
Zoom says it won’t encrypt free calls so it can work more with law enforcement - sneak
https://twitter.com/nicoagrant/status/1268020841054269440
======
vjeux
This series of tweets from Alex Stamos has more specific information and
tradeoffs being considered:
[https://twitter.com/alexstamos/status/1268061790954385408?s=...](https://twitter.com/alexstamos/status/1268061790954385408?s=21)

~~~
rpastuszak
I feel like "we need to protect the children" is the new reductio ad hitlerum.
This is such an easy way to shut down a conversation.

 _Do you want to:

a) accept lack of E2EE

or

b) do you hate children? Pick one._

Hurry up, your precious internet points™ are at stake here.

~~~
endgame
[https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalyp...](https://en.wikipedia.org/wiki/Four_Horsemen_of_the_Infocalypse)

~~~
csharptwdec19
I thought it was the Four Chans of the Infopocalypse? _shrug_

------
jrochkind1
You think it's just cover for it being a hard technical problem for zoom?

But... what the fuck?

Also... I have a paid account. How can I tell if my connection is encrypted or
not? Is it only if all other parties have paid accounts? Is there an
indicator?

Under an "encrypt some calls" approach, if even paid users can't tell easily
and reliably if they have an encrypted connection... basically nobody can
count on it.

~~~
zys5945
I don't think zoom provides e2e encryption. iirc zoom decrypts all messages at
their server before encrypting it again and forwarding it to the destination.

~~~
jrochkind1
Huh, right.. so this makes it all even more confusing.

Are they saying that WHEN they implement true e2e encryption, it will only be
for paid accounts?

Or are they saying the encryption they've already got, which they are
inaccurately calling "e2e" when it is not, was formerly enabled for free
accounts, but no longer will be?

Or something else?

(Who would have thunk that lying and calling something "e2e" that wasn't would
end up confusing!)

I also still don't understand if you get the encryption (whichever one they
are disabling for free accounts) if the 'host' is a paid account but some/all
of guests are not...

------
esotericn
A thought:

Sometimes the distinction between physical and digital security is brought up
in these discussions, the idea that physical security is imperfect (you can
always break a lock) but that digital security may truly be impenetrable. This
is a false dichotomy.

If people have a conversation in a pub or on a park bench, then law
enforcement can surveil them individually or bug the venues in a targeted
manner.

But the same methods can also be applied to digital communication. This is
opsec 101 right - if one happens to be a high value target, one would totally
expect their house/apartment to be surveilled - no amount of digital privacy
can make up for a pinhole camera installed on the wall behind one's monitor,
LE doesn't even need the keys, they see the content directly.

I think the argument that digital security is 'too perfect' falls apart if you
take into account the reality that physical security is a component of that.
"If you control the physical hardware" and all that.

TL;DR Digital security is just a subset of physical security. You can always
just drill through the side of the safe.

~~~
everdrive
I think it's pretty clear that unencrypted communication with law enforcement
access allows for the discovery of individuals you'd never find via
traditional means. Over the years, I've seen this argument brought up a number
of times, but oddly seldom explicitly stated:

It seems like law enforcement wants to be able to use digital communication to
discover criminals, and

privacy experts want law enforcement to rely on HUMINT, a traditional warrant,
and physical access.

I believe the second method is far more just, but I seldom see anyone
acknowledge that it's almost certainly less effective.

~~~
vorpalhex
Youtube generates several minutes of video per wall clock second. Now many of
those videos are innocuous, but one must assume that occasionally someone
uploads a video of a street fight or something more grotesque that is of
interest to law enforcement or intelligence apparatuses.

That's public. You can analyze all of those. The NSA is free to pull them just
as much as you and I.

And they don't as far as we can tell. Is it the cost of analyzing that much
content? Is it that the NSA doesn't care? Is there something difficult about
stripping audio off a video for keyword spotting?

Well I have a theory, and the theory is based off what little comes out of
that side of the community. The theory is that the NSA can't meaningfully
process the data it ingests. There's too much, it's too hard to query and they
hit the same roadblocks of telling the difference between an actual crime and
a videogame or fiction story.

So then we must ask, why do they want more? They have more data than they can
analyze, why even bother ingesting more? It's not because it helps their
mission, it's not because there's some value to it.

Well, why do we see, regular businesses fall into this trap? A billion points
of analytics data that they can't make sense of. When I see it, it's because
it's easier to blame a lack of data than to explain the difficulty of the
problem. You can always say "Well I just don't have enough data" but it's much
harder to explain that a bunch of crappy error-filled data isn't good for
anything except wild goose chases. Adding more bad data doesn't improve the
quality of your data, it just adds more of it.

~~~
ballenf
I think it would feel pretty good to have a database of potentially
incriminating evidence against a wide swath of the population that could be
used if a person became a high-profile target. For example, if you're in one
of those videos and then run for public office 10 years later you better hope
the intelligence agencies like your positions and don't want to tank your
chances.

