Matthew Green on Zoom Not Offering End-To-End Encryption To Free Users (twitter.com) 39
Earlier this week video conferencing service Zoom said it will not offer its forthcoming, complete version of end-to-end encryption to its free users so that it can work better with law enforcement to curb abuse on the platform. Matthew Green, who teaches cryptography at Johns Hopkins, looks at the broader implication of this move: Obviously I don't think you should have to pay for E2E encryption. The thing that's really concerning me is that there's a strong push from the US and other governments to block the deployment of new E2E encryption. You can see this in William Barr's "open letter to Facebook." But this is part of an older trend. Law enforcement and intelligence agencies can't get Congress to ban E2E, so they're using all the non-legislative tools they have to try to stop it. And, it turns out, this works. Not against the big entrenched providers who have already deployed E2E. But against the new upstarts who want to use crypto to solve trust problems.
And the Federal government has an enormous amount of power. Power over tools like Section 230. Power to create headaches for people. But even without Congressional assistance, the executive branch has vast power to make procurement and certification decisions. So if you're a firm that wants to deploy E2E to your customers, even if there's a pressing need, you face the specter of going to war with an immensely powerful government that has very strong negative feelings about broad access to encryption. And this is a huge problem. Because some companies have infrastructure all over the world. Some companies carry incredibly valuable and sensitive corporate data (even at their "free" tiers) and there are people who want that data. Encryption is an amazing tool to protect it. The amazing thing about this particular moment is that, thanks to a combination of the pandemic forcing us all online, more people than ever are directly exposed by this. "Communications security" isn't something that only activists and eggheads care about. Now for companies that are exposed to this corrupt dynamic, there's an instinct to try to bargain. Split the baby in half. Deploy E2E encryption, but only maybe a little of it. E2E for some users, like paying customers and businesses, but not for everyone. And there's some logic to this position.
The worst crimes, like distribution of child abuse media, happen in the free accounts. So restricting E2E to paid accounts seems like an elegant compromise, a way to avoid getting stepped on by a dragon. But I personally think this is a mistake. Negotiating with a dragon never ends well. And throwing free-tier users into the dragon's mouth feels even worse. But the real takeaway, and why I hope maybe this issue will matter to you, is that if the Federal government is able to intimidate one company into compromising your security. Then what's going to happen to the next company? And the next? Once the precedent is set that E2E encryption is too "dangerous" to hand to the masses, the genie is out of the bottle. And once corporate America accepts that private communications are too politically risky to deploy, it's going to be hard to put it back. Anyway, this might be an interesting academic debate if we were in normal times. But we're not. Anyone who looks at the state of our government and law enforcement systems -- and feels safe with them reading all our messages -- is living in a very different world than I am.
And the Federal government has an enormous amount of power. Power over tools like Section 230. Power to create headaches for people. But even without Congressional assistance, the executive branch has vast power to make procurement and certification decisions. So if you're a firm that wants to deploy E2E to your customers, even if there's a pressing need, you face the specter of going to war with an immensely powerful government that has very strong negative feelings about broad access to encryption. And this is a huge problem. Because some companies have infrastructure all over the world. Some companies carry incredibly valuable and sensitive corporate data (even at their "free" tiers) and there are people who want that data. Encryption is an amazing tool to protect it. The amazing thing about this particular moment is that, thanks to a combination of the pandemic forcing us all online, more people than ever are directly exposed by this. "Communications security" isn't something that only activists and eggheads care about. Now for companies that are exposed to this corrupt dynamic, there's an instinct to try to bargain. Split the baby in half. Deploy E2E encryption, but only maybe a little of it. E2E for some users, like paying customers and businesses, but not for everyone. And there's some logic to this position.
The worst crimes, like distribution of child abuse media, happen in the free accounts. So restricting E2E to paid accounts seems like an elegant compromise, a way to avoid getting stepped on by a dragon. But I personally think this is a mistake. Negotiating with a dragon never ends well. And throwing free-tier users into the dragon's mouth feels even worse. But the real takeaway, and why I hope maybe this issue will matter to you, is that if the Federal government is able to intimidate one company into compromising your security. Then what's going to happen to the next company? And the next? Once the precedent is set that E2E encryption is too "dangerous" to hand to the masses, the genie is out of the bottle. And once corporate America accepts that private communications are too politically risky to deploy, it's going to be hard to put it back. Anyway, this might be an interesting academic debate if we were in normal times. But we're not. Anyone who looks at the state of our government and law enforcement systems -- and feels safe with them reading all our messages -- is living in a very different world than I am.
Comment removed (Score:3, Insightful)
Re:So privacy..., (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
It's sad that this is the level of nuance that gets modded up on Slashdot. The person it is replying to has been modded troll and redundant despite being entirely correct.
Privacy is a human right, it must be free. Anyone offering a free service must respect it. That's the basis of GDPR, for example.
Re: (Score:2)
Re: (Score:2)
*Anything* is only for people who can afford it. The question is whether Zoom is somehow obligated to provide free users privacy.
I'd say it depends on whether a reasonable person would expect the free version to be private. If Zoom had been up front about the risks of the free version I don't think they'd have an obligation to provide a more secure service. The thing is the reports I've had is that they weren't up front about the lack of security until they were called on it.
Re: (Score:2)
Not "up front" about it?
They explicitly lied about having end-to-end encryption. Full stop.
I blocked it at my organization and, despite attempts from them to contact me to get their product unblocked, I fail to see what they could possibly say to regain trust after that.
Never mind the numerous security flaws and poor security design that came to light in recent months.
