"[S]ince at least 2016, Zoom misled users by touting that it offered 'end-to-end, 256-bit encryption' to secure users' communications, when in fact it provided a lower level of security," the FTC said today in the announcement of its complaint against Zoom and the tentative settlement. Despite promising end-to-end encryption, the FTC said that "Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers' meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised."
That's the concept of E2Z2EE (End2Zoom2End Encryption)
I'm sorry, I'm not a native English speaker. According to the Oxford dictionary customers are people who buy a product or service.
Zoom was thinking of giving only them E2E encryption, and actually I would pay for that service if I would trust Zoom. Currently I use telegram to speak with my friends, but the call drops quite often as we don't have stable internet connection.
If my English here is so bad why do I see ,,end user'' in Zoom's terms of license all the time, and customer for paying customers?
Can you provide a better legal definition than what I see? (Only the legal meaning of the word matters in the current context).
We're talking about hundreds of millions of people being effected vs few million people, it matters a lot. You would understand that it's very far from pedantry if you followed all announcements that Zoom had in the past.
I'm still not a native English speaker, but a Google search shows that non-paying customers are people who don't pay their bills, which is not the same thing as users who don't have bills to pay.
Also as I wrote, Zoom was thinking of selling E2E encryption as a payed feature, that's why the distinction really matters (I would happily pay for it if that would give me a strong assurance that I just don't have so far).
Non-paying customers can mean either customers who are delinquent in paying their bills, or customers that are using the service for free with permission.
I don't think I'd happily pay for Zoom, regardless of their encryption promises. I've personally struggled more with zoom call quality issues and hardware conflicts than I have with any other video conference provider.
Also anecdotally, I hear the opposite from every single person I know. Zoom has been the video conferencing system that works the best. Have you ever used Go2Meeting, WebEx, Teams? Constant struggles with those applications for me, my friends, and my co-workers.
You really have to use Teams every day to appreciate just how buggy it is on all three platforms. I used slack video for remote standups for a year or so and aside from the odd little hiccup it was boringly stable. Teams fails at least once a week.
So will they get fined more than Snapchat for lying about ephemeral messaging or will this be the usual American "slap on the wrist" thing we usually see to protect the investors?
” The European Commission has told its staff to switch to the encrypted Signal messaging app in a move that’s designed to increase the security of its communications.”
The EU isn't a single individual. It isn't even a group of individuals with aligned interests. As such, its many different heads shouldn't be expected to have consistent messaging. This is a draft so, as of now, it's factually untrue to say the EU are willing to ban encryption.
They would just have a single state-run CA and ban all E2E messaging apps from app stores. Only state employees would have access to an E2E messaging app that would only use govt certs from the CA. Any apps that continue to operate outside of an app store could have their domestic servers seized and anything foreign would be blocked by all domestic ISPs. The govt could allow for civilian apps to use weak encryption as some sort of compromise but anything the govt can't crack instantly would be banned. It would require a Great Firewall-level of control with the govt playing whack-a-mole for a while but with enough time and money, civilian E2E would be near impossible. Fortunately, this is still a pipe dream for even the most extreme statists but if large corporations can come around to the idea of giving the govt an unlimited backdoor to their internal communications, say good bye to any/strong encryption for the average person.
This level of planning is like the US govt outlawing all guns tomorrow, it just isn't going to happen any time soon since not only are gun-owners usually not the type to want to give up a gun, the prevalence of gun ownership is so massive that it would take equally massive resources to run a completely successful confiscation program.
> if large corporations can come around to the idea of giving the govt an unlimited backdoor to their internal communications, say good bye to any/strong encryption for the average person.
According to tha article, they won't be fined at all:
>"Today, the Federal Trade Commission has voted to propose a settlement with Zoom that follows an unfortunate FTC formula," FTC Democratic Commissioner Rohit Chopra said. "The settlement provides no help for affected users. It does nothing for small businesses that relied on Zoom's data protection claims. And it does not require Zoom to pay a dime. The Commission must change course."
Under the settlement, "Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false," Democratic Commissioner Rebecca Kelly Slaughter said. "This failure of the proposed settlement does a disservice to Zoom's customers, and substantially limits the deterrence value of the case."
If Zoom made clear to users that connections were not secured to the same standards as competitors, and that potentially hundreds of employees could be silently listening in on any call, I think that would have prevented them becoming a leader in video conference tech.
So the right fine here is their entire market cap. That would put them back at square one, which is where an honest competitor would be right now.
Is it really different from competitors like Cisco (webex, jabber, ...)? A big selling point of all those is phone dial in which can't be done with e2e encryption (the phone gateway run by the operator has to have the keys)
Wild optimism aside, you can sell one or even a thousand ZM shares at approximately the current market price, but you can't sell the entirety of the company at the same price. The pool of buyers is much smaller for such volumes.
I don't really think so. I think we are just moving away from inefficient meetings that are IRL. I would love to see all meetings go remote for many reasons. I think this will stay even once Covid is gone.
The market being $50B means there are $50B of sales to do per year.
Market cap is a multiplier of revenues, easily 10 or 20 for a tech company, that means a $1T market cap to be taken across the videoconference companies.
Wondering how numbers can be so high? Count $10 per month * 12 months in a year * 100 million employees in the US... that is $12B per year going to video software!
Actually, price / earnings (P/E ratio) is typically 10-20 for _any_ company in the S&P 500. When you look at big tech, the numbers are drastically higher:
- AMZN: 92
- GOOG: 34
- FB: 33
- NFLX: 76
- AAPL: 35
- MSFT: 35
Compare this to, say, 3M, at 19, or GM with 17.
edit: incidentally, apparently Zoom's P/E is... 527, which is grossly inflated even for a tech company. Tesla is also in the same category with a P/E of 834.
It is, but markets can stay irrational longer than you can stay liquid to paraphrase somewhat famous quip. I was also one of those people who tried shorting TSLA since I believe they are way overvalued. I agree with you, but the market has spoken.
P/E ratio formula is listed above correctly, however, earnings is earnings per share, not revenue. So the parent's market valuation rationale is whacky.
Side note - Go read about Japan's lost decade and you'll see how dangerously close our (US) current speculative investing environment is to theirs before it fell.
Market cap is the paper value of the company. It has little to do with the market. Zoom’s planned pivot is into boring markets like business VoIP.
Zoom went bananas because they won the space at a point in time that mattered. FaceTime is too proprietary and lacks features due to E2E, WebEx is run by incompetents, Google Meet is hard to use, and Teams is too complex. There’s a thousand other competitors with a few users.
Speculators poured billions into the consort and the valuation went nuts. That could go away in a week.
> I really think there is an unsustainable distortion happening.
Yes, soon any website can have their own videoconferencing using web technology like WebRTC. And implementation will be as simple as running "npm install".
> But Zoom, alone, already has a marketcap of $117.534B
Yes. Zoom having a market cap that's more than half of Intel? Come on now ...
Not defending them in any way - but don't think security was the primary reason for Zoom taking off. It was stability - it just worked and at the same time competitors didn't.
Everybody used to have Skype and I would have gladly handed over my data to MS if only it would have been able to do stable video calls. It was often a disaster for just 2-way calls, let alone group.
I think you may be viewing history through slightly rose-tinted glasses there - I used pre-MS Skype a lot and it was never anywhere near as reliable as Zoom is and didn't support group video chat at all. And the fact that it was P2P meant that some features that everyone would expect to work these days (offline messages, mobile support) were simply not possible at all.
I'm not sure what would be accomplished if the source leaked. Someone would still need to maintain both the client and now a new set of servers. This would be difficult given that Microsoft would almost certainly use whatever means they could to stop this from happening.
The client application was also the server application. Clients with good connections which appeared to always be online became super nodes which were the directory "servers" you would connect to. The code base contained a long list of previously known super nodes and would attempt to connect to those on first start. As it ran it would keep syncing the list of close super nodes. There were many hundreds of super nodes, so the odds of all of them changing or going offline were pretty slim.
I imagine some people at Skype probably kept a few instances of Skype running at the office. So they technically hosted a few super nodes, but it wasn't necessarily that they were running some vastly different server version of the app. It wasn't until Microsoft decided to cut down on the P2P aspect of the app and hardcode only Azure-hosted super nodes into the application that this changed.
> don't think security was the primary reason for Zoom taking off. It was stability
Stability was the main draw, but company IT departments would have had more power to ban it if there were bigger and clearer risks of corporate secrets escaping.