So, no, they can't process all of it. But they can more easily trawl it for
specific data they need. Especially 10 years from now.

~~~
everdrive
It's a fine supposition, but these suppositions often get passed around as if
they're true and self evident. The reality is you don't have distinct
information about what the government is collecting. Instead, what you have is
information about what's probably possible.

From that standpoint it makes sense to err on the side of caution, and assume
it's all being collected. But, while this is an effective risk calculus, it's
different from having access to the ground truth.

------
upofadown
This all seems rather moot:

1\. There is no way to verify that you are actually connected to a particular
person. i.e. Zoom has no identity management.

2\. The client is closed source and can't be verified.

3\. Zoom can trivially impersonate any participant as they control the
servers. They can MITM at will and they won't get caught at it.

This discussion is like talking about the security of the bank vault door when
you are planning to make the vault out of drywall.

~~~
sitkack
Not being E2EE, it doesn't matter what Zoom logs or does or doesn't know,
packet captures can definitely record this information. This is basically
extortion from Zoom, pay us or information will be in the clear that you
probably don't want to be.

~~~
upofadown
They encrypt "end point to end point" now. It's just that they have easy
access to the keys. I was suggesting that what is being proposed for the
paying customers might not have any real value over what they are doing now.

------
heimatau
The craziest thing with this is that this is even a discussion.

US citizens should have a 'right to privacy'. But that's been stripped away
due to post-9/11 reforms, among others.

~~~
extra__tofu
Whether or not you have a 'right to privacy' does not mean Zoom has to provide
it. You can choose a provider who allows you to exercise that right.

~~~
gitaarik
Yes, but the quote says:

“Free users for sure we don’t want to give that because we also want to work
together with FBI, with local law enforcement in case some people use Zoom for
a bad purpose,”

So they want to keep the data unencrypted so they can give it to the feds.
That doesn't sound like privacy to me.

edit: So I mean, something like that should not be allowed by law. Though it's
rather the FBI that is breaking the law here, but Zoom explicitly says they
want to work together with them. So that means they approve that injustice,
making them also unjust. If they would encrypt their data to protect their
user's privacy, they would not be unjust on this aspect.

~~~
jdm2212
It's not obvious to me why Zoom should have any less right than, say, a hotel
to block people using its service for criminal activity.

A hotel that suspects you're taping child porn in one of its rooms is well
within its rights to call the police. If Zoom has reason to believe you're
distributing child porn in a Zoom room, why shouldn't it be allowed to take
action, too?

~~~
sillysaurusx
But you're arguing for the ability for hotels to install peephole cameras in
every room to make sure you're not up to no good.

The point of encryption is that no one knows what you're doing, because they
can't see it. Just like no one can see what you're doing in a hotel, most of
the time.

~~~
jdm2212
No one can see what you're doing inside your hotel room, but they know when
you enter and exit, who you're with, and they can hear you if you make noise.
They can track what you watch on TV, and when you're on the Internet.
Housekeeping goes in every day and sees all your stuff, and rearranges some of
it.

So they can't literally see you every moment, but they have a lot of
visibility into what you're up to.

------
AndyMcConachie
Now might be a good time to mention that if you join the Free Software
Foundation as an associate member you gain an account on their Jitsi server.

[https://www.fsf.org/blogs/community/fsf-gives-freedom-
respec...](https://www.fsf.org/blogs/community/fsf-gives-freedom-respecting-
videoconferencing-to-all-associate-members)

~~~
jrochkind1
How well do you find jitsi works? For multi-party video? Large number of
parties like zoom?

~~~
1over137
Dunno what you consider large, but it works well for me with 20 participants.

------
wereHamster
> […] There will not be a backdoor to allow this.

[https://twitter.com/alexstamos/status/1268061796339814400](https://twitter.com/alexstamos/status/1268061796339814400)

Eh, am I supposed to trust you just like that? If history taught is anything,
it's that there will be.

------
dijksterhuis
Current encryption imementations (AES GCM) will not be downgraded. Meetings
will still be encrypted and meeting content is still not going to be used for
tracking users.

E2E will be an opt in choice for paying users who are willing to sacrifice
some features for the benefits from additional security.

See this thread for more details:
[https://twitter.com/alexstamos/status/1268061790954385408](https://twitter.com/alexstamos/status/1268061790954385408)

Edit to credit vjeux for the thread link

~~~
bobbydroptables
Do I have any way to verify this as a user?

~~~
dijksterhuis
Sure. Study a PhD in cryptanalysis and reverse engineering.

If you want to look at something now, the white paper for the E2E protocol
design is public and open right now:
[https://github.com/zoom/zoom-e2e-whitepaper](https://github.com/zoom/zoom-e2e-whitepaper)

On a more serious note, until there is a protocol and implementation available
then we can't say anything for sure. Us Security folks aren't magicians.

~~~
manquer
That was uncalled for . Yes it is hard or impossible to do in zoom .

If these tools use open standards and well documented protocols this will not
be a problem.

I can verify without a phd in cryptoanalyis and reverse engineering my browser
is running a secure connection to a website and certificate is signed by the
source(for sites enabled with FS and HSTS ).

~~~
dijksterhuis
Don't get me started on browser certificates. That's a whole week of my life
I'll never get back.

The short versiom of it is, your browser trusts CAs to say whether a
certificate is valid. But CAs often trust other CAs who may not actually be
that trustworthy. Those CAs then trust other CAs who definitely are not as
trustworthy... Etc.

