TECH TALK

Comment on this article

End-to-End Encryption in Video Conferencing Solutions: What It Is and Why It Matters

by Soo-yeon Hwang


As so many people got confined at home amid the COVID-19 pandemic, the popularity of video conferencing solutions such as Zoom soared. It is used for not only work, but also personal gatherings. People found it as an alternative to in-person meetings in the age of social distancing.


Yet, it was recently uncovered that Zoom’s claim of end-to-end encryption was, in fact, not quite right.[1] It turns out that it was a misleading marketing on Zoom’s part, and what it actually provides is transport encryption instead of true end-to-end encryption.


So what is the difference? What is end-to-end encryption, and why does it matter?


Wired explains end-to-end encryption as the following[2]:


End-to-end encryption is a system of communication where the only people who can read the messages are the people communicating. No eavesdropper can access the cryptographic keys needed to decrypt the conversation—not even a company that runs the messaging service.


(…)


But increasingly, privacy-conscious communications tools are rolling out a feature known as “end-to-end encryption.” That “end-to-end” promise means that messages are encrypted in a way that allows only the unique recipient of a message to decrypt it, and not anyone in between. In other words, only the endpoint computers hold the cryptographic keys, and the company’s server acts as an illiterate messenger, passing along messages that it can’t itself decipher.


This means that even if the server running the communication service gets hacked, the hacker will not be able to eavesdrop on the communication because the cryptographic key used for message encryption is unknown to the server.[3]


On the other hand, transport encryption is encrypting connection between one end point to another, where the end point can include the service provider’s servers. Zoom’s encryption technology is akin to HTTPS where the connection between the web browser and the web server is encrypted.[4] This is fine when there are only two end points involved such as in HTTPS’ case. However, in case of messaging services including video conferencing, the service provider relays the communication in between two end points, and is considered another end point. What happens is that the message is encrypted in transit from one end point to the next and gets decrypted whenever it arrives at an end point. In other words, it is encrypted at the source end, but decrypted at the service provider’s server, and then encrypted again between the server and the receiving end.


What matters here is privacy concerns. With transport encryption, there is no guarantee that the messages are protected from the service provider’s eyes because it can hold decrypted copies of the communication. Or it could be subpoenaed or get hacked, and a third party would get access to the messages. If you want better privacy, you want end-to-end encryption so that the trace of communication does not get left behind in the service provider’s possession.


Consider cases where you are holding a mission critical meeting for your business or government agency over video conferencing due to everyone having to work from home. Therefore, the US Senate and several international governments are telling their staff not to use Zoom.[5]


So, are there any other video conferencing solutions that offer end-to-end encryption? There are a few[6],[7],[8], the most popular of which might be Apple’s FaceTime. But, unfortunately, none of the alternatives seem to offer free as well as enterprise solutions that are easy to use and as cross-platform as Zoom. There is a reason why Zoom has become so popular despite its misleading security claims.


Copyright 2020 by Soo-yeon Hwang.


About the author: Soo-yeon Hwang is the Web Services Librarian and Assistant Professor at Sam Houston State University. She has a PhD in Communication and Information from Rutgers University, and MS in Information from the University of Michigan, Ann Arbor. She has professional experience in software development, technical writing, testing, and technical support.



[1] https://theintercept.com/2020/03/31/zoom-meeting-encryption/

[2] https://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/

[3] The Wired article referenced above explains ways that end-to-end encrypted communication can still be snooped, though, for example by impersonating the message recipient or hacking end-user computers.

[4] See reference #1 for more details and what Zoom spokesperson said.

[5] https://www.zdnet.com/article/us-senate-german-government-tell-staff-not-to-use-zoom/

[6] https://www.vice.com/en_us/article/m7qwgx/what-is-the-most-secure-video-conferencing-software

[7] https://blog.mozilla.org/blog/2020/04/28/which-video-call-apps-can-you-trust/

[8] https://www.forbes.com/sites/kateoflahertyuk/2020/04/04/zoom-alternatives-5-options-for-people-who-care-about-security-and-privacy/