Industrial espionage is real. There are many companies who are concerned about this and take active steps to keep data secret who would likely not have approved zoom use if they'd known e2e encryption wasn't to the level they were told.
Some folks are concerned with more than stability and ease of use.
Once can't just delegate responsibility like that. Any company should enage in some form of due dilligence before procuring software. If there are expecations of privacy then those should be proven by the company procuring the software, not the vendor.
No, if a company was really worried they shouldn't have opted for a cloud product with a (partly) Chinese-owned company. A lot of companies go through the trouble of giving their employees (especially management) "throw away" phones and/or computers when they send them to "problematic" places, in particular China, but then they install Zoom for their C-level and middle management executives to use, huh?
How would you verify e2e encryption on a proprietary protocol? Not every company that cares about privacy has crypto experts on staff. They should have a reasonable expectation that the vendor is telling the truth.
Any company IT department's power to ban something is inversely related to how much it's users want to use it. Also, the videoconference provider stealing company secrets it not part of most companies threat model. Teams and Slack are incredibly popular corporate tools, and neither of them offer this feature. WebEx is the only reasonably popular tool I can think of that supports it, and any security department that cared strongly about E2EE, would be asking questions like "do you perform key escrow" if they were thinking of migrating off something like that.
Because in order to operate a business (or any organization), you have to at some point decide on a group of service providers and other 3rd parties that you trust. For most organizations, trusting a major videoconferencing vendor is going to be within their risk tolerance. For some organizations (or for some use-cases within organizations) this wouldn't be acceptable (or perhaps trusting Zoom wouldn't be acceptable, where a different vendor might be), but at this point you're starting to stray outside of Zoom's target market and into a set of more specialized requirements.
Defending against sophisticated state-level actors goes even further beyond the requirements of most businesses. Unless you had a specific reason to believe that you were a target of such actors (dealing with national security, or matters of significant national strategic importance), you couldn't justify investing much resource into such defensive measures.
Users were unaware this was happening. "It just worked" because it would install itself in the background unbeknownst to the user, thus obviating the need to take time to install it when needed.
It's much easier to make a stable communication product if you don't need to worry about security and privacy.
Just look at the troubles and hurdles Signal messenger need to overcome to implement some features, while the competition that is not so security focused has them since forever.
> It was stability - it just worked and at the same time competitors didn't.
This is absolutely huge. We've tried Teams (and I have previously used Webex and Hangouts).
It seems like there is _always_ one person that struggles with other video services. Can't join, video/audio issues, CPU usage, latency, etc. Painful when 10%+ of a meeting is consumed by getting one last, key person trying to fix their issues.
I wish that was true, but in practice I think it wouldn't matter. Zoom was the only one ready with infrastructure, multiple clients, automatic quality adjustment, screen sharing options, scheduling, and many other needed features.
Otherwise we had hangouts/meet with very basic features and jet-taking-off Mac behaviour, chime which is really good but nobody heard of it (Amazon is not interested in that market apparently), Skype which aims for social chat consumers, slack which works only within the org, jitsi, and a thousand of me-too apps with very basic feature set.
Zoom could kick your puppy at the end of each call, and it would likely still be the best choice at the time :-(
You can care about privacy yet still prioritize not killing your company in a pandemic.
Very few things that are hosted are immune to employee buggery, that’s why companies invest in third party risk management; to assess those risks, which are always material and non-zero and determine if they are within the appetite of the organization.
Amazon doesn't seem interested in that app being used by random consumers. There's very few accessible guides around it. It's technically good, but it's not even a competitor as such.
You can be honest business or you can steal billions, get caught and pay a millions in fines. I think everyone can see a problem here. You pay back less then you stole so this is an active encouragement to steal.
Most recent example, morgan stanley fraud for bilions in profit pays fine of 1.5 mil [0].
Is this about the audio streams? I imagine that if at any time there are a million video streams happening, and zoom wanted to sneak into 1% of them, it would pretty much need 10000 vCPUs of compute to do that? The current tech scales affordably because only the encoded packets get transmitted between callers (via "selective forwarding units") without needing server-side re-encoding?
edit: That was for video streams. For audio streams, certainly the cpus cost is lower - about 10%.
> the right fine here is their entire market cap. That would put them back at square one
I don't think Zoom has transgressed anywhere nearly this badly, but even if I did it doesn't make sense to fine any company their entire value unless your goal is simply to destroy them. The company is only worth as much as it is because it is expected to continue as a company, and there would be no way for it to continue if it owed that much money to the government. Unless it was nationalized and run by the government, but I doubt you're proposing that? Which means instead the company liquidates, and its liquidation value is far less than it's value as a business.
A good punishment is government nationalizes it, paying shareholders nothing, then immediately sells those shares back onto the public markets. The government would earn close-ish to the market cap.
Effectively, allow the company to continue as before, but wipe out all shareholders. After all, they are the people who allowed this behaviour. They are the ultimate decision makers.
No, abandoning property rights is not even close to an appropriate punishment, even for those directly responsible for the fraud, let alone for ignorant shareholders.
I don't think anyone except crypto-nerds cares about this. Normal people just assume everything can be wiretapped and Zuckerberg and friends are always listening.
All they had to do was say "encrypted" instead of explicitly saying "end-to-end encrypted" when it very clearly wasn't end-to-end.
The former still could've been a bit weaselly and misleading (many non-technical users would probably have assumed "encrypted" implied total confidentiality), but what they actually did was so much worse. I hope they get hit hard on that.
It was encrypted, but not E2EE, so the only person who could have spied was Zoom itself, and we know the how too - by the same mechanism it performs a video recording, for example.
We just don't know if. But seeing as we've had zero reports of any real-world consequences that could only have come about by Zoom spying, combined with the fact that "spying on your customers" is anathema to your business model and therefore a risk no sane and rational board of directors would ever approve (moderate upside, enormous possibly business-ending downside if ever discovered)... Occam's Razor says no spying ever occurred.
"Zoom itself" spying sounds quite unlikely, "bribed underpaid Zoom intern" sounds a lot more likely, "the gvt. sending one of those silent warrants" sounds almost unavoidable.
Non-E2E encryption doesn't give access to just "the company" (which probably doesn't care to spy on you, true), but absolutely anyone who can bribe/trick/coerse anyone in their "supply chain" (from the CEO to the sysadmins, hosting provider, even janitor...). Not to mention a data leak due to a vulnerability in any part of their stack.
The company has shown complrte disregard for security multiple times in the past and I wouldn't be at all surprised if they had major security holes. And since they already lied about E2EE, it would be entirely safe to assume they would not have disclosed a breach either.
>You can't know, because it wasn't actually e2ee, eh
You can know that nobody external to Zoom spied on those streams as they were encrypted between client and Zoom servers. The fact that Zoom had access to your stream, in principle, is par for course.
>These are hard to quantify but they're not nothing.
And they got in trouble. There is the FTC slap and the PR cost associated with the negative publicity. That feels about right for the level of infraction. But when these kinds of articles come out, people are calling for regulatory bodies to 'make examples' of the companies in question. That's not how it works. That's not how it should work.
All network traffic in the US should be seen as the opposite of innocent untill proven guilty: Unless you can prove otherwise, everything we know of surveillance tells us that of course everything and everyone was spied upon. I can't think of any reason the NSA and/or CIA should not have spied when they do so on everything else they can get their hands on.
Years ago, this attitude was seen as paranoid and bonkers. Then Snowden proved it true. Not only true, but barely scratching the surface. What's actually happening is beyond the wildest fever-dreams of the most extreme 90s crypto-punk ever.
Why are people still able to pretend otherwise without being laughed out of the room?
> Why are people still able to pretend otherwise without being laughed out of the room?
It is a variant of a Bible Thumper & Bootlegger coalition.
A large portion of the population really doesn't want to believe it. A small population with a vested interest (and lots of relevant tools at its disposal) is happy to help them.
Along with is growth in users, Zoom has seen concerns spike about how it is protecting users’ privacy. The Senate advised members not to use the service, according to Ars Technica and the New York City Department of Education banned its use for remote learning. A group of state attorneys general are probing the company after one of the officials was “zoombombed” on a forum about the Census, meaning the chat box was filled with profanities.
Ellison’s support could prove useful to Zoom as it wades through the new challenges of becoming a consumer tech company. Ellison is an influential billionaire with ties to the Trump administration. He has supported Trump’s campaign and even told the President about an anti-malaria drug Trump ended up touting as a possible treatment for the coronavirus, according to The New York Times. Oracle CEO Safra Catz served on Trump’s transition team in 2016.