So that certificate/padlock picture in your browser may not be as trustworthy
as you think. It's an active problem.

~~~
SXX
Mandatory Ceryificate Transparency is solve problem of trust to CAs quite well
though.

------
eddieoz
That's what you get when you are a MITM-by-design solution.

In short: Zoom E2EE eventually will encrypt corporate conferences, but will
not solve the privacy problems they have, because their structure stills the
same.

Seems it will be a feature just to make customers have the feeling they are
safe (and pay more, indeed).

But, as usual, they are not.

Poor Keybase.

~~~
sneak
Keybase got acquihired, which is a much better outcome for both founders and
investors than that which befalls most startups that never invent a viable
revenue model.

Don’t shed any tears for anyone making hundreds of thousands of dollars per
year while a third of the US has approximately zero income.

~~~
jmiserez
I'm certainly sad to see a company that took security seriously and "did it
right" being bought by a company that arguably did not and got large mostly by
trading security for convenience, even going as far as saying they were E2EE
when they were actually not [1].

How do you compete with that?

Most users don't care about security/privacy and maybe that's fine but it was
nice to see a company that seemed to genuinely care about these things.

[1] going by the commonly used definition

~~~
sneak
Not touching for a moment whether or not Keybase “did it right”, but, very
simply: without a good revenue model, their only other option was to
eventually go out of business. They were default-dead, near as I can tell from
outside looking in.

You can do all the open source e2e crypto trendiness you like, but unless
you’re a nonprofit like Signal that can generate a stream of donations, if you
don’t eventually get people to pay you for the service, you’re not going to be
able to stick around.

This was the best possible outcome for them, given the circumstances.

------
lalaland1125
Ah, so if I understand the Zoom CEO correctly, "protecting" pedophiles is fine
as long as they pay Zoom. It's only an issue when they try to use Zoom for
free.

~~~
jdm2212
The issue is that the free tier makes creating and disposing of burner
accounts easy. If you pay, they have credit card info, etc. That makes it easy
for law enforcement to link the Zoom account to a real person if it turns out
that a particular account is a pedophile.

------
sitkack
May I recommend [https://jitsi.org/](https://jitsi.org/) for meetings of 5 or
fewer people. Easy to deploy on any cloud provider.

~~~
baggachipz
Does it bog down with more than 5? For it to be a serious alternative, it
needs to support meetings with dozens of participants (even if it requires
beefy hardware).

~~~
deviantfero
It fares pretty good in my opinion, I was taking Japanese classes before this
COVID situation and they implemented remote classes using a self-hosted jitsi
instace, we're 15 people in the jitsi room, we have the class for 5 hours and
it's pretty stable, I imagine there are more rooms working simultaneously too,
since we were not the only class taking place before this.

------
simzor
As Zoom now owns Keybase, I am really worried about the future of Keybase,
especially after statements like these.

This also makes none or very little sense - if this is actually just to
cooperate with law enforcement, why would encrypting corporate (or paying)
calls be any better, the bad people that are referred to in the statement
could just get a paid plan?

~~~
fareesh
Is keybase fully open source? Or is the server closed source?

~~~
eddieoz
The server stills closed but seems there're people saying the server-side is
not needed(!) to trust the platform.

[https://www.reddit.com/r/Keybase/comments/77c241/keybase_why...](https://www.reddit.com/r/Keybase/comments/77c241/keybase_why_are_you_hiding_your_server_source/)

~~~
sukilot
Why (!)?

Of course servers are untrusted. If you think you need to see the server
source then any trust you have is mistaken.

Same as with HTTPS. If you think you need to trust the MITM, you've already
lost

~~~
eddieoz
I think you don't need to trust the server just if you can audit the frontend
and assure it does not share any sensitive information with the server-side.
If they apply the concept of data minimisation, decentralisation and
distribution properly, there are fewer risks involved.

But, if the server manages sensitive information, yes. It is preferable to
audit the server code to understand how they handle the lifecycle of the
information.

"If you think you need to see the server source then any trust you have is
mistaken."

Sorry but I don't agree. I trust in systems I can verify. Trust without
verifying is not trust, it is faith.

~~~
jrochkind1
OK, but that doesn't help you when they shut down the server, which I think is
what this thread was about? That zoom purchased it as an aquihire to have
staff work on zoom, and isn't committed to the platform.

~~~
eddieoz
Agreed, but a server turned off has lower risks to leak information. And I
think also they bought the expertise of the team to improve zoom, more than
getting the solution per se. It will take some months to have this question
answered (about what will really happen to keybase)

