share screen] text in the bottom right" client: "Oh, yeah. Of course.")
(If you want background replacement enough, OBS and VirtualCam lets you do it... I did it for a gag the other week to put myself inside a Russian nuclear powerplant control room for standup. It's not something I'd recommend telling anybody who's then gonna ask you to help them set it up though...)
I don't understand this though. I use both Google Meet and Zoom. On both platforms there are people who don't know how to use basic features labeled by buttons with descriptive text, and I don't even blame them because in a meeting when everyone's listening to you it's easy to have "brain farts" like this. On Zoom there's even the additional issue of "joining computer audio" even. I think this has more to do with people's personalities (perhaps triggering a form of stage fright) than the software.
Thanks for giving this overview! Are you using the web version or the Zoom app?
(I suspect many people on HN are using the web version because Zoom pushes their app aggressively and in an abusive way, which immediately makes the more paranoid among us decide that they don't want it. And I've heard that the installed version is great while the web version is not.)
Last time I tried, the web version of Zoom required you to create an account (even when using Chromium and the trick of canceling the download twice to make it show the web version link). The app, on the other hand, does not require creating an account.
Thats true and the only annoyance I have with Zoom is that its bad for screen sharing. To much of jitter and its terrible for sharing code screens. Microsoft Teams is much better most likely cause its P2P I guess.
I wrote the UI and my friend did the backend. One key point for me personally is doing privacy right. No identifiable data in logs etc. Tricky cause there will always be an element of "trust us".
Next weekend I hope to implement the experimental e2ee feature in WebRTC. Only for chrome so far, but maybe it'll take off for all browsers.
Why so dramatic? I understand the will to use zoom for free, but why should they care much for someone not paying? Video conferencing is still mostly not p2p, which means they are giving away a lot of bandwidth for free to a lot of people. If you have extra requirements, why not pay?
The acquisitions and hires they have made has made sense if what they are aiming for is making a more secure and private service. I don't doubt their intention. What I don't understand is why people expect them to provide all benefits for free.
Edit: does any service to multi-party e2e conferencing? What trade-offs are there?
I like the explanation and seems fair trade off to me for complying with laws. Meanwhile, I think Zoom sucks big time with their PR team unlike Google, Microsoft, due to which they are being pushed again and again on privacy issues.
The relevant bits I got from it were that there are a bunch of bad actors who create new Zoom identities and host meetings a few times before moving on, and Zoom needs a means by which they “can, if they have a strong belief that the meeting is abusive, enter the meeting visibly and report it if necessary.” Their E2EE design will make it impossible for Zoom employees to enter E2EE meetings without permission, so giving E2EE to the free tier will enable people to use Zoom meetings to facilitate abuse.
Looking back on this comment now I realize it can be construed as condoning Zoom’s decision here. I was not intending to pass judgement with that comment, but perhaps I should:
I think Zoom is wrong.
End-to-end encryption should be available to everybody no matter who they are. This means making it available to bad actors too. Expanding the scope of human communication should not be used to justify state surveillance. Privacy is a fundamental human right and one we should not be forced into giving up because it annoys the government.
Speaking more broadly, surely there is a point between zero privacy and 100% surveillance that we can all move to. If we take the encrypt (E2EE) approach to everything and all aspects of our lives, i.e. we should be able to protect our faces from video recording when walking into banks, then surely the system would be more open to abuse by bad actors. Accountability in society is what drives good behavior....if we take that away then chaos reigns. Therefore there must be a balance which is why the whole 'let's encrypt everything and protect everyone' feels like sometimes it goes too far and borders on zealotry...Yes I feel that personal freedoms are important but so is the state in mantaining peace.
Fair point with regards to government overeach. I feel like this is both a practical and political question we would need to answer as a society. What level of surveillance would be acceptable? Zero? Some? Maybe when for temporary accounts with no identity attached?
Inheritly in society, there was always some form of surveillance. When we left our homes, people around us could see and hear what we are doing and there in report suspicious behavor. Now we are adjusting to a new way of life with new forms of surveillance which are harder to detect. I completely get it and I more for encryption then for not. I guess I am also challenging myself to see both sides and think about a middle ground.
While Western governments could be better behaved, I'm feel like comparisons with the stasi are somewhat extreme and out of wack. I live in the UK and generally speaking I'm happy with the government here when it comes to surveillance. Maybe the US has a greater focus on security but they are a long way from stasi.
They might be long away from stasi now but you don't get there in a big leap you get there slowly, justifiable inch by justifiable inch until the surveillance is enough you don't have to justify it anymore because people are too afraid to protest.
If you want to discuss surveillance then yes of course it's a matter of degree. Putting cameras in a bank vs putting cameras in a pub vs putting cameras in your home. As you can tell in the real world it's clearer when it's a step too far. In the digital world we need to be more careful because it's unmapped territory.
You need to think hard about why it's an invasion of privacy to put cameras in your home. It may seem obvious but it's not. Once you understand the reasons why that is an invasion of privacy then you can start to draw analogies to the digital world and understand what is going too far and what is not. The problem is people don't have a deeper understanding of the reason we need privacy so they are easily sold security in the form of digital surveillance without understanding the eventual consequence.
I don't think it's practical to focus on the amount of surveillance as it is its nature and whether or not it can justify itself.
We already live in a society where widespread aggressive authoritarian surveillance that doesn't justify itself is commonplace. Snowden proved this. Your emails are read. Your naked selfies looked at. Personal data is used frequently to crack down heavily on legitimate dissent. These are unquestionable and it's getting worse and more entrenched, not less and it hasn't caught a single act of terrorism like it was set up (ostensibly) to do. The question is, how do we personally react to the unchecked growth of stasi-friendly surveillance infrastructure?
I think arguing that western governments could be better behaved is a fair point. The stasi also could have been better behaved. Frequent appeals to moderation didn't make them behave though and they haven't and won't make western governments behave either, though.
Appeals to moderation have a null effect because if the goalposts keep being moved, so does the moderate position. If you want your opinion to never matter at all, always pick the moderate, middle ground opinion.
Actually, the government already has, and has always had, stasi-like tendencies, they just happen to mostly target people who are not given a platform to talk about it.
Police and other law enforcement are already using legal powers to infiltrate and monitor 'radical' political groups such as Black Lives Matter, just like they have in the past with civil liberties groups. In fact, as we discovered in the COINTELPRO leaks, they were going way beyond the legal limits, having been complicit in the assassination of Malcolm X, and having tried to blackmail MLK into committing suicide.
Of course, it could be that such things don't happen anymore. Or, seeing how the police in Minneapolis are actively targeting journalists, it is significantly more likely that we just don't know about it yet.
No large state has ever tolerated real dissent to any great extent. The state doesn't have to be as paranoid about dissent as China or the USSR (which almost require(d) enthusiastic support) for police powers to eb abused against the legitimate interests of citizens.
I think it's fine to have cameras in a shop or in a bank or whatever the virtual equivalent becomes because they serve a clear security purpose.
The problem with not end to end encrypting private communications is during a lockdown people now have nowhere they can go for a private conversation. If you invite someone over to your house for drinks or for dinner you feel you can talk freely because the government doesn't have cameras in your house, that would be an invasion of privacy. Where is the virtual equivalent of that once zoom is not longer private?
Remember your freedom will be taken an inch at a time. Not all at once.
True, and I don't support Zooms decision. You said:
> Where is the virtual equivalent of that once zoom is not longer private?
What I meant by my comment is that there are good alternatives that are E2E and free, like FaceTime (ok you need an iPhone or Mac), WhatsApp, Signal etc. So people can just use that if they don't want to pay for Zoom (again, I don't think they're making the right decision either).
People will choose convenience over privacy when they can't see the threat. Zoom is convenient for video calls because it allows you to see all the people in the call on one screen, you can schedule meetings, the connection quality is good, it supports screen sharing and it's fully cross platform.
You already disqualified Facetime because realistically some of your friends and family have Android and Windows. WhatsApp connection quality is flaky, same with Skype. Does signal support group class? If it does maybe it could replace Zoom. Maybe. But all these options existed before lockdown and people still settled on Zoom because it's more convenient.
Either some massive scandal has to happen to make the public more privacy conscious or there needs to be e2e encryption by default, as a standard. With or without invisible state surveilled cameras shouldn't factor in to which dining table I buy.
>that are E2E and free, like FaceTime (ok you need an iPhone or Mac), WhatsApp, Signal etc. So people can just use that if they don't want to pay for Zoom (again, I don't think they're making the right decision either).
https://twitter.com/alexstamos/status/1268199863054811136
2) None of the major players offer E2E by default (Google Meet, Microsoft Teams, Cisco WebEx, BlueJeans). WebEx has an E2E option for enterprise users only, and it requires you to run the PKI and won't work with outsiders.
I'm not completely sure what the answers are here yet, but I do agree that it can be very psychologically reassuring to know that the only people involved in a conversation are the genuine invitees.
That said, abusive people do exist and are a legitimate problem, given the damage they can cause. Their abuse may be overt (threats, violence, noise, etc), or it can be subtle (for example, manipulation over long periods of time).
Some of that abuse may come from prior anger and frustration outside their control, and perhaps it's good to allow people to let that out -- as long as it doesn't end up harming other people in the process.
Would the situation be improved if the service provider could only step into the meeting when explicitly requested by participant(s)?
To follow your analogy, that could be seen as the equivalent of someone experiencing a medical emergency during dinner at your house and requiring outside assistance.
All these options would be gamed and misused, as they are during existing use cases in real life. Some people over-react, many people under-react, and society itself changes so it's important to build in flexibility for transparent and accountable change.
If you somehow accidentally invited an abusive person to dinner and they started acting abusive you would ask them to leave. Then when they don't leave you call the police. Really a stretch to imagine that happening more than once a lifetime.
In video calls you don't even have to do that, you can just kick them from the call. You don't need Zoom to step in you just kick them.
I really don't understand what you are getting at with the abusive people thing. What sort of situation are you imagining exactly?
Phishing is already handled by email. Don't click the zoom meeting link in the email from a Nigerian Prince and you will be fine. In general I don't see this being a problem with Zoom but rather a problem with clicking links from dodgy sources, zoom meeting links just happen to be one of many.
If there are others please list them because I'm struggling to understand the overarching thing you are getting at and examples would help with that.
That's equivalent to saying that there is a point that provides suitable authentication/privacy/… for me to ask my bank about things and instruct my bank to do stuff on my behalf, and also privides little enough privacy that any criminal goings-on can be surveilled.
Since money is key to many crimes and finding out who controls the money is an important way to investigate crimes, this in turn means that that point of agreement has to secure me from surveillance by badguys when I talk to the bank, and permit surveillance of the same badguys when they talk to the same bank in the same way.
This might perhaps be possible but the word "surely" seems inappropriate.
I think you are wrong. The reason is, people seem to continue extrapolating reasonable privacy laws that were originally meant for the physical world to the virtual world. In the physical world, however, there's always reasonable workarounds to break into these privacy barriers if there's a suspicion of crime. In the virtual world, often, there's no possible way to break strong encryption barriers even if everyone agrees there needs to be a check on what's inside for the public good.
As an illustration, if we get reasonable evidence suggesting that someone is growing marijuana in their ranch, we can get a warrant and go inside. There's not too much the owner can do to stop it. However a perfectly encrypted iphone cannot be broken into, no matter if the entire world agrees that there's evidence of crime in it.
From what I can see, no one argues against warranted search of personal property in the physical world, except maybe some sovereign citizen crazies. Given this, why can't we strive for a similar system on the virtual world as well? I too agree warrantless or unfettered govt surveillance of technology is bad, but that's a policy failing not a technology one. We should try to focus on how we can hold governments responsible instead of making fully protected crime caves for anyone who cannot whip up a conscience.
I agree privacy should be a right, but not at the expense of many people enduring a life of hell in these cordoned spaces for that cause.
If police has suspicion that they are commiting a crime it can request a warrant to install listening device and only then they can listen.
In Zoom like scenarios any third party (like technological companies using law as excuse) can listen without warrant (and they will say something like "no one is listening" as training AI is not considered "someone")
As such communications should be encrypted with asymetrical cryptography where only warrant giver can decrypt them (not warrant giver giving the private key to law enforcement, but decrypting the symetrical per session key and give that to the law enforcement). And this goes as phones too.
And quite frankly I dont care if police with warrant is listening to my conversations. I dont want to any company listen to them as they are not doint it for law enforcement but for profitting on my data (quite possibly against my interest) and this is something completely different.
This is the scenario where technology gives people MORE privacy, prevents police illegal wiretaps (without warrent giver consent), prevents technology provider wiretaps and on the other side still allows legal wiretapping based on warrent-giver.
But interesting, no one has any interest doing it, guess why?
Do you see a fundamental difference between Zoom and telephone companies here? Or do you think how we've handled telephony over the past century has been a clear failure? If the latter, do you think most people would agree?
I dont really care for telephone companies as heads would roll if they would dare to intercept my phone calls without court order. We had one case just 2 weeks back where one of mobile phone/internet installed some security "firewall" that was doing mitm on https, they are now under investigation and under consideration of criminal persecution. They had system in place for less then 1 week. I am protected regarding those by laws.
So to answer your question, telephone companies are a failure in USA (wild west and lawlessness), in my country they need to obey laws. Corporations doesnt obey any laws outside their country (which they select based on inneficient laws) and need to be harshly regulated.
My personally favorite would be legislation that would mandate e2e encryption that must not be backdoored by anyone else except law enforcement getting warrent but private keys are staying under judge supervision without possibility to give it away (in pkcs#12 manner) and can be only used to decrypt communication when he presses the big red button. Quite frankly you want to be able to wiretap organized crime.
So open source solutions should be banned? I should not be allowed to use or create a program that allows me to talk with e2e encryption? Finding someone in possession of undisclosed keys should be a crime?
Care to see what happens then? Check China. They are implementing this very thing. For the children, I suppose.
Those are not simple debates and you are just taking them as black and white and then offer one solution (e2e) and making huge issues on the other side (organized crime, corrupted politians (If I understand you correctly, you are most worried about them - China?). The "think of the children" and "terrorists" are the least problematic topics here).
The judge only access prevents mass data gathering of law enforcement agencies and three letter agencies (at least in my country). And enable control of further institutions. Secret and hidden backdoors (Crypto AG, Dual_EC_DRBG,...) or corporations bribed by government deals are the worse solution here as it doesnt prevent the access to the data to either corporations or secred agencies while it might hold away law enforcement or also not. And surely enables mass data gathering from all without any supervision or control. What the real issue here is that no one is mentioning any court orders. Everyone would just want to have access to everything. Now THAT IS an issue.
I was talking about legal entities operating in same manner as telcos were. Also in real world you can invent your own one time pad encoded speaking and no one will understand you even if they wiretap the communication. And actually mafia historically has been using slang to cover up the communication. Same as you can do it in open source.