It is was a prelude to what happened to TikTok. Or almost happened to TikTok as now with the Trump administration is gone, it makes no sense to do a deal with Oracle.
Even with open source software you will never know what is actually running on the servers. It's best to assume none of the services are e2e encrypted and you should provide your own encryption on top of the medium you communicate with if you require privacy. By own encryption I mean exchanging keys and encrypting offline using oss tools.
> Even with open source software you will never know what is actually running on the servers.
If the clients are open-source and properly implement end-to-end encryption, and you verify that they are not sending your keys to the servers, then what is running on the servers is irrelevant.
Yes, but the servers only transfer encrypted payloads for which the servers do not have the decryption keys, and you can verify that just by looking at the clients (which are open source in this scenario). That is the entire point of end-to-end encryption.
Are you saying that MITM is not possible? For example your client will receive a key prepared by rogue server and it will decrypt and encrypt conversations on the fly. You wouldn't be able to tell unless you find a way to verify the person on the other side tried to exchange different keys.
Resisting MITM is the entire point of end-to-end encryption.
Verification can be made with the security code that WhatsApp uses, and the safety number that Signal uses (same thing, different name). Other systems have other, similar methods.
You can verify that they match in order to verify that you're not communicating with a man-in-the-middle, and if the key changes then both apps show a prominent warning.
Granted, a lot of people may not actually bother to verify.
Correct, but if there is something between you and other user and can intercept key exchange then it can decrypt and encrypt anything on the fly. I think you would have to exchange keys offline to have true e2e experience.
Not only is the source closed and proprietary, the company and the product themselves have terrible reputations when it comes to security. Why would anyone even consider trusting whatever encryption they offer?
Pretty scandalous stuff. But to be fair it seems pretty likely that any or all of the major players (Apple, Google, MS, Facebook, AWS, etc) to be maintaining some sort of back-door access to the channels they control for spying purposes.
I suppose the risk with Zoom is leaks due to incompetence rather than leaks due to government intervention.
Apple claims that FaceTime is end-to-end encrypted (and makes some pretty strong statements about not having access to the content of communications). Facebook similarly claims that WhatsApp is end-to-end encrypted. Whilst I have little love for either company, do you have any evidence that these claims are lies?
I mean, I agree with you, and I guess the "surely Apple is not blatantly lying about being unable to read the content of your communication" argument has eroded a bit after Zoom's behaviour. But the penalties (both in terms of reputation and in terms of monetary fines) for this kind of misbehaviour are already large, and are likely to increase over time, and it seems an unnecessarily extreme risk for these companies to take.
But yes, impossible-to-verify claims are not worth very much at all.
I don't... did you even read TFA? All the order says is that they can't lie about it again. They don't have to pay anything, they don't have to actually fulfill their prior claims, and the other parts of the agreement they likely already comply with, and if not it'll be quite cheap (relatively) to do so.
Yes, but they endured reputational damage, and companies hypothetically lying about it now could reasonably expect to have to pay something in future enforcements, which is what I was trying to get at in my previous comment. Reading it now, it was really sloppily worded by lumping together those things, but I'll leave it as it was so that the rest of this thread makes sense.
> they don't have to actually fulfill their prior claims
Given that they don't claim it any more, I'm not sure that they could be forced to start doing it -- put another way, not having E2E encryption is not a crime as long as you don't claim to have it.
How much actual reputational damage could they have possibly endured? I haven't noticed any fewer people using Zoom.
It's a consent order. They're willingly agreeing to it in order to avoid other costs (like fines and a lengthy trial). There's no "forced to" involved.
I think this probably varies a lot between social groups; I know of many people (including non-technical) who were motivated to explore alternatives after reading news articles about Zoom's behaviour. A bunch of non-technical friends subsequently started to use meet.jit.si for meeting up, playing board games, etc, for example.
Zoom's revenue is in corporate accounts, just like Slack - my 10k ppl company uses branded enterprise accounts on both systems, we even have VOIP via them with DIDs. Companies of size do not pivot quickly on telecom and messaging system changes, it takes a lot more than a single issue or two for our money to not be in their pockets.
As for fines, companies already do sophisticated risk analysis so that the average outcome would be far more than the average potential cost. I know oil companies do highly sophisticated risk and reward calculations with violations.
As for 3reputational damage, that’s a long term effect. A few events won’t have a lasting impact. If it turns out that Apple Key Chain is not e2e, or worse iOS exfiltrates key material from apps, that would be major news, but soon people will forget (if they ever cared in the first place) and keep buying iPhones unless the misbehavior is a recurrent problem. A company like Apple will make it extremely difficult to discover such misconduct.
What penalties? The NSA boasted (internally) about how much they were spying on Skype, and I'm not aware of Microsoft having been penalized in any way for lying about it, probably even the opposite?
Whatsup is "end to end encrypted", but I had seen an article here on HN about how Whatsup would snatch your data before it begun transit, if needed - for "security reasons" - after performing a local analysis on the messages. I don't know if this has been implemented as of yet, but you can see the intent for circumventing actual encryption - they can do it, and since e2e has become a bother, they certainly will.
I've got https://news.ycombinator.com/item?id=25058783 . There is substantial evidence that the American spying agencies are willing to use anything with a reputation for neutrality as a vehicle for spying.
"Apple has a market incentive not to lie!" is an argument I find compelling, but the NSA has a bigger incentive to make Apple lie, and more power than Apple. If Apple & friends were ever offering a truly secure communication channel it is unlikely that was/will be allowed to continue.
Why would any company with valuable IP use Zoom after this security blunder, along with the fact they "accidentally" routed domestic US calls via China. Zoom is software developed almost entirely in China, meaning it is subject to Chinese law and the very strong influence of the CCP.
It is fact to say that Zoom could be compelled by the CCP to plant backdoors in software to siphon valuable IP for use by Chinese companies, as is usually the case with CCP-aligned companies like Huawei (Huawei had a cash incentive program for employees who delivered stolen IP to them).
A better analogy would be if the car didn't come with airbags, but even that is not as good because you have no way of knowing if someone listened into your conversations whereas airbags let you know just fine.
Ford once paid $300M for a faulty airbags thing, but that was negligence whereas this is fraud. Of course this isn't a lethal risk.
I would think the case would have legs. Haven't a clue how much for.
Why does there have to be damages? You paid for something, and didn't get it.
Go to the supermarket, but a box that says "ten apples".
You get home and open it, there's just five apples. You'll want money back. What "damages" do you have to prove?
It's much more complicated when other risks are involved. It's like someone sold you a bun by labeling it as gluten-free, but it was not. Maybe you're just slightly intolerant and nothing lasting happened to you, but you could still sue them.
Unlike that example, it's difficult to know if there were direct damages, but some big companies can come together and try to make a case and sue them and demand huge compensations. Zoom could have spied on your conversations and sold your information to competitors even though they sold the product claiming that they couldn't.
If a company signed a contract with Zoom in which e2e encryption was stated.
It sounds like OP is referring to a breach of contract. Even if they can't prove damages, they could still be entitled to some other remedy, like a partial refund. It would depend on the language of the contract, of course.
I don't understand how the FTC arrived at the conclusion they're not E2E? Or have I missed something?
>Despite promising end-to-end encryption, the FTC said that "Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers' meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised."
Not wonderful but that still, technically, is an E2E encryption scheme. Is it not? Or do they mean one end terminates in Zoom's servers and it's not E2E through the whole pipe, but rather two pipes stitched together?
Agreed it's not as secure as they marketed, but this seems to suggest if you want to offer E2E you need a specific kind of key storage to meet this new precedent. Good in practice, but maybe the FTC are not the right people to placing such a hurdle down?
I'm not sure what you mean by "you need a specific kind of key storage". You don't need any kind of key storage for e2e. You only need to facilitate the key exchange as a server, then push the opaque data both ways. If zoom (the company, not the software client) can get the encryption key, the call is not e2e encrypted.
What kind of hurdle do you see? What you've described isn't e2e encryption, the FTC is absolutely correct.
The FTC not doing something unreasonable here, I would wager you are by implying they're placing undue hardship on a company that peddles bald-faced lies.
Most videoconferencing systems are not E2E-encrypted. They encrypt the link between each participant and the central server. This makes implementation simpler in a few ways.
A good E2E-encrypted system would involve Zoom never having the keys at all, so "key storage" would be irrelevant.
The issue here is merely that Zoom claimed to be E2E-encrypted when they were not. They could have simply said "encrypted" and there would be no issue.