~~~
jrochkind1
Clearly, a product which has been discontinued has less of a chance of
violating your privacy, that's true.... I think there are a couple different
non-intersecting conversations going on here...

~~~
eddieoz
But was it discontinued?

I was looking into their terms
([https://keybase.io/docs/terms](https://keybase.io/docs/terms)) and they
should notify before it. And seems my account is up over there.

------
saint_abroad
Interesting Zoom timing co-incident with the announcement that the DEA has
been authorized to surveil protestors.
[https://news.ycombinator.com/item?id=23397868](https://news.ycombinator.com/item?id=23397868)

Next up: Zoom meeting attendees raided for unlawful assembly.
[https://www.persecution.org/2020/05/24/wuhan-preacher-
taken-...](https://www.persecution.org/2020/05/24/wuhan-preacher-taken-away-
online-evangelism-event/)

Catch up: Identifying influencers from sampled social networks.
[https://ui.adsabs.harvard.edu/abs/2018PhyA..507..294T/abstra...](https://ui.adsabs.harvard.edu/abs/2018PhyA..507..294T/abstract)

------
sneak
Note that warrantless and illegal bulk military intelligence gathering and
“law enforcement” in the US are now practically indistinguishable: several US
federal law enforcement agencies, including the DEA and FBI, receive
intelligence products from the military’s domestic spying apparatus, which
they then use to conduct what’s known as “parallel construction”: illegal
evidence that they then use in court, unrelated to the spying (because that’s
illegal, as well as the evidence that they found later as a result of the
illegal spying).

Additionally, federal “law enforcement” (and concentration camp-operating)
organizations like the CBP are engaging in domestic mass spying using aircraft
to collect mobile phone identity data from millions, even for peaceful
protests and the like. There isn’t really a line between “state surveillance”
and “law enforcement” anymore in the US.

The title of this item as I submitted it to HN prior to its edit by mods ended
in “to aid in state surveillance”, which I think is a more plain, accurate,
and unbiased description of the practice, as I think that pretending that this
illegal military spying practice (PRISM et al) has anything to do with
legitimate “law enforcement” is basically state propaganda at this point.

I stand by my previous snarky, HN-rulebreaking flame of Zoom’s announcement of
end to end encryption support from a month ago:

> _I 'm sure the result of this will be lots of good and secure trustworthy
> software that I'll be eager to install on my computer._

[https://news.ycombinator.com/item?id=23103578](https://news.ycombinator.com/item?id=23103578)

------
nikolay
Latest upgrade of their macOS app bricked me and I have to use Zoom in the
browser. We have a paid account and started to record our meetings and post on
YouTube, although I've increased the quality setting, it's still 360p! In
general, it's the most complex and confusing app, it's expensive, and the
quality of the software is the worst. Unfortunately, Google Hangouts Meet
isn't better and it has much higher internet connection requirements so our
nonprofit was forced to use Zoom. Unfortunately, Jitsi Meet is even worse.
It's kinda ridiculous that Zoom has no popular alternative in 2020.

~~~
wj
WebEx and Skype are the popular alternatives. And if you want to talk about
poor software quality I think Zoom was created because WebEx is such poor
software from a user's perspective.

~~~
anthony_barker
I would add google meetings... I think it has the nicest interface and works
better than the others cross platform.

Its a pity there is no cross platform communication standard - it looks like
it will evolve like messaging with dozens of companies.

~~~
nikolay
We have kids with Chromebooks and older laptops and on meeting with 10+ kids,
Hangouts Meet becomes intolerable. Not to mention the lack of control - kids
mute the teacher, can speak at any time, there's no raising hands, etc. We
have to install a bunch of extensions so that we can have a basic
functionality in place like the Nod Chrome extension.

------
phab
I have cancelled my (paid) Zoom subscription. I will not finance companies
that feel that protection from oppression is only for those that can pay.

~~~
ghostpepper
Same, but strangely when it asks your reason for cancelling, there was no
radio button for "I find your system of morals incompatible with my own".

Unrelated to this, I read yesterday that Jitsi Meet now supports E2E
encryption so I look forward to trying that out.

------
skbly7
Similar thread:
[https://news.ycombinator.com/item?id=23400285](https://news.ycombinator.com/item?id=23400285)

~~~
dang
Good grief this one is complicated.

That Bloomberg article is boring except for the sentence at the end. The
submitter made the title be about the last sentence, but we changed it back to
the original, which didn't satisfy anybody because the only interesting thing
about the article is the last sentence.

The current post seems at first glance to be a garden-variety tweet picking up
on that sentence, but someone pointed out to me that it's actually by the
_author_ of the Bloomberg article, suggesting that he might be at odds with
the Bloomberg editors about what aspects of the story are significant.
Suddenly that's interesting.

Given that Alex has been tweeting in response to this in detail
([https://twitter.com/alexstamos/status/1268061790954385408](https://twitter.com/alexstamos/status/1268061790954385408)),
it seems like there's enough information here to support a substantive thread.

Given that sneak's post was the first on this and that it links to the
statement by the reporter about the only thing that anyone here cares about,
it seems clear that this is the post we should leave up. So I merged the
comments from the other thread hither.

~~~
dijksterhuis
Thank you for your work!

------
esotericn
The optics on this are truly awful. They want to "work more with law
enforcement" \- at this time?

Now?

As the police are moving in to cities across the US military-style?

~~~
robertlagrant
Commenting on the PR-friendliness of something is generally the least valuable
of contributions.

~~~
rpastuszak
I understand your point, but need to disagree: PR-friendliness can have real-
world implications, such as a stronger negative response of Zoom users.

Another important thing to consider: Zoom is probably aware of the risks
involved in this decision and, despite the PR risks, decided to go ahead. Why?
Most of us here can come up with a couple of reasons.

~~~
elric
That, and most zoom users don't care. We use zoom at work, in spite of my
repeated warnings to the contrary and my efforts (and demonstrations) of
Jitsi. But they like zoom. It's convenient. It's sort of cross platform, and
when it isn't, you can just dial in using a phone.

Plot twist? The company I work for is a software company. We're all software
engineers. And yet I'm unable to make them have a negative response to zoom. I
can't imagine the greater public giving an iota.