Anyway, do you communicate over the "secret encryted communication channel" covered with rag, to prevent recording your lips, recording with laser measuring shaking of window glass, you face muscles, IR recording and probably next 100 methods I am not even aware of. As this are the issue you also have with warrant being issued. Guess not. So the police looks like is not an issue for you (or warrant).
Then the three letter agencies, except for "warrant" methods they will use rubber hose cryptography to break you and any of your e2e communication and actually you might wish they would be able to read from your communication without contacting you in person. So e2e doesnt change anything for you here either.
I refuse to handle open source solutions that you install on your server to use them in same manner as corporation entities that use their solutions to wiretap the communications of everyone so they can earn more money from informations they gather.
And I also think that "encrypted Apple" phones (and everyone else doing any business with government) and the whole FBI story is just a sharade to bait people that are hiding something in ecosystem where the can simply access the information by agencies that CAN issue gag order. The whole story surely looks like counter-espionage operation from 1970. Time will tell if I am right.
It's not black and white. And I am not offering e2e as THE solution to privacy and freedom, but as a part of it and an important metric of whether a solution is actually working right. Just because encryption does not protect me from EVERYTHING, like physical surveillance, that does not mean we should abandon it - THAT is black and white thinking.
Having the law being able to access encrypted communications at any time will trample at the examples I brought up, which are examples that came up with zero effort, no matter what you try to put into your proposed solution - if the goal is to prevent crime, and there are available solutions out there that allow for e2e communication, the goal does not stand. You can't have a corporation banned from e2e, but allow any random dude spin up a secure communication platform without any keys compromised - what are you even banning then.
It amazes me that "corrupt politicians" is shrugged off just like that, while corrupt officials of any kind is exactly what everyone need defenses against with ANY means. In China, they are in the process of legislating exactly what you propose - no private encryption key to be withheld from the law, and yes, you did not misunderstand, it's at the scale this implies, total control and ability to observe over all traffic and restive data at any time - even forgetting all that is happening now, that leaves little unattended by law there.
Now, what, China is a "bad example"? An "exception"? I'd say this attitude coming from governments is the norm around most the world. Where people are at real risk from what say say over the net.
Out of all such countries, let's take China. Do you believe China should reverse its course and allow encrypted communication for its citizens? Based on your words and thoughts, I say you would answer "no". It's doing exactly what you propose after all - now, the only tiny step to totally suit your proposal is to use their powers for "good"! Right? And they indeed using it for good, according to their own legislation.
Because, if you nonetheless said "yes, China should allow e2e in favour of its citizen's rights", you would in essence be saying that "Freedom loving Western countries" should give the law total access to any information (they will always do it only when needed, of course!), but the same countries should pressure "totalitarian regiments" to maintain their citizens rights including encryption. That's contradictory, at least by thinking about it only for a bit.
There's a correlation between these things. Any power given is sure to be abused. If that is not prevented and pushed back, it will not stop but worsen. Trying to find a formula to give absolute power and restrict it at the same time is just fooling around, it's the core assumptions that matter. Unless you really think that some governments are somehow immune to becoming corrupt ant totalitarian when meeting no resistance - their people must be saints indeed! - in which case, I am sorry to say, but I can only chuckle.
Read what my proposal was and stop beating the strawman (i wont attribute this to malice as you clearly havent read any of it).
With my proposal law enforcement can access to the unencrypted data far less that they can do it now (under the rag) and when they access they are under scrutiny of judges while it prevents corporations accessing it.
Maybe do take time to think about what country is, what government is and to who it serves, what corporation is and to who it serve, maybe ask yourself what the law enforcement is and who does it serve, if you dare go into further, what if there would be no law enforcement? Do you have the muscless for that?
Or chuckle mindlessly on. I think your whole statement is demanding advantages in system where someone else takes care for you to allow you to not think about dissadvantages.
In the real world one will notice law-enforcement breaking into their ranch, in the virtual world, they won't (and comparing growing marijuana to voice/video over Zoom is wrong).
In the real world law-enforcement wouldn't have access to the complete history of a conversation, in the virtual world they would. Even to anything in the past which is irrelevant to the topic.
The events in the real world are ofthen ephemeral, we don't expect our friendly conversation to last forever, in the virtual world, however, they can be recorded and stored forever.
Basically you should compare spying/wire-tapping in the real world vs. spying/wire-tapping in the virtual world.
> Given this, why can't we strive for a similar system on the virtual world as well?
Because there is no technical solution that allows something similar, such a solution
1. Must be exclusive to use by lawful authorities, a criminal cannot get a search warrant
2. Must have some reasonable per-instance cost to prevent overreaching
1 is very hard in a tech space if even possible, backdoors can always be used by other parties.
But even if 1 is possible, by the nature of digital surveillance it is very cheap and relatively easy to do mostly secretly, leading to things like NSA literally inspecting all internet traffic.
Yes, theoretically you could the seconds this if it is the overwhelming political will, but it isn't, and the general public doesn't care.
I think there is a debate here that we need to have, as a society.
But I think that broader society are not going to understand the technical issues, and are going to be swayed by overly-emotional appeals to "think of the children" and similar.
Therefore I think that we, as engineers - the people who will be asked to implement the results of any such debate, need to have this debate ourselves so we can take responsibility for our actions.
I can see both sides of this debate.
There is a legitimate need in society to gather evidence to discover the guilt or innocence of accused criminals. We cannot have a system of justice that assumes innocence until proven guilty but provides no method for gathering incriminating evidence.
There is also a legitimate basic human right to privacy. We must not be subject to constant surveillance by the state.
We have to find a middle path between the two extremes.
> why can't we strive for a similar system on the virtual world as well
because any crime in the virtual world can be uncovered by good police work. nobody has perfect operational security, including the government. so the solution to law enforcement is hard work by the law enforcers.
consider: prior to electronic communication, all private discussions were perfectly encrypted, because if you weren't there, you didn't hear what was happening. And society continued to function.
You simply can't trust the government to respect boundaries that they created but have the ability to breach, especially when it can be done completely surreptitiously.
We need to learn the lessons of Snowden, and fight tooth and nail to prevent anything less that complete, unfettered access to private communications by human beings. Anything that falls short of that will eventually be complete, unfettered surveillance, because there is no metastable equilibrium point in the middle.
consider: prior to the internet, /all/ telephone conversations could be monitored by the government. And society continued to function.
The controls on surveillance are not technical, they are political. The technology was the same, yet the Stasi listened to every call they could; other governments did not.
Fix the politics, because it /will/ win in the end. Learn the lessons of Germany and China.
We can work on fixing politics AND fix technology. We don’t have to choose between them.
What stopped the Stasi until politics was technology. And I think the encryption used helped to bring about the political change. If the Stasi had what Zoom is offering then perhaps the wall wouldn’t have fallen for 10,20,30 more years.
No, they could not monitor all conversations. They could only listen to as many calls as they had agents to listen to them. It was not possible for them to listen to everyone at once, nor could they use this as means of discovery. They had to suspect someone in the first place in order to decide to expend the human resources to listen to their calls.
This is fundamentally different from modern technology where they can have a computer listen to every single call, pick out whatever keywords they're looking for, and flag it for later review. Technology now makes it possible for them to truly listen to everyone at once. This is why end-to-end encryption is necessary for everyone.
Politics is not going to solve this problem. A lot of what America's police and intelligence agencies do is already illegal. They don't care. They're going to do anything they can with the technology.
If you can't fix the politics it's _not going to matter_. The politics will just make the technology illegal. That's what's happening in China.
It's a weirdly blinkered concept to say "America's agencies already do illegal things and their politics is broken but what will save us is American corporations deploying technology".
(The "we need universal E2E to protect our freedoms even if there are downsides" is not, in logical form, a million miles different from 'we need guns everywhere to protect us from the government and damn the negative consequences of having guns everywhere', frankly)
What if we fix the politics and forget about the technology, then the politics later become broken again? We won't be able to take back those private unencrypted conversations that could be used to retroactively incriminate us.
I actually believe that technologies such as strong encryption are creating important checks and balances that make our democracy stronger. They are not subverting it like you are implying.
>The "we need universal E2E to protect our freedoms even if there are downsides" is not, in logical form, a million miles different from 'we need guns everywhere to protect us from the government and damn the negative consequences of having guns everywhere', frankly
I agree, and I agree with both of those. Giving up freedom/privacy for safety is almost always a losing bet.
The actual trade-off is giving up safety to gain the illusion of freedom.
With guns, the state will always outgun you. So the gun-riddled society sees children in its schools murdered staggeringly often, while its (supposedly free) citizens are tear-gassed with impunity by a state for nothing more than a photo opportunity.
That was not a winning bet for that society.
It's similar with E2E. It can't protect you from the government, because the protection is illusory – it protects just you so long as the state wants it to. When it no longer wants it to, it makes it illegal. Administrations are already heading in this direction.
Meanwhile E2E enables a number of proven harms, from lynchings to child abuse. Is that a worthwhile trade-off just for the protections it gives from corporate or illegal privacy invasion? Would it lose all of those benefits if legitimate law enforcement were allowed access? There is at least a debate to be had, there.
I see it as the exact opposite: giving up freedom for the illusion of safety. Using the tear gassed protesters as an example, when there have been protests where a large number of protesters were openly carrying firearms, nobody gets tear gassed. Neither the cops nor the protesters get remotely violent.
The people with the guns aren't attending the current protests, and you can see how that has worked out.
You can't do physical harm with encryption (unless you want to count superficial burns acquired from touching a Bitcoin-mining GPU), though. The presence of guns is a necessary and pretty much sufficient condition for certain classes of physical harm, which in the eyes of many _does_ make or qualitatively different.
One of the defences Facebook uses when confronted with WhatsApp-orchestrated lynchings in India is that e2e encryption means it can't know what people are talking about or help police track the source of the messages.
Your point? If those lynchings had been orchestrated by people meeting up in person instead, nobody could know what people are talking about or help police track the source of the messages either.
In either case, to actually lynch someone, you still need to go there physically and actually do the deed. WhatsApp chats don't kill; dudes with weapons do.
The point is the scale. Law enforcement was scaled and equipped to meet the challenge of in-person lynch mob formation. In-person meetings are risky, finding like-minded people can be a challenge, etc.
Encrypted comms gives a huge asymmetric scale benefit to those who have these crimes committed. What it hasn't scaled is the ability of law enforcement to respond. And that's a choice, one which is open to criticism.
>No, they could not monitor all conversations. They could only listen to as many calls as they had agents to listen to them. It was not possible for them to listen to everyone at once, nor could they use this as means of discovery. They had to suspect someone in the first place in order to decide to expend the human resources to listen to their calls.
I think you're taking this a bit too lightly. As a side topic, I am surprised to what extent state surveillance was a thing here in the telephone era.
The secret police had about 50k full-time agents, 600k double-agents and about 400k-500k informants. From a population of 18 mil, that's about 1 in 18. Consider an usual family. You have a brother or a sister, two parents, 4 aunts or uncles and 4 grandfathers. Odds were in favor of one of them being at least an informant.
For your community? There definitely was an informant or double agent among them. Just knowing that the threat is there has a massive effect in how people communicate and bond with each other, effects that can still be felt to this day.
Consider: prior to the telephone, to monitor a conversation government had to actually send people to where the conversation happened, and that meant that they could barely monitor any conversations - and yet society continued to function.
The government still can send people to watch people use their phones or computers. On the other hand, it seems hard to dispute that all our most efficient examples of totalitarian states are post-telephone.
> You simply can't trust the government to respect boundaries that they created but have the ability to breach, especially when it can be done completely surreptitiously.
No, but in a functioning democracy we can vote them out. Democratic governments by definition have an large concentration of power, otherwise they can't fulfill their functions.
But this is bound by laws, time, and the ballot box. Surreptitious (warrantless) government surveillance should absolutely be illegal. Searches with a legal warrant (through an accountable, non-abusive, warrant granting judicial system) are absolutely necessary to gather evidence for prosecution of crimes to take place. Without trustworthy investigation and prosecution of crimes, the social contract
will fail, and this has already started happening in many areas, as we are seeing in a way right now
However, this goes both ways - the populace should get far more transparency into the functioning of the criminal legal system - especially in to the training and conduct of physical law enforcement (police officers).
I think this argument makes me more sympathetic to law enforcement’s desire than any other I’ve heard.
I can really flip my brain around and see how this desire for non encrypted communication to be the standard could come from a good place.
That said, I still come back to my default stance: crimes need to be exist outside of the private communication, to be a crime. At least under US law, where it’s very hard for just pure communication alone to be a crime.
So go investigate whatever it is that is an actual crime and causing actual harm. Making communication not private has tremendous potential chilling effects on actual thought, because people think by talking!
> As an illustration, if we get reasonable evidence suggesting that someone is growing marijuana in their ranch, we can get a warrant and go inside. There's not too much the owner can do to stop it. However a perfectly encrypted iphone cannot be broken into, no matter if the entire world agrees that there's evidence of crime in it.
These examples are talking about a different thing, we should be careful to not mix them up since the arguments for and against can be different.
The discussion prior to your comment was about protecting data in transit (end-to-end encryption); both your examples are about data at rest (full disk encryption).
With encrypted data in transit, not only can it be broken into by intercepting at the endpoints (in the case of video or audio calls, even through the physical world by pointing a camera and a microphone at the user's device), but also the end result of an end-to-end encrypted connection is much closer to a physical world private conversation (can be "broken into" only by intercepting the endpoints, that is, pointing a camera and a microphone at the persons involved).
With encrypted data at rest, the best physical analogy is a diary written in code; even if the whole world agrees that it contains evidence of embezzling, it cannot be decoded without the help of its owner's mind.
With regards to security analysis the only difference between the physical world and digital word is proximity (hops) between agents, or evidence, in a conversation and convenience of access. Software developers tend to think purely in terms of controls and exploits, which is a tiny subset of security. Even conversations in the physical world can be encrypted, for example if two people are speaking Pashto I would have no idea what is said. If it isn’t recorded for later translation it’s encrypted forever.
Those few distinctions are important from a legal perspective where agents of digital concerns are more likely operating across political boundaries at any given moment.
> There's not too much the owner can do to stop it.
They can make available fail safes to store the evidence in a physical safe with tamper proof mechanics. Breaking such a safe would destroy the contained contents in the process much like attempting to break an iPhone with supposedly perfect encryption.
Since you are talking about surveillance another common misconception I have noticed many software developers make is equating the terms: security, privacy, anonymity which are all distinct. Privacy and anonymity are both aspects of confidentiality but privacy is concerned with hiding the contents of a message where anonymity is concerned with hiding the agents of the message. Those two do not overlap. Confidentiality is one of three aspects of security, though from a legal perspective privacy is available in many contexts without application of security controls.
