Bruce Schneier, firstname.lastname@example.org
X-Lab, 814-865-1395, email@example.com
Kairos, 336-971-0679, firstname.lastname@example.org
STOP, 571-766-6273, Albert@StopSpying.org
Media Alliance, 510-684-6853, email@example.com
Color of Change, 347-869-9707, Kwame.Belle@berlinrosen.com
CAIR-SFBA, 707-412-0786, firstname.lastname@example.org
Today, Fight for the Future, X-Lab, Kairos, Surveillance Technology Oversight Project, Inc, Media Alliance, Color Of Change, the Council on American-Islamic Relations’s San Francisco Bay Area Office, and internationally renowned security technologist Bruce Schneier called on Zoom to implement default end-to-end encryption (E2EE).
Here is a link to the press conference:
At the press conference, held on Zoom’s video conferencing platform, participants praised the video conferencing company for the security improvements made so far and then focused on the importance of implementing E2EE for user safety.
The press conference comes on the heels of Zoom announcing another round of security upgrades, including stronger encryption. The Zoom 5.0 update includes greater room control that allows hosts to ban participants, report users, and lock meetings. Along with that, Zoom upgraded to AES 256-bit GCM encryption.
Although the organizations were encouraged by Zoom’s responsiveness, they didn’t feel the upgrades went far enough.
"At a time when Zoom is a lifeline for our families, companies, and communities, we need end-to-end encryption to protect our most intimate moments together," said Surveillance Technology Oversight Project Executive Director Albert Fox Cahn. "While Zoom has improved their security, we need end-to-end encryption to talk with our friends and loved ones without second guessing everything we say and worrying that someone else may be listening. Encryption has always been indispensable to secure communication, but today it’s more crucial than ever."
"For more than four decades, Media Alliance has been insisting that communication platforms must serve the needs of community-based organizations," said Tracy Rosenberg, Executive Director of Media Alliance. "In moving from one option among many to a central core for how we communicate and how work gets done and human connections are maintained, Zoom has a responsibility to lift their game for security and safety. We believe they are trying, but half measures simply won’t do. Full end to end encryption will assure people that their private communications will stay private. Anything short of that is insufficient for the times we face."
Evan Greer, Deputy Director of Fight for the Future, went on to say, "Zoom has an opportunity to lead the way in video conferencing security. But to do so, they have to implement default end to end encryption. Implementing end to end encryption is the only way to guarantee user security and the most important thing Zoom could do to keep people safe."
The organizations maintained that without E2EE, users will remain vulnerable to bad actors, cyber criminals, and governments looking for opportunities to exploit security gaps.
"Governments and law enforcement agencies around the world will eventually demand Zoom hand over user data or build back doors to surveil users’ communication. And repressive governments will use information collected from the video conferencing platform to persecute people. There is no other way for Zoom to protect themselves and users from being in these situations than to implement default end to end encryption," said Greer.
Sascha Meinrath, Director of X-Lab, echoed concerns about public safety: "End-to-end encryption is essential to protecting the integrity of our communications and our privacy rights. Too many U.S. companies have implemented technologies that still allow them, their corporate partners, and government officials (both foreign and domestic) to snoop on our most private moments. Put simply, in pursuit of ever-increasing profits, these companies are making Americans less safe."
FolaSade, Campaign Manager with Color Of Change, spoke to some of the direct threats facing Zoom users: "In a time of increasing fear and anxiety, Zoom’s choice to minimize racial harassment and place the onus of stopping cyberterrorism on its users is ethically irresponsible and unacceptable. The world’s most popular video communication platform cannot afford to have a growing number of racist cyberterrorists infiltrate and harm its user base. We are calling on Zoom to commit to a plan that specifically combats racial harassment on its platform, which would include end-to-end encryption."
Jelani Drew-Davi, Campaign Manager at Kairos, expounded on the impact of Zoom’s security issues on people of color: "End-to-end encryption has become a buzzword that companies like Zoom throw onto their security white page or advertisements to lure in privacy-conscious users even if the feature is not truly enabled. Without the privacy and security that end-to-end encryption provides, everyone is put in harm’s way, but the burden disproportionately falls on Black and Brown communities. Throughout history people of color have been the disproportionate victims of surveillance and over-policing. Today, as technology becomes more intertwined with daily life, that shameful history continues online, making unwarranted surveillance a danger to privacy for Black and Brown communities. Demanding end-to-end encryption is one way we can start to take control of how we interact with digital platforms and create safe platforms online for everyone."
While the civil society organizations explained the important role end-to-end encryption has in keeping people safe, internationally renowned security technologist Bruce Schneier spoke to the technical components of Zoom implementing E2EE.
"For small meetings and definitely for point to point you can do it and they [Zoom] can do it. They’ve done most of the hard stuff. Fixing the key management is the one piece they have left [to implement E2EE]," said Schneier. On his blog, Schneier on Security, he expounds: "The real worry is where the encryption keys are generated and stored… There is nothing in Zoom’s latest announcement about key management. So: while the company has done a really good job improving the security and privacy of their platform, there seems to be just one step remaining to fully encrypt the sessions."
Sameena Usman, Government Relations Coordinator for CAIR-SFBA, summed up the press conference with her statement: "As we rely on tools like Zoom to continue our work of serving and advocating for the community, Zoom must do all it can to earn the community’s trust by having stringent security protections in place. We have enough fear with the global pandemic. We should not have to fear who or what’s entering our apps as well."
Daily Kos was unable to participate in the press conference, but Ntebo Mokuena, Digital Campaigner at Daily Kos, wanted to say the following: "The internet and video services have never been more important during this difficult time, helping us stay in touch with others while physical distancing measures remain in place. In particular, millions of us rely on Zoom to make calls to friends, loved ones, and coworkers. Yet, hackers and cyber criminals have repeatedly gained access to supposedly private Zoom calls thanks to the failure of its encryption services. Default end-to-end encryption is a no-brainer. Zoom needs to step up and acknowledge its duty to ensure safe connections as it continues to play an important role in keeping the world connected right now. Daily Kos calls on Zoom to strengthen its security measures and ensure that all Zoom calls are encrypted end-to-end to prevent hackers from gaining access to our conversations and stealing sensitive information."