------
drummer
One more reason not to use this garbage. I keep recommending Signal to
everyone I know.

~~~
kadal
I hope we get group video calls and video calls on desktop soon

~~~
pthatcherg
I work at Signal on calling.

Non-group desktop calls are coming soon (hopefully hitting beta in a few
weeks).

We're working on desktop group calls as well. That will take a bit longer,
though. I don't have a good estimate of when it will be available

~~~
drummer
Excellent news. It would also be helpful if we could also get (missed) call
notifications on desktop. Right now if someone calls and I don't have my phone
with me, I don't see their (missed) attempt on the desktop.

------
panpanna
I guess this is the SF version of "pay us or else..."

------
m-p-3
So a group of corporate employees could conspire over Zoom in full confidence?

Gotta protect that source of revenue I suppose.

------
GhostVII
Can they encrypt the calls at all if they allow people to call in? They would
be the ones receiving the phone call, so they would need to be able to decrypt
the zoom call in order to send it over the phone. I guess they could encrypt
calls only if you disable dialing in or something.

~~~
dijksterhuis
Seems like E2E will be unavailable for meetings where there is a dial in
participant. There's several other features which would need to be disabled as
well to opt into E2E.

[https://twitter.com/alexstamos/status/1268061790954385408](https://twitter.com/alexstamos/status/1268061790954385408)

------
ashtonkem
Aside from the PR fiasco, this is bad for their paying users.

I can’t verify that Zoom actually encrypts my calls, I have to trust that
they’re telling the truth. When I find out that they’re willing to turn off
encryption for some calls _to make spying on their users easier_ , the idea of
holding business meetings on their platform becomes unpalatable.

~~~
robertlagrant
They're not turning off encryption; they're allowing law enforcement
decryption. Whether or not you think that's okay, it's not the same thing.

~~~
lstodd
It's the same thing. If it can be turned off, it will be accidentally turned
off, accidentally not turned on, or a myriad other things in this general
direction.

I witnessed a cellular carrier discovering that they had all encryption
disabled for several months. A honest mistake, but one that should have been
impossible by design.

------
runawaybottle
Secure by default is no longer a staple of communication apps?

I thought we established that standard. Oh well, ride your wave Zoom, don’t
get mad when the inevitable funded competitors start showing up with security
as a default.

~~~
bigiain
I spend less running a Jitsi Meet cloud server than a single Zoom host
account... 2 party e2e is still only experimental in Jitsi, but its coming.

~~~
simonswords82
You are missing the point. Zoom is popular because it's easy to use and "just
works". Enterprise orgs don't care about cost.

~~~
bigiain
I test drove Jitsi with a few different groups (including a not particularly
technical frined group) with no more instruction than "Here's a link to a
video meeting. If you're on mobile it'll prompt you to download the app. The
password is 'foobah'", and it "just works" too.

> Enterprise orgs don't care about cost.

In my experience,thay also don't care too much about ease-of-use either.
Purchasing deparments and managers are looking to someone who'll convince them
that they won't personally take the blame when something goes wrong, which is
why expensive proprietary services win over open source so often... "Sure
everything's gone TITSUP[1], but it's Microsoft/SalesForce/Zoom fault. I've
logged a ticket." is a magical career and face saving phrase...

1 "Total Inability To Supply Useful Product" \- hat tip to El Reg...

~~~
theandrewbailey
> Here's a link to a video meeting. If you're on mobile it'll prompt you to
> download the app.

You can disable forcing mobile users into an app, too.

------
daffy
Is there any reason to believe that, if you pay, Zoom can't listen to your
conversations anyway?

~~~
fsflover
Same reason as with Windows probably...

------
blackrock
Sometimes, this company can’t seem to help but shoot itself in the foot.

The best thing, is to encrypt everything, in order to make all the traffic
look noisy and randomized.

Then, for the paying customers, they can use a stronger encryption, that’s
tougher to crack.

Ideally, this way, all the traffic being sniffed, will look randomized. But,
with the paying customers, having a tougher encryption.

------
chooseaname
So, they'll let the Epsteins of the world pay and get E2EE, but those "Thug"
protestors who want to organize and maybe can't justify the cost need to be
surveilled.

Set against the events of the past week, I strongly feel this message is quite
tone deaf and we're continuing to see two classes. Those exempt from police
authority and those who cannot afford to be.

Edit: Authority isn't the right word. Oppression?

~~~
orestarod
Of course, if you can't justify the cost to a company, you will be stripped of
its services. Is that not expected of private corporations?

~~~
wonderwonder
Its not stripping them of service though is it? Its providing them with the
zoom service, but its specifically removing encryption to expose the
conversations of non paying people to the police. This is not about them
saving money its about them intentionally choosing to hand up non paying
customer chats to law enforcement.

Also from a customer satisfaction / PR perspective I am hard pressed to think
of a worse time for a company to announce this.

~~~
orestarod
I am not applauding this. I just point out how corporations work now.

------
NonEUCitizen
It's okay to use Zoom for a bad purpose as long as you pay?

~~~
koolba
There is some logic to that. Paying requires you provide something traceable
to a physical identity.

I still think it’s a dumb move. Imagine if “HTTPS for pay users only” was a
thing.

~~~
quickthrower2
Or https for everyone, root cert validation for paid users only

------
sunaurus
I guess the hopes of the Keybase acquisition leading to better privacy in Zoom
are dead.

~~~
malka
It just lead to keybase's death.