Wouldn't E2E encryption of a call with 40 participants require each user to have 39 times the upload bandwidth, in order to send 39 video streams encrypted with different keys? And potentially several times the computational cost on the client, in order to downsample video according to the different available download bandwidth of every other participant?
Is there anyone doing group videoconferencing with E2E encryption, for more than a handful of participants?
Typically, the central server does not transcode. Participants simulcast a few bitrates, and the central server forwards to each other participant the sub-stream with the appropriate bitrate for the bandwidth capacity of that participant. This is compatible with E2E encryption, by individually encrypting each sub-stream. Participants can share a session key that is unknown to the central server.
FaceTime supports group calls and claims E2E encryption for them. WhatsApp does too, I believe? I'm not sure how many participants you can have.
>Wouldn't E2E encryption of a call with 40 participants require each user to have 39 times the upload bandwidth, in order to send 39 video streams encrypted with different keys?
I think you use public key cryptography to securely distribute an encryption key for that call. So the host sends 39 messages encrypted with different keys containing a shared key. Then everyone uses the shared key to encrypt/decrypt the call data.
If you want my popular products then nobody can answer because you'd know of them already. So I'll generalize to what group video tools are e2ee:
-> Jami (according to their website, I only ever used their chat and regular one-on-one calls)
-> Wire (client and server open source, but not community-lead development)
-> WhatsApp (if you trust Facebook, proprietary back-end)
And if you consider open source & on-premises / "can be completely locked off from the Internet so only you can access it" software to be end to end encrypted (if you personally run the server, you're one of the endpoints):
-> Jitsi Meet (full e2ee is under development, collab with Matrix I think)
-> BigBlueButton
-> Apache OpenMeetings (I never used this one, can't vouch for it)
Signal and Threema don't do group calls as far as I can quickly find online, correct me if I'm wrong.
Anyhow, plenty of options whether you like to self host (saves a ton of CPU on encryption and lets the server do stream mixing) or have full end to end encryption. Why do you care whether they're used by a billion people / "popular"? You can still choose to use them and improve the status quo because why not?
Oh right sorry, Telegram indeed doesn't do group calls. Removed them from the list. Thanks!
As for Jitsi, BigBlueButton, and OpenMeetings, no indeed they don't do encryption currently, hence them being in the second section with open source self-hostable conference software rather than the e2ee section above. To me, depending on the use-case (if you can self host on a trusted system) that would be equally secure and also doesn't leak metadata (who calls who) to some central system.
Wire's most recent system (launched a few weeks ago to make the video conferencing more efficient, bumping max participants from 4 to 12) also tries to avoid learning who is in a conference with who, but fact is that if you observe their datacenter there'll be traffic going to certain IP addresses that starts and stops at the same time.
For what it's worth, to add my experience/recommendations: I really liked the BBB setups I've been in (largest was a hundred or so people) and would recommend that if you're looking for an alternative. Wire also works reasonably and because it's end to end encrypted you don't need your own setup to get started, but isn't as open source oriented as BBB/Jitsi and the CPU load from the encryption during video or screen sharing is quite significant. Jami, last I tested, was quite buggy, but that was way before the pandemic. Full disclose: so far I've only had to decline one Zoom request and so I've never been in a Zoom® call (not a single of our clients uses Zoom, yet people use the brand name as a synonym for video call? I don't get it), so I can't compare any of these with Zoom.
The "trust no-one" mantra would still apply to your own team, and unless you're putting tons of money into this project a free software platform us probably more trustworthy. There's more risk of outside infiltration but also far more bug checking and security testing.
Yeah, I get the impression that if some guy frauds a bunch of rich guys, he goes to jail, but if a corporation frauds millions of users, they're just politely asked to behave.
I don't see how democracy has anything to do with wanting to secure video calls or not but anyways, how is this worse than trusting anything from the US? Not trying to add whataboutism, but curious if you have the same look on security when made by companies that share data with someone that realistically could come after you for anything done in those calls. PRC clearly can't unless you live in PRC while the FBI and CIA operate in most of the world, more often than not hand in hand with local police or agencies.
No, instead they target political dissidents and find any possible family you might have in China and threaten to hurt them if you don't either return to the PRC or commit suicide [1], much better.
> Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base
What a slap on the wrist. "You blatantly lied to your customers for years. How about you just continue to implement the thing that you were working on anyways."
I don't think punishment is always the best solution but it seems that you should at least set some sort of example.
Punishment is the best solution. Incentives are what drive behavior, and learning that you can get away with lying will just lead to more getting away with lying.
When it comes to training humans and animals, positive punishment is far less effective than most other training techniques like positive reinforcement. Don't Shoot the Dog[1]!
Unfortunately, the positives are customer adoption, and customers have already adopted zoom. This is like continuing to feed the dog treats because it's what you're used to, regardless of the outcome of their actions.
But more generally, it's not obvious that individual, "reptile-brain" incentives translate to large company leadership. I'd be hugely skeptical of applying positive psychology to international corporate leadership, but what do I know anyway.
Agree with your first paragraph, less so the second. People learn corporate leadership in steps, starting with a small group. The style of successful leadership doesn't change IMO, just the number of variables and possibility for greater success/failure.
So we should all remember that Zoom is probably depressed right now and could probably use some support from its friends. Maybe urge GCal to send it a nice note.
My gripe is the companies who failed to implement because they couldn't do security in a way that was easy to use and resulted in a good user experience, but chose to be honest.
I hate the
(1) cheat to win and vanquish your competitors
(2) when you're caught, say you're sorry,
(3) win anyway because your competitors are gone
progression. It seems like the penalty for that should be existential or at least something painfully severe.
That's the point. It's the companies that are little known that get squashed. I don't know much about the space, but I tried Google and chose zoom instead because it was easier— and I pay for Google. I tried Jitsi. But what about the ones we haven't heard of, struggling to solve the problem that Zoom lied about solving, but because they're honest they never took that step forward.
It's like RealPlayer. By the time the courts catch up, the game is over.
Several people are on zoom instead of Google, for instance, even though I pay for Google. I don't know the other players in the space.
Zoom, unbelievably, built a better video conferencing solution than any product by any other company. Their top competitors were Google, Microsoft, and Cisco - several orders of magnitude larger than them.
In this case, I believe the underdog won.
InfoSec cuts both ways in the market. Sure, products with lower standards “poison the well.” But purchasers with burdensome, pointless, obsolete security audits do far more damage to the ecosystem. It certainly cost my startup a tremendous amount of potential growth. We far exceeded security standards like SOC Type II, but still had to bend how we solved security/user problems to Excel sheet checklists.
Zoom was facing a similar issue - they delivered “secure enough” until it wasn’t. Then they, in months, made massive, productive, effective changes that addressed the new issues from skyrocketing growth.
If our standards for good actors in the tech space is higher than that, I don’t know how humans can achieve them.
Not necessarily. Corporations are more than just sum of the people - they are a process that runs on top of people. People themselves are replaceable - and if you change the behavior of one to something the corporation doesn't want, it'll replace that person with someone new. You want to change the behavior of the corporation itself - and that's best done by creating monetary incentives and disincentives (i.e. punishment). The corporation will adjust the behavior of people on its own.
In other words: "appealing to the people" instead of addressing the corporation itself is like trying to heat up a climate-controlled room by lighting a small fire in it. You'll be fighting the AC unit all the way and causing lots of unnecessary damage, when the right way to do it is to adjust the thermostat on the AC unit.
With an alternative analogy, pushed to the limit, it's like trying to change someone's mind by appealing to the neuron. When there's a system advanced enough to exhibit adequate emergent behavior (which most big companies probability are), the subsystems are less and less important for the macro-system's outcomes. There are neural networks with fewer neurons than the population of the corporate leadership at Zoom that we still don't really understand.
Actually intermittent reinforcement is much more effective. If it's offered every time, then when it is not offered it is less likely to trigger the desired behavior. Operant conditioning using intermittent reinforcement trains to not expect the reinforcement mechanism every time, so when it doesn't come, the desired behavior is still displayed:
>What a slap on the wrist. "You blatantly lied to your customers for years. How about you just continue to implement the thing that you were working on anyways."
Honestly - that's inline with the severity of the crime.
>I don't think punishment is always the best solution but it seems that you should at least set some sort of example.
I'm not a fan of regulatory bodies making examples of companies for minor infractions. And this is a very minor infraction.
From my perspective, making security guarantees about a product is the same whether that product is software or hardware. If somebody guaranteed that their ferris wheel had x safety feature, then it turned out to be untrue, nobody would call that a minor infraction.