> As an illustration, if we get reasonable evidence suggesting that someone is growing marijuana in their ranch, we can get a warrant and go inside. There's not too much the owner can do to stop it. However a perfectly encrypted iphone cannot be broken into, no matter if the entire world agrees that there's evidence of crime in it.
let's wait until something like a "perfectly encrypted" phone actually exists before we go down this road. AFAIK, the feds have eventually been able to break into the phone in every high profile case where the issue has come up. it's not impossible, they just don't want to pay what it costs.
You make a good point, but finally encryption is just a tool. The virtual and the physical spaces are both domains, whose different nature offers different tools at their disposal. I don't think you can protect anything in the physical domain with the same certainty and mathematical elegance that's available to digital files, but if there were I wouldn't be opposed to it.
Imagine if there were a safe that couldn't be opened by anyone but the owner without destroying its contents. Would you be opposed to that? What if the design mechanism of this safe were as easy to implement as the encryption protocols are? Yes, one day some expert safe-cracker might break it. And in the even farther future the advent of "quantum safecracking" would perhaps make the safe as secure as a luggage lock. In the meantime the police would have to resort to their traditional methods.
Unfortunately all kinds of damning evidence have been lost to time. Fire is older than paper.
> Given this, why can't we strive for a similar system on the virtual world as well?
1. Encryption is an indispensable part of pretty much everyone's life. I can't imagine there's many people in our society that go more than a few days without using it.
2. If encryption can be broken by the police, it can be broken by other actors. Full stop.
2.1. It is been shown impossible for our government to keep a secret like a master key.
> As an illustration, if we get reasonable evidence suggesting that someone is growing marijuana in their ranch, we can get a warrant and go inside. There's not too much the owner can do to stop it. However a perfectly encrypted iphone cannot be broken into, no matter if the entire world agrees that there's evidence of crime in it.
Is that a terrible thing? It's not like they are hiding guns in their iphone. While there could be evidence in there, at some point there is physical evidence in the real world. Just making it easier to convict them is not a solid argument for weakening protections for everyone.
I don't think that any of the surveillance powers that the state is demanding with respect to electronics actually map that neatly to what was possible before electronics emerged. We're talking about conversations rather than physical effects, and it's not like you could obtain a warrant to retroactively obtain the contents of a conversation a marijuana dealer had with his client yesterday: once the vibrations were gone from the air, that data has been erased irretrievably. To listen in on the conversation you actually had to go there, which naturally forces you to be judicious with your surveillance powers by virtue of limited resources, whereas the electronic version scales indefinitely. On the other hand, as long as the people who are of interest to law enforcement still exist in meatspace themselves, everything that used to be possible is still possible: just as you could obtain a warrant to bug someone's room to listen in on a conversation, you can obtain a warrant to bug someone's room to observe their phone (or bug the phone itself, with physical access! Maybe that would be one rationale to finally force Apple to make its phones "repairable" by individuals :)).
I so want to be on the same side of this discussion but the argument is nuanced.
The reason "think of the kids" works so well to justify blocking E2E all the time is because child abuse happens literally all the time.
When someone solves this problem, and I don't think any of us really believe it to be solvable, we can move on. I don't want the government in my private conversations, but I don't want my kids in someone elses either.
To extend this - we recognise a duty of care to our users and their privacy when we build these systems, but if those users plan and carry out an act of terrorism did we not also have a duty of care to their victims to not aid their killers in planning their murder?
We can't shunt this responsibility forever, the public will not take our side down the road - because we are ignoring the counter-argument even if we wedge our fingers in our ears.
Child abuse, terrorism, drug trafficking and professional crime in general is a needle in a haystack compared to boring petty crime let alone normal communication.
Law enforcement entities that try to prosecute these kinds of crimes doesn't do it by building haystacks of data and then combing through looking for needles because that's a waste of their resources relative to the amount of results obtained. They do it by attacking the endpoints where the abuse or terrorism, or other professional crime has to actually happen. They find a terrorist, or a child abuser or a drug trafficker or they find evidence of their handiwork and then work from there. They see where they get their money, their bombs, their drugs, etc, etc and follow the links as much as they can. When law enforcement is actually trying to target crime they don't go fishing, digitally or in meatspace because that's not an efficient way to obtain results if the goal is to go after some genre of professional/organized crime.
Running a mass operation with no specific target (like speed traps in meat-space or dragnet operations in the digital world) is great for padding stats because you can say "look, we got X pounds of meth off the street" or whatever but it doesn't actually do much to target the professional crime because professional criminals take steps to avoid being caught in lowest common denominator type policing.
Neutering encryption (so that cops can continue to run surveillance dragnets) doesn't do anything to help the cops catch real criminals, that's just a talking point made up by the people who want the government to have the ability to put any arbitrary person under a microscope.
You will always be able to communicate with someone else in an encrypted manner, if you both want to do so, and no legislation that forces popular platforms to go unencrypted can change that. So, no illegal activity will be harmed.
> child abuse happens literally all the time... I don’t want my kids in someone elses [private conversations] either
93% of the time, the perpetrator knows the child. If you’re seriously worried your children might be victims of abuse, then your first line of defense should be against your own family and friends.
Users choose their technology. Technology doesn't choose its users. There's no way to make it impossible for criminals to use some communications service. The same technology that protects the lawful person will protect the terrorist and drug dealer. There's no solution available that doesn't also involve sacrificing the safety of upstanding citizens.
In case anyone doubts the above fact: government agents abuse their surveillance powers to spy on their loved ones.
There's no reason to believe the government is any better than these criminals. Cryptography must be strong enough to defeat even intelligence agencies as well as ubiquitous so that it'll be hard if not impossible to enforce legal limitations or bans.
on the other hand, zoom has a vested interest in identifying the people in the call (say to allow linking to a linkedin profile or other revenue-generating reasons).
Apparently it's okay for Zoom to shunt this responsibility for its paid users? Even if I were to accept your premise that omitting E2EE is a legitimate trade-off to detect abuse, Zoom's choice to selectively apply this standard for its free users suggests that this is NOT why Zoom chose to do this.
When you actually see the horrors of abuse, helped by internet and you realize that there are voluntary walls to protect these people (encryption for instance, but others too) you may have a different position. I would willingly give up that just to see children (or whoever) saved.
You may not, that's a choice. I would just like to know whether you have seen what actually happens in these circles before making a decision.
Also, I live in a normal country where this concern (state surveillance) is less of an issue.
Sounds as if you could also say that all photos people ever take, should be accessible to the government and police, to protect the children. And things people say in their homes, need to be accessible to the police, to maybe rescue kidnapped children.
> When you actually see the horrors of ...
I heard about someone working as a nurse, in an emergency room, and because of witnessing injuries from traffic accidents, she decide to never be in a car again. I can understand that, I think that decision makes sense.
But not handing over people's communication to people like Trump and Putin etc and their men.
2) None of the major players offer E2E by default (Google Meet, Microsoft Teams, Cisco WebEx, BlueJeans). WebEx has an E2E option for enterprise users only, and it requires you to run the PKI and won't work with outsiders.
The tweet you linked is newer than this discussion. And it's also misleading. The major players in the business world aren't E2EE today, so Zoom is breaking ground in that way, but as far as free offerings go FaceTime is E2EE and that's certainly not a niche service. WhatsApp is also E2EE. And there's a platform called Wire which I'm not particular familiar with but claims to be E2EE. And it's also a paid service, which suggests it's targeting businesses. I guess it just doesn't count as a "major player".
I don't get it. So they're fine with abuse, as long as you're paying them for it? Or do they have some sort of E2EE backdoor (probably, since they manage the keys), that they want to selectively apply, but can't do so if people are constantly using burner accounts, and thus want E2EE users to be somewhat anchored to their payment information?
dick flashers for one thing, and the pattern of connections or attempted connections should be a partial indicator of this sort of abuse, perhaps there should be somesort of flag that could be set on such an account for inappropriate behaviour, or even liberally thinking there should be an adults only adult activity flag to set.
this is a hydra that shows up every time someone creates a video chat there is a problem with sausage parties and sextual blackmail that needs work arounds
luring people to invite them as per clickbait methods, using obfusication so they are accidentally invited, straight up blackhat hacking to manipulate the system, early on the public meetings were getting bombed by flashers
these types are handled by identifying and outing them, or chasing them away, internet has to go beyond the "your ip number is" thing and demonstrate that there is a real knowledge of who they are, and that they are bothering people and it isnt going unnoticed.
Even if identifying dickflashers is their primary concern, situation can be helped by improving security, not decreasing it. Non-guessable meeting IDs, passwords, maybe unique invite links so it's possible for meeting orgs to identify who invited the flasher.
If someone sends clickbait invites to abusive meeting, then victims can trivially report it, possibly with screenshots.
> Their E2EE design will make it impossible for Zoom employees to enter E2EE meetings without permission
If this is acceptable to view a meeting without permission under abuse pretense, then it's also possible to do so even if someone's doing nothing wrong.
Even worse, if their system is compromised, a bad actor could monitor free users' meetings without any protections. And what is stopping those bad actors from getting a paid subscription, or maliciously gaining access to a paid account? Or these bad actors could use another system that doesn't compromise (Signal) or host their own.
Security comes in layers and logs. A system without these layers and accountability isn't secure. Zoom isn't secure, and is using law enforcement as a scapegoat and pretense to keep their security low.
Zoom has said that employees can enter a meeting, but there's no way to do that without being seen on the participant list and there is no way to record a meeting secretly. They've also said they wouldn't build these things.
>We also do not have a means to insert our employees or others into meetings without being reflected in the participant list. We will not build any cryptographic backdoors to allow for the secret monitoring of meetings.
That's a significantly better explanation, and they're really between a rock and a hard place.
They get to pick between headlines like the current one, and claims that they support child porn rings (he isn't saying it explicitly, but everything I saw looks like that is the problem they're trying to fight).
I think it's perfectly reasonable to have multiple reasons for doing something. Making money and deterring malicious users are both valid reasons. Some forums have paid fees for the purpose of deterring unwanted users (MetaFilter, Something Awful, Bitcoin Wiki in the past), so it's certainly a strategy with a precedent.
Yes, you can have as many reasons as you want, but the more you list them off to the public, the more time you have to spend defending them individually.. was the point that I was making.
There is a damn good reason why good PR people often refuse to comment. People remember stupid responses, but forget that “Zoom declined to comment to this article” very quickly.
The whole CSAM thing is terrible because it provides a great excuse for surveillance at any turn. Even though it's a tiny minority of people participating in the abuse because it is so bad people are willing to give up their own privacy for it.
There are other ways to track these criminals and we should be using those. We know they are smart enough to stop using Zoom once its no longer encrypted. Meanwhile normal people will be left holding the bag of surveillance.
A few bad apples, right? And it’s technologists and privacy advocates that are shielding their behavior.
I don’t think this argument really holds but I think it’s funny how quick we are to downplay our own “bad apples” and say that encryption is more important.
But it's okay if you're passively shielding abusers? I mean that's the crux of the argument here. "Sure, we're the preferred tool for child abusers and sex trafficking but a few bad actors don't invalidate the need for private communications" is an argument I would accept as a technologist but doesn't seem to fly with the public. It doesn't mean that E2EE is DoA it just means that you can't just throw up your hands and say that doing something is impossible.
Have the client check the FBI's CP database and refuse to send pictures that match. Sure it's open source and abusers could recompile it but they wont. In the same way that blocking the default curl useragent stops 99% of spam at my company. Would be attackers could change it, but they don't.
No one is defending child sex offenders. Just find another way to catch them that doesn't involve invading private conversations. It's the first step down a really bad path that you only have to look once at China to see the results of.
No obviously not, but you are creating a system that allows them to operate and shields them from being discovered. And if we're going to turn the political tide on E2EE from being the thing the "bad people" use to "the standard for private communications" then we have to have a better answer to this.
You don't win any political battles by being the preferred tool for child molesters and then telling the gov't to pound sand when they come asking for help finding them.
E2EE plus the client looks up images from the NCVIP database and refuses to send/receive messages would at least be something.
If the FBI comes knocking looking for access to a particular user's messages then have a system that kicks that user off the network until they agree to add the FBI's key into all their chats for a specified time. Make it a bright-line visible action to the user being monitored. You have PFS right, so they can't see old messages, and once the FBI's access is revoked you can prove that all your chats are private again.
This wont work because real child sex offenders would never give the key to the FBI. The reason I don't provide a solution is because there isn't a good compromise. However you slice it normal people will end up getting their communications monitored while the real bad actors will be one step ahead. You also can't effectively ban e2e encryption because there will always be a new software that pops up to do it. The end result is always normal people get surveiled and the real criminals are still shielded. That is why I'm saying it's a red herring. They will not be any closer to catching these people by opening up one app to surveillance. Maybe they catch one or two lazy ones but then it will dry up real quick.
If as a layman I had to guess another way to catch them it would be to go to the source. Follow cases of missing children. Investigate reported child abuse. Once you have caught one of them you are free seize their computer and use it to honey pot all their contacts, with e2e encryption so the contacts believe it's person you just caught.
Right! The point isn’t to ban E2EE it’s the design your chat system in such a way that it’s less effort for the worst actors to go somewhere else and pay lip service to the FBI. I don’t think any of these would actually solve the problem. Just that we might have a popular E2EE chat service that could survive the political fight.
Nice, the upside of posting a comment with >10 upvotes (not a common occurence in my case) is that:
1. you end up getting more responses
2. more responses === a higher probability of seeing gems like this wikipedia wormhole I'm about to get sucked into:) I had no idea about the horsemen/chans or that May identified the reason behind the alpha particle problem. Cheers.
As one of said children in the 80's that stuff freaked me out. Riding bikes at night with friends and hearing weird noises in the woods would get the ol' heart (and legs) pumping.
I was just the opposite. It just sounded so bizarre to me, that when the rumors started flying in my area of certain group's activities at certain locations, my friends and I would sneak off to investigate. It wasn't that we were interested in said activities, or that we were necessarily investigating the validity of the rumors. We were just curious. It turns out, it was all false and made up. Put serious doubts in my mind at an early age about "believing everything you hear", but also seriously lowered the credibility of the people repeating the information in my mind. Had it not been for my interest in computers, I might have turned into some sort of investigator.
> I feel like "we need to protect the children" is the new reductio ad hitlerum.
At the risk of being pedantic: it’s not new at all. That’s part of almost every political campaigns from the past century. Technically “reductio ad hitlerum” is the new “protect the children” argument.
I don't think history supports that. There were essentially zero childrens' rights until post-war. In some locations child abusers were originally prosecuted via animal-protection laws.
The “protect the children” argument has little to do with actual children protection laws. It’s about using pathos of the crowd to manipulate opinion.
