556 comments

[ 5.7 ms ] story [ 294 ms ] thread
What? This isn't a thing already?
Does end to end encryption help when it's known that much of the traffic is routed through China? Genuine question.
Yes. The whole point of end-to-end encryption is that your data is safe even when it goes through untrusted servers. (I know they might have a backdoor, or might screw it up somehow. But in principle, if they do it securely, then this holds.)
Is it possible for Zoom / the CCP to hold the encryption keys? That would make it insecure, right? (genuine question).
Yes, if the keys are held in servers that they have access to then they would be able to decrypt the traffic and see what is happening. The whole point of e2e encryption is that only the 2 parties have the keys, Zoom are abusing this term and making people believe they are doing e2e
What makes you think they're abusing the term? Did you read their whitepaper?

https://github.com/zoom/zoom-e2e-whitepaper

They apparently 'define it differently' to every other company, organization, and infosec professional. This sort of thing used to be called lying, but it's essentially an 'alternative fact' now:

https://www.theverge.com/2020/3/31/21201234/zoom-end-to-end-...

Zoom, however, denies that it’s misleading users. The company told The Intercept, “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” and that “content is not decrypted as it transfers across the Zoom cloud.

Whether the paper is any different is sort of irrelevant if they're starting off from a place of bad faith. One time after another this company has 'accidents' like this, while removing CCP distinguished nonpersons from the platform. A sense of skepticism is certainly justified.

The whitepaper is fine, it's the comments from Alex Stemos that make me think they are abusing the term.

https://twitter.com/alexstamos/status/1268061792527241216

He did not say they can't monitor calls.

https://twitter.com/alexstamos/status/1268061795572314113

If they can enter the meeting, either they have to get confirmation from the host who would send the keys to the person entering the meeting or they already have the keys and can enter the meeting and decrypt the stream.

Is this before or after their new E2EE plans?
If implemented correctly, the server doesn’t get the key. Look up Diffie–Hellman key exchange for more information on how this is possible. This can be verified by auditing the client so you don’t need to trust Zoom.
What do you mean by auditing the client... Like audit the source code or something that we could do independent of the source code? (serious question)
You can audit the client either through source code or through very painful binary analysis.
This is true, but they are going to help law enforcement with calls that have bad content in them, the only way this can happen is if they have the ability to decrypt the streams or enter calls silently and get the keys.

Edit: Sorry for coming across a little brash, I'm quite a strong advocate of real encryption and this kind dilution of terms makes my blood boil because terms are being diluted and people have trust in something that betrays them.

> The Diffie–Hellman exchange by itself does not provide authentication of the communicating parties and is thus vulnerable to a man-in-the-middle attack.[1]

Whoever controls key distribution can control the encryption channel; without a way to verify public keys, all bets are always off. You're right that auditing the client is one (if not the only?) way to do this.

[1]: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exc...

That's factually untrue, it's not "known".

To the contrary, you can pick the region for your servers, which presumably for 99% of people is precisely to avoid China:

https://blog.zoom.us/wordpress/2020/04/13/coming-april-18-co...

There was a time when outside traffic routed through china. I believe zoom said it was a mistake.

I'm not convinced that a setting alone should provide much confidence in terms of traffic routing considering that it can always be changed independent of what setting in the application you make.

> I believe zoom said it was a mistake.

Yes, zoom said it was unintentional.

For me, that's hard to believe. They weren't routing the call itself through China, they were just sending the encryption keys to a server in china. That seems pretty intentional. Even if they weren't routing the call through China from a user's perspective, their US server could still be sending the call data to China or recording the call for playback (from China) later. Their track record around security is so bad that I would stay as far away as possible.

I'm skeptical too.

Unfortunately for folks who are good actors in other non free countries countries... I find any sort of development or real world controls that are in a seriously non free country... automatically suspicious.

Even good individual developers who have the best of intentions in those places could be subject to pressure and the likelihood we'd ever hear about it is near zero in many of those places.

Granted that 'could' happen in more free countries, but I'll hedge my bets there as there's a great deal more likelihood I would hear about it.

A product developed almost entirely within China is beholden to the whims of the CCP. Especially a billion dollar company. There is literally no escaping this reality.

If the CCP wants the keys, they'll get them.

Super. Would be interesting to see how good it scales. 200 people in a town-hall meeting will be an interesting engineering challenge I would think.
Diffie–Hellman[0] is pretty cheap, you do it every time you visit a site with SSL enabled. Having the meeting leader do it 200 times to pass around a shared key generated on the client would be e2e and have minimal if any performance impact. There is probably a cleverer way to do it that I'm not aware of as well.

Edit: One issue is the client can run out of entropy but I think that would only happen on modern operating systems if you had hundreds of thousands of clients to negotiate with.

[0]https://en.m.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_e...

Keys will be held in safe keeping by the CCP.
"To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message. Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts."

Perfect instrument to collect more personal data.

Zoom is evil.

Also, fun note - just noticed Eric Yuan posted that and also created Zoom.

https://en.wikipedia.org/wiki/Eric_Yuan

Eric S. Yuan (Chinese: 袁征; pinyin: Yuán Zhēng; born 1970) is a Chinese-American billionaire businessman, and the CEO and founder of Zoom Video Communications, of which he owns 22%.

No wonder why they have to play party with CCP.

Wait, your point is that Zoom is evil because the founder is Chinese?
Because of its inevitable ties and implicit subservience to the CCP.
The only "relevant" information found in the quote in the GP comment is the nationality of the CEO. How does one jump from the CEO's nationality to inevitable ties and implicit subservience to CCP?
(comment deleted)
Nationality is not a race. Nationality implies a connection with a specific country. And when that specific country is a vast wasteland for human rights and privacy and civil liberties, then yes, it’s relevant.
ignoring the quote for a second we know a few things about this CEO and zoom.

1. zoom's application is sending data to Chinese servers separate from the application functionality servers.

2. the CEO is from china, I'm going to assume he has relatives in china.

3. we know CCP is a completely fucked up government with an absolutely horrible history of civil rights violations, genocide, etc.

I wouldn't put it past CCP to be pressuring the CEO by threatening relatives who live in china. this wouldn't be unheard of for CCP.

add the the unnecessary data transfer to chinese servers makes it look really bad.

its a fairly reasonable conclusion to draw that the CEO is compromised if all the above holds true.

more extreme conclusions could just as easily be drawn from that same data that he is literally a foreign agent for china.

I find myself agreeing with most of your points. I mainly took issue with taking a shortcut from "being born and raised in China" to being a hostile Chinese agent (and we don't even know if the CEO has relatives in China that can be leveraged anyway).
Didn't Zoom block a US based activist on the request of the Chinese government? I'm not arguing that there is complete subservience to the CCP but this censorship seems like a line was crossed.

https://www.nytimes.com/2020/06/11/technology/zoom-china-tia...

Edit: Let me also state that I'm not entirely sure what OP's argument was, considering the comment was deleted. I'm merely stating that there seems to be some cooperation with the CCP and Zoom.

I'm aware of Zoom's track record, and it could certainly be scrutinized, criticized, or even boycotted.

What we have here is going from "CEO was born and raised in China" to "No wonder why they have to play party with CCP" and "inevitable ties and implicit subservience to the CCP". I can't see the logical connection in the absence of other information. Don't you see a problem with assuming someone's motives purely from their country of origin?

Is it licit to at least keep it into account?

Or we need Xi Jinping's permission?

Yeah what the fuck, that was some weird casual racism you don't expect to see on HN.
I disagree it's "racism." It's how the CCP operates. We can say the same story for different super powers from previous times.