~~~
corobo
Keybase died when they added bitcoins or whatever it was. Zoom kicked the
corpse.

------
paulcarroty
A lot of general people don't care about zoom 'dark' deals and still use it
just because habit/comfort/etc. Hope many general news&blogging platform will
spread the word about.

------
RcouF1uZ4gsC
I think civil unrest will set back privacy efforts. Basically, when people are
scared, they want the government to protect them and theirs, and privacy
concerns are pushed to the back burner.

~~~
bigiain
> Basically, when people are scared, they want the government to protect them

That works only until the people you're scared of are those the government
sends "to serve and protect"...

------
jariel
“Free users for sure we don’t want to give that because we also want to work
together with FBI, with local law enforcement in case some people use Zoom for
a bad purpose.”

He could be a 'PR Genius' by gently coaxing people into being paying
customers, but I don't think that's it, rather, this is just mind-blowing,
gigantic PR lack of self-awareness verging on disaster. To just say it as he
articulated it, publicly ... my gosh man.

From a communications perspective this is like comedy.

------
neycoda
Why's there still no open-source peer-to-peer standards-based encrypted chat
and video meeting software? I mean, that works well and isn't shady.

~~~
crazygringo
You simply can't do P2P video meetings in a performant way because
videoconferencing a) still requires STUN and TURN servers due to NAT,
firewalls, mobile, etc. and b) requires a server for bandwidth reasons once
you get beyond 2-5 participants, since otherwise bandwidth is N^2 for N
participants.

It's that simple.

Now, if someday NAT's and firewalls die so every device can receive
connections from anywhere, and packet multicast across the internet becomes a
thing, then this could probably change. But I don't think anybody sees either
of those happening anytime in the next decade (or ever), for both technical
and security reasons.

------
drusepth
Thoughts, in order:

1) Good, I guess I'll be using and promoting Zoom as much as I can

2) Well, I guess it doesn't really matter, since bad actors will have other
encrypted software they can use

3) Well, I guess I'll still use and recommmend my friends use it just to avoid
false-positive risks of flags from law enforcement

Yes, I know this is effectively an "if you have nothing to hide" mindset. I'm
okay with that.

------
homakov
I wonder can we do overlay encryption like this: some software encrypts audio
and video stream from your camera, then apps like zoom transfer encrypted
stream with some noise, and end user software tries to decrypt those streams.
This way you can use any middleware app as long as both users have encryption
software overlay. Just a crazy idea

------
abellerose
FBI are slightly above police concerning abuse of authority. Once I reported a
serious crime police in my area weren’t willing to investigate and I filed it
with the fbi but never was contacted again and when I was told they would.
Seeing how cops behave with the protests makes me skeptical if any law
enforcement in USA is legitimate unless you’re loaded with money or social
influence.

------
sudoaza
Source [https://www.msn.com/en-gb/news/world/zoom-wont-encrypt-
conve...](https://www.msn.com/en-gb/news/world/zoom-wont-encrypt-
conversations-for-free-users-so-law-enforcement-can-intercept-calls/ar-
BB14XJPR)

------
fallingfrog
The cops are definitely not learning from this not to abuse black people. They
are instead learning how to cut off lines of movement and communication, how
to kettle and gas people, and they are learning that in a crisis, nobody will
stop them from doing it.

------
ysavir
"Pay us or we share your information with law enforcement".

Does this legally qualify as extortion?

~~~
sukilot
No. Blackmail maybe.

------
awirth
Well, respect for coming out and saying it directly.

------
diebeforei485
I think this is the right call. Putting up a financial barrier so you have
fewer trolls numerically is the right solution (also- the credit card used can
help track down the identity of zoom bombers).

------
mojoraja
What are some reliable open source alternatives for non-commercial use?

~~~
paulryanrogers
Jitsi Meet

------
igama
Reply by Alex Stamos:

[https://twitter.com/alexstamos/status/1268062452123496450](https://twitter.com/alexstamos/status/1268062452123496450)

------
aloukissas
This statement from Zoom makes me believe that even for encrypted calls they
may give authorities a back door (i.e. something that Apple and others have
been very vocal about not doing).

Do enough people care about privacy to warrant a "Signal for video
conferencing" Zoom competitor?

~~~
pthatcherg
I work at Signal on video calls, and we're working on adding video
conferencing so that Signal can be the "Signal of video conferencing".

~~~
ngngngng
Best news I've seen all week. Keep it up! And please keep us posted.

------
bigiain
So it's official then, huh? It's worth $20/month to keep the FBI out of your
shit?

Do they _really_ think terrorists, counterintellegence agents, or criminal
organisations can't afford $20/month???

~~~
walkingolof
When you pay for something, you are very traceable, its a big difference.

~~~
simplyinfinity
stolen credit cards are a thing or proxy purchases

~~~
neonate
What's a proxy purchase?

Edit: never mind, Google told me. It's getting the older kids to buy you
alcohol.

~~~
simplyinfinity
or get homeless guy/junkie to buy 10 sim cards/prepaid phones for 20$

------
ghastmaster
Would compression techniques eliminate any possibilities of using
steganography in real time video calls?