Regarding history, I don’t know about the US specifically, but Europeans countries have legal children protections since end of 19th, beginning of 20th centuries (depending on the country).
I'm not sure I understand the trade off w.r.t. possible abuse.
For harassment / offensive content, if anything E2EE will make it easier to prove where offensive content came from. You've got a cryptographic chain leading to the source after all. All you need is a button to record and report things (which admittedly seems to be exactly what they intent to build). The E2EE aspect doesn't really change things, except that Zoom can't record things themselves, which they claim they didn't do in the first place (although they might have relied on the small server side buffer they had, but that's an iffy solution at best).
Also not sure what to think of Zoom's Trust and Safety team breaking into a private conversation when they think some kind of abuse is going on. Yes E2EE would make it impossible, but why on earth would Zoom want that kind of role?
The more and more I see of Zoom, the less and less I think the organization is in tune with Liberal ideals and culture. At least this is less devious than coping an absolute security stance, then turning around and giving the government the keys anyways.
I mean the historical concept. In a way, I think Zoom's organization is somewhat more in touch with the left wing and youth culture. I have a real distaste for how Zoom (the software) does things for you, as if it knows better.
I can’t speak for others, but zoom is super oriented for corporate meetings and they certainly aren’t “in touch” with my culture (esp compared to facetime or facebook video chat), its current popularity is just an artifact of being the most popular corporate group video software at the time the pandemic hit the US.
Secure by default is no longer a staple of communication apps?
I thought we established that standard. Oh well, ride your wave Zoom, don’t get mad when the inevitable funded competitors start showing up with security as a default.
I test drove Jitsi with a few different groups (including a not particularly technical frined group) with no more instruction than "Here's a link to a video meeting. If you're on mobile it'll prompt you to download the app. The password is 'foobah'", and it "just works" too.
> Enterprise orgs don't care about cost.
In my experience,thay also don't care too much about ease-of-use either. Purchasing deparments and managers are looking to someone who'll convince them that they won't personally take the blame when something goes wrong, which is why expensive proprietary services win over open source so often... "Sure everything's gone TITSUP[1], but it's Microsoft/SalesForce/Zoom fault. I've logged a ticket." is a magical career and face saving phrase...
1 "Total Inability To Supply Useful Product" - hat tip to El Reg...
(And you don't need anything like as big an instance as a t3.large - a t3.small works fine for small workloads...)
Everything from the "Install and configure Jitsi" section works just fine on Digital Ocean (and Raspberry Pi) too, if you translate the AWS specific setup stuff in the previous parts to suit...
At which point you find a trail leading to some Russian hackers who stole the credit card and then sold it for cryptocurrency over the internet to the person you're looking for, who they have never met.
It's square one. It's no easier to trace the anonymous buyer of a stolen credit card than the anonymous Zoom user to begin with.
And you know - stolen credit cards might even give them an actual conviction they can make stick "Al Capone style", instead of trying to convince a jury that shittalking in a Zoom chat was a real threat...
> When you pay for something, you are very traceable, its a big difference.
So in order to have privacy you have to do a thing that violates your privacy. Rather problematic for people who need privacy.
If I'm organizing one of these anti-police brutality protests, I don't think I want the associated purchases to be tagged with my name in some police-accessible database.
Meanwhile the actual terrorists and foreign governments can just commit identity theft or similar.
They are two distinct concepts. Security with encryption is about trust guarantees. I send message X to Alice and I know Bob can't read the plaint text of message X because I encrypted it with Alice's key.
Privacy can benefit from additional security. But it's generally a whole other ball game. For example, Bob will still know I sent a message to Alice and can hit me with a wrench until I reveal the plaintext of message X.
It's all privacy here. End to end encryption provides privacy; the company can't view your conversations. Not paying with a credit card provides privacy; you don't have to give them your personal information. So if you can't have one without the other then you can't have privacy with Zoom. (Unless you're a terrorist with a stolen credit card.)
What about the troves of metadata they collect and make available to law enforcement? Plus the fact you have to register with a phone number which can tie the metadata to a specific individual.
Doesn't sound very private to me.
Privacy is full of tradeoffs. Security isnt. My messages on WhatsApp are safe from anyone I don't trust that doesn't have 10 super computers and a lot of patience.
But that doesn't mean everything I do on there isn't tracked to kingdom come. It doesn't mean the fact I sent a message to Alice is private.
> So by your logic then, WhatsApp provides privacy?
By your logic by my logic then Zoom provides privacy if you pay them. This is obviously the opposite of what I said. The most private solution is end to end encrypted and doesn't require a credit card and doesn't collect metadata etc.
> Privacy is full of tradeoffs. Security isnt.
Everything is full of trade offs. How can privacy be full of trade offs and security not when privacy is a subset of security?
> The most private solution is end to end encrypted and doesn't require a credit card and doesn't collect metadata etc.
The most private solution actually doesn't involve a computer at all. It's not very useful though.
> How can privacy be full of trade offs and security not when privacy is a subset of security?
See my initial comment:
> Security with encryption is about trust guarantees.
I'm not meaning "cybersecurity" when I say security here. I'm talking specifically about the security of encryption. Privacy and crypto security are two distinct concepts within cybersecurity.
Privacy hides the existence of a thing. Encryption (security) keeps the thing safe.
Isn’t that part of security? I mean you lack physical security to prevent bob from using a 5$ wrench on you.
if security proctols make it difficult to trace that you sent a message at all,I.e. also takes care of metadata along with the content you also get privacy.
With physical security, it would be more like "I trust Bob isn't going to hit me with a wrench because he told me he wouldn't".
Bob isn't very trustworthy.
Sure, we could encrypt everything ever created by any device at all times.
But some sort of communication is sent from one IP address to another IP address. Even if it's encrypted, some form of something was sent.
This is where privacy then becomes a thing. You could start sending random noise out constantly. then when your encrypted data is sent out it looks like the rest of the random noise.
That would be like "I sent out 4999 random messages to 4999 random people and 1 encrypted message to Alice. Now Bob can't work out I sent my encrypted message to Alice".
That's the difference. Privacy is about hiding the existence of something from Bob. Security is about keeping something safe from Bob.
> That would be like "I sent out 4999 random messages to 4999 random people and 1 encrypted message to Alice. Now Bob can't work out I sent my encrypted message to Alice".
No, in order to have privacy you can choose applications which appeal to different user base and have different tradeoffs. Like Signal, or even WhatsApp.
Zoom appeals to a different user base and offers different features as selling points. Please read the twitter thread mentioned below to understand their perspective.
Originally only two person chats were e2e encrypted, then the added e2e to group chats, but last time I checked (admittedly a year or more back) if one participant in a group chat had an old version of the app, the entire group chat was unencrypted, without an obvious user interface indication of that.
I use (and trust) Signal. I believe Wickr is trusted by people who have resources behind them to know whether it's trustworthy (though it's closed source, so :shrug:).
If you need "used by the masses", then you're gonna be stuck with, I dunno - Facebook public posts? Gmail? Slack? Smoke signals? Nothing that's fit for purpose" if you value privacy...
> No, in order to have privacy you can choose applications which appeal to different user base and have different tradeoffs.
In other words, don't use Zoom.
> Please read the twitter thread mentioned below to understand their perspective.
Their perspective is they don't want to use end to end encryption so they can turn their users in.
Even for ordinary users, this yields no advantage to the user. For users who have reason to fear oppression by the authorities it's quite problematic, and in general everyone else should try to avoid using such things out of solidarity.
Maybe it is not about affordability, but about digital footprint (credit card, bank account etc.) which these kind of agencies would be wary of, after all Zoom does not accept cash transactions.
If they think you're a terrorist or want to pretend that you are, $20 won't keep them out of your calls. This is just a way to justify expanding surveillance and making a few bucks off it.
Aside from the PR fiasco, this is bad for their paying users.
I can’t verify that Zoom actually encrypts my calls, I have to trust that they’re telling the truth. When I find out that they’re willing to turn off encryption for some calls to make spying on their users easier, the idea of holding business meetings on their platform becomes unpalatable.
They're also maybe allowing decryption by anyone else who wants to, and by law enforcement without a warrant - there's no cryptographic proof anywhere that Zoom will only hand the key to police on presentation of a warrant, and never use it themselves.
In the meantime, anyone who actually cares about their privacy can use an e2e encrypted group chat today with e.g. Wire. All this gets us is that unwitting people who can't afford to pay are in the position to get spied on.
It's the same thing. If it can be turned off, it will be accidentally turned off, accidentally not turned on, or a myriad other things in this general direction.
I witnessed a cellular carrier discovering that they had all encryption disabled for several months. A honest mistake, but one that should have been impossible by design.
"If Emil was a rogue service provider running the bridge for the meeting, he would no longer be able to eavesdrop on it and an attempt to do so would only yield, well we already said that: an endless stream of rubbish.
The only way for Emil to actually participate in the meeting would be if he was made privy to the e2ee key. In this case he was and once he enters it, everything goes back to normal"
(Sadly, Chrome only for now - so if Google and state actors are your adversary, "you're still gonna get mossad'd upon"...)
Current encryption imementations (AES GCM) will not be downgraded. Meetings will still be encrypted and meeting content is still not going to be used for tracking users.
E2E will be an opt in choice for paying users who are willing to sacrifice some features for the benefits from additional security.
On a more serious note, until there is a protocol and implementation available then we can't say anything for sure. Us Security folks aren't magicians.
That was uncalled for . Yes it is hard or impossible to do in zoom .
If these tools use open standards and well documented protocols this will not be a problem.
I can verify without a phd in cryptoanalyis and reverse engineering my browser is running a secure connection to a website and certificate is signed by the source(for sites enabled with FS and HSTS ).
This is well known issue since Ken Thompson’s trusting trust paper and not what am I getting at it
It is degrees of trust . Trust is not absolute , neither is security . Depending on your threat models you have to secure yourself. More transparency improves security does not solve all the problems just makes it costlier for an attacker . If cost outweighs the benefit they will not attempt to do it.
Https does not magically make your communication 100% secure ,however the number of people who can issue a certificate from a comprised root CA or control one is considerably less than the number of people who can monitor your plain text traffic .
Don't get me started on browser certificates. That's a whole week of my life I'll never get back.
The short versiom of it is, your browser trusts CAs to say whether a certificate is valid. But CAs often trust other CAs who may not actually be that trustworthy. Those CAs then trust other CAs who definitely are not as trustworthy... Etc.
So that certificate/padlock picture in your browser may not be as trustworthy as you think. It's an active problem.
In terms of an actually relevant reply that's not bemoaning browser certs...
Yes I was a bit harsh. But I was trying to demonstrate a point - no one knows for sure until we can look at this stuff in detail. Until the researchers get to pull it apart then no one can verify anything. The little green tick on a zoom call is practically worthless until some external work is done.
The protocol is documented and open. I linked to it in my comment.
The open proctols for RTC today is webTRC. Zoom does not use webRTC. If the proctols Are open like http then I can build my own client and do not have to use theirs (just like you can your own hacker news app) . Zoom will not use webRTC for this precise reason. If they and all others did I can choose my client and I can choose a client who I trust and will give my green tick open source or not .
Google supported jabber in chat for a long time , slack supported IRC (both dropped the support ) but when they did you could any irc client in slack or use google chat using jabber with any client
If an open protocols for video are used like email (although not good example for encryption). It does not matter who your service provider is you can verify they are secure , or move to another one .
Today I have more than 10 video conferencing apps on my devices (zoom, Hangouts, meet, Webex , teams, GoToMeeting , chime , Skype, SfB, FaceTime , signal, telegram , ring central and Uber conference... ) because a customer , partner friend or family uses one of those . I have only one email and browser client though, it does not have to open source at all, ppl happily pay for closed source gmail or o365 without worrying will my mails deliver to you while still using official client or client of their choice
Sorry, to clarify, when i say protocol I specifically mean the E2E encryption protocol.
Also, have you thought about asking your clients/whatever to use one app to communicate with you? Even if you get half of them onboard, it sounds like it would save you a lot of mental bother.
I wish , every company has their own app to use , they will invite you to their conference by default, asking 10 people on the call to change for 1-2 is not feasible.
Many of them cannot install any new native application on their desktop / phone without IT approvals or their vpn does not allow traffic to consumer apps like Hangouts . They also need to record for compliance , pre-Covid some apps like Webex are connected to their conference room bridges using dedicated lines and hardware etc
Family / friends do not use use biz tools , it not easier to convince Apple users who like FaceTime, messenger is popular in few countries , wechat in China , WhatsApp in other places .
It is easier install another app rather than trying to get your grandma to switch from one thing someone installed on her phone and she learnt to use.
Reverse engineer/packet sniff the implementation and perform some sort of cryptanalysis to see if the implementation works according to the published protocol. It's pretty standard.
That's sort of what happened with the ECB mode stuff that kicked this whole thing off in the first palace. See section 4 from the below for more info.
That doesn't show that someone on Zoom's end isn't decrypting data in an invisible way, without a warrant, with the key they have access to, in the non-e2e case.
This whole discussion is about the E2E case. That's what the CEO was referring to. There's a twitter thread link somewhere.
I think I read that Zoom do decrypt AES-GCM server side already. They have to so they can put the little green box around the person currently speaking. EDIT - this is incorrect for AES-GCM, it's not decrypted server side.
Edit - at least e2e is the angle I'm approaching it from as it's the new information.
Which is a fairly ambiguous question and could be interpreted several ways so I went mainly for the E2E case (as it's the new thing).
Could also be interpreted as how can we show only paid users can access it? Or that certain features will be disabled with E2E?
What I replied with covers both E2E and the current state equally tbh (the linked article did it before with ECB). There are always limitations to what is possible.
I could break into the Zoom servers to make sure everything is kosher. But that's illegal.
If WhatsApp started transmitting E2E keys back to their servers people would find that out client side through network packet inspection, not server side.
Security researchers are limited in the tools/methods they can use. We have to work with what we've got at our disposal.
> Security researchers are limited in the tools/methods they can use. We have to work with what we've got at our disposal.
Which is exactly why "trust us, we're not going to do anything with these keys" is a ridiculous state of affairs and shouldn't be tolerated. We can't show that they're actually doing what they say, and it'll be years after they implement mass surveillance on the behest of law enforcement before someone leaks something.
> I think I read that Zoom do decrypt AES-GCM server side already. They have to so they can put the little green box around the person currently speaking.
> Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, points out that group video conferencing is difficult to encrypt end to end. That’s because the service provider needs to detect who is talking to act like a switchboard, which allows it to only send a high-resolution videostream from the person who is talking at the moment, or who a user selects to the rest of the group, and to send low-resolution videostreams of other participants. This type of optimization is much easier if the service provider can see everything because it’s unencrypted.
