Senator backing anti-crypto bill calls out Zoom's lack of end-to-end crypto

Image credit: Yuri Samoilov / Flickr

Richard Blumenthal, the US senator sponsoring a bill that critics say will limit the use of encryption, is calling for an investigation of video-conference provider Zoom, in part over its false claim it offered… end-to-end encryption.

The Connecticut Democrat is a sponsor of the EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act, a bill that would create incentives for companies to make changes to their platforms. In return, the companies would receive liability protections for any violations of laws related to online child sexual abuse material. Critics of the proposed law, who include the Electronic Frontier Foundation and Sen. Ron Wyden (D-Ore.), say it's a Trojan horse designed to allow the government to weaken end-to-end encryption.

A pattern of privacy infringements

Citing a "pattern of security failures & privacy infringements," Sen. Blumenthal on Tuesday called for the FTC to investigate Zoom. Chief among the cited privacy infringements is the claim on the Zoom website that meetings were end-to-end encrypted, meaning that video, audio, and text were encrypted at all times in transit and could not be decrypted by Zoom or anyone else other than the conference participants. A post published last week by The Intercept reported that Zoom meetings in fact used what's usually called transport encryption, which allows Zoom to decrypt meeting data.

Researchers from Citizen Lab, the University of Toronto group that investigates security and hacking, further reported serious weaknesses in Zoom's encryption regimen. One flaw was that Zoom "rolled its own" encryption scheme, meaning it used custom algorithms rather than standards that had been widely tested over years. Another flaw: the company's use of servers located in China to route meetings for North American participants and distribute encryption keys.
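To make the distinction between the two claims concrete, here is an added Python model (not Zoom's code or protocol; it uses a toy HMAC-SHA256 cipher for illustration only). In the transport-encrypted meeting the provider's server generates and distributes the meeting key, so it can read every message it relays; in the end-to-end meeting the participants derive their key from an assumed out-of-band secret and the same relay sees ciphertext only.

```python
import hashlib
import hmac
import os

# Toy encrypt-then-MAC built from HMAC-SHA256 (illustrative only, not a vetted cipher).
def keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))

class Relay:
    """The provider's meeting server. It records whatever it is able to decrypt."""
    def __init__(self, key=None):
        self.key = key            # None: the server never receives the meeting key
        self.readable = []
    def relay(self, blob):
        if self.key is not None:  # transport encryption: the server holds the key
            self.readable.append(unseal(self.key, blob))
        return blob               # forwarded unchanged either way

def transport_encrypted_meeting(msg):
    # Provider generates the meeting key, hands it to both participants, and keeps a copy.
    key = os.urandom(32)
    server, alice_key, bob_key = Relay(key), key, key
    received = unseal(bob_key, server.relay(seal(alice_key, msg)))
    return received, server.readable

def end_to_end_meeting(msg):
    # Participants derive the key from a secret the server never sees (assumed out-of-band).
    key = hashlib.sha256(b"assumed out-of-band participant secret").digest()
    server = Relay()              # receives ciphertext only
    received = unseal(key, server.relay(seal(key, msg)))
    return received, server.readable
```

Both meetings deliver the message intact; only the first leaves a plaintext copy on the provider's server.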

Blumenthal on Tuesday wrote: "The facts & practices unearthed by researchers in recent weeks are alarming—we should be concerned about what remains hidden. As Zoom becomes embedded in Americans' daily lives, we urgently need a full & transparent investigation of its privacy & security."

— Richard Blumenthal (@SenBlumenthal) April 7, 2020

While Tuesday's tweets don't explicitly refer to Zoom's encryption transgressions, Blumenthal addressed them directly last week when he penned a letter to Zoom CEO Eric Yuan. His tweet accompanying the letter included a link to The Intercept article.

Millions of Americans are now using @zoom_us to attend school, seek medical help, & socialize with their friends. Privacy & cybersecurity risks shouldn't be added to their list of worries. I'm calling for answers from Zoom on how it handles our private data. https://t.co/CEg1P3T3S1

— Richard Blumenthal (@SenBlumenthal) March 31, 2020

"Despite claims in security papers and advertisements that Zoom offers end-to-end encryption for its meetings, technical analysis from The Intercept found that it does not protect the privacy of communications using this form of encryption," Blumenthal wrote in the March 31 letter. "Zoom users deserve clear and correct answers