People suspected German Ambassador to USA for being a bosch spy.

Founder of a communications company isn't that far off. Huawei is a great example.

Founders of a company control the companies direction.

Except Eric is not any sort of govt or party representative.

He is a naturalized American of Chinese ancestry.

In history, this kind of scapegoating was counterproductive.

The CCP can and will exert pressure on family members to get expats and former citizens to do what they want. They're not the only country to do so, not by a long shot, but they are particularly brazen about it.

Though I think the CEO is less relevant than the critical amount of developers Zoom relies on that are directly living under and subject to CCP malfeasance.

> The CCP can and will exert pressure on family members to get expats and former citizens to do what they want.

Could you give a few such cases?

Summary: Chinese government harass the relatives of the fugitive corruption suspects to force these suspects to return voluntarily.

That's definitely one area the Chinese system is vastly behind the international standard. But this has not been conscious to me.

When I was a child, we had horror stories of people sentenced to death penalty and were executed on superficial charges that sexual misconduct. And my parents have witnessed detained thief were beaten like wild animals by policeman, and the thief's scream was heart far in the then poor village.

These measures can even escalate during "Yanda", a nationally-coordinated clampdown on criminal activities. In [1], it was noted: "China's execution rate increases dramatically during Yanda campaigns."

Such brutal national campaigns are dying down, the most recent one [2] has much less cruelty. And historically such campaigns enjoyed universal domestic support.

As of today, the Chinese government has a high degree of popular endorsement to use whatever not-too-out-of-line measures to bring back the corrupted businessman or former government officials, who are prosecuted by the public attorneys. Thanks a grain of national pride, i.e., "those corrupted bastard not only embezzled our money, and they escape to the country that is unfriendly and can be benefited from those fortune".

[1] https://www.jstor.org/stable/23639486?seq=1 [2] https://www.economist.com/china/2019/02/28/china-is-waging-a...

I'll be honest, I'm not sure what your point is. Your response reads a bit like a defence of the practice, but I'm going to give you the benefit of the doubt (since there's an obvious language issue).

I will say... it's curious to me that you seem to be well aware of such practices but still challenged the parent to provide examples (the implication being, that they were misinformed).

Why did you ask the parent to provide examples if you knew of some already? What's your motivation?

#1 I was aware of the flaw in legal system. But the flaws I know was that the Chinese legal system was ineffective, inefficient, and quite a bit corrupted.

#2 I was not aware of the details of harassing on corruption suspects' relatives.

#3 I think it was reasonable to not able to link these 2 facts automatically together as self-evident.

I'm not at a desktop at the moment so I had to just Google for some examples. I was thinking of stuff like this:

https://www.businessinsider.com/china-uses-family-members-to...

Just to be clear, I'm not suggesting that China is unique in doing this. They are simply much more openly aggressive and nonchalant about it.

EDIT: I also think it was both reasonable and correct for you to ask for examples. Superpowers do enough sketchy things that we don't need to be muddying the waters with made up claims.

Which German ambassador are you talking about?
People also suspected Japanese Americans to be spies during WW2 and sent them to concentration camps. I hope we do not repeat the same mistakes.
Is the argument still that this man is a CCP agent because he comes from China? That's literally all the evidence that was provided in the parent post.

Do you not understand the racism behind assuming someone is a CCP agent based on nothing more than their race?

(comment deleted)
Chinese is also a nationality and that does have relevance if the person has ties to Beijing and the CCP. If the founder were Russian and had ties to Moscow would we be complaining about “casual racism?” It’s racist to suggest racism when a Chinese is involved when similar accusations wouldn’t have been made if the situation were Russian.
no, its not racism. Almost all independent American company is banned in China. Thats racism. Google, FB..etc..etc.
While I understand that on the surface seems "bad", you have to understand the CCP taps into people worldwide, and while I don't know his position per se, or finances -- or connection with China today.

It doesn't paint a great picture, especially with espionage and CCP tactics. Look at previous German and USA interference w/ GE, Bosch, -- it's the same story.

Except now it's highlight as "bad" to point out that connection.

I'm disgusted that in 2020, Americans continue to use the same racist, unfounded smears againts people based on their ethnicity just as they did when they were throwing Japanese-Americans into internment camps.
There are plenty of HN users who won't (or wouldn't, in an ideal world) use any US-based software because of NSA interference.

The issue is national origin, not ethnicity. Japanese Americans were thrown into camps for the same reason, but we're not talking about jailing anyone here. We're talking about avoiding a specific product.

Another difference is that Japanese Americans were put into camps regardless of how many generations removed from being Japanese they were. No one is arguing that CCP has control over Chinese Americans whose ancestors immigrated here in the 1800s. It's about people who literally grew up in China and/or still have close family there for CCP to threaten.

> The issue is national origin, not ethnicity. Japanese Americans were thrown into camps for the same reason

``` Of 127,000 Japanese Americans living in the continental United States at the time of the Pearl Harbor attack, 112,000 resided on the West Coast.[9] About 80,000 were Nisei (literal translation: "second generation"; American-born Japanese with U.S. citizenship) and Sansei ("third generation"; the children of Nisei). The rest were Issei ("first generation") immigrants born in Japan who were ineligible for U.S. citizenship under U.S. law.[10] ```

From https://en.wikipedia.org/wiki/Internment_of_Japanese_America...

What do you suggest?

Should there be a upper limit on the generations to be considered not originated from a nation state? According to what happened to WWII Japanese ethnic Americans, that number seems have to be > 3?

And remember that what happened in WWII Japanese internment camp is an evidence that "national origin" as an association was plainly wrong, from the same wiki page:

``` In 1980, under mounting pressure from the Japanese American Citizens League and redress organizations,[30] President Jimmy Carter opened an investigation to determine whether the decision to put Japanese Americans into concentration camps had been justified by the government. He appointed the Commission on Wartime Relocation and Internment of Civilians (CWRIC) to investigate the camps. The Commission's report, titled Personal Justice Denied, found little evidence of Japanese disloyalty at the time and concluded that the incarceration had been the product of racism ```

Emphasis on the last statement: `the incarceration had been the product of racism`.

There is a difference between US based software (e.g. servers located in the US), vs a CEO that's from the US (or China in this case). If the argument is that Zoom the company has routes traffic to China etc then fine I can get behind that. But if the argument is the CEO is from China I find that problematic. I mean it's not like internment of Japanese Americans is ok if it's limited to only first gen.

EDIT: Also sounds like you're saying that it's ok to avoid doing business with someone based on national origin, which I also find problematic.

> Also sounds like you're saying that it's ok to avoid doing business with someone based on national origin, which I also find problematic.

Sure, it can be problematic. I've seen articles about how Russian people in the software industry are having a very hard time because of what Putin's regime does. It's not fair for the people who have nothing to do with Putin and no exposure to him.

But what is the alternative? Putin and Kim have assassinated dissidents in Western countries. Do we assume people can't be coerced just because they left the borders of the authoritarian country?

Should the US government also remove its nationality restrictions for security clearances?

The alternative is to not discriminate based on national origin? Which is a protected class by the way. Nationality is also very different from national origin. Eric is an American citizen as far as I aware. You can point to the requirement to be bore in the US to run for presidency, but 1) that’s an edge case and 2) where is the line? Is it ok to discriminate again foreign born Americans but not against native born? What about native born Americans with relatives in China / Russian / North Korea.

I mean overall you really don’t find it an issue to blankedly judge an entire class of people based on what some people within that population does or could do?

> The alternative is to not discriminate based on national origin?

It absolutely is not a protected class. There are no protected classes when I am deciding whom I trust with my personal data. I can discriminate for any reason, including national origin.