This was 2 months ago so their new white paper clarifies the current situation:
> For use cases such as meeting real-time content (video, voice, and content share), where data is transmitted over User
Datagram Protocol (UDP), we use AES-256 GCM mode to encrypt these compressed data streams. Additionally, for video,
voice, and content share encrypted with AES, once it’s encrypted, it remains encrypted as it passes through Zoom’s meeting servers until it reaches another Zoom Client or a Zoom Connector, which helps translate the data to another protocol.
That Bloomberg article is boring except for the sentence at the end. The submitter made the title be about the last sentence, but we changed it back to the original, which didn't satisfy anybody because the only interesting thing about the article is the last sentence.
The current post seems at first glance to be a garden-variety tweet picking up on that sentence, but someone pointed out to me that it's actually by the author of the Bloomberg article, suggesting that he might be at odds with the Bloomberg editors about what aspects of the story are significant. Suddenly that's interesting.
Given that sneak's post was the first on this and that it links to the statement by the reporter about the only thing that anyone here cares about, it seems clear that this is the post we should leave up. So I merged the comments from the other thread hither.
FBI are slightly above police concerning abuse of authority. Once I reported a serious crime police in my area weren’t willing to investigate and I filed it with the fbi but never was contacted again and when I was told they would. Seeing how cops behave with the protests makes me skeptical if any law enforcement in USA is legitimate unless you’re loaded with money or social influence.
That's nice and all, but unless you can install their software by compiling the source yourself you have no chance of verifying that the implementation is actually correct. Even with the source available that's an extremely difficult task.
Are they somehow obfuscating their binaries, or are they simply LLVM output? Is it your belief that straightforward compiler output is somehow infeasible to verify?
It’s already too hard to find security bugs in clean source code. Analyzing a binary can confirm the existence of encryption and the overall crypto scheme, but not the absence of backdoors.
Help me understand how the exact opposite thing isn't true? The binary is the true record of what the platform is actually going to execute, unlike the source code.
Because the analysis needs to be done by a human mind, and it's 10x more difficult to analyse a binary, even with some tools. And it is already hard to analyze even clean source code, because there can be hidden backdoors, they are not always all called "function SendDataToFBIForTracking(data)".
If the build is reproducible, you can analyze the source, compile it and verify they're distributing the correct binary. If the build isn't reproducible for some reason, you can still do this on some subset of the code.
Now, of course, the binary is what gets executed, so it is the ground truth.
What he means is that it's not practically feasible. Experts and a few talented crackers have the expertise to go through a binary with tools like IDA Pro and analyse it, but the process takes a lot of man-hours and is much harder than auditing source code. So yes, if there is a problem with Zoom the NSA and other state-run agencies will find and exploit it, but ordinary security professionals might not have the combination of manpower and expertise needed.
Since it's used so much now, I still hope that somebody reverse-engineers some of the clients. In contrast to auditing open source code, this might also pose legal problems, though.
I should have qualified my statement better. There aren’t many people in the world who can accurately audit a complex application. Evidence of the above fact is that there are approximately zero complex applications without a history of security issues, and there have even been successful attempts to maliciously add exploitable bugs in open source projects.
Among these people only a small minority is able to perform a similar audit on compiled code, and only at a much lower pace.
So I agree that it is possible to check a binary, but it is not feasible in a reasonable way.
PS. You are a well known (maybe even famous in the community) software security expert. Your perception of the availability and competence of good experts may be skewed by the fact that you probably know most of the good ones
He can maybe do it, and a few dozen of other people. There aren’t simply enough good experts to do it on any significant portion of popular software products.
"Reverse engineering a specific version [every version?] of a private binary is a reasonable burden of proof for users to undertake in order to feel confident in the encryption used by their comms"
What? I usually agree with your takes but this seems out there (or did I misread/mischaracterize it)
You would still have to audit every the code of every released version right?
Reverse engineering is obviously more difficult but someone with the right skills and tools would find it a straightforward task.
Also - unless you are somehow also inspecting their CI/CD toolchain, there's no guarantee that the source being inspected matches the binaries being released - so you would need to reverse the binaries anyway.
Their terms of service disallow reverse-engineering or even disassembling the binaries: https://zoom.us/terms
> You agree that You will not use, and will not permit any End User to use, the Services to: (i) modify, disassemble, decompile, prepare derivative works of, reverse engineer or otherwise attempt to gain access to the source code of the Services
“Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose.”
He could be a 'PR Genius' by gently coaxing people into being paying customers, but I don't think that's it, rather, this is just mind-blowing, gigantic PR lack of self-awareness verging on disaster. To just say it as he articulated it, publicly ... my gosh man.
From a communications perspective this is like comedy.
EVERY communications provider has to comply with lawful intercept [1] regulation in all the regions where they operate. If they do not they find themselves hauled before the regulator and they'll be fined or worse until they do or go out of business.
'Encryption', while it would make it harder to snoop on your calls from third parties, will not 'protect' you from lawful intercept.
Furthermore specific to the US Zoom also has to comply with the Communications Assistance for Law Enforcement Act [2]. This does in no way mean Zoom can not encrypt its traffic. It just means it has to provide law enforcement the ability to covertly wiretap every and any communication. If Zoom provides end to end encryption to its paying customers, it still has to provide access to law enforcement to the content of those communications.
I'm not sure what your point is? Do you believe that all encryption is broken? If not, to the FBI, the tapped data should be indistinguishable from random bytes, from the definition of ciphertext. And that serves its purpose perfectly well. Whether or not the FBI has access to the ciphertext is immaterial.
> 'Encryption', while it would make it harder to snoop on your calls from third parties, will not 'protect' you from lawful intercept.
Yes it will, it will make the intercept so expensive that it will not make sense anymore for them to do it.
In the first case, all they need to do to intercept is to call Zoom headquarters, or even just go to some pre-setup website and just enter the identity of the user and voíla you have the data. The cost is 1 man-hour of an agent.
In the second case, the Zoom doesn't have technical ability to break the encryption, and to "lawfully intercept" they need to either break your phone or physically break into your home to install some devices, or construct elaborate servers to trick your phone into thinking it talks to real Zoom, or use the supercomputers to break some of the encryption, or use some of their hidden stashed 0-day, and thus risk exposing it by using it, and not be able to use it later for a real threat. Cost of this can be astronomical for breaking a single user. (And all of that is even more true for open-source solutions.)
Also a lot of people disdain this not because they are terrorists. They disdain this type of surveillance because it has been shown many times that governments do not just track terrorists, they always end up abusing their power and track everyone, and there are agents who sometimes just make fun of people and read their emails etc. Didn't you read any of the Snowden material that was published? Encryption prevents exactly this type of ABUSE of the power by the government.
>If Zoom provides end to end encryption to its paying customers, it still has to provide access to law enforcement to the content of those communications.
How do you think this works? If Alice and Bob generate private keys and share only their public keys with each other over the wire how does the provider obtain the content of those communications to share? It never had them.
There is no non broken way to provide a backdoor for government while actually retaining meaningful security in the long run. See the extensive discussion on "key escrow"
Lets discuss a very old encrypted communication mechanism. PGP encrypted email. If I Bob send an encrypted email to Alice how does gmail fulfill its obligations as stated previously to law enforcement? PGP came out in 1991 and CALEA is from 1994. In the 26 years since I don't seem to recall anyone shutting down gmail.
However, law enforcement agencies around the world see "broken" ways to achieve this as a 'lesser of two evils' trade-off. Am I too paranoid (I hope I am) to envisage a scenario where Sam, our friendly US law enforcement officer asks Sheila, his friendly AU counterpart to request a copy of the conversation obtained through technical capability and assistance notices and share it back under 5 eyes agreements? Add the pending bilateral CLOUD act for an extra spicy double exchange sandwich?
477 comments
[ 2.8 ms ] story [ 386 ms ] threadThere is? I'm not sure what my cost for clang, python, llvm, firefox, is for being free. Even wikipedia, mdn, openstreetmaps, ...
Zoom clearly says "Sure! (how high would you like me to jump, officer?)"
All meetings recorded (for law agencies and similar future use) or paid version
*We take your privacy seriously.
I suggest looking elsewhere instead of supporting Zoom.
Imagine being in a call with 4 people, 3 of you are paying customers and you’ll need to ask the fourth to also pay Zoom to get encryption. It’s a bad deal for the paying users as well.
I still think it’s a dumb move. Imagine if “HTTPS for pay users only” was a thing.
- Special Agent Smith here, FBI - here judge sign this order?
- What is it?
- Its someone who we suspect of doing bad stuff, AND they are using paid version of Zoom.
- Oh that's the encrypted one, right?
- Yes, your Honor, the free one is non encrypted, you have to pay to hide your convo.
- Here is the paper, good luck.
And if there is a backdoor for police there is a backdoor for more than the police.
That works only until the people you're scared of are those the government sends "to serve and protect"...
Should someone tell him?
https://twitter.com/alexstamos/status/1268061790954385408
To the crowd who says “well you can do bad stuff if you pay” - If terrorists are paying for Zoom, they’re leaving a paper trail for the FBI. Free platforms are ripe for abuse because they’re free.
Also I’ll need a copy of your bank account statement. I just need to take a look. Make sure it’s ok. Unless someone else has recently.
The narrative that we should sack our privacy to help “law enforcement” is fucking braindead.
Terrorism is not a valid reason - well, perhaps unless you're going to take the jump to including a Chinese national that says 'Tiananmen Square' to their wife in a random call, as some 'Law Enforcement' will.
EDIT: We tried Meet, not Hangouts.
It's fine, not great, but the connection seems stable and we have not experienced issues with conferences. Zoom is all that plus much more intuitive and easier to use. The entire Zoom experience is great from start to finish, built in background replacement is a really big draw along with the full tile layout (Meet got tiles two weeks ago).
I would also say that Discord video has been great too. It's only downside is that you can only be in a session on one device. That is an extremely annoying limitation as I prefer to be mobile on my phone headset and present or stream on the computer.
Exactly what we've found with our GSuite and Google Meet. Works fine with 8-12 people on a call. Useable by technically adept people, but we've had to talk clients through the interface sometimes. (From today- client: "How do I share my screen" me: "click the [share screen] text in the bottom right" client: "Oh, yeah. Of course.")
(If you want background replacement enough, OBS and VirtualCam lets you do it... I did it for a gag the other week to put myself inside a Russian nuclear powerplant control room for standup. It's not something I'd recommend telling anybody who's then gonna ask you to help them set it up though...)
(I suspect many people on HN are using the web version because Zoom pushes their app aggressively and in an abusive way, which immediately makes the more paranoid among us decide that they don't want it. And I've heard that the installed version is great while the web version is not.)
Trying to provide an alternative to zoom/google.
I wrote the UI and my friend did the backend. One key point for me personally is doing privacy right. No identifiable data in logs etc. Tricky cause there will always be an element of "trust us".
Next weekend I hope to implement the experimental e2ee feature in WebRTC. Only for chrome so far, but maybe it'll take off for all browsers.
The acquisitions and hires they have made has made sense if what they are aiming for is making a more secure and private service. I don't doubt their intention. What I don't understand is why people expect them to provide all benefits for free.
Edit: does any service to multi-party e2e conferencing? What trade-offs are there?
When he puts it in the context of their typical abuse pattern - anonymous emails, VPNs, and just a few meetings - this decision makes much more sense.
I hope they expand on their thought process in a blog post at some point, I'd love to read more.
The relevant bits I got from it were that there are a bunch of bad actors who create new Zoom identities and host meetings a few times before moving on, and Zoom needs a means by which they “can, if they have a strong belief that the meeting is abusive, enter the meeting visibly and report it if necessary.” Their E2EE design will make it impossible for Zoom employees to enter E2EE meetings without permission, so giving E2EE to the free tier will enable people to use Zoom meetings to facilitate abuse.
I think Zoom is wrong.
End-to-end encryption should be available to everybody no matter who they are. This means making it available to bad actors too. Expanding the scope of human communication should not be used to justify state surveillance. Privacy is a fundamental human right and one we should not be forced into giving up because it annoys the government.
The trouble is, by the time they do (and they will, China is halfway there), it will be too late to protest.
Inheritly in society, there was always some form of surveillance. When we left our homes, people around us could see and hear what we are doing and there in report suspicious behavor. Now we are adjusting to a new way of life with new forms of surveillance which are harder to detect. I completely get it and I more for encryption then for not. I guess I am also challenging myself to see both sides and think about a middle ground.
While Western governments could be better behaved, I'm feel like comparisons with the stasi are somewhat extreme and out of wack. I live in the UK and generally speaking I'm happy with the government here when it comes to surveillance. Maybe the US has a greater focus on security but they are a long way from stasi.
If you want to discuss surveillance then yes of course it's a matter of degree. Putting cameras in a bank vs putting cameras in a pub vs putting cameras in your home. As you can tell in the real world it's clearer when it's a step too far. In the digital world we need to be more careful because it's unmapped territory.
You need to think hard about why it's an invasion of privacy to put cameras in your home. It may seem obvious but it's not. Once you understand the reasons why that is an invasion of privacy then you can start to draw analogies to the digital world and understand what is going too far and what is not. The problem is people don't have a deeper understanding of the reason we need privacy so they are easily sold security in the form of digital surveillance without understanding the eventual consequence.
We already live in a society where widespread aggressive authoritarian surveillance that doesn't justify itself is commonplace. Snowden proved this. Your emails are read. Your naked selfies looked at. Personal data is used frequently to crack down heavily on legitimate dissent. These are unquestionable and it's getting worse and more entrenched, not less and it hasn't caught a single act of terrorism like it was set up (ostensibly) to do. The question is, how do we personally react to the unchecked growth of stasi-friendly surveillance infrastructure?
I think arguing that western governments could be better behaved is a fair point. The stasi also could have been better behaved. Frequent appeals to moderation didn't make them behave though and they haven't and won't make western governments behave either, though.
Appeals to moderation have a null effect because if the goalposts keep being moved, so does the moderate position. If you want your opinion to never matter at all, always pick the moderate, middle ground opinion.
Police and other law enforcement are already using legal powers to infiltrate and monitor 'radical' political groups such as Black Lives Matter, just like they have in the past with civil liberties groups. In fact, as we discovered in the COINTELPRO leaks, they were going way beyond the legal limits, having been complicit in the assassination of Malcolm X, and having tried to blackmail MLK into committing suicide.
Of course, it could be that such things don't happen anymore. Or, seeing how the police in Minneapolis are actively targeting journalists, it is significantly more likely that we just don't know about it yet.
No large state has ever tolerated real dissent to any great extent. The state doesn't have to be as paranoid about dissent as China or the USSR (which almost require(d) enthusiastic support) for police powers to eb abused against the legitimate interests of citizens.
