PSA: Zoom shouldn’t be trusted for video/conference calls.

The short read: Should Zoom should be trusted to keep your group calls secret? Only as far as you would trust Microsoft, Google, or Facebook—as far as CLDC is concerned, not at all. If you must keep using Zoom, please make sure that everyone on your call knows that it is not a secure communications channel (think of it as a semi-open meeting or training in a public forum where you might be recorded). Limit your conversations to less sensitive topics.

Remember, all of your internal communications are worth protecting. If captured, they can be used against you to limit the success of your campaigns. There are also great alternatives.

We recommend these two options:

  • The super easy option (just click on one link to start videoconferencing) is https://meet.mayfirst.org. This works as easily as sharing a Zoom link, and it has worked very well in our tests with 20 people/devices or more.
  • Wire: top-shelf security for voice-only calls for up to 10 devices (so crowd around a laptop with your local comrades for massive coalition calls). Wire group calls do take some small effort to set up, and so they might work best for small groups that have regular calls. We can help you get up and running!

Now, the full story.

The best tech is easy to use, safe, secure, and widely used by friends, comrades, and coworkers. We all know an easy-to-use app when we see it, and getting everyone you know to use it takes engaging in convincing conversations and developing a shared security culture.

Reasonably safe and secure tech gives us confidence that we don’t have to trust unknown humans—and especially companies that we can safely assume don’t share our priorities as activists. Most would sell us out in a heartbeat or snitch under the slightest pressure.

End-to-end encrypted, open-source apps offer the best possible security.

End-to-end encryption means that the only people who can read your messages or listen to your calls are yourself and the people you want to communicate with. You don’t have to trust a company or anyone else with your information because the whole time your data is out of your hands, traversing the airwaves, Internet tubes, corporate servers, routers and switches, it’s encrypted. Anyone eavesdropping couldn’t make any sense of it.

Open source means that you don’t need to trust the developers to make an app that does what it claims to do—the underlying code can be audited for honest mistakes or deliberate backdoors.

For one-on-one voice or video calls, Signal and Wire provide exactly this level of best-possible security. However, the situation for group calls is much murkier. Enter Zoom: a company and an app that claims to provide end-to-end encrypted, high-quality conference calls.

Unfortunately, Zoom’s marketing materials appear to be highly misleading. They’ve failed to convince us that what the Zoom app is doing provides meaningful end-to-end encryption. That is to say, you just have to trust them.

The document describing Zoom’s technical design doesn’t specify any kind of public-key cryptography or other scheme that could enable end-to-end encryption. It states only that Zoom uses “AES-256 bit encryption,” which could mean anything. We have other grave concerns about the elements of their design that we can see directly:

  1. End-to-end encryption can be switched on or off on your Zoom account web page. This just amounts to a request to use end-to-end encryption, sent to your Zoom client via Zoom’s servers. Zoom staff could simply switch this off anytime they wish to.
  2. The cloud recording feature could be used by Zoom staff to obtain recordings of web conferences. These recordings can be accessed using your Zoom account webpage, not involving any client-managed encryption key.
  3. There’s no client-side key management or verification—just a username-password
  4. Zoom support staff (in a chat) confirmed that a back-end engineer could view a video, but that is “this true for any company.” In fact, this is not true, for example, for Wire or Signal.

Zoom has failed to respond to repeated email requests to clarify these points.

In the absence of something truly mind-blowing about Zoom’s security designs, the confidentiality of Zoom conference calls completely depends upon:

  1. Zoom following its privacy policies; and
  2. Zoom not receiving a legal order (including standing national security orders, e.g. the PRISM program) to record your group’s videoconferences.

In other words, Zoom needs to be trusted to always do the right thing by its users. It’s never a good idea to place 100% trust in a company to do the right thing. This makes Zoom’s technology is about as trustworthy as Google’s or Skype’s (Microsoft).

The take-home message?

Zoom.us should be regarded as semi-public, i.e. no more secure than Skype or Google Hangouts.

Despite their marketing claims that they use “end-to-end encryption,” conversations we have had with Zoom support staff indicate that Zoom stores a copy of all users’ private keys on their server. This fails the basic requirement of end-to-end encryption: that private keys should be held *only* by you and your friends/comrades/coworkers.

To make matters worse, Zoom has also had recent critical security issues (webcam remote activation) that the company has appears not to have taken seriously. Although, as far as we can tell, the two vulnerabilities described in this article have been fixed as of a July 14, 2019 update.

The company has responded to these concerns in these blog posts. According to Zoom, as long as you’re updating your apps, you’d be safe from those issues.

However, many in the security community have expressed dismay that, evidently, the company was aware but yet let the bugs go unpatched for 90 days, and then only issued fixes in response to public pressure. This does not indicate that the company prioritizes security. Unfortunately, this lines up perfectly with their extremely poor security guarantees.

“But I need to have video conference calls!”

Jitsi Meet (meet.mayfirst.org), is currently the best replacement for Zoom. Calling in from a regular phone (i.e. not using the desktop or mobile app) isn’t possible, and quality can suffer a bit if one or more people have slow internet connections, but it has worked well for us (in tests of ~20 people) and is getting better and better as the app and underlying tech are further developed. It isn’t end-to-end encrypted, but the privacy of your conference calls are protected by a movement technology organization, May First, which has made strong political commitments never to share the data of their users.

If you can live without video and want the best possible security, Wire does end-to-end encrypted voice-only calls for up to 10 connections.

In case you can’t convince your comrades or coworkers to switch away from Zoom just yet, please at least spread the word that Zoom is not providing Signal-level encryption. If you and your crew are a target, Zoom makes it pretty easy for your calls to end up in the hands of the State.

Please stay tuned for more details on how to set up secure videoconferencing and some best practices!