> I mean overall you really don’t find it an issue to blankedly judge an entire class of people based on what some people within that population does or could do?

I would find that an issue if anyone (including me) were proposing it. We are not. You're attacking a straw man.

Here are the facts, regardless of Yuan's citizenship, race, etc:

1. Yuan grew up in China. He still has Zoom employees and family there.

2. China is controlled by a regime that has no qualms about using physical threats and violence to maintain control.

That's it. That's all I need to decide that I don't trust Zoom, if all of their extreme dishonesty and malware installations weren't enough. They haven't shown good judgment, and even if they did, it would be easy for CCP to put pressure on Yuan (or any other employee living in mainland China).

If Yuan had no family in China, no employees, and enough bravery to speak against CCP, I would not feel this way. I am not judging an "entire class" of people.

By the way, every firm that requires security clearance does judge entire classes of people as security risks. The question I asked, which you didn't answer, is whether you think that's also inappropriate.

Yes you're free to make personal choices based on whatever factor you like. You can decide based on vendor's national origin, race, sex whatever. I just don't think it's right on those factors alone.

You listed 2 things. First is where he's from, the second is the politics of the country. You are then basing your judgement (at least in this comment) purely on those factors. The implication here is you wouldn't trust your data to anyone that was born, grew up and has family and / or employees in China. I mean most of the large tech companies have some employees in China. How is this not judging an entire class (or group if you'd like) of people?

As far as security clearance, they are at least in theory assessed based on established facts about a particular person. e.g. being born in China doesn't automatically disqualify you as far as I'm aware. If you know otherwise or can point to examples, I'm open to being corrected.

I mean if it's been established that Eric has connections to the CPP then that's a different matter and we can look at that. My objection is with "Eric is a Chinese-American billionaire businessman so we shouldn't trust him".

I see your point about a person's family still living in China, and hence giving leverage to CCP to put pressure on them. However, the argument that where people grow up gives them inherent alignment with the government of that country, and they can only be "cleansed" through generations is at best bogus, and at worst ammunition for racism.

Not to justify atrocities happening in China or getting into Whataboutism, but just to give an analogy, would it be fair to consider any US expat an accomplice in or a proponent of separating migrant children from their families at the border?

Did we read the same comment? https://news.ycombinator.com/item?id=23553503

It explicitly argues that he's evil because he has a Chinese name and Wikipedia describes him as Chinese-American. There's no equivocating about the software being China-based, or him having close family in China for the CCP to threaten.

And discriminating against people for national origin is considered so bigoted it was explicitly included in the 1964 Civil Rights Act. Your reasoning is sound, but you should seriously reconsider your basic ethical principles.

> Japanese Americans were thrown into camps for the same reason, but we're not talking about jailing anyone here.

Yet.

At the risk of a slippery slope fallacy, institutional xenophobia ain't controlled by an on/off switch. Dehumanization is a gradual process, and establishing an attitude that people associated with an enemy are aligned with that enemy is part of that process. At first those associations might seem reasonable, going for officials and other important figures, and then perhaps their family, and so might the actions against them, like added scrutiny and surveillance of their communications and travels. The problem is that both ends of that are prone to scope creep - the target set broadens ever so slowly (citizens, ex-citizens, descendants of (ex-)citizens, their descendants, and so on, almost always excused with "well we need to be sure that $CURRENT_TARGET is not part of $PREVIOUS_TARGET"), while the actions worsen ever so slowly (surveillance, profiling, travel restrictions, property confiscation, imprisonment, sterilization, execution) as the rhetoric heats up from "we just want to make sure these people aren't the enemy" to "these people are the enemy and shall be treated as such".

Personally, I'd prefer to nip that in the bud rather than watch 1800's-era sinophobia reenact itself at the expense of my Chinese-American friends and colleagues. I also have enough self-awareness to know that if I would be upset by people writing me off as "will probably help oppress minorities and political dissidents if his government tells him to do so" simply because I happen to be a citizen of a country with a track record for oppressing minorities and political dissidents, then I should refrain from doing so to a citizen (let alone ex-citizen) of a different country with those same tendencies, even if those tendencies are, in my opinion, much stronger.

I don't see how this isn't just discriminating based on national origin.

It'd be one thing if there are actually some nefarious ties between Eric and CCP, but all we are going by is he's originally from China and there could be influence by CCP on people from China. It's not bad to point out a connection, it's bad to point out a possible connection based on nothing more than where the guy is from.

There is plenty of evidence suggesting that Zoom collaborates with the CCP without it, there was undue pressure to terminate activists without users from China.

It is best to focus on these sorts of links rather than someone merely being from China.

That I'm fine with. If there is evidence that suggest Zoom is doing something unsavory then we should call them out on it. But suggesting Zoom isn't trustworthy simply because the CEO is Chinese is distasteful.
A lot of Chinese values are at odds with American values. Someone who is genuinely pro-Chinese values threatens things we often take for granted here in America
Unfortunately, I have to post this comment again, from just 3 days ago [1]. Also remember that Eric Yuan is an American citizen, not a Chinese citizen. He switched. Original comment:

When will this meme die?

Zoom is NOT a Chinese company. It is incorporated in and headquartered in the US. Like any American company ever, it follows US laws in the US, and local laws in other companies where it operates. End of story.

Yes their culture certainly has stronger cultural internal ties to China, due to the number of Chinese employees, but what has that got to do with anything? At the end of the day, they're a public, profit-driven corporation trying to make lots of money across the entire world.

It's not like they're secretly and nefariously doing the CCP's bidding, which seems to be the veiled suggestion people keep making.

Seriously, every time someone brings up that Zoom is "really" a Chinese company, it comes across as borderline racism or conspiracy-mongering or both. And while I'd usually never comment on someone using a throwaway account, in this case when you're pushing these kinds of shady "stronger than the more-commonly-discussed" insituations, I think using a throwaway here is representative of exactly the kind of astroturfing that spreads malicious rumors without evidence.

[1] https://news.ycombinator.com/item?id=23510886

> Yes their culture certainly has stronger cultural internal ties to China, due to the number of Chinese employees, but what has that got to do with anything?

A lot.

How is it racist to suggest that Zoom has Chinese influences (seemingly not farfetched based on the equity ownership mentioned above and not at all disputed based on the technicality of Zoom being a US company)?
It is not racist to suggest that the Chinese government influences companies. It is racist to suggest that Chinese people are automatically predispositioned to certain actions.
Fair enough and I don't think anyone here will find that statement controversial. I think what bothers me in some of the dialogue here is what I perceive as an attempt to play "hide the ball" by pretending that CCP interests don't run counter to the interests of liberal democracies by labeling raised concerns as racist. No one framed anything in racial terms to begin with so I don't see why it needs to be placed in that context.
It's racist to suggest that Chinese people (NOT the similarly-colored Taiwanese) feel some weight from the dictatorship were they live/grew up/have parents in?
That was never suggested. Zoom is developed almost entirely in China, which means it is effectively a Chinese company under full influence of the CCP.
Really? And which part of "local law" required Zoom to close accounts of US citizens in the US who weren't breaking any US Laws?

https://news.sky.com/story/zoom-disables-accounts-of-chinese...

>The suspension targeted Humanitarian China, an organisation based in the US, after it held a call with roughly 250 people, including a number who dialled in from China.

Same reason why Google censored itself for China in 2006. Did people think Google was a 'Chinese company'? Note that this was before Google set up a presence in China.

http://news.bbc.co.uk/2/hi/technology/4645596.stm

I don't see how it's the same. In Zoom's case organization was in US and call organization was in US and company works by US laws. Why would they censor these accounts? Google on the other hand had to do it to operate in China, had to submit to Chinese regulations.

