[Cryptography] Zoom misrepresented end2end encryption

Henry Baker hbaker1 at pipeline.com
Wed Apr 8 22:29:09 EDT 2020

FYI --


Zoom Accused of Misrepresenting Security Measures in New Lawsuit

Catie Keck  Today 3:40PM

Following extensive reporting on egregious security failures, video
conferencing company Zoom is now being sued by a shareholder over
allegations of fraud and overstating the security protocols in place
on its service.

In the lawsuit filed Tuesday in the U.S. District Court for the
Northern District of California, plaintiff Michael Drieu--on behalf of
individuals who purchased Zoom securities after the company went
public last year--accuses the company of making "materially false and
misleading statements" about its product and failing to disclose key
information about the service. Namely, the suit cites Zoom as claiming
that its product supported end-to-end encryption, when in fact it
supports a different form of encryption called transport
encryption--as the Intercept reported last month--that still allows
Zoom to access data.

Additionally, the suit alleges that Zoom's security failures put users
"at an increased risk of having their personal information accessed by
unauthorized parties, including Facebook," that these facts would
necessarily result in a decline in users, and that the company's
responses to ongoing reporting on myriad problems on the service were
"misleading at all relevant times." The suit states that the fallout
from these incidents was exacerbated by the covid-19 crisis, during
which time users of the service jumped from just 10 million to 200
million in a matter of months as schools and organizations turned to
Zoom amid social distancing measures and shelter-in-place orders.

The suit cites documentation related to Zoom's IPO as evidence that
the company misrepresented the security protocols in place for
protecting users. Specifically, the suit states, Zoom said it offered
"robust security capabilities, including end-to-end encryption, secure
login, administrative controls and role-based access controls,"
and--in what was clearly an embarrassing claim by the company--that it
strives "to live up to the trust our customers place in us by
delivering a communications solution that 'just works.'"

Zoom did not respond to multiple requests for comment.

The last few weeks have had a devastating impact on Zoom's public
image, as various companies and educational institutions have
stopped using the service amid reporting on security failures as
well as so-called "Zoombombings." These events--wherein hackers access
meetings that include everything from remote grade school classes to
addiction support groups in order to post porn and other lewd or
disturbing imagery--have prompted a warning from the Federal Bureau of
Investigation as well as multiple state investigations into Zoom's
security measures.

Amid ongoing reporting on the company's overt failures, Zoom CEO Eric
Yuan issued a public apology last week addressing the issues.

"We have strived to provide you with uninterrupted service and the
same user-friendly experience that has made Zoom the
video-conferencing platform of choice for enterprises around the
world, while also ensuring platform safety, privacy, and security,"
Yuan said. "However, we recognize that we have fallen short of the
community's--and our own--privacy and security expectations. For that,
I am deeply sorry, and I want to share what we are doing about it."


Oops!  You really don't want to misrepresent yourself in your S-1
IPO document.

I really think that Zoom wants to do better, so I hope that these
lawsuits don't put them out of business.

Some of Zoom's competitors, however, have far worse systems; the
only difference is, these competitors never claimed to have had
privacy or security (cough, cough, Google, cough, cough, Microsoft,
cough, cough, Facebook, cough, cough).
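The article's distinction between transport encryption and end-to-end encryption is the technical core of the complaint, so here is an added illustration of it. This is not code from the post, the article, or Zoom; it does not model Zoom's real protocol. It is a constructed two-client relay in Python with a toy SHA-256 keystream cipher (a stand-in for a real AEAD, with no integrity protection) and made-up names (`Relay`, `transport_only_call`, `end_to_end_call`, `alice`, `bob`). The point it shows: with hop-by-hop transport encryption the relay must decrypt to re-encrypt for the next hop, so it holds the plaintext; with an extra layer under a key the relay never receives, the relay only ever handles ciphertext.

```python
import hashlib
import os

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only: a SHA-256 counter keystream
    XOR'd over the data. Constructed stand-in for a real AEAD such as
    AES-GCM; it provides confidentiality in this model but no integrity."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under key with a fresh random nonce; nonce is prepended."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(): split off the nonce and decrypt."""
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class Relay:
    """Hypothetical meeting server. It holds one transport (hop) key per
    client, the way a TLS session key sits server-side on each connection."""

    def __init__(self) -> None:
        self.hop_keys: dict[str, bytes] = {}
        self.observed: list[bytes] = []  # what the server sees after its hop layer is removed

    def connect(self, client_id: str) -> bytes:
        key = os.urandom(32)  # stands in for a negotiated TLS session key
        self.hop_keys[client_id] = key
        return key

    def forward(self, sender: str, recipient: str, blob: bytes) -> bytes:
        inner = unseal(self.hop_keys[sender], blob)    # strip the sender's hop layer
        self.observed.append(inner)                    # the server holds this in the clear
        return seal(self.hop_keys[recipient], inner)   # re-wrap for the recipient's hop


def transport_only_call(message: bytes) -> tuple[bytes, bytes]:
    """Transport encryption only: returns (what Bob received, what the relay saw)."""
    relay = Relay()
    alice_key = relay.connect("alice")
    bob_key = relay.connect("bob")
    wire = seal(alice_key, message)
    delivered = unseal(bob_key, relay.forward("alice", "bob", wire))
    return delivered, relay.observed[0]


def end_to_end_call(message: bytes) -> tuple[bytes, bytes]:
    """End-to-end layer under the transport layer: returns (what Bob received,
    what the relay saw). The meeting key is shared by participants only."""
    relay = Relay()
    alice_key = relay.connect("alice")
    bob_key = relay.connect("bob")
    meeting_key = os.urandom(32)  # never handed to the relay
    wire = seal(alice_key, seal(meeting_key, message))
    hop_stripped = unseal(bob_key, relay.forward("alice", "bob", wire))
    delivered = unseal(meeting_key, hop_stripped)
    return delivered, relay.observed[0]


if __name__ == "__main__":
    sample = b"constructed sample: one meeting audio frame"
    for name, call in (("transport-only", transport_only_call), ("end-to-end", end_to_end_call)):
        delivered, seen = call(sample)
        print(f"{name}: delivered intact={delivered == sample}, relay read plaintext={seen == sample}")
```

In both runs Bob receives the frame intact; the difference is only in what the relay's `observed` list contains. That list is the thing a provider can log, analyze, or be compelled to hand over, which is why "encrypted in transit" and "end-to-end encrypted" are not interchangeable claims.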