The problem with not end to end encrypting private communications is during a lockdown people now have nowhere they can go for a private conversation. If you invite someone over to your house for drinks or for dinner you feel you can talk freely because the government doesn't have cameras in your house, that would be an invasion of privacy. Where is the virtual equivalent of that once zoom is not longer private?
Remember your freedom will be taken an inch at a time. Not all at once.
> Where is the virtual equivalent of that once zoom is not longer private?
What I meant by my comment is that there are good alternatives that are E2E and free, like FaceTime (ok you need an iPhone or Mac), WhatsApp, Signal etc. So people can just use that if they don't want to pay for Zoom (again, I don't think they're making the right decision either).
You already disqualified Facetime because realistically some of your friends and family have Android and Windows. WhatsApp connection quality is flaky, same with Skype. Does signal support group class? If it does maybe it could replace Zoom. Maybe. But all these options existed before lockdown and people still settled on Zoom because it's more convenient.
Either some massive scandal has to happen to make the public more privacy conscious or there needs to be e2e encryption by default, as a standard. With or without invisible state surveilled cameras shouldn't factor in to which dining table I buy.
Agree.
> WhatsApp connection quality is flaky
Disagree. Might be anecdotal, but at least in Europe, most my friends use WhatsApp for personal video calls and not Zoom.
Genrally agree with you that we need E2E as default (as we need SSL as a default).
https://twitter.com/alexstamos/status/1268199863054811136 2) None of the major players offer E2E by default (Google Meet, Microsoft Teams, Cisco WebEx, BlueJeans). WebEx has an E2E option for enterprise users only, and it requires you to run the PKI and won't work with outsiders.
Any E2E shipping in Zoom will be groundbreaking.
Make a free account and test it.
That said, abusive people do exist and are a legitimate problem, given the damage they can cause. Their abuse may be overt (threats, violence, noise, etc), or it can be subtle (for example, manipulation over long periods of time).
Some of that abuse may come from prior anger and frustration outside their control, and perhaps it's good to allow people to let that out -- as long as it doesn't end up harming other people in the process.
Would the situation be improved if the service provider could only step into the meeting when explicitly requested by participant(s)?
To follow your analogy, that could be seen as the equivalent of someone experiencing a medical emergency during dinner at your house and requiring outside assistance.
All these options would be gamed and misused, as they are during existing use cases in real life. Some people over-react, many people under-react, and society itself changes so it's important to build in flexibility for transparent and accountable change.
In video calls you don't even have to do that, you can just kick them from the call. You don't need Zoom to step in you just kick them.
I really don't understand what you are getting at with the abusive people thing. What sort of situation are you imagining exactly?
To answer your question: phishing scams could be one example. I'm sure there are many others.
If there are others please list them because I'm struggling to understand the overarching thing you are getting at and examples would help with that.
Since money is key to many crimes and finding out who controls the money is an important way to investigate crimes, this in turn means that that point of agreement has to secure me from surveillance by badguys when I talk to the bank, and permit surveillance of the same badguys when they talk to the same bank in the same way.
This might perhaps be possible but the word "surely" seems inappropriate.
As an illustration, if we get reasonable evidence suggesting that someone is growing marijuana in their ranch, we can get a warrant and go inside. There's not too much the owner can do to stop it. However a perfectly encrypted iphone cannot be broken into, no matter if the entire world agrees that there's evidence of crime in it.
From what I can see, no one argues against warranted search of personal property in the physical world, except maybe some sovereign citizen crazies. Given this, why can't we strive for a similar system on the virtual world as well? I too agree warrantless or unfettered govt surveillance of technology is bad, but that's a policy failing not a technology one. We should try to focus on how we can hold governments responsible instead of making fully protected crime caves for anyone who cannot whip up a conscience.
I agree privacy should be a right, but not at the expense of many people enduring a life of hell in these cordoned spaces for that cause.
In physical world two people are talking.
If police has suspicion that they are commiting a crime it can request a warrant to install listening device and only then they can listen.
In Zoom like scenarios any third party (like technological companies using law as excuse) can listen without warrant (and they will say something like "no one is listening" as training AI is not considered "someone")
As such communications should be encrypted with asymetrical cryptography where only warrant giver can decrypt them (not warrant giver giving the private key to law enforcement, but decrypting the symetrical per session key and give that to the law enforcement). And this goes as phones too.
And quite frankly I dont care if police with warrant is listening to my conversations. I dont want to any company listen to them as they are not doint it for law enforcement but for profitting on my data (quite possibly against my interest) and this is something completely different.
This is the scenario where technology gives people MORE privacy, prevents police illegal wiretaps (without warrent giver consent), prevents technology provider wiretaps and on the other side still allows legal wiretapping based on warrent-giver.
But interesting, no one has any interest doing it, guess why?
So to answer your question, telephone companies are a failure in USA (wild west and lawlessness), in my country they need to obey laws. Corporations doesnt obey any laws outside their country (which they select based on inneficient laws) and need to be harshly regulated.
My personally favorite would be legislation that would mandate e2e encryption that must not be backdoored by anyone else except law enforcement getting warrent but private keys are staying under judge supervision without possibility to give it away (in pkcs#12 manner) and can be only used to decrypt communication when he presses the big red button. Quite frankly you want to be able to wiretap organized crime.
Care to see what happens then? Check China. They are implementing this very thing. For the children, I suppose.
The judge only access prevents mass data gathering of law enforcement agencies and three letter agencies (at least in my country). And enable control of further institutions. Secret and hidden backdoors (Crypto AG, Dual_EC_DRBG,...) or corporations bribed by government deals are the worse solution here as it doesnt prevent the access to the data to either corporations or secred agencies while it might hold away law enforcement or also not. And surely enables mass data gathering from all without any supervision or control. What the real issue here is that no one is mentioning any court orders. Everyone would just want to have access to everything. Now THAT IS an issue.
I was talking about legal entities operating in same manner as telcos were. Also in real world you can invent your own one time pad encoded speaking and no one will understand you even if they wiretap the communication. And actually mafia historically has been using slang to cover up the communication. Same as you can do it in open source.
Anyway, do you communicate over the "secret encryted communication channel" covered with rag, to prevent recording your lips, recording with laser measuring shaking of window glass, you face muscles, IR recording and probably next 100 methods I am not even aware of. As this are the issue you also have with warrant being issued. Guess not. So the police looks like is not an issue for you (or warrant).
Then the three letter agencies, except for "warrant" methods they will use rubber hose cryptography to break you and any of your e2e communication and actually you might wish they would be able to read from your communication without contacting you in person. So e2e doesnt change anything for you here either.
I refuse to handle open source solutions that you install on your server to use them in same manner as corporation entities that use their solutions to wiretap the communications of everyone so they can earn more money from informations they gather.
And I also think that "encrypted Apple" phones (and everyone else doing any business with government) and the whole FBI story is just a sharade to bait people that are hiding something in ecosystem where the can simply access the information by agencies that CAN issue gag order. The whole story surely looks like counter-espionage operation from 1970. Time will tell if I am right.
Having the law being able to access encrypted communications at any time will trample at the examples I brought up, which are examples that came up with zero effort, no matter what you try to put into your proposed solution - if the goal is to prevent crime, and there are available solutions out there that allow for e2e communication, the goal does not stand. You can't have a corporation banned from e2e, but allow any random dude spin up a secure communication platform without any keys compromised - what are you even banning then.
It amazes me that "corrupt politicians" is shrugged off just like that, while corrupt officials of any kind is exactly what everyone need defenses against with ANY means. In China, they are in the process of legislating exactly what you propose - no private encryption key to be withheld from the law, and yes, you did not misunderstand, it's at the scale this implies, total control and ability to observe over all traffic and restive data at any time - even forgetting all that is happening now, that leaves little unattended by law there.
Now, what, China is a "bad example"? An "exception"? I'd say this attitude coming from governments is the norm around most the world. Where people are at real risk from what say say over the net.
Out of all such countries, let's take China. Do you believe China should reverse its course and allow encrypted communication for its citizens? Based on your words and thoughts, I say you would answer "no". It's doing exactly what you propose after all - now, the only tiny step to totally suit your proposal is to use their powers for "good"! Right? And they indeed using it for good, according to their own legislation.
Because, if you nonetheless said "yes, China should allow e2e in favour of its citizen's rights", you would in essence be saying that "Freedom loving Western countries" should give the law total access to any information (they will always do it only when needed, of course!), but the same countries should pressure "totalitarian regiments" to maintain their citizens rights including encryption. That's contradictory, at least by thinking about it only for a bit.
There's a correlation between these things. Any power given is sure to be abused. If that is not prevented and pushed back, it will not stop but worsen. Trying to find a formula to give absolute power and restrict it at the same time is just fooling around, it's the core assumptions that matter. Unless you really think that some governments are somehow immune to becoming corrupt ant totalitarian when meeting no resistance - their people must be saints indeed! - in which case, I am sorry to say, but I can only chuckle.
With my proposal law enforcement can access to the unencrypted data far less that they can do it now (under the rag) and when they access they are under scrutiny of judges while it prevents corporations accessing it.
Maybe do take time to think about what country is, what government is and to who it serves, what corporation is and to who it serve, maybe ask yourself what the law enforcement is and who does it serve, if you dare go into further, what if there would be no law enforcement? Do you have the muscless for that?
Or chuckle mindlessly on. I think your whole statement is demanding advantages in system where someone else takes care for you to allow you to not think about dissadvantages.
In the real world one will notice law-enforcement breaking into their ranch, in the virtual world, they won't (and comparing growing marijuana to voice/video over Zoom is wrong).
In the real world law-enforcement wouldn't have access to the complete history of a conversation, in the virtual world they would. Even to anything in the past which is irrelevant to the topic.
The events in the real world are ofthen ephemeral, we don't expect our friendly conversation to last forever, in the virtual world, however, they can be recorded and stored forever.
Basically you should compare spying/wire-tapping in the real world vs. spying/wire-tapping in the virtual world.
Because there is no technical solution that allows something similar, such a solution
1. Must be exclusive to use by lawful authorities, a criminal cannot get a search warrant 2. Must have some reasonable per-instance cost to prevent overreaching
1 is very hard in a tech space if even possible, backdoors can always be used by other parties.
But even if 1 is possible, by the nature of digital surveillance it is very cheap and relatively easy to do mostly secretly, leading to things like NSA literally inspecting all internet traffic.
Yes, theoretically you could the seconds this if it is the overwhelming political will, but it isn't, and the general public doesn't care.
So in the end it's better to encrypt everything
But I think that broader society are not going to understand the technical issues, and are going to be swayed by overly-emotional appeals to "think of the children" and similar.
Therefore I think that we, as engineers - the people who will be asked to implement the results of any such debate, need to have this debate ourselves so we can take responsibility for our actions.
I can see both sides of this debate.
There is a legitimate need in society to gather evidence to discover the guilt or innocence of accused criminals. We cannot have a system of justice that assumes innocence until proven guilty but provides no method for gathering incriminating evidence.
There is also a legitimate basic human right to privacy. We must not be subject to constant surveillance by the state.
We have to find a middle path between the two extremes.
because any crime in the virtual world can be uncovered by good police work. nobody has perfect operational security, including the government. so the solution to law enforcement is hard work by the law enforcers.
consider: prior to electronic communication, all private discussions were perfectly encrypted, because if you weren't there, you didn't hear what was happening. And society continued to function.
You simply can't trust the government to respect boundaries that they created but have the ability to breach, especially when it can be done completely surreptitiously.
We need to learn the lessons of Snowden, and fight tooth and nail to prevent anything less that complete, unfettered access to private communications by human beings. Anything that falls short of that will eventually be complete, unfettered surveillance, because there is no metastable equilibrium point in the middle.
The controls on surveillance are not technical, they are political. The technology was the same, yet the Stasi listened to every call they could; other governments did not.
Fix the politics, because it /will/ win in the end. Learn the lessons of Germany and China.
What stopped the Stasi until politics was technology. And I think the encryption used helped to bring about the political change. If the Stasi had what Zoom is offering then perhaps the wall wouldn’t have fallen for 10,20,30 more years.
This is fundamentally different from modern technology where they can have a computer listen to every single call, pick out whatever keywords they're looking for, and flag it for later review. Technology now makes it possible for them to truly listen to everyone at once. This is why end-to-end encryption is necessary for everyone.
Politics is not going to solve this problem. A lot of what America's police and intelligence agencies do is already illegal. They don't care. They're going to do anything they can with the technology.
It's a weirdly blinkered concept to say "America's agencies already do illegal things and their politics is broken but what will save us is American corporations deploying technology".
(The "we need universal E2E to protect our freedoms even if there are downsides" is not, in logical form, a million miles different from 'we need guns everywhere to protect us from the government and damn the negative consequences of having guns everywhere', frankly)
I actually believe that technologies such as strong encryption are creating important checks and balances that make our democracy stronger. They are not subverting it like you are implying.
I agree, and I agree with both of those. Giving up freedom/privacy for safety is almost always a losing bet.
With guns, the state will always outgun you. So the gun-riddled society sees children in its schools murdered staggeringly often, while its (supposedly free) citizens are tear-gassed with impunity by a state for nothing more than a photo opportunity.
That was not a winning bet for that society.
It's similar with E2E. It can't protect you from the government, because the protection is illusory – it protects just you so long as the state wants it to. When it no longer wants it to, it makes it illegal. Administrations are already heading in this direction.
Meanwhile E2E enables a number of proven harms, from lynchings to child abuse. Is that a worthwhile trade-off just for the protections it gives from corporate or illegal privacy invasion? Would it lose all of those benefits if legitimate law enforcement were allowed access? There is at least a debate to be had, there.
The people with the guns aren't attending the current protests, and you can see how that has worked out.
https://www.wired.com/story/how-whatsapp-fuels-fake-news-and...
In either case, to actually lynch someone, you still need to go there physically and actually do the deed. WhatsApp chats don't kill; dudes with weapons do.
Encrypted comms gives a huge asymmetric scale benefit to those who have these crimes committed. What it hasn't scaled is the ability of law enforcement to respond. And that's a choice, one which is open to criticism.
I think you're taking this a bit too lightly. As a side topic, I am surprised to what extent state surveillance was a thing here in the telephone era.
The secret police had about 50k full-time agents, 600k double-agents and about 400k-500k informants. From a population of 18 mil, that's about 1 in 18. Consider an usual family. You have a brother or a sister, two parents, 4 aunts or uncles and 4 grandfathers. Odds were in favor of one of them being at least an informant.
For your community? There definitely was an informant or double agent among them. Just knowing that the threat is there has a massive effect in how people communicate and bond with each other, effects that can still be felt to this day.
The government still can send people to watch people use their phones or computers. On the other hand, it seems hard to dispute that all our most efficient examples of totalitarian states are post-telephone.