The same would be if they blocked Gmail of US citizens because of discussions related to China.

I think you're missing the point. Google censored itself in china based on Chinese requests. Zoom censored itself in the US based on Chinese requests.

There's a pretty big difference IMO.

I guess I don't consider that the same thing at all. They're censoring searches coming from china to google.cn (hosted in China). They didn't really have a choice, the servers are in China, the users are in China.

What they aren't doing is actively blocking users from China getting to www.google.com, and they aren't censoring searches Chinese users do on www.google.com because those resources aren't hosted in China and aren't subject to Chinese law.

Zoom on the other hand IS blocking users from China accessing resources in the US and while they may have "undone" the ban, they banned US users from their platform for breaking a Chinese law that they aren't subject to. Namely talking about the Tienanmen Square massacre.

they didn't have a choice not to use servers in China?
They actually didn't. Their options were filtered servers in China or no services in China at all. We can collectively be upset at their decision but they ARE beholden to their shareholders as a public company. Abandoning the Chinese market entirely is something they could've tried, but their major shareholders made it pretty clear there would be a change of leadership if they tried.

Unless you've got a magic bullet to give Wall Street a conscience, that wasn't going to happen.

Ok it was the fault of their major shareholders, but then it's ok to make them pay their decision, I think (hoping that they're still holding those shares).

By the way, in general my understanding is that the "beholden to their shareholders as a public company" (and thus forced to make the most remunerative decisions) belief is a myth, a public company is free to make ethical choices (if its major shareholders don't oppose them).

Zoom claimed they had to remove Chinese participants from the US-hosted meeting but didn't have the functionality to do that so (wrongly) banned the US hosts.

They said it was wrong to do, reinstated those accounts, and are building the functionality to enforce those Chinese laws without ever impacting users outside China.

That's from their blog. https://blog.zoom.us/wordpress/2020/06/11/improving-our-poli...

I'll ignore for a second the fact they refused to even acknowledge Tiananmen Square in that post, despite the fact that as was pointed out they're a US company that isn't beholden to China and they're posting in English on their US-based website.

They are actually admitting that they're going to prevent people IN CHINA from connecting to a meeting that is presumably hosted IN THE US. That doesn't make it better, it makes it WORSE. You're basically telling the world that China will dictate how you operate WOLRDWIDE not just in China.

I'm sure that if the US had as strict control over our/their internet as China does over theirs, non-US sites would be forced to operate differently for peers in the US too.
(comment deleted)
They're the same "local laws" that fine foreign companies billions of dollars for doing business in Iran.
Let's be 100% clear.

Based on a complaint from china regarding non-Chinese citizens with non-china accounts, zoom cancelled the non-china accounts.

Full stop. Let that sink in.

If you are wondering who zoom will accommodate you have your answer. This is a fact. This is what we are calling "racism"?

Defending something as "NOT a Chinese company" or not a Chinese citizen (as if those would allow certain assumptions about the actions of individuals) is still xenophobic framing. People are people and are capable of independent thought and actions.

We can be upset at power structures and at their effects. Taking that further to make assumptions about groups of people is racist.

"Chinese" are not a race, and assuming that groups of people are somewhat more likely to be subject to some power structure, is not racism or xenophobia.

You'll get a Liu Xiaobo once in a while, but much more often you'll have people that, while easily wonderful as people per se, are disgracefully forced, or have been convinced to, do some things that they shouldn't do.

(comment deleted)
Dude, you need to think first. Handing over data to CCP ? thats genocide.
(comment deleted)
You started a wretched flamewar with this post. That was vandalism.

Nationalistic and ethnic flamewar will get you banned here. So will personal attacks and insinuated slurs.

People have been hounded off this site in the past by comments along these lines. That's shameful, and we want no more of it.

No, we're not defending communism or the communist party. We're trying to defend Hacker News against (a) mob behaviors and (b) self-immolation. Here are some recent comments about this, which include other links to plenty of past explanations.

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

Their argument doesn't make sense.

The objective behind verifying accounts is to prevent spammers creating lots of spam accounts and using those to spam.

However, spammers rarely care if their spam is encrypted, so putting E2E behind verification won't do anything as far as spammers are concerned - they'll happily keep spamming using the unencrypted accounts.

There's some other reason behind this that isn't about reducing spam.

I think their concern is paedophile rings using large group E2EE for live child abuse with completely anonymous accounts.
Only 4 comments in and we hit one of the four boogymen of the civil rights apocalypse. How many comments until we get to domestic terrorism or illegal drugs?
> one of the four boogymen of the civil rights apocalypse

The public is willing trade away privacy in exchange for protection from certain categories of risk. Instead of denying that, one can lean into it by ensuring strict definitions and enforcement options within those categories while preserving full privacy for those without. Arguing pedophile rings and terrorism are a cost of a privacy policy is a good way to sink that policy.

I would make a cogent argument to rebuff your straw man, but it's not worth my time if you don't share a priori assumptions with me about E2EE being uncrackable. It's just math. I don't see why the talk of trade-offs even is relevant to the discussion. People will use secure tools with E2EE or they will suffer the consequences of not doing so. Doing illegal things is already illegal. Banning or watering down E2EE so that it becomes no long E2EE is throwing the baby out with the bathwater.
Your mistake is bringing a technical argument to a political question.

My personal political answer to "how to have end-to-end encryption and prevent its use for child rape" would be to tax the companies which profit from E2EE, and use that money to fund death squads, which livestream dragging child rapists out of their home, anywhere in the world, and beating them to death with truncheons.

I'm joking, of course (or am I?) but I do consider this the general shape of a viable solution. E2EE is essential for a modern life which isn't a hellish surveillance dystopia, and the detection and prosecution of child rape is criminally underfunded.

> E2EE is essential for a modern life which isn't a hellish surveillance dystopia, and the detection and prosecution of child rape is criminally underfunded.

Yup. This.

This is creeping a little close to populist rhetoric. The crimes you've described are obviously awful but angry politics will only lead to knee-jerk solutions.

In which ways do you think it is underfunded?

It's clearly underfunded in relation to the difficulty in prosecuting these cases. Banning E2EE is a way of lowering the bar of difficulty in prosecuting these cases. The crime is reprehensible, and worthy of enforcement due to the heinous nature of abuse. Curtailing abuse via violating human right to encrypt is not the way to end abuse. Thus, more funding is likely justified, if it leads to an end to abuse. This social benefit of reduction and elimination of abuse should not come at the expense of human rights and E2EE.
I see, so your main concern here is prosecution. It is indeed true that prosecution is understaffed and underfunded. I feel there are other problems at play too.

CPS should be able to spot children in abusive homes and respond to reports of unusual activity. They should be able to spot clearly unstable caretakers.

Counsellors and teachers should be able to spot unusual behaviour from children. Mental health services can help someone escape falling into such a situation in the first place by keeping them from falling into depression which leads them to rely on such a person.

Local police shouldn't dismiss leads so readily. This is the it is impossible for him or her to do such a thing mindset which prevails so frequently.

Parents shouldn't trust their relatives so readily and should keep an eye out. 90% of cases happen at home.

If they stopped showing off their crimes online, would the entire system come to a crawl? I'm worried by how much of a reliance there is on divining crimes off the internet.

What if the only practical way to 100% stop all crime is to shutdown the internet?

Now, I'm not saying there is nothing that can be done to reduce it. I very much hope there can be, especially if counsellors can find warning signs and we can better figure out how to spot the danger signs, both online and off.

