This is a problem that happens more often than we care to admit. Many services billing themselves as private, or at least presenting the illusion to the expectation of privacy, are outright lying to consumers. This is because no company that does business in China can truly be private, as according to their laws. China does contain about 1/7th of the world’s total population, making it difficult for companies to turn down such a significant prospect. Many don’t, and the privacy of everyone suffers.
Popular virtual meeting service Zoom is the latest to come under fire for its deceptive practices and eagerness to meet the demands of the constantly overreaching Chinese government. They mislead all of their users and went the extra mile to make China feel included – to the detriment of everyone who relies on Zoom.
The Company Lied about End to End Encryption
Zoom is utilized primarily for remote business meetings, where it is reasonable to expect that members of a company will be talking about sensitive financial data, trade secrets, and other potential moves that they’re not willing to share with the public or their competition. The end to end encryption promised by Zoom was a huge draw for these companies. They need to be able to conduct virtual meetings with the same level of privacy they’d expect when everyone is sitting behind a closed door at the same table.
With true end to end encryption, all parties involved in a digital meeting or conversation have exclusive copies of an encryption key. They’re the only ones with these keys. Other people who do not have these keys will not be able to access the video, audio, photos, or text associated with this conversation. This was not the case with Zoom, and a little digging makes the move look deliberate.
The Way Things Are Actually Encrypted
Encryption keys are generated and sent from Zoom’s cloud based key management system. In some meetings, a key may be granted to a special connector server to help facilitate the call. This is somewhat of a security flaw in and of itself, but it’s not the largest problem. The cause for concern is that 5 out of 73 of Zoom’s encryption servers are located in China.
On the surface, this move makes sense. Having servers in and around China would help to support Zoom’s digital infrastructure as it serves users in that region. The problem comes with the conflict of operating in China and the implications that come with that.
Another troublesome discovery is that Zoom meetings connecting remote participants that both happen to be located in the United States are sometimes routed through Zoom’s Chinese servers, which is needless and potentially deliberate. The Citizen Lab, a research group, placed test calls to duplicate the phenomenon. They found that US based calls can be, and sometimes are, routed through encryption servers in Beijing.
Chinese Laws and Chinese Employees
Nothing can be encrypted in China. In order to conduct any sort of business in China, you need to be compliant with their policies. China does not allow privacy to any of its citizens. The open internet is blocked, everything is censored, and the government demands complete access to any and all transmissions made online or by phone. The policy is to openly spy on all communications.
By having servers in China, Zoom has to consent to the Chinese government’s ability to access any data funneled through China. China requires access to those encryption keys, meaning that a spy is onboard every time a Zoom meeting utilizes those servers. The fact that calls where all participants involved are located in the US are being routed through unsafe Chinese servers suggests that the Chinese government has a purpose for wanting information from those calls.
What That Means In Our Current Circumstances
Everyone is quarantined, placed under “Stay at Home” orders, and non essential businesses are required to close in many parts of the world. Because of this, Zoom’s utilization has skyrocketed. People need a way to meet from quarantine, and Zoom provides one of the only options. This massive uptick in users and meetings makes more and more sensitive information vulnerable.
This places a sense of urgency around the situation. It was already a major privacy risk, but it’s even bigger now that Zoom meetings are becoming a primary mode of function for businesses rather than a supplemental or occasional way to facilitate meetings across long distances. More critically sensitive information is being shared online than ever before, and these servers in the hands of spies for the Chinese government place everyone’s trade secrets at risk.
How Does Zoom Plan to Fix It?
Yuan, Zoom’s CEO, has provided some lackluster answers. He first clarifies that Zoom never specifically built tools or infrastructure that would deliberately hand over the keys to sensitive information to foreign governments and that the company has not worked directly with law enforcement in any capacity. Despite this, the problem still exists.
Zoom is attempting to reinforce password safety while acknowledging that dozens of prominent researchers have been coming forward with their privacy concerns relating to the service, exposing major flaws that may not have been deliberate in the design of Zoom.
Human rights group Access Now is putting pressure on Zoom to release a transparency report that would detail how many requests for information it has received from governments or other relevant authority figures, as well as how many of those requests it has complied with. Zoom is promising to deliver on a transparency report, but the results remain to be seen.
Privacy Oriented Alternatives to Zoom
The best course of action is to avoid using Zoom entirely. There are too many privacy risks associated with the service. Unless and until Zoom is able to restructure and prove that they’re no longer placing sensitive data in the hands of the Chinese government, Zoom should not become a meeting alternative for businesses.
For now, there are always truly end to end encrypted services like PrivateMail, which utilizes OpenPGP encryption to keep business communication safe between the sender and recipient. Paranoid encrypted cloud storage allows for attachments and streaming media to be send securely. Best of all, PrivateMail cannot provide information on any encrypted content, because we don’t hold the keys, you do. It’s how privacy was meant to be.