Re: (Score:1)
It's a business decision. I believe there are free alternatives that are encrypted. I am curious to see if the government can shut them down
You're using Zoom, what privacy??? (Score:3)
Honestly, I'd say it depends a lot on how the paid accounts for E2E access works. You can get a lot of privacy by being a small fish in a vast ocean, especially if you take advantage of some languages being incredibly friendly to obfuscation.
But if you want E2E for free, there's options out there. Zoom's not where I'd go to discuss things of incredibly dubious legality no matter what it offers in the way of E2E, not when I could go elsewhere easily enough and get a free throwaway account on some obscure s
Re: (Score:2)
So privacy is only for those that can afford it. Hmm...
You're not wrong, but the other way to look at it is Zoom is providing a free service. 20 years ago, only the richest of the rich could afford something like live video conferences. Let's be grateful for that before we grouse about how they could offer even more.
To put it another way, they could guarantee poor people's privacy by not offering free accounts at all. You can't be monitored if your'e not using the service.
Re: (Score:2)
Someone modded this as troll. Have we got Zoom shills with mod points?
Re: (Score:2)
Might just be an useful idiot.
Re: (Score:2)
So the police should pay to use Zoom then, with its end to end encryption, instead of Slack for coordination? Or should we make it free for all when they're defunded?
I'm pretty sure people are not talking about defunding the police 100%, just all the money they spend on the military-grade hardware they're purchasing and using to oppress -- I mean "protect" -- people and/or other things that they may want to have/do but are ultimately either unnecessary to do the work of policing or unhelpful for the populace. Localities obviously need police, what they don't need are personal armies. People equating "defunding" and "abolishing" are either incorrect, uninformed, or de
free (Score:1)
Obligatory... (Score:1)
If encrypting exposes them to extra legal costs... (Score:3)
If deploying end-to-end encryption exposes them to extra costs defending their and their customers' rights to communicate that way, I can understand why they'd chose to only make it available to those who give them revenue to cover the costs.
I don't have to like it. Or agree that it's a good idea business-wise. But I can understand how the business school types might make that call.
Re: (Score:1)
He has a point... (Score:2)
I have to agree with him that trying to go up against the Federal Government would be almost impossible. It may very well be a choice for him to keep Zoom running, or to do an all out fight on this legislative mess our government has created.
Would it be possible to encrypt the video and audio, end-to-end, before it goes over the zoom network? We have snap-filters, so why not encrypted filters?
--
You haven't been bit till a dragon does it. - Tamora Pierce
Re: (Score:2)
Would it be possible to encrypt the video and audio, end-to-end, before it goes over the zoom network? We have snap-filters, so why not encrypted filters?
--
You haven't been bit till a dragon does it. - Tamora Pierce
Possible? Likely. Easy? Likely not. There are issues with implementing the encryption, but the killer for general use is probably that you need a separate key management.
What's up with that? Who needs Zoom? (Score:2)
Aren't there open source solutions that the government can't order around? And if there are, why aren't more people using them, and stop worrying about the damn cops snooping in?
Re:What's up with that? Who needs Zoom? (Score:4, Informative)
Yes. I use Jitsi. You can use the hosted service [meet.jit.si] for free, or run your own instance (which is what I do.) More details on their security page [jitsi.org].
Alternatives (Score:1)
Zoom owes you nothing (Score:1)
The baker doesn't owe you a cake.
Twitter doesn't owe you a free speech zone.
Facebook doesn't owe you a filtered speech zone.
No one, especially someone giving you something for free, owes you anything.
Zoom doesn't provide free e2e encryption? Oh boo boo, use something else. If your privacy is so important yet you can't afford to pay for a commercial service, the know-how for one time pads and a burner phone are cheap. "B71E90GI4" into your burner phone all day long.
Matt's mising the point. (Score:4, Insightful)
The worst crimes, like distribution of child abuse media, happen in the free accounts. So restricting E2E to paid accounts seems like an elegant compromise, a way to avoid getting stepped on by a dragon.
Zoom wants make money off child abusers too by pushing them to use the paid version.
Starts with wrong assumption. (Score:2)
Congress can't ban it. Encrypted speech is free speech.
Re: (Score:2)
Congress can't ban it. Encrypted speech is free speech.
Doesn't stop them from trying. They remind me of 3 year olds: you haven't seen persistent until you've seen a tricycle motor try to bust into a cookie jar.
Re: (Score:2)
Then E2E is banned under the Law
Only then, can You stop the ban by suing in Federal Court to get the law declared "unconstitutional".
You may be successful; you may not but it's worth a try.
See ObamaCare's judicial history for an illustration of how the system works.
Re: (Score:2)
Really? (Score:2)
The amazing thing about this particular moment is that, thanks to a combination of the pandemic forcing us all online, more people than ever are directly exposed by this. "Communications security" isn't something that only activists and eggheads care about.
Granted, in addition to 'activists and eggheads', some companies care about it. Other than those, who cares? The implication is that in this pandemic, (and perhaps the current civil unrest), are the makings here of a grass roots movement of some kind to protect the right and the freedom to encrypt one's online communications. I would be ecstatic if that's the case, but I'm just not seeing it. Even among those for whom it's a hot-button issue right now, I think most will totally forget about it if / when thi
So use something else (Score:2)
I like Jitsi [jitsi.org]. It's open-source, and you can run your own instance if you'd rather do that than use their cloud service. It works pretty well, although not quite as well as Zoom when you have a large number of participants in the conference. For a handful of participants, though, it's great.
Bad guys will just pay (Score:2)
Any bad guys (drug dealers, pedophiles, terrorists etc) who are using Zoom to communicate will just pay up for the paid version so they can hide their stuff from the cops.
Doesn't really matter (Score:2)
The latest version of Zoom for linux has switched to Pulse Audio. So your dingus is out there on the 'Net for everyone to tug on (or listen to). Even when you are not running Zoom.