Facebook took a good step forward by putting warnings up to minors when someone outside of their social circles has contacted many others, although there are other things which could be done.

Should they be allowed to contact them through onion routing during such situations? Where do you draw the line of when such technologies can be used? Is it better not to open this can of worms and risk a slippery descent? What are the chances of false positives, will it unfairly impact relatives? Will it give a black mark to privacy technologies and civil liberties to be associated with automatic blocks? What if minors want to engage in activism, should this be limited? At what point does pushing and pushing start the lie about your age shenanigans again?

This is about Facebook here but it ties back to arguments about doing this or that for the greater good.

Is a more grounded approach better? Ensure minors are well-educated of the risks and dangers online? Invest in mental health services to avoid minors falling into depressive slumps where they might be susceptible to such criminals? In the rare event they drag anyone back home, whether they think they're of a similar age or not, they bring them before the parents first?

Next thing you know, people will be using E2EE to stream gasp copyrighted material!
Yeah - I'm pretty sure this is the real concern and verifying a phone number is reasonable trade-off.

I know this argument is often quickly dismissed on HN since people see child abuse or 'going dark' as an easy excuse for the government to leverage to get more control (and it has been used for this), but that doesn't mean the problem isn't serious or doesn't exist.

See this: https://www.nytimes.com/interactive/2019/09/28/us/child-sex-...

The resources fighting this are relatively small in comparison the scale of the problem: https://www.freethink.com/videos/child-exploitation

The people carrying out the abuse are sophisticated.

I have a friend that works at WhatsApp and their entire team is focused on trying to remove groups that exist to share child abuse imagery (via metadata since content is encrypted).

I fall on the side that secure encryption is critical for all of the reasons that technical people normally argue that it's critical and breaking it doesn't work/is a bad idea, but I also understand and empathize with the difficulty encryption by default causes for the organizations fighting this abuse.

That said, I have serious disagreements with Zoom unrelated to this particular e2ee issue (https://zalberico.com/essay/2020/06/13/zoom-in-china.html), I think they don't actually care about protecting the speech of their users or securing content from authoritarian governments. It's still good to avoid them for that reason alone.

> The people carrying out the abuse are sophisticated.

In this case wouldn't they build their own solutions (potentially based on existing open-source solutions like Asterisk + Linphone or Jitsi Meet) or they might've built them already?

Phone numbers are also very easy to obtain anonymously, so I am not sure SMS verification would help track down abusers when it'll lead to a prepaid SIM or some innocent user's phone that happened to be compromised by malware.

Yes, some would - but not all.

I agree that these reasons are why it's not a good idea to break or outlaw encryption since bad actors can still use it and good people that need it are blocked, but this doesn't mean that making it the default doesn't enable more abusers to get away with it that might be caught otherwise.

There's a spectrum of sophistication, if it's harder more of them will make more mistakes that make them easier to catch.

So how do you define that giving away phone numbers is the right trade-off in the "spectrum of sophistication"? It effectively means lack of anonymous communications for everyone, i.e. global surveillance (personally identifiable metadata is in the hands of Zoom).
I didn't say it was 'right', I said it was 'reasonable' - and there aren't easy answers to this.

Also to clarify, specifically a reasonable trade-off for Zoom (I don't think there should be a general law that requires IDs for video software use or something).

Zoom is not a company I would use at all if you're looking for secure communications (https://zalberico.com/essay/2020/06/13/zoom-in-china.html).

If you care about secure communication you should be using something else.

(comment deleted)
> Phone numbers are also very easy to obtain anonymously, so I am not sure SMS verification would help track down abusers when it'll lead to a prepaid SIM or some innocent user's phone that happened to be compromised by malware.

It depends on which country really. In some places in Europe it became almost impossible to do that (sadly).

People would give more support to government efforts to fight child abuse videos, if the government stopped using child abuse control tech to violently suppress human rights.
(comment deleted)
Indeed, E2EE will enable criminals to go undetected. And this is a real problem. However, it’s an arms race that will end with criminals having proper, strong E2EE anyways. Trying to reverse this is like trying to reverse entropy, the toothpaste does not go back into the tube. It may seem like it is still doable now, but I’d be willing to place bets that feeling will evaporate shortly.

Of course, criminals are ordinary people too. They care about convenience and network effects as much as anyone. Which is why I think it’s insane that governments want to jeopardize the trust people have in proprietary, huge E2EE platforms that actually have the means to aid them in investigations. Yes, breaking the crypto may not be an option, but at least collecting useful metadata for use in investigating, and potentially ethical hacking, is an option.

I fear the day when the trust is gone because there is a very real possibility that some day many will be using decentralized E2EE chats, maybe even P2P. It’s not just conjecture of course, Matrix exists today and is already very impressive (in my opinion) in terms of usability.

The internet is opening up the concept of having nearly private communication with pretty much any individual in the world. It isn’t free of implications, but also, as more of our lives move online I feel its absolutely crucial that every day people can feel confident they’re not being monitored. The problem of CSA and other criminal behavior existed before the internet and it will certainly exist after. It’s absolutely past time to re-evaluate laws surrounding child protection, which seem to me to mostly be reactionary at this point (in that many of them are spawned as a result of a specific incident.)

> Indeed, E2EE will enable criminals to go undetected. And this is a real problem.

This is not the problem. The argument is hollow.

People need to take child protection laws out of political discourse, as it's now approaching silly.

If you think this strengthens the case against encryption laws, I suggest you rethink. There’s plenty of valid arguments against banning strong encryption and this isn’t one. You can’t simultaneously argue that E2EE keeps people’s conversations private to eavesdropping and then suggest that it doesn’t prevent eavesdropping for law enforcement purposes- at face value it does, and image hash databases to prevent the spread of known CSAM exist today; see, for example, Project Arachnid. And yes, law enforcement eavesdrops for law enforcement purposes. That’s why wiretap warrants exist. Whether its a good thing is another argument entirely, but it is indeed the status quo.
> There’s plenty of valid arguments against banning strong encryption

There are no valid arguments against encryption

> And yes, law enforcement eavesdrops for law enforcement purposes

Lawful eavesdropping is an oxymoron

Do you think there is no situation where it can be lawful for a law enforcement agency to perform a wiretap?
Yes
Well this is probably not the case if you are an American. See US code title 18 section 2516 paragraph 1.
Wiretap is a misnomer. Undermines security.

Put plainly, there will always be crimes you won't be able to catch. You prioritise resources on the most pressing ones and build up resources in the real world to tackle them in other ways. Dystopian lists on the client to control what you're allowed to say or think or report your thoughts back to the government still violates the principle E2EE is built upon.

There is no middle-ground. You either are secure or you are not. The genie is out of the bottle either way.

> Indeed, E2EE will enable criminals to go undetected. And this is a real problem. However, it’s an arms race that will end with criminals having proper, strong E2EE anyways.

Individual child abusers aren’t part of a monolithic organization with training on how to secure their comms and practice OpSec.

The number of criminals who still create evidence against themselves on unencrypted platforms (SMS, phone, etc) is significant, despite E2EE options already being available. People are even being arrested for rioting after admitting on public TikTok videos to participating.

I think the only way criminals will standardize on E2EE is if every platform and communication mechanism is E2EE by default. Otherwise they will continue to make mistakes or think they can slip under the radar.

> I think the only way criminals will standardize on E2EE is if every platform and communication mechanism is E2EE by default. Otherwise they will continue to make mistakes or think they can slip under the radar.

FWIW, I believe this is the future if lawmakers don’t prevent it. A look at some E2EE software today:

- WhatsApp

- Matrix

- Signal

- iMessage

- Firefox Send

- MEGA

- ...

