Despite being the most popular video conferencing choice for online classes at City, and one of the global leaders in the industry, Zoom has come into conflict with the Federal Trade Commission for “deceptive practices”. Zoom has long claimed in its advertising that its calls are protected by “end-to-end encryption”, but according to the FTC this is misleading.
According to a Zoom statement in March, the phrase “end-to-end encryption” simply means that “content is not decrypted as it transfers across the Zoom cloud.” This may be true, but according to the FTC complaint, Zoom not only kept the cryptographic keys necessary to decrypt those calls but also stored unencrypted recordings of certain calls on their servers for up to sixty days.
Basically, encrypting a call recording means translating it into code, similar to writing secret messages with a spinning alphabet wheel but a lot more complicated. Normally when a service uses “end-to-end encryption”, only the sending and receiving computers know the key (the equivalent of the wheel’s shift) that can correctly decode the message, but Zoom quietly kept those keys on hand. This would have allowed them to unscramble and watch at least some call recordings, which is what led the FTC to object.
To be clear, it does not appear that Zoom’s statements were false. The calls were encrypted; they could just be decrypted easily. The fact that Zoom neglected to explain the entire process led the FTC to conclude that “Zoom’s misleading claims gave users a false sense of security.”
Zoom recently reached a legal settlement with the FTC requiring them to take meaningful steps to address these concerns, although there are no financial requirements. The company already rolled out part one of a four-part update to implement more secure end-to-end encryption in October, although part two will not arrive until sometime in 2021. In the meantime, just know that if there’s anything you want to keep secret, you probably shouldn’t talk about it on Zoom.