------
nitrobeast
I will be surprised if Microsoft or Goolge encrypt their video calls that LE
cannot access them either.

~~~
bigiain
Jitsi are doing some nice work on this...

[https://jitsi.org/blog/e2ee/](https://jitsi.org/blog/e2ee/)

"If Emil was a rogue service provider running the bridge for the meeting, he
would no longer be able to eavesdrop on it and an attempt to do so would only
yield, well we already said that: an endless stream of rubbish.

The only way for Emil to actually participate in the meeting would be if he
was made privy to the e2ee key. In this case he was and once he enters it,
everything goes back to normal"

(Sadly, Chrome only for now - so if Google and state actors are your
adversary, "you're still gonna get mossad'd upon"...)

~~~
kitd
Lol, Emil should join my scrums. It's an endless stream of rubbish, encrypted
or not.

------
thebanksmoney
‪if paid =true and NotLaw=true then encryption =true else encryption =false ‬

------
crb002
That’s the same as saying they want to aid foreign government corporate
espionage.

------
dijksterhuis
AES GCM will still exist for free users.

> ... this is in reference to end-to-end encryption, but simply ran out of
> space in the tweet. ...

[https://twitter.com/nicoagrant/status/1268020841054269440](https://twitter.com/nicoagrant/status/1268020841054269440)

------
ssivark
Q: Won’t criminals use the paid tier?

A: No, because _crime doesn’t pay_

I’ll see myself out :-)

------
hyko
Bet they work with law enforcement on “encrypted” calls as well.

------
vmception
Free calls: unencrypted, content tappable, participant list subpoana'd

Subscriber calls: encrypted, subscriber list subpoena'd

no real thoughts on it, there wasn't a real expectation for me that Zoom was
private, only convenient.

------
bkayranci
pacman -R zoom

------
thewileyone
Who's placing puts on ZM now?

------
sammycdubs
They really timed that well

------
minicoolva
How about Google meeting

------
tibbydudeza
Bye bye Zoom.

~~~
robertlagrant
The death of Zoom means the dominance of Teams. Hope we're happy with the
trade.

------
daseiner1
fbi, chinese govt, top bidder... ever optional always optional

------
wallabie
My French language classes, typically held in person after work, moved to
online and over Zoom. Initially, we tried Google Meet and found it laggy and
that we would often drop out. Then we moved to Zoom and it has been a much
better experience. The interface is more intuitive, has a few more features
and somehow the quality has improved and the connection is much smoother. I
care deeply about my privacy, but I'm lucky that we don't discuss anything
sensitive in our classes such that the security issues and the lack of
encryption would become a big deal.

EDIT: We tried Meet, not Hangouts.

~~~
vijaybritto
What about Google Meet? Did you try it? I heard that its performing okay.

~~~
InvaderFizz
We're a Gsuite shop, so we've been using Meet since before WFH.

It's fine, not great, but the connection seems stable and we have not
experienced issues with conferences. Zoom is all that plus much more intuitive
and easier to use. The entire Zoom experience is great from start to finish,
built in background replacement is a really big draw along with the full tile
layout (Meet got tiles two weeks ago).

I would also say that Discord video has been great too. It's only downside is
that you can only be in a session on one device. That is an extremely annoying
limitation as I prefer to be mobile on my phone headset and present or stream
on the computer.

~~~
tgsovlerkhgsel
Thanks for giving this overview! Are you using the web version or the Zoom
app?

(I suspect many people on HN are using the web version because Zoom pushes
their app aggressively and in an abusive way, which immediately makes the more
paranoid among us decide that they don't want it. And I've heard that the
installed version is great while the web version is not.)

~~~
cesarb
Last time I tried, the web version of Zoom required you to create an account
(even when using Chromium and the trick of canceling the download twice to
make it show the web version link). The app, on the other hand, does not
require creating an account.

------
adrianN
Zoom is closed source, you could never trust their encryption to begin with.

~~~
tptacek
Are they somehow obfuscating their binaries, or are they simply LLVM output?
Is it your belief that straightforward compiler output is somehow infeasible
to verify?

~~~
occamrazor
It’s already too hard to find security bugs in clean source code. Analyzing a
binary can confirm the existence of encryption and the overall crypto scheme,
but not the absence of backdoors.

~~~
tptacek
Help me understand how the exact opposite thing isn't true? The binary is the
true record of what the platform is actually going to execute, unlike the
source code.

~~~
occamrazor
I should have qualified my statement better. There aren’t many people in the
world who can accurately audit a complex application. Evidence of the above
fact is that there are approximately zero complex applications without a
history of security issues, and there have even been successful attempts to
maliciously add exploitable bugs in open source projects.

Among these people only a small minority is able to perform a similar audit on
compiled code, and only at a much lower pace.

So I agree that it is possible to check a binary, but it is not feasible in a
reasonable way.

PS. You are a well known (maybe even famous in the community) software
security expert. Your perception of the availability and competence of good
experts may be skewed by the fact that you probably know most of the good ones

~~~
wglb
>Your perception of the availability and competence of good experts may be
skewed by the fact that you probably know most of the good ones

This is a bit disingenuous.

The fact that he knows them means that he can comment on the feasibility of
that analysis.

~~~
occamrazor
He can maybe do it, and a few dozen of other people. There aren’t simply
enough good experts to do it on any significant portion of popular software
products.

~~~
wglb
So we are not worried about popular software products, we are concerned about
critical pieces of software.