The list will grow.

In my opinion, E2EE today is like TLS 10 years ago. TLS was once a nice-to-have when it came to communication that was not strictly necessary to encrypt. Today, TLS is more sophisticated, stronger, and easier to implement than ever, and damn near a necessity for anything, even toys.

Granted... E2EE is necessarily harder, since it requires application-level implementation of crypto primitives, things definitely get complicated. Still, I believe the state of the art will continue to improve and tooling with it. Eventually there will probably be defacto libraries and maybe even OS frameworks to deal with E2EE key management, trust, etc.

To be clear, I view this as strictly a good thing and an inevitability. I don’t think transport encryption and encryption-at-rest are good enough anymore for private communication. Of course for public sites like Twitter or Tiktok it’s all you would logically get, but for any group or direct communication I now believe E2EE is slowly becoming the new baseline, and it’s mostly the complexity of it that hampers adoption.

Now that iMessage and WhatsApp are E2EE though, there is a lot of messages flowing that, exploits notwithstanding, are “truly” private, today, and I think the number will only go up. The only real question in my mind is, who’s next?

As far as criminals making slip-ups, this is guaranteed; even the best make mistakes obviously. But assuming all criminals are foolish and stupid is a mistake; I believe there’s a lot of selection bias in there, since we don’t get to find out those who truly never get caught. Time will tell if any of this really matters, or, if, as usual, it’s just another panic that has no tangible effects. I vote on the latter, but I still do believe proliferation of E2EE will change the game in ways we can’t really anticipate 100%.

> I know this argument is often quickly dismissed on HN since people see child abuse or 'going dark' as an easy excuse for the government to leverage to get more control (and it has been used for this), but that doesn't mean the problem isn't serious or doesn't exist.

When a company says they want your phone number in order to use their resources, so they can take steps to avoid having their resources used for (certain) crimes, that's well within the bounds of reasonable.

The problem most people have is when the government tkes away the use of _super important feature_ from the populace as a whole (even using their own resources), because it _can_ be used for crimes.

Those are two VERY different things.

> Yeah - I'm pretty sure this is the real concern and verifying a phone number is reasonable trade-off.

It's not a reasonable trade off in countries where you get you legs broken, skin flayed alive, and head cut off: https://www.telegraph.co.uk/news/2019/11/18/russian-mercenar...

A likelier explanation, is they want an easy way to wash their hands off when being pressed.

It's not Zoom's job to solve every use case for every person in every situation.
If you read the rest of my comment beyond the first line (particularly my blog link), you'd see that I agree with you when it comes to companies taking an ethical stand against authoritarian governments.

What you're arguing is a strawman, we agree more than we disagree.

> If you read the rest of my comment beyond the first line (particularly my blog link),

I read, and I think your argument is hollow, and, assuming your goodwill, you are not understanding the matter at all, and if not, I see an ill intent.

I do not appreciate all what you say at all. Any argument against encryption must be quashed without exceptions, and second thoughts.

It is only since the start of 21st century, the experience akin to "legs broken, skin flayed alive, and head cut off" has been a grim reality for far more than a million people by now, mostly for, really, nothing. What are talking about this! And what you talk about?

Attack this argument, not something not even having a passing genuine relation to the matter.

As you’ve responded here and elsewhere, calling an argument “hollow” is not a substantive disagreement.

It seems any argument that you don’t already agree with (basically only your exact position) is classified this way.

The rest of your comment is basically incoherent, and the parts that do make sense are obviously wrong. It’s also a willful misinterpretation of my position.

People were flayed before the 21st century. Acknowledging the issues with encryption is a critical requirement in making an effective defense of it. I am not arguing against encryption.

If this is an issue you actually care about (which it sounds like it is), learning how to build consensus and honestly consider the positions of others would be a valuable skill to develop.

As it stands you’re doing more harm to the pro-encryption position (which is also my position) with how you’re attempting to defend it.

Are we talking about recirculation of existing content or new cases of abuse? How much of it is new? How much of it is duplicates? How much of it involves the platform facilitating crimes to produce it? One article noted something very alarming, that resources are diverted from more serious crimes to chase these ones.
I highly doubt paedophiles are watching child abuse streams on zoom.
Please, don't derail the discussion with something as silly as this.
If I recall from their previous statement, it's not about spammers, it's about people sharing child abuse photos.
If I recall from their even more previous statement, it was already E2EE, but that turned out to be a lie...
It's really more about being able to trace accounts to people period, as allowed through the Patriot Act: https://en.wikipedia.org/wiki/Patriot_Act#Title_II:_Enhanced...

Child pornography gets held up to the public a lot because it's a crime nobody can defend and walk away the same they were, no matter what you say. If you publicly contest this move for privacy reasons, you're automatically defending the worst child molester someone's mind can come up with.

It isn't just that. People will cherry-pick the worst incident that ever happened on a platform involving children and compare everything else to that and say that if you support privacy you're supporting this everywhere.

The one, admittedly terrible incident, will shock people and they will push exaggerated means to "stop" it. Ones which just so happen to feed tons of information into the NSA machine.

People come up with stories of live-streamed child pornography too but do these children live in some parallel universe where crimes can be committed against them without recourse? What is the police doing? Did they not find suspicious behaviour in a neighbourhood? Did a counsellor not pick up on it?

Yeah sure, child pornography is awful but why is this part of the equation the only one that is ever mentioned? Why is it always about encryption or anonymity?

You also signed up an account for banks, they collect a ton of data on all your payments, got a problem with that? You gonna say yeah Zoom is not a bank, but your prose is the data collection part
> Why care about privacy in one area when this completely unrelated area does it worse?
It's perfectly ok to be against data collection in any form even when you are subjected to it on another service. Just because someone is subjected to data collection knowingly, does not mean they condone it.
> You also signed up an account for banks, they collect a ton of data on all your payments, got a problem with that?

Yes.

First rule of HN commenting: Assume bad faith.
While I share your distaste for such assumptions.

I believe Zoomed has earned the privilege of folks being highly skeptical of their actions / motivations.

Is there any E2EE app that doesn't require verification? Whatsapp does. Even Signal requires a phone number.
Tox.chat

with added bonus of no central server

Discord recently demanded my cell phone number to be able to type messages. I declined, contacted customer service, who offered no other way to authenticate. I will not be using Discord anymore and will recommend to everyone I know to avoid it as well.

There is no need to use my cell phone or any telephone number when you already have a means of communication via email or any other channel.

If you live in the US, burner SIMs are cheap and anonymous.
It’s still only opt-in. Users have to submit an application (including text message verification and other personal info) to gain access to E2E encryption. Zoom has shown that it does not care about privacy.
Well to be fair if it was enabled by default it would break dial in (with traditional telephone) support as E2E doesn’t allow for that. This is a reason why even some large paying organisations haven’t enabled E2E
Why can't that be the opt-in part?
Agreed, to rephrase my concern: By default accounts don’t even have the option to enable E2E encryption in a meeting. There’s no button to press that will turn on encryption if nobody’s dialing in. Your user account has to go through a separate review process to get the “privilege” of encrypting your meeting.
Isn't it fair to say that this brings Zoom more-or-less exactly in line with the privacy vs law enforcement balance of a normal telephone call?

Writing from the UK, I'm reasonably sure that (a) all my phone calls are not recorded and (b) the phone number and duration of every call absolutely is recorded (this has to be shown on your phone bill!) and is available to the police when needed.