I agree. I see false advertising as a serious crime.
Obviously we should be utilizing critical thinking ourselves, but I think that we also need the threat of punishment. Because if we have that threat one critical thinker can report the problem and it will be solved for everyone. If there is no punishment then there is no incentive for companies to tell the truth.
Especially if one is ideologically committed to light touch regulation / free market economics. This makes false advertising a particularly serious crime because it introduces a false information asymmetry between the customer and supplier that damages the effective functioning of the market.
Certainly with government access to messages. The minds in charge would never let such an opportunity slip. They are set in the cold war of terror and that won't change for the current generation. So it is still not a good idea to use Zoom.
Exactly. Any small startup owners would see jail time. Similar case in recent History is Trump non-profit (please no flamewars). There are tens of thousands of business-owners rotting in jail today because they embezzled half a million bucks or more - here with Trump charity you have case of at least $2 million stolen plus self-dealing and basically living your whole life/paying personal bills out of charity and what does the judge do? - "Here Mr. Trump is a $99 training seminar on "How not to steal" from your own charity. Go get you and your children watch this online class and report back when you done".
> a prohibition on privacy and security misrepresentations
Why did they have to "agree" to that? Shouldn't that already not be allowed? Also, this sounds a bit like they're allowed to misrepresent other things...
I think the assumed implication with E2EE is that no one other than the partcipants can get at the content of your communications. To do that you need:
1. All cryptographic keys controlled by the users.
2. Some way to confirm you are actually connected to who you think you are connected to.
3. A way to confirm that the code you are running is not leaking keys/content.
So Zoom failed on all 3 points. There are lots of things out there claiming E2EE that fail on one or more of these points. Almost all fail on point 2 unless the user does things that they almost never do. Is the FTC going to come up with a E2EE definition for trade and start prosecuting those that don't meet that definition? Otherwise it would seem unfair that they only went after the entity that ended up in the general media.
> almost all fail on point 2 unless the user does things that they almost never do
Are you referring to the "scan this QR code to verify your partner's key" function in secure messaging apps? I definitely use that. I try to keep all my primary contact's keys verified. It's harder during COVID when you're not meeting up in person as often, because anything besides meeting in person and verifying the two devices directly exposes you to another unverified channel.
It's very hard to bootstrap this stuff. Sure, "web of trust" but that's hard too. Speaking of which, didn't Keybase get bought by zoom to help with exactly these issues?
Telegram's crypto is shoddy [1]. It may not be a complete train wreck, but if you value good crypto and privacy, Signal is probably your only option. It also offers E2EE group chats, unlike Telegram.
A deeper issue is how hard it is to "know" if companies hawking products with security implications (which is nearly everything, today) are lying.
I'm not even talking about the gradient ranging from innocent bugs to incompetent coders and how that gets papered over. When you buy shoddy physical goods, there are typically characteristics you can't hide, like cheap materials. But with software like this of course the only function your average person can verify is that the transmission happens, not how it is encoded. Neither Grandma nor your manager are likely to break out tcpdump to check.
And of course the DMCA complicates this in the US, and things are even worse for researchers elsewhere.
Third party audit and reputation are the only fixes I see. And the second one requires a commercial environment that rewards it. The current one doesn't; it rewards novelty and lies, so that's what we get.
I agree. I am writing my project a certain way to achieve a goal I call reimplementability.
This means that I try to design in such a way that a reasonably competent dev could sit down and rewrite the whole system in a couple hours/days/weeks.
I completely agree, and that's a huge topic unto itself.
Briefly, the issue with auditing, as with most things, is incentives over time. The difference between fraud in finance and software engineering is how long the bezzle[1] lasts. In finance, it can last a very long time in up economies, leaving Big Three auditors plenty of time to scurry off. In software you have to deliver at some point, leaving lying auditors exposed to discovery by security researchers immediately.
There is certainly still room for shenanigans if not set up correctly, but less than in finance.
You're right, but 3rd party audits can help, especially because the precedent set by Arthur Andersen w/ Enron. It destroyed their business completely when their fraud was discovered, so there would be a strong incentive for auditors to get it right. As you said, not a silver bullet, but it's a step up from nothing.
> It destroyed their business completely when their fraud was discovered...
I suppose rebranding and transferring assets is kind of like a Chapter 7 "destroyed their business completely", but no one involved went to jail, no one lost their Series 7 or any other kind of licensing, no one was ever barred for life from ever managing at a public company ever again, etc. Sure, to laypeople a selling off of assets and rebranding sounds pretty "destroyed...completely", but unless there are lifelong, severe, natural person repercussions, business people are thrilled with the results. No clawbacks, no offender registration, can always point the blame elsewhere in future discussions (like job interviews). This is mostly regulatory theater, and all net upside for those who benefited by unethical action or by unethical omission.
Nobody at Arthur Andersen went to prison and SCOTUS reversed their conviction. The firm may have gone up in smoke, but nobody was actually punished for their crimes. Who at Ernst and Young has gone to prison for Wireguard or WeWork? None by my count.
Auditors operate off money, too. I have seen this first hand. If I tell them about an egregious violation and they don't even bother to write it down, I know what type of "auditor" I am dealing with. If they write it down and the issue is not resolved, same thing.
How 'hard it is to "know"' is irreverent, and you agree to this when you accept the 'contract'. This isn't an issue of honesty, in fact; quite the contrary. They are extremely honest. It's just in the fine print.
Legal / Terms of Service / Terms of Use / Usage Policy
I find that a majority don't even hide unreasonable conditions in 'legal' terms anymore. Whilst there may be tens, hundreds, of pages in that ToS you tick before using the product - there's a few solid, clear, one sentence dot points that protect from all issues. The best of these is similar to: "We reserve the right to amend, change, or otherwise modify this agreement with - or without - notice.", or "We reserve the right to withdraw services/solutions with - or without - notice." Some, like the famous early React licenses (by Facebook), had indemnity clauses for simply using the product - even if your then legal engagement was entirely unrelated to your use of React. Impacted by Cambridge Analytica? Sorry. Many years ago you experimented with React. Immunity.
I don't think a third party audit is a fix. Even dismissing these previous statements. The volume of 'independent' auditors that are then found corrupt, or otherwise bias/incompetent in result, is pretty regular news. More often than not. Based on some experience with how contracts and engagements go with big corporations - some even factor in known 'expected losses' (such as fines, failing to meet SLA, etc) in their actual budget of contract.
The real fix is users taking responsibility. Don't like the ToS (And, believe me; you won't..). Don't accept it.
(@USERS, not @_jal) But don't complain that the product you did, or did not, pay a cent for - but blindly accepted the ToS - fails to deliver to your expectation. Sure.. It suggested, or possibly even states 'end to end encryption'. But the ToS clarifies context of that.
437 comments
[ 3.1 ms ] story [ 327 ms ] threadThat's the concept of E2Z2EE (End2Zoom2End Encryption)
Zoom was thinking of giving only them E2E encryption, and actually I would pay for that service if I would trust Zoom. Currently I use telegram to speak with my friends, but the call drops quite often as we don't have stable internet connection.
Can you provide a better legal definition than what I see? (Only the legal meaning of the word matters in the current context).
We're talking about hundreds of millions of people being effected vs few million people, it matters a lot. You would understand that it's very far from pedantry if you followed all announcements that Zoom had in the past.
Not that it should matter in the context of the feature being described.
Also as I wrote, Zoom was thinking of selling E2E encryption as a payed feature, that's why the distinction really matters (I would happily pay for it if that would give me a strong assurance that I just don't have so far).
At least their feet will held to the fire!
/s
Tbh though, they will only be held to account, if another big player wants to cripple them and take their market.
” The European Commission has told its staff to switch to the encrypted Signal messaging app in a move that’s designed to increase the security of its communications.”
This was February 2020, has something changed?
https://news.ycombinator.com/item?id=25028411
This level of planning is like the US govt outlawing all guns tomorrow, it just isn't going to happen any time soon since not only are gun-owners usually not the type to want to give up a gun, the prevalence of gun ownership is so massive that it would take equally massive resources to run a completely successful confiscation program.
You mean like what happened with PRISM ?
They don't even need to tell their customers that they lied [2]
1: https://www.ftc.gov/system/files/documents/cases/1923167zoom... 2: https://www.ftc.gov/system/files/documents/public_statements...
