Zoom isn’t actually end-to-end encrypted

Zoom states on its website and in its security white paper that it supports end-to-end encryption for its meetings. But new research from The Intercept reveals that’s not exactly true.

The Intercept asked a Zoom spokesperson whether video meetings that take place on the platform are end-to-end encrypted, and the spokesperson said that “Currently, it is not possible to enable E2E encryption for Zoom video meetings.”

Zoom does use TLS encryption, the same standard that web browsers use to secure HTTPS websites. In practice, that means that data is encrypted between you and Zoom’s servers, similar to Gmail or Facebook content. But the term end-to-end encryption typically refers to protecting content between the users entirely with no company access at all, similar to Signal or WhatsApp. Zoom does not offer that level of encryption, making the use of “end-to-end” highly misleading.

Zoom, however, denies that it’s misleading users. The company told The Intercept, “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” and that “content is not decrypted as it transfers across the Zoom cloud.”

Zoom’s in-meeting text chat does appear to support E2E; Zoom said it does not have the keys to decrypt those messages.

Zoom also told The Intercept that it only collects user data that it needs to improve its service, including IP addresses, OS details, and device details, and doesn’t allow employees to access the specific content of meetings. It also said that it doesn’t sell user data of any kind. However, it’s possible that the company could be compelled to hand over meeting recordings for legal proceedings.

Zoom did not respond to a request for comment.

Read More