Speculating further, with the right court orders / warrants the normal E2E encryption algorithm for a particular user could be replaced with a "law enforcement decryptable" one and, hey presto, it's a Zoom equivalent of a proportionate wiretap that only covers future calls. Certainly a lot better than encrypting the calls of all users with such an algorithm "just in case".

Why on Earth would you trust Zoom, a company which has repeatedly done extremely sketchy things, to implement their closed-source proprietary platform in this specific way?

It would be easier to just lie about the encryption being end-to-end.

Personally, I will never use Zoom for anything, a decision I came to when my OS vendor (Apple) pushed a security update for my OS to get rid of Zoom.

I wasn't really trying to comment on their overall trustworthiness - I just don't think you have to stretch very far to imagine how a conversation between ≥1 Zoom employee who genuinely does care about privacy ("our users are demanding E2EE") and law enforcement agencies ("we demand or are entitled to certain powers") might have resulted in the offering being announced today.
> Writing from the UK, I'm reasonably sure that (a) all my phone calls are not recorded

With 5 / 14 eyes and no specific privacy doctrine in the UK, I have no idea why you would have that assumption at all.

Maybe not recorded indefinitely, but it seems very possible to voice to text and store that forever.

Are they going to use that information for marketing purposes? Free but only if you give them info seems too good to be true.
Does anyone actually trust Zoom, though?
I sure don't. I encourage people to use Jitsi.
I'm quite frustrated they are calling this end to end. I can't find it now but a tweet earlier indicated that they have the keys and can help law enforcement with investigations which means it's can't be end to end.
It’s the new corporate offering of e2emitm
or rather, e2e2e
Now I'm seriously scared, I found that hex sequence in the ESI of my last browser crash
You should copyright and license it to Zoom
Any centralized E2EE service has the (public) keys; that's the only way to distribute them to users. You have to trust (or verify, in the case of Signal) them to deliver authentic keys rather than MitM'ing you.
It wouldn't be a problem if anybody at all had the _public_ keys, I think he meant the private ones.
This is the same company that said that it "won't encrypt free calls so it can work more with law enforcement"[1]. I'd stay away.

[1]: https://news.ycombinator.com/item?id=23399924

This blog post specifically says that it's a walk-back of the policy announced in your link.
My read on this is that they found a way to backdoor all supposedly E2E-encrypted calls and legal compliance is no longer a problem for them. Perhaps I’m being too cynical.
It's E2EE properly, but just ignore that "CCPBot" user in your server that isn't visible anywhere.
If working with law enforcement was to important to them why did they backtrack so quickly. Seems suspicious at best.
Why trust any company that put out the initial policy in the first place?

Have they had a fundamental turnover in management, indicating a new pro-privacy culture? Did they move their development out from under the thumb of the CCP?

No and no?

So what’s changed?

If they weren’t trustworthy before, they certainly aren’t now.

One thing that has changed is that their userbase broadened.

They were mostly focused on workplace meetings. If that's your focus, then most of your users are employees of some company whose contact information you have. Users with unverified identities are a corner case that you may not feel is worth trying to get right.

Thanks to the pandemic, they have millions of new users who use Zoom for personal purposes (meeting with friends and family, etc.). What once was a corner case isn't anymore. It might even be their most common type of user.

I'm not arguing that Zoom can necessarily be trusted, but I can see a plausible reason how they could have gotten to where they are on this issue.

> One thing that has changed is that their userbase broadened.

Their userbase changed in the two weeks since they announced their policy?

I agree they should be cluing in by now. I'm just saying it could be growing pains from shifting from a B2B business to a B2C business. That difference has huge effects on product design and on your mindset. Being slow to realign your mindset with reality isn't necessarily the same thing as being dishonest or disreputable.

But yeah, while feeling that you can't trust them because they don't know what they're doing is not the same as feeling that you can't trust them because they're in cahoots with someone (governments, etc.) against your interests, in the end they're both forms of feeling that you can't trust them.

They have more users, but so what? They suddenly found (privacy) religion, so now they can be trusted? That certainly sounds like a leap of faith. A blind one.

Stop looking at the empty words they say, and start looking at their very intentional and malignant actions over the last few months/years.

I guess "broadened" could be interpreted two ways. I don't mean the numbers grew. I mean that userbase came to incorporate new, different types of users.
Maybe they listened to feedback and updated their priors?

Why do you believe their real intention was revealed a week ago, and not today?

Updated their priors? Review their history. Their "real intentions" have been "revealed" multiple times over the past several months (or years). It's a litany of privacy-related blunders. This is pure PR; words to distract you from their many misdeeds.

Trust, but verify, yes? Well, they're verifiably full of crapola.

So why would you trust?

Is it though? End to end encryption doesn’t mean they don’t pass the key back to themselves.

It’s a bit of weaseling here. They say they’re offering E2E and that might be true, and it could also be true they are sticking with their original vision of cooperation with law enforcement because they “are aware criminals use the service”.

There is no required mutual exclusion.

This wasn't the only problem with Zoom, and it was an egregious problem. Zoom has lost all presumption of good faith, and in fact earned the presumption of bad faith as far as I'm concerned.
I think this is too little too late, mine (and many other's) opinion on them has been tarnished.

Good for them, but it's still going to be an uphill battle imo.

Big brother still watching you.
Has Zoom ever had their application(s) audited for security? Without an independent, external audit I don't know why they should be trusted that they've actually done e2e completely or correctly.
Any E2E implementation is worthless if the service provider controls the keys and doesn't allow the user to verify it (or alerts the user in the event of a key changing). Otherwise the service provider can simply swap the keys when they want to eavesdrop on someone and the users would be none the wiser. I don't believe that zoom has such measures, so any audit into whether E2E was implemented properly is pointless.
That was my thought exactly, but I read the zoom whitepaper (https://github.com/zoom/zoom-e2e-whitepaper/blob/master/zoom...), and it looks like the scheme addresses many of those issues.

Some things that looked like good steps:

> we will allow the SSO IDP (Identity Provider) to sign a binding of a Zoom public key to an SSO identity, and to plumb this identity through to the UI.

> Second, we allow users to track contacts’ keys across meetings. This way, the UI can surface warnings if a user joins a meeting with a new public key.

> we will implement a mechanism that forces Zoom servers (and SSO providers) to sign and immutably store any keys that Zoom claims belong to a specific user, forcing Zoom to provide a consistent reply to all clients about these claims. Each client will periodically audit the keys that are being advertised for their own account and surface new additions to the user.

> In Phase IV, we look to the future where Bob should sign new devices with existing devices, use an SSO IDP to reinforce device additions, or delegate to his local IT manager.

All of this of course relies on a zoom client actually doing everything described in the whitepaper, but it certainly looks like a good faith effort to implement real, functional e2ee

Give us your mobile number so we can hand it over to the PLA so they're able to launch targeted attacks at dissidents?
Are you dissident ? Know any ?
“No one is free until we are all free.” -- Rev. Dr. Martin Luther King, Jr.
Doesn't help if they close down your account for saying the wrong thing....
I commend Zoom for listening to the outcry over E2EE being limited to paid users. Between this move and their quick acknowledgement of mishandling the shutdown of accounts when asked by China, they're doing a better job than most of responding to criticism.
Agreed. I am always confused about the smackdown following a reversal from an arguably bad decision. We should be welcoming in hopes other companies note that being responsive is a good thing.

Otherwise, it is just being stuck between rock and a hard place with no place to move.

What good are the apologies when they keep making new "mistakes"?
I would argue that it is harder on us as it requires engagement and being a conscious customer.

Sadly, it is not really new. Companies will typically attempt to extract maximum amount of milk with minimum amount of moo. If they keep making mistakes, we need to keep making noise.

Not fun, but someone has to do it.