>"Today, the Federal Trade Commission has voted to propose a settlement with Zoom that follows an unfortunate FTC formula," FTC Democratic Commissioner Rohit Chopra said. "The settlement provides no help for affected users. It does nothing for small businesses that relied on Zoom's data protection claims. And it does not require Zoom to pay a dime. The Commission must change course."
Under the settlement, "Zoom is not required to offer redress, refunds, or even notice to its customers that material claims regarding the security of its services were false," Democratic Commissioner Rebecca Kelly Slaughter said. "This failure of the proposed settlement does a disservice to Zoom's customers, and substantially limits the deterrence value of the case."
So the right fine here is their entire market cap. That would put them back at square one, which is where an honest competitor would be right now.
That doesn't make sense.
I guess it's the same on Zoom and your company doesn't pay for it.
But Zoom, alone, already has a marketcap of $117.534B (https://finance.yahoo.com/quote/ZM/)
I really think there is an unsustainable distortion happening.
Market cap is a multiplier of revenues, easily 10 or 20 for a tech company, that means a $1T market cap to be taken across the videoconference companies.
Wondering how numbers can be so high? Count $10 per month * 12 months in a year * 100 million employees in the US... that is $12B per year going to video software!
- AMZN: 92
- GOOG: 34
- FB: 33
- NFLX: 76
- AAPL: 35
- MSFT: 35
Compare this to, say, 3M, at 19, or GM with 17.
edit: incidentally, apparently Zoom's P/E is... 527, which is grossly inflated even for a tech company. Tesla is also in the same category with a P/E of 834.
Side note - Go read about Japan's lost decade and you'll see how dangerously close our (US) current speculative investing environment is to theirs before it fell.
Zoom went bananas because they won the space at a point in time that mattered. FaceTime is too proprietary and lacks features due to E2E, WebEx is run by incompetents, Google Meet is hard to use, and Teams is too complex. There’s a thousand other competitors with a few users.
Speculators poured billions into the consort and the valuation went nuts. That could go away in a week.
Yes, soon any website can have their own videoconferencing using web technology like WebRTC. And implementation will be as simple as running "npm install".
> But Zoom, alone, already has a marketcap of $117.534B
Yes. Zoom having a market cap that's more than half of Intel? Come on now ...
Everybody used to have Skype and I would have gladly handed over my data to MS if only it would have been able to do stable video calls. It was often a disaster for just 2-way calls, let alone group.
I imagine some people at Skype probably kept a few instances of Skype running at the office. So they technically hosted a few super nodes, but it wasn't necessarily that they were running some vastly different server version of the app. It wasn't until Microsoft decided to cut down on the P2P aspect of the app and hardcode only Azure-hosted super nodes into the application that this changed.
Stability was the main draw, but company IT departments would have had more power to ban it if there were bigger and clearer risks of corporate secrets escaping.
Some folks are concerned with more than stability and ease of use.
This would mean using only libre/open source software like Jitsu or Linphone, as one could verify the code or higher experts to verify the code.
If this was happenening in any other industry (except fonance?), the perpetrators would be in jail.
That doesn't justify zoom making false claims--I just don't think the companies you're describing would be using zoom.
Defending against sophisticated state-level actors goes even further beyond the requirements of most businesses. Unless you had a specific reason to believe that you were a target of such actors (dealing with national security, or matters of significant national strategic importance), you couldn't justify investing much resource into such defensive measures.
Also due to deception, it auto reinstalled on macs until they were caught.
Just look at the troubles and hurdles Signal messenger need to overcome to implement some features, while the competition that is not so security focused has them since forever.
That is what was great about zoom. The security becomes important after it works.
They did not provide the service the advertised: they provided something much inferior (and that's actually unsuitable for many industries).
It's not really really about "what would clients have done otherwise". It's a matter of giving money back.
If you pay me to write a program, and it only does half of what I promise, wouldn't you want [part of] your money back?
This is absolutely huge. We've tried Teams (and I have previously used Webex and Hangouts).
It seems like there is _always_ one person that struggles with other video services. Can't join, video/audio issues, CPU usage, latency, etc. Painful when 10%+ of a meeting is consumed by getting one last, key person trying to fix their issues.
Otherwise we had hangouts/meet with very basic features and jet-taking-off Mac behaviour, chime which is really good but nobody heard of it (Amazon is not interested in that market apparently), Skype which aims for social chat consumers, slack which works only within the org, jitsi, and a thousand of me-too apps with very basic feature set.
Zoom could kick your puppy at the end of each call, and it would likely still be the best choice at the time :-(
Very few things that are hosted are immune to employee buggery, that’s why companies invest in third party risk management; to assess those risks, which are always material and non-zero and determine if they are within the appetite of the organization.
So there was a competitor after all?
But that's not how capitalism works.
You can be honest business or you can steal billions, get caught and pay a millions in fines. I think everyone can see a problem here. You pay back less then you stole so this is an active encouragement to steal.
Most recent example, morgan stanley fraud for bilions in profit pays fine of 1.5 mil [0].
Reality is borrowing from Kafka.
[0] https://coinweek.com/bullion-report/morgan-stanley-mitsubish...
edit: That was for video streams. For audio streams, certainly the cpus cost is lower - about 10%.
FaceTime is the big E2E service. Most anything else allows dial in, and is not E2E. Zoom’s sin is bad marketing copy.
I don't think Zoom has transgressed anywhere nearly this badly, but even if I did it doesn't make sense to fine any company their entire value unless your goal is simply to destroy them. The company is only worth as much as it is because it is expected to continue as a company, and there would be no way for it to continue if it owed that much money to the government. Unless it was nationalized and run by the government, but I doubt you're proposing that? Which means instead the company liquidates, and its liquidation value is far less than it's value as a business.
Effectively, allow the company to continue as before, but wipe out all shareholders. After all, they are the people who allowed this behaviour. They are the ultimate decision makers.
Which competitors offered true E2E?
I think mostly they were (misleadingly/lyingly) promissing something above what most of their competitors offered, no?
The former still could've been a bit weaselly and misleading (many non-technical users would probably have assumed "encrypted" implied total confidentiality), but what they actually did was so much worse. I hope they get hit hard on that.
Did they? Which people? When? How?
Also, think of the competitors of zoom who lost customers to them due to their lying, that's a harm too, eh?
These are hard to quantify but they're not nothing.
It was encrypted, but not E2EE, so the only person who could have spied was Zoom itself, and we know the how too - by the same mechanism it performs a video recording, for example.
We just don't know if. But seeing as we've had zero reports of any real-world consequences that could only have come about by Zoom spying, combined with the fact that "spying on your customers" is anathema to your business model and therefore a risk no sane and rational board of directors would ever approve (moderate upside, enormous possibly business-ending downside if ever discovered)... Occam's Razor says no spying ever occurred.
And that's not what Occam's Razor means.
Non-E2E encryption doesn't give access to just "the company" (which probably doesn't care to spy on you, true), but absolutely anyone who can bribe/trick/coerse anyone in their "supply chain" (from the CEO to the sysadmins, hosting provider, even janitor...). Not to mention a data leak due to a vulnerability in any part of their stack.
The company has shown complrte disregard for security multiple times in the past and I wouldn't be at all surprised if they had major security holes. And since they already lied about E2EE, it would be entirely safe to assume they would not have disclosed a breach either.
You can know that nobody external to Zoom spied on those streams as they were encrypted between client and Zoom servers. The fact that Zoom had access to your stream, in principle, is par for course.
>These are hard to quantify but they're not nothing.
And they got in trouble. There is the FTC slap and the PR cost associated with the negative publicity. That feels about right for the level of infraction. But when these kinds of articles come out, people are calling for regulatory bodies to 'make examples' of the companies in question. That's not how it works. That's not how it should work.
Why are people still able to pretend otherwise without being laughed out of the room?
It is a variant of a Bible Thumper & Bootlegger coalition.
A large portion of the population really doesn't want to believe it. A small population with a vested interest (and lots of relevant tools at its disposal) is happy to help them.
Along with is growth in users, Zoom has seen concerns spike about how it is protecting users’ privacy. The Senate advised members not to use the service, according to Ars Technica and the New York City Department of Education banned its use for remote learning. A group of state attorneys general are probing the company after one of the officials was “zoombombed” on a forum about the Census, meaning the chat box was filled with profanities.
Ellison’s support could prove useful to Zoom as it wades through the new challenges of becoming a consumer tech company. Ellison is an influential billionaire with ties to the Trump administration. He has supported Trump’s campaign and even told the President about an anti-malaria drug Trump ended up touting as a possible treatment for the coronavirus, according to The New York Times. Oracle CEO Safra Catz served on Trump’s transition team in 2016.