So seriously--how many are required?

------
seesawtron
Well all the more reason to quit Zoom.

~~~
lancewiggs
Or pay for it. There is always a cost for free.

~~~
asiachick
> There is always a cost for free.

There is? I'm not sure what my cost for clang, python, llvm, firefox, is for
being free. Even wikipedia, mdn, openstreetmaps, ...

~~~
pmlnr
I donate to wikipedia. They need to pay for electricity, servers, etc as well.

------
stcredzero
The more and more I see of Zoom, the less and less I think the organization is
in tune with Liberal ideals and culture. At least this is less devious than
coping an absolute security stance, then turning around and giving the
government the keys anyways.

~~~
monadic2
To clarify, are you referring to the american jargon for the left wing or
contemporary liberalism?

Edit: downvoted on clarification is certainly a new experience.

~~~
stcredzero
I mean the historical concept. In a way, I think Zoom's organization is
somewhat more in touch with the left wing and youth culture. I have a real
distaste for how Zoom (the software) does things for you, as if it knows
better.

~~~
monadic2
I can’t speak for others, but zoom is super oriented for corporate meetings
and they certainly aren’t “in touch” with my culture (esp compared to facetime
or facebook video chat), its current popularity is just an artifact of being
the most popular corporate group video software at the time the pandemic hit
the US.

------
sergioisidoro
This comes just after days after Trump tweeting that "ANTIFA" would be
considered a terrorist organisation.

If this kind of attitude picks up, of labelling domestic protest groups as
terrorists, together with things like these, there won't be much separating
the USA from an oppressive state

------
sys_64738
Can't Zoom encrypt everything and silently drop encryption with a court
subpoena? That sounds like the right thing to do.

~~~
willis936
How is that the right thing to do? It would be the worst PR disaster the
company has ever seen, which is a high bar.

~~~
sys_64738
Co-operating with police isn't a 'PR disaster' when directed by a court.
Checks and balances establish the legal framework for which Zoom aids the
police - a court order. It's not hard.

~~~
willis936
Silently putting in a back door subverts the trust of users and is worse than
having no encryption at all. If they aren't upfront with having backdoors in
their encryption, how can we trust that they haven't been using encryption to
just establish a false sense of security and sell the keys the whole time?
It's a huge pile of bad faith.

------
PeterStuer
This is complete and utter BS.

EVERY communications provider has to comply with lawful intercept [1]
regulation in all the regions where they operate. If they do not they find
themselves hauled before the regulator and they'll be fined or worse until
they do or go out of business.

'Encryption', while it would make it harder to snoop on your calls from third
parties, will not 'protect' you from lawful intercept.

Furthermore specific to the US Zoom also has to comply with the Communications
Assistance for Law Enforcement Act [2]. This does in no way mean Zoom can not
encrypt its traffic. It just means it has to provide law enforcement the
ability to covertly wiretap every and any communication. If Zoom provides end
to end encryption to its paying customers, it still has to provide access to
law enforcement to the content of those communications.

[1]
[https://en.wikipedia.org/wiki/Lawful_interception](https://en.wikipedia.org/wiki/Lawful_interception)

[2]
[https://en.wikipedia.org/wiki/Communications_Assistance_for_...](https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act)

~~~
Erlich_Bachman
> 'Encryption', while it would make it harder to snoop on your calls from
> third parties, will not 'protect' you from lawful intercept.

Yes it will, it will make the intercept so expensive that it will not make
sense anymore for them to do it.

In the first case, all they need to do to intercept is to call Zoom
headquarters, or even just go to some pre-setup website and just enter the
identity of the user and voíla you have the data. The cost is 1 man-hour of an
agent.

In the second case, the Zoom doesn't have technical ability to break the
encryption, and to "lawfully intercept" they need to either break your phone
or physically break into your home to install some devices, or construct
elaborate servers to trick your phone into thinking it talks to real Zoom, or
use the supercomputers to break some of the encryption, or use some of their
hidden stashed 0-day, and thus risk exposing it by using it, and not be able
to use it later for a real threat. Cost of this can be astronomical for
breaking a single user. (And all of that is even more true for open-source
solutions.)

Also a lot of people disdain this not because they are terrorists. They
disdain this type of surveillance because it has been shown many times that
governments do not just track terrorists, they always end up abusing their
power and track everyone, and there are agents who sometimes just make fun of
people and read their emails etc. Didn't you read any of the Snowden material
that was published? Encryption prevents exactly this type of ABUSE of the
power by the government.

------
ankmathur96
The reality is that this is being made out to be way more insidious than it
is. Platforms should work with authorities so that bad actors like known
terrorists can’t use a free platform to organize.

To the crowd who says “well you can do bad stuff if you pay” - If terrorists
are paying for Zoom, they’re leaving a paper trail for the FBI. Free platforms
are ripe for abuse _because_ they’re free.

~~~
john_alan
Can you please move into a glass house. I just need to make sure you’re not
doing anything bad, and the FBI can’t see through your walls.

Also I’ll need a copy of your bank account statement. I just need to take a
look. Make sure it’s ok. Unless someone else has recently.

The narrative that we should sack our privacy to help “law enforcement” is
fucking braindead.

~~~
robertlagrant
If you have a warrant, the police can both break into your house and see your
records, no glass required.

