Zoom and the art of the big pivot

Devayani Khare, Hasgeek
4 min read · May 1, 2020
Image credits: HasGeek.com

On 29th April, the privacy-tech initiative at HasGeek hosted ‘Zoom and the art of the big pivot’ — an interview of Micah Lee, by Vivek Durai, that delved into how journalists at The Intercept_ stumbled onto the story of Zoom’s security issues.

It all started with Yael Grauer — Lee’s co-author on two articles about Zoom’s security lapses — talking to Slack, Zoom and other companies that provide team communication tools, whose use has exploded since the pandemic forced work to go remote. “She was trying to understand their product’s privacy features, and was asking them a bunch of questions, including questions about how it was encrypted — specifically as Zoom was saying that it was end-to-end encrypted. As most stuff on the internet is not end-to-end encrypted, it was kind of a big deal”, Micah Lee adds.

Zoom’s website featured a security whitepaper that claimed Zoom was end-to-end encrypted. “So if you’re having a Zoom meeting, where they say that it is end-to-end encrypted and you trust this, then if you have a sensitive business meeting talking about trade secrets or whatever, you might feel very confident about using it for this meeting, but it turned out that it wasn’t true.”

Yael asked them specific, detailed questions about how their encryption works. A Zoom spokesperson said that it was not currently possible to enable end-to-end encryption for Zoom video meetings. Instead, Zoom video meetings use a combination of TCP and UDP: TCP connections are made using TLS, and UDP connections are encrypted with AES using a key negotiated over TLS. Jargon aside, that is the standard transport-security setup for most such tools, and it is not end-to-end encryption, because the key is negotiated with Zoom’s own servers and so is known to Zoom. This is what sparked the controversy: were Zoom’s security claims out of line with what the product actually did? And what repercussions does that have for users across the world?

And that’s how the investigation into Zoom’s security claims was launched by The Intercept, with Micah Lee and Yael Grauer at the helm. Their story was published by the Intercept at the end of March. Since then there have been several other takedowns of Zoom.

To add more context, there are three levels of transport security used by most products:

1. Unencrypted (like HTTP): where your ISP can read your meetings and also inject itself into the traffic.

2. Point-to-point encrypted (HTTPS, Zoom, Telegram, etc.): where your ISP can’t interfere, but Zoom itself can (or Telegram, or whichever service provider, as permitted by their terms of service).

3. End-to-end encrypted (as in the case of WhatsApp and Signal): where even the service provider (WhatsApp, Signal) can’t see what’s going on.

Zoom claimed to be end-to-end encrypted, but in fact offered only point-to-point encryption. Micah Lee feels that Zoom has some of the gears in place to make the transition, but not all of them. “They aren’t too far off from matching their claims, but will they do so, is the pertinent question here,” Lee speculates.

Anchoring this interview was Vivek Durai, the founder of paper.vc. Via Random, a popular private market-focussed business intelligence newsletter, he brought a different perspective to products such as Zoom. He dwelt on the challenges that companies such as Zoom face as they manage a massive but continuing pivot to adapt to a large base of discerning home users.

Vivek led the conversation around to several other interesting topics:

The Zoom investigation also pursued the ‘Chinese angle’. Intrigued? Well, (as most of us know) participants who want to join a Zoom meeting are sent an encryption key via a server. When Covid-19 started spreading, with China being one of the first-hit areas, demand for remote working there increased. Zoom had to scale up rapidly in China, and added many new in-country servers. Later the demand expanded worldwide. Due to an oversight in how those new servers were brought into service, some conversations happening outside the country were being routed through servers in China. This in itself needn’t have been a problem as long as the data was encrypted with keys those servers never saw: even if your traffic passed through China, and the Chinese authorities compelled Zoom to hand over copies of users’ meetings, only encrypted copies could be shared — and they couldn’t spy on you without hacking your devices. But as it turned out, several of the servers generating these encryption keys were located in China, and THAT was a real problem. Zoom has promised that this is no longer the case.
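To make concrete the difference between the second and third levels of transport security listed above, and why the location of the key-generating servers mattered, here is an added example in Go (not code from the talk, The Intercept or Zoom) that simulates one media frame under both models: in the point-to-point model the provider’s key server generates the AES key and hands it out, so the relay can decrypt what it carries; in the end-to-end model the two participants derive the key with X25519 and the relay only ever forwards public keys. The function names, the sample frame and the use of AES-256-GCM with a SHA-256-derived key are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// seal encrypts one media frame with AES-256-GCM; the random 12-byte nonce is prepended.
func seal(key [32]byte, frame []byte) []byte {
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, frame, nil)
}

// canRead reports whether key decrypts sealed; GCM's tag check fails for any other key.
func canRead(key [32]byte, sealed []byte) bool {
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	_, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	return err == nil
}

// PointToPoint: the provider's key server generates the meeting key and hands it out, so the provider keeps a copy (Zoom, as described).
func PointToPoint(frame []byte) (serverReads, peerReads bool) {
	var meetingKey [32]byte
	rand.Read(meetingKey[:]) // generated on the provider's key server, then distributed
	sealed := seal(meetingKey, frame)
	return canRead(meetingKey, sealed), canRead(meetingKey, sealed)
}

// EndToEnd: participants derive the key with X25519; the relay forwards only public keys and never holds the AES key.
func EndToEnd(frame []byte) (serverReads, peerReads bool) {
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	sA, _ := alice.ECDH(bob.PublicKey()) // Alice's shared secret
	sB, _ := bob.ECDH(alice.PublicKey()) // Bob's, identical by construction
	sealed := seal(sha256.Sum256(sA), frame) // hash the raw secret into the AES key
	return canRead([32]byte{}, sealed), canRead(sha256.Sum256(sB), sealed) // relay holds no key; zeros stand in for any guess
}

func main() {
	fmt.Println(PointToPoint([]byte("frame"))) // true true
	fmt.Println(EndToEnd([]byte("frame")))     // false true
}
```

The second model is what the whitepaper’s “end-to-end” claim would have required; the first is what the spokesperson described.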

Other questions covered included:

  • What is the scope for open source, collaborative tools to enter this space? What challenges do they face while competing with the tech giants?
  • Why has user security become such an important topic in recent years? How does it affect our increasingly digital lives?
  • What are the trade-offs product developers or managers face while prioritising product development? How do they balance concerns of usability versus customer privacy?
  • Will the increasing demand for privacy have a whole bunch of folks building new tools? Can we harness this paranoia for good?
  • Many other tech products are proving crucial during the lockdown; what lessons can they learn from Zoom’s case?

Watch the video of this talk here: https://hasgeek.com/rootconf/security-privacy-tech/videos

With inputs from Kiran Jonnalagadda and Zainab Bawa
