IMHO, the only reason why Zoom is interested in end-to-end encryption is to be HIPAA compliant so that hospitals can use the platform for remote visits. I don’t see a reason why Zoom would be worried whether someone at their company or from other agencies would listen in on my calls. I actually believe that they have incentives not to encrypt my calls in case they are served a warrant and need to provide a recording for the calls.
Incidentally, my university has adopted Zoom as their platform of choice for the medical school and hospital at the end of September, which would coincide more or less with their release of the end-to-end encryption.
In short, I see the white paper as evidence of compliance with some government regulation rather than a real effort to secure user communication.
Yep. If US companies offer encryption, I wouldn’t expect any kind of security guarantee out of it – they are either already NSLed or will be.
I don’t think an NSL is relevant here.
Most of the time, the companies are not compelled to undermine our civil liberties; they’re complicit. But even then, an NSL only allows surreptitious requests for subscriber data. The scope is fairly limited. If the FBI/CIA/NSA trifecta want more than that out of a company that has principles, they need to explore other options (subpoena, etc.) because the NSL doesn’t encompass those requests.
But really, most companies are run by would-be crony capitalists that don’t give a damn about your privacy, and therefore cannot be trusted.
A reminder we shouldn’t be leaving our private communications at the mercy of privative software.
Open source should be a legal requirement in many scenarios.
Of course the issue is that most governments are not interested in private communications to begin with, often quite the opposite.
Related (IMHO)
https://lobste.rs/s/2kdzvj/discretization_attack