Zoom's Encryption Keys Are Sent to China

In end-to-end encryption, normally the key is generated and stored on your smartphone or laptop. However, Zoom will manage the keys over the company's servers, a few of which are based in China, according to Citizen Lab.


Zoom says it offers end-to-end encryption on your video conferences to help ward off spying, but don’t believe it. The San Jose-based company is not only holding on to the encryption keys, but also sending them to China in some cases, according to a watchdog group.

Citizen Lab tested the video-conferencing service to see where the encryption keys were being generated. “During multiple test calls in North America, we observed keys for encrypting and decrypting meetings transmitted to servers in Beijing, China,” researchers Bill Marczak and John Scott-Railton wrote in a Friday report.

The keys are likely being sent to China because Zoom has subsidiary offices in the country. The company’s own SEC filing shows the company employs 700 staffers in China for research and development purposes.  


Of course, bad actors can easily spy on your Zoom meetings if you've made the session public or failed to guard their passwords. The lack of security has resulted in a wave of Zoom-bombing incidents, prompting the FBI to warn the public about the phenomenon.

Encryption, on the other hand, can protect your messages from prying eyes as they get hosted in a database or sent over a network. In a true end-to-end encryption system, the key is generated and stored on your smartphone or laptop, which prevents the provider itself (or law enforcement) from decrypting your messages. However, in Zoom’s case, the company manages the keys from its own servers.

“A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server,” the researchers said in the report.

According to Citizen Lab, Zoom likely has company offices in China to help it cut down on labor costs. But it also means those offices fall under the jurisdiction of the Chinese government, which has the power to pressure domestic companies to hand over information.

So far, Zoom hasn’t commented on the report. But on Wednesday, it addressed the controversy over its approach to encryption. While Zoom does hold on to encryption keys, it has no system in place to readily decrypt the video sessions, according to Oded Gal, Zoom's chief product officer.

“Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list,” Gal wrote in a blog post.
