Video conferences and communications held on the Zoom platform are not actually end-to-end encrypted, a new report has revealed.
Zoom offers video conferencing technology and has enjoyed a huge growth in popularity in light of people around the world having to work from home due to the COVID-19 pandemic.
The company states on its website and an accompanying white paper that it supports end-to-end encryption for meetings held on the platform.
This would mean the company could not access the video and surrounding communications at all, similar to the protections used by WhatsApp and Signal.
But a new report by The Intercept has found that this is not the case, with the platform actually offering only “transport encryption” instead, the same protection used to secure HTTPS websites.
This form of protection means that the data is encrypted between Zoom users and the company's servers, but the company could still access it in an unencrypted form.
The report said Zoom has been using “misleading marketing”.
The issue appears to centre on the phrase “end-to-end encryption”, with Zoom claiming its use of the phrase was not meant to imply the widely used definition of this form of encryption.
“When we use the phrase ‘end to end’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point...content is not decrypted as it transfers across the Zoom cloud,” a Zoom spokesperson told The Intercept.
“Currently, it is not possible to enable E2E encryption for Zoom video meetings.”
Zoom has seen rapid growth since the outbreak of COVID-19, with an estimated 2.13 million downloads around the world on the 23rd of March alone.
Stock in the company has surged from under $US70 in January to $US150 earlier this week, giving it a market cap of $US42 billion.
But this has led to increased scrutiny of the Silicon Valley company and its data privacy and security practices.
Along with the encryption issue, it was also recently revealed that the app had been sending data to Facebook even if the user didn’t have a Facebook account.
The company has said it has now disabled this feature.
New York Attorney General Letitia James has opened an investigation into Zoom’s data privacy and security practices, asking it what new security measures have been put in place to deal with the vastly increased traffic.
James also questioned the company’s response to identified vulnerabilities and flaws, saying they could “enable malicious third parties to, among other things, gain surreptitious access to consumer webcams”.
A Twitter user also appears to have identified another issue with privacy on Zoom.
“If you’re having a committee meeting via Zoom and you use the chat function to privately write to someone, your colleagues may not see it in real time, but it shows up when the chat is downloaded and put in the minutes folder,” they posted.
In response, a Zoom spokesperson said this can be easily avoided depending on what feature is being used.
“If a host chooses to record a Zoom meeting to the cloud, only chats sent publicly (to everyone in the meeting) are saved,” the spokesperson said.
“If a host chooses to record a Zoom meeting locally, then chats sent publicly, as well as any private chat exchanges that the host who chose to record the meeting participated in during session, are saved.”
While Zoom’s stock has risen rapidly in recent weeks, so too have shares in a mysterious China-based company that has the ZOOM ticker. After investors were apparently confused about which was the real video conferencing company, the SEC moved to suspend trading in the Chinese company, which hadn’t provided any update to the market in several years.