Zoom Misrepresents Its Company's Security Protection

By Kayla Deruiter on October 8, 2020

Executive Summary:

The Zoom application has been essential during 2020 for individuals to communicate with friends, family, and colleagues while maintaining social distancing. Users were led to believe that Zoom was a secure application, but the company has been exposed for not using end-to-end encryption and for routing calls through servers in China (Marks, 2020). This scandal resulted not only in the company being sued by consumers, but also in a loss of trust and sense of security in the community. Zoom had claimed that it had the most secure encryption, but during the surge of users at the start of the pandemic it used Transport Layer Security (TLS), which is less secure because it allows the host company in the middle to decrypt communications. Chief Product Officer Oded Gal says that the company did not intend to deceive its consumers, but rather misused the term end-to-end encryption. The company has also agreed to limit its ties with China because of the threats posed by the Chinese government.

Open Source Intelligence (OSINT) Details:

Consumers take their privacy and security seriously when it comes to using applications, especially if the application claims to support that type of security. According to the Washington Post, the non-profit organization Consumer Watchdog is suing under a D.C. consumer protection law. They are expecting up to $1,500 for every incident in which a D.C. user used Zoom for non-business purposes, which could cost the company millions of dollars in this lawsuit (Marks, 2020). There are worries that if Zoom could lie about its security protection for years, then other companies could be doing the same, and that if there are no consequences it will happen again. Zoom admits to using misleading terminology about its encryption protection, and says that during the surge it “accidentally” routed calls through Chinese servers because of the increase in users at the start of the pandemic. Consumer Watchdog is accusing Zoom of not being honest about its ties with China and about the danger of Beijing stealing information from calls or wanting access to the content (Riley, 2020). Zoom is based in California, but has three companies in China with 700 employees that assist with research and development. However, the company plans to cut back on its ties with China (Riley, 2020).

The difference is that end-to-end encryption, which the company had been claiming to use, scrambles the message contents from the moment they leave the sender’s computer until they reach the authorized recipients, so that no one, not even the company, can access the information within that message. The company has admitted to using TLS, which, as stated earlier, allows the host company to decrypt communications in the middle; The Intercept reported back in April that the company was using this kind of connection. According to the Consumer Watchdog article, in response to law enforcement warrants, tech companies are not allowed to turn over decrypted versions of customer messages, which is controversial because it is needed to determine the lawful communications (Riley, 2020).
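The distinction above comes down to who holds the decryption key, which the following added example models (it is not code from Zoom or from the cited articles). `Relay`, `compare`, `seal`, `unseal` and the participant names are hypothetical, the cipher is a standard-library stand-in rather than the one TLS or Zoom uses, and the end-to-end key is assumed to have been agreed between the endpoints out of band.

```python
import hashlib, hmac, os

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    # Stand-in authenticated cipher for the demo (not Zoom's or TLS's actual cipher).
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

class Relay:  # hypothetical conferencing server sitting between two participants
    def __init__(self, link_keys):
        self.link_keys = link_keys  # per-participant transport keys held by the server
        self.visible = []           # what the operator could log or disclose
    def forward_transport(self, sender, recipient, blob):
        plaintext = unseal(self.link_keys[sender], blob)   # link terminates here
        self.visible.append(plaintext)
        return seal(self.link_keys[recipient], plaintext)  # re-encrypted for next hop

    def forward_e2e(self, blob):
        self.visible.append(blob)  # ciphertext only; the relay never holds this key
        return blob

def compare(message):
    keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    hop = Relay(keys)
    got_hop = unseal(keys["bob"], hop.forward_transport("alice", "bob", seal(keys["alice"], message)))
    e2e_key = os.urandom(32)  # assumed agreed between endpoints out of band
    e2e = Relay(keys)
    got_e2e = unseal(e2e_key, e2e.forward_e2e(seal(e2e_key, message)))
    return {"delivered": got_hop == message == got_e2e,
            "relay_reads_transport_only": message in hop.visible,
            "relay_reads_e2e": any(message in item for item in e2e.visible)}

if __name__ == "__main__": print(compare(b"constructed sample chat message"))
```

In both modes the recipient gets the message; only in the transport-only mode does the relay end up holding the plaintext.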

Zoom defends itself by pointing out that it is currently developing end-to-end encryption and adding it, along with other security features, to its video conferencing platform. In May, the company obtained the secure messaging and file-sharing service Keybase to show its efforts (Spadafora, 2020). Keybase is a key directory that links social media identities to encryption keys, making it more secure. A Zoom spokesman reached out to TechRadar Pro to state, “We take privacy and security extremely seriously and are committed to continuous enhancements, including the timely beta testing and implementation of end-to-end encryption” (Spadafora, 2020). This website also recommends some of the best antivirus software and business webcams for working from home.

Potential Impact:

Zoom has gone from $115 to $250 per share because of the increase in users during the pandemic (Marks, 2020), but because of this lawsuit and security protection scandal, the company could possibly go down and lose some consumers. I have seen consumers switch to more secure applications, such as Microsoft Teams, for professional calls to maintain security. At the beginning of the pandemic, when people were switching to Zoom as a means of communication, there were incidents where individuals would go into random Zoom calls. Zoom solved this problem by adding passwords and waiting rooms for conferences to verify the individuals. We could see more security measures implemented by the company to come back after this security breach.

Significance:

As a college student who uses Zoom frequently for meetings and classes, I personally would want to know I am using a secure application. When a company is untrustworthy and is publicly exposed for misrepresenting anything within that company, it tarnishes the company's name and integrity. Information going through other countries, such as China, leaves room for interception of traffic, and the fact that Zoom was only using TLS makes us and our information vulnerable. Who knows what information the Chinese government could have obtained from users within that time frame of no end-to-end encryption? We will see what changes the company will make and whether it holds up its agreement to limit ties with China.

Sources:

Marks, J. (2020, August 11). Analysis | The Cybersecurity 202: Zoom sued by consumer group for misrepresenting its encryption protections. Retrieved September 08, 2020, from https://www.washingtonpost.com/politics/2020/08/11/cybersecurity-202-zoom-sued-by-consumer-group-misrepresenting-its-encryption-protections/

Riley, T., & Marks, J. (2020, August 11). Zoom Sued By Consumer Group For Misrepresenting Its Encryption Protections. Retrieved September 08, 2020, from https://www.consumerwatchdog.org/news-story/zoom-sued-consumer-group-misrepresenting-its-encryption-protections

Spadafora, A. (2020, August 14). Zoom may have another major security worry. Retrieved September 08, 2020, from https://www.techradar.com/news/zoom-sued-over-misleading-security-claims