No, but in a functioning democracy we can vote them out. Democratic governments by definition have an large concentration of power, otherwise they can't fulfill their functions.
But this is bound by laws, time, and the ballot box. Surreptitious (warrantless) government surveillance should absolutely be illegal. Searches with a legal warrant (through an accountable, non-abusive, warrant granting judicial system) are absolutely necessary to gather evidence for prosecution of crimes to take place. Without trustworthy investigation and prosecution of crimes, the social contract will fail, and this has already started happening in many areas, as we are seeing in a way right now
However, this goes both ways - the populace should get far more transparency into the functioning of the criminal legal system - especially in to the training and conduct of physical law enforcement (police officers).
I can really flip my brain around and see how this desire for non encrypted communication to be the standard could come from a good place.
That said, I still come back to my default stance: crimes need to be exist outside of the private communication, to be a crime. At least under US law, where it’s very hard for just pure communication alone to be a crime.
So go investigate whatever it is that is an actual crime and causing actual harm. Making communication not private has tremendous potential chilling effects on actual thought, because people think by talking!
These examples are talking about a different thing, we should be careful to not mix them up since the arguments for and against can be different.
The discussion prior to your comment was about protecting data in transit (end-to-end encryption); both your examples are about data at rest (full disk encryption).
With encrypted data in transit, not only can it be broken into by intercepting at the endpoints (in the case of video or audio calls, even through the physical world by pointing a camera and a microphone at the user's device), but also the end result of an end-to-end encrypted connection is much closer to a physical world private conversation (can be "broken into" only by intercepting the endpoints, that is, pointing a camera and a microphone at the persons involved).
With encrypted data at rest, the best physical analogy is a diary written in code; even if the whole world agrees that it contains evidence of embezzling, it cannot be decoded without the help of its owner's mind.
With regards to security analysis the only difference between the physical world and digital word is proximity (hops) between agents, or evidence, in a conversation and convenience of access. Software developers tend to think purely in terms of controls and exploits, which is a tiny subset of security. Even conversations in the physical world can be encrypted, for example if two people are speaking Pashto I would have no idea what is said. If it isn’t recorded for later translation it’s encrypted forever.
Those few distinctions are important from a legal perspective where agents of digital concerns are more likely operating across political boundaries at any given moment.
> There's not too much the owner can do to stop it.
They can make available fail safes to store the evidence in a physical safe with tamper proof mechanics. Breaking such a safe would destroy the contained contents in the process much like attempting to break an iPhone with supposedly perfect encryption.
Since you are talking about surveillance another common misconception I have noticed many software developers make is equating the terms: security, privacy, anonymity which are all distinct. Privacy and anonymity are both aspects of confidentiality but privacy is concerned with hiding the contents of a message where anonymity is concerned with hiding the agents of the message. Those two do not overlap. Confidentiality is one of three aspects of security, though from a legal perspective privacy is available in many contexts without application of security controls.
let's wait until something like a "perfectly encrypted" phone actually exists before we go down this road. AFAIK, the feds have eventually been able to break into the phone in every high profile case where the issue has come up. it's not impossible, they just don't want to pay what it costs.
Imagine if there were a safe that couldn't be opened by anyone but the owner without destroying its contents. Would you be opposed to that? What if the design mechanism of this safe were as easy to implement as the encryption protocols are? Yes, one day some expert safe-cracker might break it. And in the even farther future the advent of "quantum safecracking" would perhaps make the safe as secure as a luggage lock. In the meantime the police would have to resort to their traditional methods.
Unfortunately all kinds of damning evidence have been lost to time. Fire is older than paper.
1. Encryption is an indispensable part of pretty much everyone's life. I can't imagine there's many people in our society that go more than a few days without using it.
2. If encryption can be broken by the police, it can be broken by other actors. Full stop.
2.1. It is been shown impossible for our government to keep a secret like a master key.
2.2. Math
Is that a terrible thing? It's not like they are hiding guns in their iphone. While there could be evidence in there, at some point there is physical evidence in the real world. Just making it easier to convict them is not a solid argument for weakening protections for everyone.
The reason "think of the kids" works so well to justify blocking E2E all the time is because child abuse happens literally all the time.
When someone solves this problem, and I don't think any of us really believe it to be solvable, we can move on. I don't want the government in my private conversations, but I don't want my kids in someone elses either.
To extend this - we recognise a duty of care to our users and their privacy when we build these systems, but if those users plan and carry out an act of terrorism did we not also have a duty of care to their victims to not aid their killers in planning their murder?
We can't shunt this responsibility forever, the public will not take our side down the road - because we are ignoring the counter-argument even if we wedge our fingers in our ears.
Law enforcement entities that try to prosecute these kinds of crimes doesn't do it by building haystacks of data and then combing through looking for needles because that's a waste of their resources relative to the amount of results obtained. They do it by attacking the endpoints where the abuse or terrorism, or other professional crime has to actually happen. They find a terrorist, or a child abuser or a drug trafficker or they find evidence of their handiwork and then work from there. They see where they get their money, their bombs, their drugs, etc, etc and follow the links as much as they can. When law enforcement is actually trying to target crime they don't go fishing, digitally or in meatspace because that's not an efficient way to obtain results if the goal is to go after some genre of professional/organized crime.
Running a mass operation with no specific target (like speed traps in meat-space or dragnet operations in the digital world) is great for padding stats because you can say "look, we got X pounds of meth off the street" or whatever but it doesn't actually do much to target the professional crime because professional criminals take steps to avoid being caught in lowest common denominator type policing.
Neutering encryption (so that cops can continue to run surveillance dragnets) doesn't do anything to help the cops catch real criminals, that's just a talking point made up by the people who want the government to have the ability to put any arbitrary person under a microscope.
93% of the time, the perpetrator knows the child. If you’re seriously worried your children might be victims of abuse, then your first line of defense should be against your own family and friends.
https://www.rainn.org/statistics/perpetrators-sexual-violenc...
The statistics for children are in the paragraph after the first graph.
And this is exactly the case where we want to be able to have digital evidence.
What could possibly go wrong?
In case anyone doubts the above fact: government agents abuse their surveillance powers to spy on their loved ones.
https://en.wikipedia.org/wiki/LOVEINT
This article was posted here recently, a reminder of how easy it is to become the target of warrantless government surveillance:
https://schmud.de/posts/2020-06-02-mlk.html
There's no reason to believe the government is any better than these criminals. Cryptography must be strong enough to defeat even intelligence agencies as well as ubiquitous so that it'll be hard if not impossible to enforce legal limitations or bans.
Easy: don't let your kid join zoom meetings without your permission/supervision until he/she understands that there are bad people out there.
When you actually see the horrors of abuse, helped by internet and you realize that there are voluntary walls to protect these people (encryption for instance, but others too) you may have a different position. I would willingly give up that just to see children (or whoever) saved.
You may not, that's a choice. I would just like to know whether you have seen what actually happens in these circles before making a decision.
Also, I live in a normal country where this concern (state surveillance) is less of an issue.
> When you actually see the horrors of ...
I heard about someone working as a nurse, in an emergency room, and because of witnessing injuries from traffic accidents, she decide to never be in a car again. I can understand that, I think that decision makes sense.
But not handing over people's communication to people like Trump and Putin etc and their men.
2) None of the major players offer E2E by default (Google Meet, Microsoft Teams, Cisco WebEx, BlueJeans). WebEx has an E2E option for enterprise users only, and it requires you to run the PKI and won't work with outsiders.
Any E2E shipping in Zoom will be groundbreaking.
What a few good examples of "abusive" meetings?
this is a hydra that shows up every time someone creates a video chat there is a problem with sausage parties and sextual blackmail that needs work arounds
How are these people invited to meetings and why aren't they kicked from the meeting? How would anyone handle this in a real world meeting?
these types are handled by identifying and outing them, or chasing them away, internet has to go beyond the "your ip number is" thing and demonstrate that there is a real knowledge of who they are, and that they are bothering people and it isnt going unnoticed.
If someone sends clickbait invites to abusive meeting, then victims can trivially report it, possibly with screenshots.
If this is acceptable to view a meeting without permission under abuse pretense, then it's also possible to do so even if someone's doing nothing wrong.
Even worse, if their system is compromised, a bad actor could monitor free users' meetings without any protections. And what is stopping those bad actors from getting a paid subscription, or maliciously gaining access to a paid account? Or these bad actors could use another system that doesn't compromise (Signal) or host their own.
Security comes in layers and logs. A system without these layers and accountability isn't secure. Zoom isn't secure, and is using law enforcement as a scapegoat and pretense to keep their security low.
https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keyb...
>We also do not have a means to insert our employees or others into meetings without being reflected in the participant list. We will not build any cryptographic backdoors to allow for the secret monitoring of meetings.
They get to pick between headlines like the current one, and claims that they support child porn rings (he isn't saying it explicitly, but everything I saw looks like that is the problem they're trying to fight).
Zoom needs a business model and saying "if you want encryption you need to pay for it", to me sounds like a reasonable approach to making money.
Once you start dragging other reasons into it, you need to start defending them.
Well he didn't use the word "rings" but he did says CSAM (Child Sexual Abuse Material).
There are other ways to track these criminals and we should be using those. We know they are smart enough to stop using Zoom once its no longer encrypted. Meanwhile normal people will be left holding the bag of surveillance.
I don’t think this argument really holds but I think it’s funny how quick we are to downplay our own “bad apples” and say that encryption is more important.
Have the client check the FBI's CP database and refuse to send pictures that match. Sure it's open source and abusers could recompile it but they wont. In the same way that blocking the default curl useragent stops 99% of spam at my company. Would be attackers could change it, but they don't.
You don't win any political battles by being the preferred tool for child molesters and then telling the gov't to pound sand when they come asking for help finding them.
E2EE plus the client looks up images from the NCVIP database and refuses to send/receive messages would at least be something.
If the FBI comes knocking looking for access to a particular user's messages then have a system that kicks that user off the network until they agree to add the FBI's key into all their chats for a specified time. Make it a bright-line visible action to the user being monitored. You have PFS right, so they can't see old messages, and once the FBI's access is revoked you can prove that all your chats are private again.
If as a layman I had to guess another way to catch them it would be to go to the source. Follow cases of missing children. Investigate reported child abuse. Once you have caught one of them you are free seize their computer and use it to honey pot all their contacts, with e2e encryption so the contacts believe it's person you just caught.
Do you want to:
a) accept lack of E2EE
or
b) do you hate children? Pick one.
Hurry up, your precious internet points™ are at stake here.
1. you end up getting more responses
2. more responses === a higher probability of seeing gems like this wikipedia wormhole I'm about to get sucked into:) I had no idea about the horsemen/chans or that May identified the reason behind the alpha particle problem. Cheers.
“So what you’re saying is that Zoom is fine protecting pedophiles from law enforcement, as long as you profit?”
This is why you shouldn’t play such dumb games as a company, there is only downsides from a PR perspective.
At the risk of being pedantic: it’s not new at all. That’s part of almost every political campaigns from the past century. Technically “reductio ad hitlerum” is the new “protect the children” argument.
Regarding history, I don’t know about the US specifically, but Europeans countries have legal children protections since end of 19th, beginning of 20th centuries (depending on the country).
See https://en.wikipedia.org/wiki/Declaration_of_the_Rights_of_t... for a pre-WW2, international effort.
https://en.wikipedia.org/wiki/Thought-terminating_clich%C3%A...
For harassment / offensive content, if anything E2EE will make it easier to prove where offensive content came from. You've got a cryptographic chain leading to the source after all. All you need is a button to record and report things (which admittedly seems to be exactly what they intent to build). The E2EE aspect doesn't really change things, except that Zoom can't record things themselves, which they claim they didn't do in the first place (although they might have relied on the small server side buffer they had, but that's an iffy solution at best).
Also not sure what to think of Zoom's Trust and Safety team breaking into a private conversation when they think some kind of abuse is going on. Yes E2EE would make it impossible, but why on earth would Zoom want that kind of role?
Edit: downvoted on clarification is certainly a new experience.
I thought we established that standard. Oh well, ride your wave Zoom, don’t get mad when the inevitable funded competitors start showing up with security as a default.
> Enterprise orgs don't care about cost.
In my experience,thay also don't care too much about ease-of-use either. Purchasing deparments and managers are looking to someone who'll convince them that they won't personally take the blame when something goes wrong, which is why expensive proprietary services win over open source so often... "Sure everything's gone TITSUP[1], but it's Microsoft/SalesForce/Zoom fault. I've logged a ticket." is a magical career and face saving phrase...
1 "Total Inability To Supply Useful Product" - hat tip to El Reg...
You can disable forcing mobile users into an app, too.
(And you don't need anything like as big an instance as a t3.large - a t3.small works fine for small workloads...)
Everything from the "Install and configure Jitsi" section works just fine on Digital Ocean (and Raspberry Pi) too, if you translate the AWS specific setup stuff in the previous parts to suit...
It never was. It never was.
Security was built over time, with a lot of lessons learned in between.
Browsers didn't magically start supporting SSL overnight. MSN Messenger never had any encryption, for example.
One of the first protocols to support some form of encryption was SILC, but who uses it?
Do they _really_ think terrorists, counterintellegence agents, or criminal organisations can't afford $20/month???
Edit: never mind, Google told me. It's getting the older kids to buy you alcohol.
It's square one. It's no easier to trace the anonymous buyer of a stolen credit card than the anonymous Zoom user to begin with.
So in order to have privacy you have to do a thing that violates your privacy. Rather problematic for people who need privacy.
If I'm organizing one of these anti-police brutality protests, I don't think I want the associated purchases to be tagged with my name in some police-accessible database.
Meanwhile the actual terrorists and foreign governments can just commit identity theft or similar.
They are two distinct concepts. Security with encryption is about trust guarantees. I send message X to Alice and I know Bob can't read the plaint text of message X because I encrypted it with Alice's key.
Privacy can benefit from additional security. But it's generally a whole other ball game. For example, Bob will still know I sent a message to Alice and can hit me with a wrench until I reveal the plaintext of message X.
It's all privacy here. End to end encryption provides privacy; the company can't view your conversations. Not paying with a credit card provides privacy; you don't have to give them your personal information. So if you can't have one without the other then you can't have privacy with Zoom. (Unless you're a terrorist with a stolen credit card.)
What about the troves of metadata they collect and make available to law enforcement? Plus the fact you have to register with a phone number which can tie the metadata to a specific individual.
Doesn't sound very private to me.
Privacy is full of tradeoffs. Security isnt. My messages on WhatsApp are safe from anyone I don't trust that doesn't have 10 super computers and a lot of patience.
But that doesn't mean everything I do on there isn't tracked to kingdom come. It doesn't mean the fact I sent a message to Alice is private.