If the clients are open-source and properly implement end-to-end encryption, and you verify that they are not sending your keys to the servers, then what is running on the servers is irrelevant.
Verification can be made with the security code that WhatsApp uses, and the safety number that Signal uses (same thing, different name). Other systems have other, similar methods.
You can verify that they match in order to verify that you're not communicating with a man-in-the-middle, and if the key changes then both apps show a prominent warning.
Granted, a lot of people may not actually bother to verify.
The only relevant vulnerability is stealth updates infecting the client, but the client could disallow it as well.
I suppose the risk with Zoom is leaks due to incompetence rather than leaks due to government intervention.
All e2e claims with closed source software must be dismissed by default. The burden of proof is on the seller.
But yes, impossible-to-verify claims are not worth very much at all.
Yes, I did. Thanks for asking.
> They don't have to pay anything
Yes, but they endured reputational damage, and companies hypothetically lying about it now could reasonably expect to have to pay something in future enforcements, which is what I was trying to get at in my previous comment. Reading it now, it was really sloppily worded by lumping together those things, but I'll leave it as it was so that the rest of this thread makes sense.
> they don't have to actually fulfill their prior claims
Given that they don't claim it any more, I'm not sure that they could be forced to start doing it -- put another way, not having E2E encryption is not a crime as long as you don't claim to have it.
It's a consent order. They're willingly agreeing to it in order to avoid other costs (like fines and a lengthy trial). There's no "forced to" involved.
I think this probably varies a lot between social groups; I know of many people (including non-technical) who were motivated to explore alternatives after reading news articles about Zoom's behaviour. A bunch of non-technical friends subsequently started to use meet.jit.si for meeting up, playing board games, etc, for example.
As for 3reputational damage, that’s a long term effect. A few events won’t have a lasting impact. If it turns out that Apple Key Chain is not e2e, or worse iOS exfiltrates key material from apps, that would be major news, but soon people will forget (if they ever cared in the first place) and keep buying iPhones unless the misbehavior is a recurrent problem. A company like Apple will make it extremely difficult to discover such misconduct.
I wrote:
> the penalties (both in terms of reputation and in terms of monetary fines) for this kind of misbehaviour
You wrote:
> What penalties?
"Apple has a market incentive not to lie!" is an argument I find compelling, but the NSA has a bigger incentive to make Apple lie, and more power than Apple. If Apple & friends were ever offering a truly secure communication channel it is unlikely that was/will be allowed to continue.
https://www.acquired.fm/episodes/the-zoom-ipo-with-santi-sub...
It is fact to say that Zoom could be compelled by the CCP to plant backdoors in software to siphon valuable IP for use by Chinese companies, as is usually the case with CCP-aligned companies like Huawei (Huawei had a cash incentive program for employees who delivered stolen IP to them).
http://cryptome.org/echelon-nh.htm
"Where are the wheels?"
"Well... we delivered most of what was purchased so you don't get to complain."
Ford once paid $300M for a faulty airbags thing, but that was negligence whereas this is fraud. Of course this isn't a lethal risk.
I would think the case would have legs. Haven't a clue how much for.
Go to the supermarket, but a box that says "ten apples". You get home and open it, there's just five apples. You'll want money back. What "damages" do you have to prove?
Unlike that example, it's difficult to know if there were direct damages, but some big companies can come together and try to make a case and sue them and demand huge compensations. Zoom could have spied on your conversations and sold your information to competitors even though they sold the product claiming that they couldn't.
It sounds like OP is referring to a breach of contract. Even if they can't prove damages, they could still be entitled to some other remedy, like a partial refund. It would depend on the language of the contract, of course.
>Despite promising end-to-end encryption, the FTC said that "Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers' meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised."
Not wonderful but that still, technically, is an E2E encryption scheme. Is it not? Or do they mean one end terminates in Zoom's servers and it's not E2E through the whole pipe, but rather two pipes stitched together?
Agreed it's not as secure as they marketed, but this seems to suggest if you want to offer E2E you need a specific kind of key storage to meet this new precedent. Good in practice, but maybe the FTC are not the right people to placing such a hurdle down?
I'm sure I've missed something though.
At no point is there encryption directly from one user to anothre.
Our company had stop using zoom for security reasons.
Ah, thank you. That was the bit I was missing.
Silly question I know but I couldn't wrap my head around the wording
The FTC not doing something unreasonable here, I would wager you are by implying they're placing undue hardship on a company that peddles bald-faced lies.
A good E2E-encrypted system would involve Zoom never having the keys at all, so "key storage" would be irrelevant.
The issue here is merely that Zoom claimed to be E2E-encrypted when they were not. They could have simply said "encrypted" and there would be no issue.
Is there anyone doing group videoconferencing with E2E encryption, for more than a handful of participants?
FaceTime supports group calls and claims E2E encryption for them. WhatsApp does too, I believe? I'm not sure how many participants you can have.
I think you use public key cryptography to securely distribute an encryption key for that call. So the host sends 39 messages encrypted with different keys containing a shared key. Then everyone uses the shared key to encrypt/decrypt the call data.
Both are news "aggregators"
I remember reading a while back that Zoom claimed a few times they were e2e-encrypted, but what they meant was transport encryption.
-> Jami (according to their website, I only ever used their chat and regular one-on-one calls)
-> Wire (client and server open source, but not community-lead development)
-> WhatsApp (if you trust Facebook, proprietary back-end)
And if you consider open source & on-premises / "can be completely locked off from the Internet so only you can access it" software to be end to end encrypted (if you personally run the server, you're one of the endpoints):
-> Jitsi Meet (full e2ee is under development, collab with Matrix I think)
-> BigBlueButton
-> Apache OpenMeetings (I never used this one, can't vouch for it)
Signal and Threema don't do group calls as far as I can quickly find online, correct me if I'm wrong.
Anyhow, plenty of options whether you like to self host (saves a ton of CPU on encryption and lets the server do stream mixing) or have full end to end encryption. Why do you care whether they're used by a billion people / "popular"? You can still choose to use them and improve the status quo because why not?
Some notes:
- Wire has published a detailed whitepaper on e2ee. https://wire-docs.wire.com/download/Wire+Security+Whitepaper...
- Jami (formerly GNU Ring) has an interesting post about having e2e here: https://security.stackexchange.com/a/162603/243716
- Jitsi e2e is testable, but they note that it's not completely finished. Key exchange has to be done manually.
- https://github.com/bigbluebutton/bigbluebutton/issues/9893 suggests BigBlueButton don't have e2e yet
- Wikipedia claims "no encryption protocol" for OpenMeetings https://en.wikipedia.org/wiki/Apache_OpenMeetings
---
So that leaves Wire and Jami. Thanks for the info!
As for Jitsi, BigBlueButton, and OpenMeetings, no indeed they don't do encryption currently, hence them being in the second section with open source self-hostable conference software rather than the e2ee section above. To me, depending on the use-case (if you can self host on a trusted system) that would be equally secure and also doesn't leak metadata (who calls who) to some central system.
Wire's most recent system (launched a few weeks ago to make the video conferencing more efficient, bumping max participants from 4 to 12) also tries to avoid learning who is in a conference with who, but fact is that if you observe their datacenter there'll be traffic going to certain IP addresses that starts and stops at the same time.
For what it's worth, to add my experience/recommendations: I really liked the BBB setups I've been in (largest was a hundred or so people) and would recommend that if you're looking for an alternative. Wire also works reasonably and because it's end to end encrypted you don't need your own setup to get started, but isn't as open source oriented as BBB/Jitsi and the CPU load from the encryption during video or screen sharing is quite significant. Jami, last I tested, was quite buggy, but that was way before the pandemic. Full disclose: so far I've only had to decline one Zoom request and so I've never been in a Zoom® call (not a single of our clients uses Zoom, yet people use the brand name as a synonym for video call? I don't get it), so I can't compare any of these with Zoom.
p2p tech that uses e2e and only uses servers to establish a key handshake
you, people should believe or trust no one! thats the number one rule for [e2e, or else] security I think.
I wish executives would start going to jail over this stuff. Bet they'd stop lying to their customers then.
so, drop Zoom, use a Free and Open-Source alternative. Example: Jitsi (jitsi.org) . It has more rough edges, but it works.
[1] https://en.wikipedia.org/wiki/Operation_Fox_Hunt
What a slap on the wrist. "You blatantly lied to your customers for years. How about you just continue to implement the thing that you were working on anyways."
