
E2E means everything between two ends is encrypted. Once it gets on their end, they can do what they please.



That's not what E2E means at all. E2E means only the parties communicating can decrypt the data i.e. the sender and the receiver. Anything short of that isn't E2E.

https://en.m.wikipedia.org/wiki/End-to-end_encryption


> That's not what E2E means at all.

It’s kind of what it means? OP’s question is w.r.t. the receiving party’s ability to consume the data. The point that’s being made is that E2E doesn’t mean encrypted at rest and receiver can’t consume the data.

I see a lot of comments nitting on the wording for a lack of specificity but, IMO, OP’s question was more about understanding what goes on at the two ends of the pipe. The point being made is that the recipient can still choose to do whatever it is they want with the content.


I am the OP? E2E does mean that only the sender and receiver have the keys. You can't redefine what E2E is.


It's what it means when Zoom says they have E2E. It is a deception.


I agree with you, but to be honest I don't care what Zoom says. I am not going to let them redefine something so it suits them. Might as well call it potato encryption.


Yeah, that explanation is just TLS.


E2EE implies both ends have an encrypted channel to transport data to each other directly, without an intermediary step. This is the very definition of the term, at least it is in my mind. Having the data only encrypted to and from their servers would merely be transport layer encryption. Although I have no idea whether they implement one, the other or both.

In the context of video conferencing software (WebRTC specifically) this is actually somewhat interesting, because typically the signaling server is the one who hands out the public key of the other peer and needs to be trusted, so they could by all means deliver public keys to which they possess the keys for decryption and it therefore would allow them to play man in the middle in a typically relayed call. So even if E2EE is implemented, it might be done poorly without figuring out how to establish trust independently.


Yeah, the key delivery is the hardest part if you are privacy focused. Signal and WhatsApp have a screen where you can generate a QR code, and use that to verify that you and your contact have exchanged keys without a man-in-the-middle attack.


I wish browsers would do something similar with their WebRTC stack. Something that shows independently of the site (out of its execution context) which keys are used and allows for an easy comparison of them independently. But I don't know of such functionality being there yet.
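
The out-of-band key comparison discussed in the comments above, as an added example that is not part of the thread or of any product's code: each side derives a short code from its own DTLS fingerprint and the fingerprint it was handed over signaling, and the codes only agree if the keys were delivered unchanged. The derivation scheme, the label string, and the sample SDP are constructed for illustration and are not Signal's or WhatsApp's algorithm; it also assumes the fingerprints are read somewhere the site's own script cannot alter.

```python
import hashlib
import re

# a=fingerprint:<hash-func> <colon-separated hex>, as carried in WebRTC SDP
FP_RE = re.compile(r"^a=fingerprint:(\S+)\s+([0-9A-Fa-f:]+)\s*$", re.MULTILINE)

def sdp_fingerprint(sdp: str) -> bytes:
    """Extract the DTLS certificate hash a peer advertised in its SDP."""
    m = FP_RE.search(sdp)
    if not m:
        raise ValueError("SDP has no a=fingerprint attribute")
    if m.group(1).lower() != "sha-256":
        raise ValueError("unexpected fingerprint hash: " + m.group(1))
    raw = bytes.fromhex(m.group(2).replace(":", ""))
    if len(raw) != 32:
        raise ValueError("malformed sha-256 fingerprint")
    return raw

def verification_code(local_sdp: str, remote_sdp: str) -> str:
    """Code each user derives from their own key and the key they were handed.

    Sorting makes it order-independent, so both ends of an untampered call
    compute the same digits. Hypothetical scheme, not Signal's algorithm.
    """
    a, b = sorted([sdp_fingerprint(local_sdp), sdp_fingerprint(remote_sdp)])
    digest = hashlib.sha256(b"example-webrtc-verify-v1" + a + b).digest()
    n = int.from_bytes(digest[:8], "big") % 10**12
    digits = f"{n:012d}"
    return " ".join(digits[i:i + 4] for i in range(0, 12, 4))

def constructed_sdp(cert_label: str) -> str:
    """Build a minimal SDP with a fingerprint derived from a label (sample data)."""
    hexfp = hashlib.sha256(cert_label.encode()).hexdigest().upper()
    fp = ":".join(hexfp[i:i + 2] for i in range(0, 64, 2))
    return ("v=0\r\nm=audio 9 UDP/TLS/RTP/SAVPF 111\r\n"
            f"a=fingerprint:sha-256 {fp}\r\na=setup:actpass\r\n")

ALICE, BOB, RELAY = (constructed_sdp(n) for n in ("alice", "bob", "relay"))

def codes_match(alice_received: str, bob_received: str) -> bool:
    """True when the codes Alice and Bob would compare out of band agree."""
    return verification_code(ALICE, alice_received) == verification_code(BOB, bob_received)

if __name__ == "__main__":
    print("keys delivered unchanged:", codes_match(BOB, ALICE))
    print("signaling swapped keys:  ", codes_match(RELAY, RELAY))
```
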


For some definition of "end." Semantically, E2E encryption should mean encrypted end-to-end between you and the person you're calling, without Zoom having the key or ability to decrypt it. For example, this is Signal's definition of E2E encryption.


Yes, E2E means everything between two ends is securely encrypted, but there is no "their end" between participants in a Zoom call, the Zoom company isn't an "end" in this conversation. If someone like them between the speaker and the listener can decode the data, that's not E2E.


This isn’t what E2E means for communication software. E2E means only the participants have the keys. Signal is a good example of this, the message is encrypted from the sender to the receiver and Signal themselves cannot decrypt it.

Separately, most Zoom meetings are not E2EE. That’s why features like live transcription work.


Only the participants do have the keys. You, the other people on the meeting, the company running Zoom, at least one government. It's still usefully encrypted to stop (at least some) other companies/countries benefiting from the information.

I think Zoom probably have a defence against the fraud accusation that no reasonable person would believe end to end encrypted meant Zoom doesn't have the data as that's the whole point of the service existing.


Zoom has not committed any fraud. They clearly state that by default their meetings are encrypted, but not end to end encrypted. And that you can turn on end to end encryption, but that it causes a bunch of features to be disabled. I think this is a great balance between being able to add features that are impossible with E2EE, but allowing privacy conscious users to choose if they need stronger encryption.

https://support.zoom.us/hc/en-us/articles/360048660871-End-t...


E2E means/implies that only the endpoints (i.e. the users) get to see the unencrypted signal. If Zoom truly uses E2E encryption no trainable data would exist on their servers. Of course, they control the endpoint software too so they could make it do whatever they want realistically.