By your logic by my logic then Zoom provides privacy if you pay them. This is obviously the opposite of what I said. The most private solution is end to end encrypted and doesn't require a credit card and doesn't collect metadata etc.
> Privacy is full of tradeoffs. Security isnt.
Everything is full of trade offs. How can privacy be full of trade offs and security not when privacy is a subset of security?
The most private solution actually doesn't involve a computer at all. It's not very useful though.
> How can privacy be full of trade offs and security not when privacy is a subset of security?
See my initial comment: > Security with encryption is about trust guarantees.
I'm not meaning "cybersecurity" when I say security here. I'm talking specifically about the security of encryption. Privacy and crypto security are two distinct concepts within cybersecurity.
Privacy hides the existence of a thing. Encryption (security) keeps the thing safe.
if security proctols make it difficult to trace that you sent a message at all,I.e. also takes care of metadata along with the content you also get privacy.
Bob isn't very trustworthy.
Sure, we could encrypt everything ever created by any device at all times. But some sort of communication is sent from one IP address to another IP address. Even if it's encrypted, some form of something was sent.
This is where privacy then becomes a thing. You could start sending random noise out constantly. then when your encrypted data is sent out it looks like the rest of the random noise.
That would be like "I sent out 4999 random messages to 4999 random people and 1 encrypted message to Alice. Now Bob can't work out I sent my encrypted message to Alice".
That's the difference. Privacy is about hiding the existence of something from Bob. Security is about keeping something safe from Bob.
Sounds exactly like I2P darknet.
Zoom appeals to a different user base and offers different features as selling points. Please read the twitter thread mentioned below to understand their perspective.
Ummm, no.
(I mean, sure, it sometimes uses Signal protocol, but seriously a _Facebook_ product recommendation in a privacy discussion???)
Do you have better recommendations which use E2E and are also already used by the masses?
I use (and trust) Signal. I believe Wickr is trusted by people who have resources behind them to know whether it's trustworthy (though it's closed source, so :shrug:).
If you need "used by the masses", then you're gonna be stuck with, I dunno - Facebook public posts? Gmail? Slack? Smoke signals? Nothing that's fit for purpose" if you value privacy...
In other words, don't use Zoom.
> Please read the twitter thread mentioned below to understand their perspective.
Their perspective is they don't want to use end to end encryption so they can turn their users in.
Even for ordinary users, this yields no advantage to the user. For users who have reason to fear oppression by the authorities it's quite problematic, and in general everyone else should try to avoid using such things out of solidarity.
Advertisers are nickel and dime-ing cheapskates - gotta plug into the "War on Citizens" police state money pipe to get rich these days...
I can’t verify that Zoom actually encrypts my calls, I have to trust that they’re telling the truth. When I find out that they’re willing to turn off encryption for some calls to make spying on their users easier, the idea of holding business meetings on their platform becomes unpalatable.
In the meantime, anyone who actually cares about their privacy can use an e2e encrypted group chat today with e.g. Wire. All this gets us is that unwitting people who can't afford to pay are in the position to get spied on.
I witnessed a cellular carrier discovering that they had all encryption disabled for several months. A honest mistake, but one that should have been impossible by design.
And what reassurance do I have that they won’t do that to me, a paying customer? All I have is a little icon that says “encrypted” and Zoom’s word.
https://jitsi.org/blog/e2ee/
"If Emil was a rogue service provider running the bridge for the meeting, he would no longer be able to eavesdrop on it and an attempt to do so would only yield, well we already said that: an endless stream of rubbish.
The only way for Emil to actually participate in the meeting would be if he was made privy to the e2ee key. In this case he was and once he enters it, everything goes back to normal"
(Sadly, Chrome only for now - so if Google and state actors are your adversary, "you're still gonna get mossad'd upon"...)
E2E will be an opt in choice for paying users who are willing to sacrifice some features for the benefits from additional security.
See this thread for more details: https://twitter.com/alexstamos/status/1268061790954385408
Edit to credit vjeux for the thread link
If you want to look at something now, the white paper for the E2E protocol design is public and open right now: https://github.com/zoom/zoom-e2e-whitepaper
On a more serious note, until there is a protocol and implementation available then we can't say anything for sure. Us Security folks aren't magicians.
Any sufficiently advanced cryptography is indistinguishable from magic.
Which isn’t entirely untrue from a layperson’s perspective.
Edit: fixed a word. I’d accidentally written “is” rather than “isn’t”.
If these tools use open standards and well documented protocols this will not be a problem.
I can verify without a phd in cryptoanalyis and reverse engineering my browser is running a secure connection to a website and certificate is signed by the source(for sites enabled with FS and HSTS ).
It is degrees of trust . Trust is not absolute , neither is security . Depending on your threat models you have to secure yourself. More transparency improves security does not solve all the problems just makes it costlier for an attacker . If cost outweighs the benefit they will not attempt to do it.
Https does not magically make your communication 100% secure ,however the number of people who can issue a certificate from a comprised root CA or control one is considerably less than the number of people who can monitor your plain text traffic .
The short versiom of it is, your browser trusts CAs to say whether a certificate is valid. But CAs often trust other CAs who may not actually be that trustworthy. Those CAs then trust other CAs who definitely are not as trustworthy... Etc.
So that certificate/padlock picture in your browser may not be as trustworthy as you think. It's an active problem.
Yes I was a bit harsh. But I was trying to demonstrate a point - no one knows for sure until we can look at this stuff in detail. Until the researchers get to pull it apart then no one can verify anything. The little green tick on a zoom call is practically worthless until some external work is done.
The protocol is documented and open. I linked to it in my comment.
Google supported jabber in chat for a long time , slack supported IRC (both dropped the support ) but when they did you could any irc client in slack or use google chat using jabber with any client
If an open protocols for video are used like email (although not good example for encryption). It does not matter who your service provider is you can verify they are secure , or move to another one .
Today I have more than 10 video conferencing apps on my devices (zoom, Hangouts, meet, Webex , teams, GoToMeeting , chime , Skype, SfB, FaceTime , signal, telegram , ring central and Uber conference... ) because a customer , partner friend or family uses one of those . I have only one email and browser client though, it does not have to open source at all, ppl happily pay for closed source gmail or o365 without worrying will my mails deliver to you while still using official client or client of their choice
Also, have you thought about asking your clients/whatever to use one app to communicate with you? Even if you get half of them onboard, it sounds like it would save you a lot of mental bother.
Many of them cannot install any new native application on their desktop / phone without IT approvals or their vpn does not allow traffic to consumer apps like Hangouts . They also need to record for compliance , pre-Covid some apps like Webex are connected to their conference room bridges using dedicated lines and hardware etc
Family / friends do not use use biz tools , it not easier to convince Apple users who like FaceTime, messenger is popular in few countries , wechat in China , WhatsApp in other places .
It is easier install another app rather than trying to get your grandma to switch from one thing someone installed on her phone and she learnt to use.
That's sort of what happened with the ECB mode stuff that kicked this whole thing off in the first palace. See section 4 from the below for more info.
https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto...
I think I read that Zoom do decrypt AES-GCM server side already. They have to so they can put the little green box around the person currently speaking. EDIT - this is incorrect for AES-GCM, it's not decrypted server side.
Edit - at least e2e is the angle I'm approaching it from as it's the new information.
> Meetings will still be encrypted and meeting content is still not going to be used for tracking users.
And the person responding to you asked "how will you show this?".
Could also be interpreted as how can we show only paid users can access it? Or that certain features will be disabled with E2E?
What I replied with covers both E2E and the current state equally tbh (the linked article did it before with ECB). There are always limitations to what is possible.
I could break into the Zoom servers to make sure everything is kosher. But that's illegal.
If WhatsApp started transmitting E2E keys back to their servers people would find that out client side through network packet inspection, not server side.
Security researchers are limited in the tools/methods they can use. We have to work with what we've got at our disposal.
Which is exactly why "trust us, we're not going to do anything with these keys" is a ridiculous state of affairs and shouldn't be tolerated. We can't show that they're actually doing what they say, and it'll be years after they implement mass surveillance on the behest of law enforcement before someone leaks something.
Should we work towards an ideal? Sure. Should we stress out that things aren't perfect? Probably not.
It's an iteresting technical idea though. Would be interesting to see if any existing systems have a "canary" element to them.
Why is this not a client thing?
Edit: Civility
> Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, points out that group video conferencing is difficult to encrypt end to end. That’s because the service provider needs to detect who is talking to act like a switchboard, which allows it to only send a high-resolution videostream from the person who is talking at the moment, or who a user selects to the rest of the group, and to send low-resolution videostreams of other participants. This type of optimization is much easier if the service provider can see everything because it’s unencrypted.
https://theintercept.com/2020/03/31/zoom-meeting-encryption/
This was 2 months ago so their new white paper clarifies the current situation:
> For use cases such as meeting real-time content (video, voice, and content share), where data is transmitted over User Datagram Protocol (UDP), we use AES-256 GCM mode to encrypt these compressed data streams. Additionally, for video, voice, and content share encrypted with AES, once it’s encrypted, it remains encrypted as it passes through Zoom’s meeting servers until it reaches another Zoom Client or a Zoom Connector, which helps translate the data to another protocol.
https://zoom.us/docs/doc/Zoom%20Encryption%20Whitepaper.pdf
(I realize codec is not the correct term.)
That Bloomberg article is boring except for the sentence at the end. The submitter made the title be about the last sentence, but we changed it back to the original, which didn't satisfy anybody because the only interesting thing about the article is the last sentence.
The current post seems at first glance to be a garden-variety tweet picking up on that sentence, but someone pointed out to me that it's actually by the author of the Bloomberg article, suggesting that he might be at odds with the Bloomberg editors about what aspects of the story are significant. Suddenly that's interesting.
Given that Alex has been tweeting in response to this in detail (https://twitter.com/alexstamos/status/1268061790954385408), it seems like there's enough information here to support a substantive thread.
Given that sneak's post was the first on this and that it links to the statement by the reporter about the only thing that anyone here cares about, it seems clear that this is the post we should leave up. So I merged the comments from the other thread hither.
https://github.com/zoom/zoom-e2e-whitepaper
Don't forget we can sniff and inject packets at the network level. Just because we dont have sources doesn't mean we can't test if it works or not.
I cannot find any in the parents comment.
Now, of course, the binary is what gets executed, so it is the ground truth.
Since it's used so much now, I still hope that somebody reverse-engineers some of the clients. In contrast to auditing open source code, this might also pose legal problems, though.
Among these people only a small minority is able to perform a similar audit on compiled code, and only at a much lower pace.
So I agree that it is possible to check a binary, but it is not feasible in a reasonable way.
PS. You are a well known (maybe even famous in the community) software security expert. Your perception of the availability and competence of good experts may be skewed by the fact that you probably know most of the good ones
This is a bit disingenuous.
The fact that he knows them means that he can comment on the feasibility of that analysis.
So seriously--how many are required?
This is patently false. Binary code can be completely analyzed and understood with respect to back doors.
What? I usually agree with your takes but this seems out there (or did I misread/mischaracterize it)
Reverse engineering is obviously more difficult but someone with the right skills and tools would find it a straightforward task.
Also - unless you are somehow also inspecting their CI/CD toolchain, there's no guarantee that the source being inspected matches the binaries being released - so you would need to reverse the binaries anyway.
> You agree that You will not use, and will not permit any End User to use, the Services to: (i) modify, disassemble, decompile, prepare derivative works of, reverse engineer or otherwise attempt to gain access to the source code of the Services
He could be a 'PR Genius' by gently coaxing people into being paying customers, but I don't think that's it, rather, this is just mind-blowing, gigantic PR lack of self-awareness verging on disaster. To just say it as he articulated it, publicly ... my gosh man.
From a communications perspective this is like comedy.
EVERY communications provider has to comply with lawful intercept [1] regulation in all the regions where they operate. If they do not they find themselves hauled before the regulator and they'll be fined or worse until they do or go out of business.
'Encryption', while it would make it harder to snoop on your calls from third parties, will not 'protect' you from lawful intercept.
Furthermore specific to the US Zoom also has to comply with the Communications Assistance for Law Enforcement Act [2]. This does in no way mean Zoom can not encrypt its traffic. It just means it has to provide law enforcement the ability to covertly wiretap every and any communication. If Zoom provides end to end encryption to its paying customers, it still has to provide access to law enforcement to the content of those communications.
[1] https://en.wikipedia.org/wiki/Lawful_interception
[2] https://en.wikipedia.org/wiki/Communications_Assistance_for_...
Yes it will, it will make the intercept so expensive that it will not make sense anymore for them to do it.
In the first case, all they need to do to intercept is to call Zoom headquarters, or even just go to some pre-setup website and just enter the identity of the user and voíla you have the data. The cost is 1 man-hour of an agent.
In the second case, the Zoom doesn't have technical ability to break the encryption, and to "lawfully intercept" they need to either break your phone or physically break into your home to install some devices, or construct elaborate servers to trick your phone into thinking it talks to real Zoom, or use the supercomputers to break some of the encryption, or use some of their hidden stashed 0-day, and thus risk exposing it by using it, and not be able to use it later for a real threat. Cost of this can be astronomical for breaking a single user. (And all of that is even more true for open-source solutions.)
Also a lot of people disdain this not because they are terrorists. They disdain this type of surveillance because it has been shown many times that governments do not just track terrorists, they always end up abusing their power and track everyone, and there are agents who sometimes just make fun of people and read their emails etc. Didn't you read any of the Snowden material that was published? Encryption prevents exactly this type of ABUSE of the power by the government.
How do you think this works? If Alice and Bob generate private keys and share only their public keys with each other over the wire how does the provider obtain the content of those communications to share? It never had them.
There is no non broken way to provide a backdoor for government while actually retaining meaningful security in the long run. See the extensive discussion on "key escrow"
Lets discuss a very old encrypted communication mechanism. PGP encrypted email. If I Bob send an encrypted email to Alice how does gmail fulfill its obligations as stated previously to law enforcement? PGP came out in 1991 and CALEA is from 1994. In the 26 years since I don't seem to recall anyone shutting down gmail.
I actually agree with you on this. I was personally involved in the past to advocate for stronger encryption ( https://archive.nytimes.com/www.nytimes.com/library/cyber/we... [1997]).
However, law enforcement agencies around the world see "broken" ways to achieve this as a 'lesser of two evils' trade-off. Am I too paranoid (I hope I am) to envisage a scenario where Sam, our friendly US law enforcement officer asks Sheila, his friendly AU counterpart to request a copy of the conversation obtained through technical capability and assistance notices and share it back under 5 eyes agreements? Add the pending bilateral CLOUD act for an extra spicy double exchange sandwich?
https://twitter.com/alexstamos/status/1268061796339814400
Eh, am I supposed to trust you just like that? If history taught is anything, it's that there will be.