I don't think punishment is always the best solution but it seems that you should at least set some sort of example.
[1] https://www.amazon.com/Dont-Shoot-Dog-Teaching-Training/dp/0...
But more generally, it's not obvious that individual, "reptile-brain" incentives translate to large company leadership. I'd be hugely skeptical of applying positive psychology to international corporate leadership, but what do I know anyway.
--Mitt Romney [0]
So we should all remember that Zoom is probably depressed right now and could probably use some support from its friends. Maybe urge GCal to send it a nice note.
[0] https://www.npr.org/sections/itsallpolitics/2011/08/11/13955...
I hate the
(1) cheat to win and vanquish your competitors
(2) when you're caught, say you're sorry,
(3) win anyway because your competitors are gone
progression. It seems like the penalty for that should be existential or at least something painfully severe.
It's like RealPlayer. By the time the courts catch up, the game is over.
Several people are on zoom instead of Google, for instance, even though I pay for Google. I don't know the other players in the space.
Zoom, unbelievably, built a better video conferencing solution than any product by any other company. Their top competitors were Google, Microsoft, and Cisco - several orders of magnitude larger than them.
In this case, I believe the underdog won.
InfoSec cuts both ways in the market. Sure, products with lower standards “poison the well.” But purchasers with burdensome, pointless, obsolete security audits do far more damage to the ecosystem. It certainly cost my startup a tremendous amount of potential growth. We far exceeded security standards like SOC Type II, but still had to bend how we solved security/user problems to Excel sheet checklists.
Zoom was facing a similar issue - they delivered “secure enough” until it wasn’t. Then they, in months, made massive, productive, effective changes that addressed the new issues from skyrocketing growth.
If our standards for good actors in the tech space is higher than that, I don’t know how humans can achieve them.
In other words: "appealing to the people" instead of addressing the corporation itself is like trying to heat up a climate-controlled room by lighting a small fire in it. You'll be fighting the AC unit all the way and causing lots of unnecessary damage, when the right way to do it is to adjust the thermostat on the AC unit.
https://www.sciencedirect.com/topics/psychology/intermittent...
Honestly - that's inline with the severity of the crime.
>I don't think punishment is always the best solution but it seems that you should at least set some sort of example.
I'm not a fan of regulatory bodies making examples of companies for minor infractions. And this is a very minor infraction.
From my perspective, making security guarantees about a product is the same whether that product is software or hardware. If somebody guaranteed that their ferris wheel had x safety feature, then it turned out to be untrue, nobody would call that a minor infraction.
Obviously we should be utilizing critical thinking ourselves, but I think that we also need the threat of punishment. Because if we have that threat one critical thinker can report the problem and it will be solved for everyone. If there is no punishment then there is no incentive for companies to tell the truth.
https://www.theglobeandmail.com/opinion/article-participatin...
Exactly. Any small startup owners would see jail time. Similar case in recent History is Trump non-profit (please no flamewars). There are tens of thousands of business-owners rotting in jail today because they embezzled half a million bucks or more - here with Trump charity you have case of at least $2 million stolen plus self-dealing and basically living your whole life/paying personal bills out of charity and what does the judge do? - "Here Mr. Trump is a $99 training seminar on "How not to steal" from your own charity. Go get you and your children watch this online class and report back when you done".
Unbelievable.
Why did they have to "agree" to that? Shouldn't that already not be allowed? Also, this sounds a bit like they're allowed to misrepresent other things...
1. All cryptographic keys controlled by the users.
2. Some way to confirm you are actually connected to who you think you are connected to.
3. A way to confirm that the code you are running is not leaking keys/content.
So Zoom failed on all 3 points. There are lots of things out there claiming E2EE that fail on one or more of these points. Almost all fail on point 2 unless the user does things that they almost never do. Is the FTC going to come up with a E2EE definition for trade and start prosecuting those that don't meet that definition? Otherwise it would seem unfair that they only went after the entity that ended up in the general media.
Are you referring to the "scan this QR code to verify your partner's key" function in secure messaging apps? I definitely use that. I try to keep all my primary contact's keys verified. It's harder during COVID when you're not meeting up in person as often, because anything besides meeting in person and verifying the two devices directly exposes you to another unverified channel.
It's very hard to bootstrap this stuff. Sure, "web of trust" but that's hard too. Speaking of which, didn't Keybase get bought by zoom to help with exactly these issues?
Yes. Or read the weird numbers/letters over the phone. Or look at the strange image and compare it somehow.
For all I know there is something out there that wants you to compare a tune...
I trust Telegram’s E2E, but not Zoom - unless Zoom’s client is on GitHub with deterministic build steps?
[1] https://security.stackexchange.com/a/49802/29703 (a bit dated but AFAIK nothing changed)
A lot dated. The current thing is described here:
* https://core.telegram.org/mtproto
I'm not even talking about the gradient ranging from innocent bugs to incompetent coders and how that gets papered over. When you buy shoddy physical goods, there are typically characteristics you can't hide, like cheap materials. But with software like this of course the only function your average person can verify is that the transmission happens, not how it is encoded. Neither Grandma nor your manager are likely to break out tcpdump to check.
And of course the DMCA complicates this in the US, and things are even worse for researchers elsewhere.
Third party audit and reputation are the only fixes I see. And the second one requires a commercial environment that rewards it. The current one doesn't; it rewards novelty and lies, so that's what we get.
Third party audits aren't a silver bullet. Enron and Worldcom had third party audits.
This means that I try to design in such a way that a reasonably competent dev could sit down and rewrite the whole system in a couple hours/days/weeks.
Briefly, the issue with auditing, as with most things, is incentives over time. The difference between fraud in finance and software engineering is how long the bezzle[1] lasts. In finance, it can last a very long time in up economies, leaving Big Three auditors plenty of time to scurry off. In software you have to deliver at some point, leaving lying auditors exposed to discovery by security researchers immediately.
There is certainly still room for shenanigans if not set up correctly, but less than in finance.
[1] https://moneyfyi.wordpress.com/2013/11/15/5358/
I suppose rebranding and transferring assets is kind of like a Chapter 7 "destroyed their business completely", but no one involved went to jail, no one lost their Series 7 or any other kind of licensing, no one was ever barred for life from ever managing at a public company ever again, etc. Sure, to laypeople a selling off of assets and rebranding sounds pretty "destroyed...completely", but unless there are lifelong, severe, natural person repercussions, business people are thrilled with the results. No clawbacks, no offender registration, can always point the blame elsewhere in future discussions (like job interviews). This is mostly regulatory theater, and all net upside for those who benefited by unethical action or by unethical omission.
https://www.wsj.com/articles/string-of-firms-that-imploded-h...
https://news.ycombinator.com/item?id=24802741
Nobody at Arthur Andersen went to prison and SCOTUS reversed their conviction. The firm may have gone up in smoke, but nobody was actually punished for their crimes. Who at Ernst and Young has gone to prison for Wireguard or WeWork? None by my count.
Reproducible builds remove this requirement.
https://en.wikipedia.org/wiki/Reproducible_builds
Legal / Terms of Service / Terms of Use / Usage Policy
I find that a majority don't even hide unreasonable conditions in 'legal' terms anymore. Whilst there may be tens, hundreds, of pages in that ToS you tick before using the product - there's a few solid, clear, one sentence dot points that protect from all issues. The best of these is similar to: "We reserve the right to amend, change, or otherwise modify this agreement with - or without - notice.", or "We reserve the right to withdraw services/solutions with - or without - notice." Some, like the famous early React licenses (by Facebook), had indemnity clauses for simply using the product - even if your then legal engagement was entirely unrelated to your use of React. Impacted by Cambridge Analytica? Sorry. Many years ago you experimented with React. Immunity.
I don't think a third party audit is a fix. Even dismissing these previous statements. The volume of 'independent' auditors that are then found corrupt, or otherwise bias/incompetent in result, is pretty regular news. More often than not. Based on some experience with how contracts and engagements go with big corporations - some even factor in known 'expected losses' (such as fines, failing to meet SLA, etc) in their actual budget of contract.
The real fix is users taking responsibility. Don't like the ToS (And, believe me; you won't..). Don't accept it.
(@USERS, not @_jal) But don't complain that the product you did, or did not, pay a cent for - but blindly accepted the ToS - fails to deliver to your expectation. Sure.. It suggested, or possibly even states 'end to end encryption'. But the ToS clarifies context of that.
https://zoom.us/terms