Exactly. And it's not like which video calling service one uses is a hill to die on. There are plenty of alternatives that aren't routinely bending the knee to authoritarian governments.
Honestly, "reward good behavior" is the best approach, to be combined with "condemn bad behavior".
Zoom is primarily an enterprise product. They have chosen to have some form off verification to lower the amount of abuse on their platform.

If you want privacy you simply have to choose another product or service.

You aren't entitled to use their service without paying for it.

I've got to wonder who wants their e-to-e connection to root through servers physically in China.

Zoom seems to be a poster child for the surveillance state.

What does this even mean? E2e is specifically designed to address this problem.
Define "end-to-end encryption" for me, Zoom?
Zoom seems to be a poster child for the surveillance state.

Does anyone reasonably want their "encrypted" conversation to route through servers physically in China?

If they're actually encrypted, I don't care much security-wise, but I do performance-wise. Given that Zoom works reasonably well, I very much doubt that they're sending all my data to and from China. You don't run a service like this without servers in lots of places.

I'd hope that when I Zoom with my coworkers two miles south of me in Austin, we're using AWS/Azure/Google Cloud/whatever servers in Texas, or at least within a couple thousand miles.

As long as zoom is closed source from end to end, they could pretend to use quantum entanglement over IP, for all I care.

I still use it, don't get me wrong. My threat model for the use case that I make of zoom does not need strong encryption, only being script kiddies proof.

with closed source, hosted software E2EE is as much about trust as it is about technology since you can't verify its implementation. arguably, if trust is there, E2EE doesn't get you much anyway other than for scenarios where the company itself is breached.

in any case, if the trust isn't there, you can't validate the E2EE, so your risk profile with regards to using the software doesn't change much.

Apple FaceTime is also closed source, E2E and verifiable
What is the process for verifying that FaceTime isn't leaking the encryption keys to Apple's servers?
I don’t know, but as a black box it’s been extensively looked at. But nothing is unhackable even E2E.
How would one know that this black box works the same for every user? What would stop Apple from distributing a compromised update to everyone or to selected users?
Yep any protocol and any app can have this problem.
The protection against this problem is to have the app (or the platform it's running on) check before installing an update that the hash of the binary it has downloaded has been recorded in a public transparency log.

With closed source software, though, this doesn't give as much confidence, since a company could create a version which they send to everyone but which contains an "if (userId == NSA_TARGET)" conditional branch.

You can verify closed source E2EE as long as you can inspect the traffic going client-server. The problem is that most E2EE apps allow auto-updating, so baking in something that transmits info to a third party is easy (but detectable with enough eyes on the code).
But what's stopping the software from, say, having a backdoor that is only exposed under certain conditions? For example, if you are under an FBI investigation. I suppose you could automate the verification on a per-call basis. Unfortunately, every bit over the wire would need to be seen by a fool-proof algorithm to ensure your safety. Seems not tractable.
Agreed. You can only verify E2EE for the traffic you inspect, not for traffic you don't. If they open-sourced the client it'd help a lot, but I'd also like to point out that you probably have stuff in your current device that has DMA and network access that is not open source either (PSP, IME, 4G modem, and so on) and that could break that encryption too.

If you are under serious investigation I wouldn't trust anything "smart" manufactured in a country under that investigations jurisdiction.

Yup fair point. Circling back to Zoom, I think the trust part of this has been violated enough that such an inspector tool ought to be considered strictly necessary to use it if you are security minded. So in the end, there's not much of a point to the announcement imo.
If the closed source E2EE app is sending encrypted messages but leaking bits of the key in how those messages are padded, for example, how would you detect that?

As for the threat model of open source E2EE apps auto-updating to an insecure version, you're right that this needs some extra defences. One way would be to use a binary-transparency log[0] to make sure that the open source project had publicly committed to a specific binary at least 24 hours in advance of pushing the auto-update.

This system relies on there being auditors out there who would raise the alarm if a malicious update was released, or a hash was included in the log for which there was no corresponding (reproducibly buildable) source code.

[0] https://wiki.mozilla.org/Security/Binary_Transparency

I imagine you mean inspecting everything that gets transmitted besides the -2E part, but even if you could there are a thousand ways for not-really-safely-encrypting a communication without you being able to notice
Aside from whatever the Zoom news story of the day is, it's completely unsurprising that they're eating WebEx's lunch. I just tried scheduling a meeting and it was outrageously bad.

The bright green "Start" and "Schedule Meeting" buttons just pop up an error. The correct button to progress is the dark grey (as if disabled) "Next" button.

It prompts me to create a "personal conference number", whatever that is. This errors and tells that I need set a PIN in my preferences. I search for the preferences for a while and eventually find that I _do_ have a host PIN set...

At this point I gave up.

Gripes on the participant side: Why does it ask me to provide my name in the browser when joining a meeting before launching the app which already knows my name? Why do I have to manually press the refresh button to discover scheduled meetings?

Cisco pulled a Boeing with the development of one of their crown jewels, and Zoom swooped in, even with shady practices, and snatched up significant market share.

I think Cisco bought webex largely because Cisco's big expensive conferencing hardware / software were under threat and they wanted in on what would replace it.

Cisco itself has time and again bought its way into things that aren't their core competency and they fumble around with them.

They bought Flip video for 590 million years ago, despite the fact that every person in Cisco's office had a smart phone in their pocket that would render it relatively useless...

I think video conferencing applications are often doomed to turn into behemoth messes for some reason that I can't figure out.

Since Zoom's first 41 employees were from Webex, somebody should compare the streams and files and see if there are similar markers.
Ugh. And Google Meet us even worse. My kids' schools use it, for supposed privacy reasons. Audio is absolutely terrible. Echoey as hell. UI is a disaster. You have to install a third party Chrome extension just to get grid view, which keeps breaking.

My work uses Zoom, and it's night and day and smooth everything is.

As a big ol' disclaimer, I work at Google. However, it's no longer necessary to install a 3rd party extension for grid view, it was added natively a few months ago.

Also IMO there's been some drastic improvements to audio quality lately. My very noisy fan that triggers my mic in Discord is totally inaudible in Google Meet, even when I'm talking.

Good to see they're listening and customers are able to bring some accountability here. But it still seems like their heart isn't really in this move.

At work we have been looking at two fantastic "indie" alternatives:

https://whereby.com

https://team.video

To anyone who likes to argue Zoom is a US company, I'm sorry but that argument holds no water for me after this [1]:

> The statement raises questions about Zoom bowing to Chinese pressure. Unlike many Western social media platforms, it is not blocked in China. The company did not explain under what law the meetings – which were hosted outside mainland China – were deemed to be illegal.

For meetings outside of China where the Chinese government should have no jurisdiction, Zoom choose to cooperate.

Some obvious follow-up questions:

1. Where will the keys be stored? On servers in China or elsewhere? Will it depend on where the account holders are? Or are the private keys truly local?

2. What safeguards are in place to prevent further "cooperation" with Beijing in relation to supposedly encrypted traffic?

3. Zoom is not blocked in China, which is pretty rare for a supposedly US-based company. What concessions did they make to get this exemption?

4. Under what circumstances will any of your data be stored in, routed through or otherwise be accessible in mainland China?

Given China's philosophy that Chinese companies are nothing more than extensions of the state, these are entirely reasonable questions to ask. Were I the decision maker for any large company or government organization, I personally would consider use of Zoom to be too much of a security risk. And I don't think that's the slightest bit alarmist.

[1]: https://www.theguardian.com/world/2020/jun/12/zoom-admits-cu...

Is funny how people deriding Zoom either they give E2E or not